State Exchange Problems Added ACA Threat Regardless of SCOTUS Decision In King v. Burwell

March 3, 2015

While most Americans are familiar with the well-publicized issues and higher than projected premium costs of coverage offered to Americans enrolling in health care coverage through the federal healthcare marketplace Healthcare.gov created under the health care reforms of the Patient Protection & Affordable Care Act (ACA), many Americans are just beginning to recognize the growing problems and concerns emerging with state exchanges in those states that elected to enact their own exchange.  As the Supreme Court prepares to hear arguments in the challenge to the payment of ACA subsidies to individuals in states that elected not to adopt a state-run health care exchangeto pay for coverage purchased through the federal healthcare.gov marketplace in King v. Burwell on Wednesday, March 4, 2015, the growing evidence of rapidly emerging funding and other challenges affecting state-run exchanges raise concerns about the solvency and reliability of coverage promised and purchased through those state-run exchanges.  These state exchange funding difficulties create concerns not only for state lawmakers, but also for the health care providers and patients that are relying upon adequate funding to ensure that patients can receive promised care and coverage and the health care providers caring for these patients will receive promised payment for these services.

During the Congressional debates leading up to the enactment of ACA, for instance, ACA advocates touted the Massachusetts health care mandates and reform law of Massachusetts as part of the model for ACA and evidence of the potential benefits offered by enactment of ACA.  Now Massachusetts officials are blaming ACA for serious underfunding and other problems in their state’s health care connector.

Massachusetts Governor Charlie Baker recently cited the Health Connector and its challenges in enrolling Massachusetts residents in health insurance plans as part of the Affordable Care Act that forced the state to temporarily transition hundreds of thousands of state residents into the commonwealth’s Medicaid program as a primary reason for the state’s projected $1.5 billion budget deficit.  He now has asked for the resignations of four Massachusetts Health Connector board members:  MIT professor Jonathan Gruber,  Covered California actuarial consultant John Bertko; Massachusetts Nonprofit Network CEO Rick Jakious and Spring Insurance Group CEO George Conser.

The Massachusetts experience is not unique.  Other states also are experiencing significant funding and other problems dealing with the ACA mandates and implementation.  See, e.g.,  Funding Woes Imperil Future of State Run Exchanges;  State Insurance Exchanges Face Challenges In Offering Standardized Choices Alongside Innovative Value-Based Insurance.

This mounting evidence of serious cost, financing and other concerns in state-run exchanges creates new reason for concern about the future of ACA’s health care reforms even for those citizens of states whose eligibility for subsidies is not challenged by the King v. Burwell Supreme Court challenge.   These state exchange funding difficulties create concerns not only for state lawmakers, but also for the health care providers and patients that are relying upon adequate funding to ensure that patients can receive promised care and coverage and the health care providers caring for these patients will receive promised payment for these services.These and other budget overruns and operational challenges raise serious questions about the ability of the federal government or the states to fund the promises currently made by ACA in its present form.  Congress and state governments almost certainly will be forced to deal with these broader challenges regardless of the outcome of King v. Burwell.   As American leaders continue to struggle to deal with these and other mounting problems impacting the U.S. health care system, the input of individual Americans and businesses and community leaders is more critical than ever.  Get involved in helping to shape improvements and solutions to the U.S. health care system and the Americans it cares for by sharing your ideas and input through the Coalition For Responsible Health Care Policy  and exchanging information and ideas for helping American families deal with their family member’s illnesses, disabilities and other healthcare challenges through Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment &  Coalition on Responsible Health Policy

Do you have ideas or experiences to share about medical debit, ACA or other health care challenges?  Have ideas for helping improve ACA and other health care policies impacting the US health care system, helping Americans cope with these and other health care challenges or other health care matters? Know other helpful resources or experiences that you are willing to share?  Are you concerned about health care coverage or other health care and disability issues or policy concerns?  Join the discussion and share your input by joining Project COPE: Coalition for Patient Empowerment here.

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of

The Coalition and its Project COPE arise and operate on the belief that health care reform and policy must be patient focused, patient centric and patient empowering.  The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

You also may be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here such as:

 You also can find out about how you can arrange for training for you, your employees or other communities to participate in training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include employers and their health and other employee benefit plans,  public and private health care providers, health insurers, plan fiduciaries and service providers, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available hereYou also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Health Care Employer’s Discrimination Triggers Medicare, EEOC Prosecutions

March 2, 2015

Health care employers and organizations should review and tighten their employment and other discrimination policies and risk management in light of recent employment discrimination enforcement actions targeting health care organization staffing decisions by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) and the Equal Employment Opportunity Commission.

OCR Race Discrimination Medicare Action

A new OCR Voluntary Resolution Agreement with Shiawassee County Medical Facility reminds health care providers of the frequently underappreciated Medicare/Medicaid program participation risks of certain types of employment discrimination to be careful not to allow patient preferences to lead them into the trap of violating the prohibition against race, color, and national origin under Title VI of the Civil Rights Act of 1964 or other federal nondiscrimination laws when making patient staffing assignments.

Title VI of the Civil Rights Act prohibits discrimination in the administration of any federally-funded program based on race, color, or national origin.   OCR’s longstanding “Guidelines for Compliance of Hospitals with Title VI of the Civil Rights Act of 1964,” make clear that OCR interprets Title VI prohibits assignment of hospital staff based on the racial preference of the patient.

A newly announced OCR investigation and Resolution Agreement Shiawassee County Medical Care Facility, a 136-bed Medicare and Medicaid certified skilled nursing facility, illustrates the need for Medicare and Medicaid certified health care providers of all types to ensure their compliance with Title VI and, in particular, to refrain from making any staff assignments based on racial considerations.

The Resolution Agreement between OCR and Shiawassee, a 136-bed Medicare and Medicaid certified skilled nursing facility, resolved charges that the facility violated Title VI by giving a nursing staff instruction to not assign African-American staff to a Caucasian Resident. Based on an investigation, OCR found Shiawassee needed to change its policies and procedures to bring them into full compliance with Title VI.  To implement fully the prohibition against consideration of race in staff assignments, Shiawassee signed a with OCR which calls for the appointment of a Title VI Coordinator to oversee Shiawassee’s overall compliance with Title VI including special responsibilities for the investigation and adjudication of any Title VI complaints filed internally with Shiawassee.  In addition, Shiawassee must train its workforce on Title VI, and submit reports to OCR regarding compliance.

The Shiawassee charges and Resolution agreement follow a similar Agreement in August 2014 between OCR and Hurley Medical Center in Flint, Michigan , which also resolved OCR charges arising from that facilities staff assignment based on a patient’s racial preference.  Read the Hurley Agreement here.

Phoenix EEOC ADA Discrimination Action

The HHS against Shiawassee enforcement action coincides with an Equal Employment Opportunity Commission (EEOC) announcement of its filing of disability discrimination lawsuit under the Americans With Disabilities Act (ADA) against another health care provider, ValleyLife of Phoenix, Arizona. EEOC charges that ValleyLife engaged in illegal disability discrimination in violation of the ADA when it allegedly fired employees with disabilities instead of providing them with reasonable accommodations when their eligibility for family leave ended under the Family & Medical Leave Act ended and allegedly failed to keep employees’ medical records confidential.  See EEOC v. ValleyLife, Civil Action No. 2:15-cv-00340-GMS (N.Az).

In EEOC v. ValleyLife,  the EEOC charges that ValleyLife fired employees with disabilities rather than provide them with reasonable accommodations due to its inflexible leave policy.  The policy compelled the termination of employees who had exhausted their paid time off and/or any unpaid leave to which they were eligible under the Family Medical Leave Act (FMLA).   According to the EEOC, ValleyLife fired supervisor, Glenn Stephens, due to his need for further surgery when his FMLA leave eligibility ended.  EEOC claims this termination violated the ADA because ValleyLife did not engage in any interactive process to determine whether any accommodations (including additional leave) were possible.  Stephens had worked for ValleyLife for over ten years at the time of his termination.  The EEOC contends that ValleyLife’s failure to offer extended leave or other accommodation to Stephens when his leave eligibility ended violated the ADA, which protects workers from discrimination based upon disability and requires employers to provide reasonable accommodations to the known physical or mental impairments of disabled employees unless doing so would cause an undue hardship.

The suit also alleges that ValleyLife commingled medical records in employee personnel files and failed to maintain these medical records confidential in violation of the medical record confidentiality requirements of the ADA, which requires employees’ to keep medical documents confidential and separate from other personnel records.

The lawsuit seeks lost wages and compensa­tory and punitive damages for the alleged victims, as well as appropriate injunctive relief to prevent discriminatory practices in the future.

Prepare Employment Discrimination Defenses

The OCR action against Shiawassee and the EEOC suit against ValleyLife remind health industry employers of the need to use care to monitor and manage employment discrimination risks.  Health care organizations should avoid the temptation to assume that their organizations can rely upon patient preferences or other common industry concerns to defend against claims of disability, race or other discrimination.  Instead, health care organizations should review and update their policies and practices to ensure that they properly comply with applicable employment and other federal and state disability discrimination law and are operationalized in a manner to create and keep appropriate documentation to defend staffing decisions against potential claims of illegal discrimination under the ADA, Civil Rights, or other laws that could adversely impact their organization’s eligibility to participate in Medicare, Medicaid or other federal programs, trigger judgments or penalties, or both.

Health care organizations also need to exercise care to ensure that their patient access, care and other policies also comply and are administered to withstand scrutiny under Medicare terms of participation, the ADA, the Civil Rights Act and other federal discrimination laws.   These health industry employers should both evaluate their existing policies and practices, as well as their processes for conducting and documenting investigations and other activities associated with the administration of FMLA or other disability accommodation, patient and other staffing and other activities to position their organization to identify potential exposures and position themselves to defend their decisions against OCR, EEOC or other government agency investigations, private plaintiff claims or both.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available hereYou also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Parkview Hospital To Pay $800K To Settle HIPAA Charges After Retiring Physician Blows The Whistle

July 6, 2014

Health care providers, health plans, heath care clearinghouses and their business associates heed both the lesson about properly protecting protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement.

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

The resolution agreement highlights the role that current or former physicians, employees or others can play in helping OCR to identify HIPAA violations.  Health care providers and other covered entities and their business associates should take into account the likelihood that physicians on their own or other facility medical staffs, their employees and other participants in the care delivery system often may have and be motivated to report to government sensitive information about violations of HIPAA or other laws.  Since HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objectiving to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations, employees or other workforce members increasingly make the complaints bring violations to OCR and other regulators.

Whether from an internal employee complaint, a  patient or competitor complaint or other source, HIPAA violations carry significant liability risks.  The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.  Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Health Care & Other HIPAA Covered Entities Should Review New Reports As Part of HIPAA Risk Management Efforts

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).   Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
  • Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA,  In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Small Smiles Dental Centers Excluded As Federal Health Program Provider For 5 Years

April 4, 2014

Yesterday’s announcement of the exclusion of the operator and manager of the national dental chain, Small Smiles Dental Centers, from exclusion in Medicaid, Medicare and other federal health programs highlights the risks health care providers run by failing to comply with a Corporate Integrity Agreement.

Daniel R. Levinson, Inspector General of the U.S. Department of Health and Human Services, announced April 3, 2014 that the operator and manager of the Small Smiles Dental Centers, CSHM, LLC (formerly known as FORBA Holdings and Church Street Health Management (CSHM), has signed an Exclusion Agreement that bars CSHM from participating in Medicare, Medicaid, and all other Federal health care programs for 5 years. Small Smiles Dental Centers provides services primarily to children on Medicaid.

Mr. Levinson said that this exclusion “makes clear to the provider community that OIG closely monitors our CIAs, critically evaluates providers’ representations and certifications, and will pursue exclusion actions against providers that fail to abide by their integrity agreement obligations.”

According to the announcement, the exclusion is based on CSHM’s alleged material breaches of its Corporate Integrity Agreement (CIA) with the Office of Inspector General (OIG).

CSHM’s corporate predecessor entered into the CIA in 2010, as part of the resolution of a False Claims Act case involving allegations that the company had provided dental services to children on Medicaid that were medically unnecessary or failed to meet professionally recognized standards of care.

On March 7, 2014, OIG issued a Notice of Exclusion to CSHM based upon numerous material breaches of its obligations under the CIA. CSHM failed to report serious quality-of-care reportable events, take corrective action, or make appropriate notifications of those events to the State dental boards as required by the CIA, OIG found. CSHM also failed to implement and maintain key quality-related policies and procedures, comply with internal quality and compliance review requirements, properly maintain a log of compliance disclosures, and perform training as required by the CIA. Finally, CSHM submitted a false certification from its Compliance Officer regarding its compliance with CIA obligations.

This exclusion marks the culmination of a series of alleged failures by CSHM and its corporate predecessors to comply with its CIA. Under the CIA, an independent quality monitor conducted more than 90 site visits and reviews to monitor CSHM’s compliance. Since the 2010 settlement, OIG repeatedly cited CSHM and took actions to address those violations, promote improved compliance, and maintain access to care for an underserved population. These actions included imposing financial penalties and forcing the divestiture of one of the company’s clinics.

Despite these actions, CSHM remained in material breach of its CIA and OIG issued Notices of Intent to Exclude to the company in December 2013 and January 2014. In such cases, providers get the chance to show OIG that they have cured, or are in the process of curing, the material breaches. CSHM represented to OIG that it would cure the material breaches. However, through meetings with CSHM and its Board of Directors and review of its written submissions, OIG determined that CSHM had failed to cure the material breaches and proceeded with the exclusion.

CSHM disputed OIG’s determination that it was in material breach of the CIA. However, under the Exclusion Agreement, CSHM now has waived its objections to these findings.

To minimize immediate disruption of care to the hundreds of thousands of children treated at CSHM clinics and to enable an orderly, controlled shutdown of the company or divestiture of its assets, the exclusion takes effect September 30, 2014. CSHM waived its right to appeal this exclusion in any judicial forum.

Until the exclusion goes into effect on September 30, 2014, an independent monitor will continue to monitor the quality of care being provided to patients at CSHM clinics. CSHM is required to inform patients at least 30 days before closing a clinic. CSHM is also required to keep State Medicaid agencies abreast of developments and provide monthly status reports to OIG. Any divestiture of assets by CSHM must be through bona fide, arms-length transactions to an entity that is not related to or affiliated with CSHM.

Beyond the implications for Small Smiles Dental Centers, the announced exclusion carries important implications for other health care providers.  First, of course, the exclusion means that Small Smiles Dental Centers and CSHM as excluded providers are ineligible for hiring by other providers participating in Medicare or other Federal Health Programs.  Second, the exclusion also highlights the advisability for other providers covered by CIAs not only to see to comply with their CIA and in the event the OIG questions of the adequacy of that compliance to look for opportunities to work with OIG to rectify alleged concerns as cooperatively as possible unless a high degree of certainty that the provider can prove that OIG’s concerns are unfounded.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Board Certified in Labor & Employment Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters.

Throughout her career, Ms. Stamer has advised and represented health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to health care, human resources, tax, privacy, safety, antitrust, civil rights, and other laws as well as with internal investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.


 


APDerm To Pay $150k To Settle 1st HIPAA Breach Rule Charges

December 27, 2013

A new settlement agreement announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) shows health plans, health care providers, health care clearinghouses and their business associates the perils of failing to properly implement the necessary policies and procedures to comply with the breach notification requirements added to the Health Insurance Portability & Accountability Act of 1996 (HIPAA) added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

APDerm Settlement Overview

Private dermatology practice, Adult & Pediatric Dermatology, P.C., (APDerm) has agreed to pay $150,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules.  The APDerm Settlement  marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

According to its December 26, 2013 announcement of the settlement, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The APDerm settlement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteIt joins the  growing list of settlement or resolution agreements under HIPAA announced by OCR.

The APDerm also is notable both as it settles the first ever charges against a covered entity for failing to adopt required Breach Notification policies and procedures and the relatively most settlement payment required in comparison to other announced settlement.  Other settlements have been significantly higher.  For instance,  OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s audit,  investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, evolving rules and technology, and other developments to determine if additional steps are necessary or advisable. For tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Board Certified in Labor & Employment Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters.

Throughout her career, Ms. Stamer has advised and represented health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to health care, human resources, tax, privacy, safety, antitrust, civil rights, and other laws as well as with internal investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.


[1] WHD’s announcement of the planned rule notes that this draft shared December 15 remains subject to change before formally published in the Federal Register


Reminder To Follow Confidentiality, Due Process When Conducting Peer Revew & Credentialing

December 16, 2013

Hospitals, physicians, health plans and others participating in credentialing and peer review activities need to use care to ensure that they and others involved in these matters understand and comply with the confidentiality requirements of the Health Care Quality Improvement Act and similar state laws.

Hospitals and their medical staffs, physician and other practice groups and other health care organizations commonly require or query the National Practitioner Data Bank (NPDB) established under HCQIA and other sensitive professional and personal when checking the backgrounds and credentials of physicians seeking admission to the medical staff, employment, staff privileges, participation in provider panels or other positions.  These health care organizations and providers also frequently may receive inquiries from other health care providers or organizations seeking information about a provider who is applying for admission, employment or other status.  Finally, medical staffs, practices and other health care organizations from time to time may conduct credentialing, peer review or other disciplinary activities, or quality assurance reviews that may involve the discussion of information about the conduct, quality, discipline or other credentials and qualifications of current or former physicians at their own or another health care organization.

The investigation or discipline of a physician and certain other information regarding potential performance or credentialing concerns about a physician or other health care worker often by necessity involves the receipt, sharing, or use of sensitive professional or personal information with credentialing, management, medical staff leadership or others involved in the investigation, review or process.  When participating in any of these activities, all parties involved in the activities or providing input or participation in their conduct need to understand and be required to comply fully with all applicable confidentiality and privacy requirements.   While participants in these processes often may feel great temptation to circumvent formal processes in the name of expediency, to share sensitive insight with special relationships or other inducements to cut corners on confidentiality, the participants in these activities and the organizations conducting the activities should take all necessary steps to ensure that the participants carefully comply with the confidentiality and privacy requirements and only obtain and share information as allowed by and in accordance with the procedures established by these rules.

The background check rules of the Fair Credit Reporting Act (FCRA) generally require that health care organizations, as well as other businesses, conducting background check or other investigations using third party data or investigators comply with the notice, consent and disclosures of the FCRA.  Parties requesting or providing information as part of a credentialing, peer review or other investigation should ensure that the necessary disclosures, notices and consents have been obtained before requesting or sharing information.  The fulfillment of these requirements should not be assumed as experience demonstrates that these requirements are commonly overlooked by many health care and other organizations engaged in these activities.

In addition to meeting the FCRA, HCQIA, most state peer review, and medical staff bylaws generally require that credentialing, peer review, quality assurance, and other performance and discipline activities be conducted in accordance with carefully prescribed rules, including specific requirements concerning the protection of the confidentiality of information about a provider.  While relatively rare, violation of HCQIA’s confidentiality rules can create significant liability.  For instance, after it self-disclosed conduct to the Department of Health & Human Services Office of Inspector General (OIG), The Queen’s Medical Center (QMC), Hawaii, agreed to pay $150,500 in civil money penalties for allegedly violating the NPDB in 2009.

Beyond the rare sanctions under HCQIA, failing to following the rules of HCQIA and state laws can undermine the defensibility of peer review and credentialing decisions by undermining the ability of participants in the process to rely upon the peer review privilege to protect deliberations and discussions conducted in connection with the peer review and credentialing process from discovery, as well as by providing evidence of bad faith, malice or other bad motivation or acts corrupted the process and determination.  Beyond hurting the defensibility of the credentialing and peer review process, violations of confidentiality or other procedures often also give rise to antitrust, defamation, invasion of privacy, tortious interferences, and other damage claims by physicians who feel their ability to practice and reputations have been injured by alleged improper conduct in connection with a peer review, credentialing or quality assurance process.

Beyond avoiding giving rise to claims by the targeted physician or other health care provider, all participants in these processes also need to use care to properly protect any individually identifiable patient information.  Records and information about a patient, his medical condition, payment history and other related patient data and information often involved in these activities typically qualifies as personal health information, the use, access, and disclosure of which is restricted by the Privacy Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state common law, HIPAA and other medical records privacy and confidentiality laws.  In addition to the specific requirements of HIPAA and other medical information privacy laws, patient financial information and certain other sensitive information also may be protected by a broad range of federal and state laws protecting personal financial and other sensitive personal information, contractual rights created by privacy policies of the organizations involved or other laws.

Conducting proper credentialing, peer review and quality assurance activities is a critical aspect of the hiring and oversight of physicians and others providing care.  As important as these requirements are, health care providers and organizations participating in these activities need to remember that the physicians who are subjected to these requirements also enjoy confidentiality, due process and other legal protections, which can create significant liability when violated.  Consequently, health care organizations, physicians and members of management, and other staff and participants should use care to follow the proper procedures to ensure that physician rights to confidentiality, due process and other protections are honored as these activities are conducted.

Using care when discussing these concerns is equally important for a physician or other health care provider who is the subject of an investigation, credentialing, peer review, quality assurance or other activity.  While a physician whose personal or professional conduct or credentials are questioned understandably feels a strong urge to defend him or herself through a campaign of communication or other actions, physicians on the receiving end also need to follow the process and restrict their discussions.

Cynthia Marcotte Stamer, for additional information or representation.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Board Certified in Labor & Employment Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters.

Throughout her career, Ms. Stamer has advised and represented health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to health care, human resources, tax, privacy, safety, antitrust, civil rights, and other laws as well as with internal investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.


[1] WHD’s announcement of the planned rule notes that this draft shared December 15 remains subject to change before formally published in the Federal Register


Follow

Get every new post delivered to your Inbox.

Join 751 other followers

%d bloggers like this: