Shareholder Stan Thompson Appointed Executive Director of the Iowa Civil Rights Commission

Litigation shareholder Stan Thompson was recently appointed Executive Director of the Iowa Civil Rights Commission by Governor Kim Reynolds.

“Protecting the civil rights of Iowans is one of the most important functions of state government,” said Gov. Reynolds in a recent press release. “Stan’s extensive experience in business litigation, practicing for the past 36 years, coupled with his knowledge in ethics and professional conduct will make him a valued leader for the commission.”

Over the last 36 years, Stan was a preeminent Iowa commercial litigator tackling complex issues. He tried approximately 40 cases to juries across Iowa. Stan’s clients – Iowa banks, businesses, medical practices, and construction companies – depended on his ability to efficiently process often complicated information as he worked toward a solution in their case.

During his time at Dentons Davis Brown, Stan served in several roles, including on the Board of Directors, as Litigation Division Chair, and as a mentor to countless litigators over his three decades of service.

“Stan’s impact on our firm has been immeasurable. We appreciate his contributions as an advocate, colleague, and leader in the legal profession, in Iowa and nationally. We wish him the best and take great pride in his service to the State,” said Dentons Davis Brown President John Pietila.

In addition to his law practice, in 2002 and 2004 Stan ran in two highly competitive US House of Representatives campaigns that gained national recognition.

We appreciate the great service Stan provided to clients and wish him the best as he moves into his role.

HHS Office for Civil Rights Enforcement Update

Right of Access Initiative

The Office for Civil Rights (“OCR”) continues to vigorously enforce an individual’s right to access their medical records. OCR recently announced the nineteenth settlement as part of its Right of Access Initiative.

In 2019 OCR announced that it planned to focus its enforcement efforts on ensuring that patients receive their medical records in a timely manner consistent with the format and fee requirements set forth under the HIPAA Privacy Rule.  Since that time, OCR has entered into nineteen settlements ranging from $5,000 to $200,000, including several settlements involving solo providers, to address entities’ failure to provide patients access to their medical records.  OCR has announced five of those settlements since January, despite the change in administration, which typically results in a pause in settlement cases for at least a few months until the new leadership is brought up to speed.

As part of the most recent settlement, the Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”), a West Virginia-based practice providing treatment for endocrine disorders, agreed to take corrective actions and pay $5,000 after failing to provide a mother access to her minor child’s medical records.  According to OCR, the mother requested the records in July 2019, but DELC did not provide them until May 2021, almost two years after the mother made the initial request and well beyond the 30-day period required under HIPAA.  Similar to other settlements under the Right of Access Initiative, DELC also agreed to a Corrective Action Plan (“CAP”) with a two-year monitoring period that requires it to take the following actions:

  • Review and revise its policies and procedures related to an individual’s access to PHI;
  • Provide annual training and training materials to all workforce members concerning an individual’s access to PHI; and
  • Submit a list of requests for access to PHI received by DELC every ninety days during the term of the CAP.

Based on OCR’s continued focus on enforcement of an individual’s right of access, entities should prioritize responding to access requests in a compliant manner and address any access-related issues that are brought to their attention immediately.

Recent Security Rule Settlements

In addition to the Right of Access Initiative settlements, OCR has entered into two additional settlements to resolve potential violations of the HIPAA Security Rule during the past several months.  In May, OCR announced that Peachstate Health Management, LLC, dba AEON Clinical Laboratories (“Peachstate”), a Georgia lab certified under the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), agreed to pay $25,000 to OCR.  OCR initiated a review of Peachstate’s HIPAA compliance in December 2017 as a result of OCR’s review of Peachstate’s parent company, related to a breach experienced by the parent company.  OCR’s investigation of Peachstate found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and document HIPAA Security Rule policies and procedures.  In addition to paying $25,000 to settle the case, Peachstate agreed to a relatively robust CAP, which included engaging an independent monitor and a three-year monitoring period.

In January, Excellus Health Plan, Inc. (“Excellus”), a health plan based in New York, agreed to pay $5.1 million related to a breach affecting over 9.3 million people. Excellus reported that cyber-attackers gained access to its information systems on or before December 23, 2013, and retained that access until May 11, 2015. OCR’s investigation determined that Excellus failed to conduct an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.

In addition to the HIPAA Security Rule’s risk analysis and risk management implementation specifications, entities continue to struggle with information system activity review.  We recommend ensuring that your organization regularly reviews records of information system activity, such as audit logs and access reports, for any unusual activity that may identify security incidents.

Recognized Security Practices

At the beginning of January 2021, the previous administration signed into law H.R. 7898, which amends the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require HHS to consider covered entities’ and business associates’ implementation of “recognized security practices,” when imposing fines or penalties under the HIPAA Security Rule.

Although HHS has not undertaken a formal rulemaking process, and the statute has not yet been implemented, OCR has begun requesting the following evidence of entities’ implementation of “recognized security practices” as part of ongoing investigations:

  • Policies and procedures related to the implementation of “recognized security practices”;
  • Completed project plans or similar documentation showing the dates of implementation of “recognized security practices”;
  • Documentation explaining how “recognized security practices” are implemented (e.g., the scope of implementation throughout the entity);
  • Names of any individual responsible for ensuring “recognized security practices” are implemented by the entity’s workforce members;
  • Training materials provided to workforce members regarding “recognized security practices” and the dates of such training; and
  • Documentation showing whether the “recognized security practices” were developed under:
    • Section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act;
    • Section 405(d) of the Cybersecurity Act of 2015; and/or
    • Other programs and processes addressing cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.

While it is still unclear what HHS considers “recognized security practices,” it seems likely that implementation of any of the following security standards would arguably satisfy the Act’s documentation requirements: NIST Special Publications Guidance, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients Guidance, and any additional programs that address specific legal requirements.

Article By

Abby E. Bonjean

Polsinelli PC

‘Trust Me’ Kamala Harris Makes Big Play on Criminal Justice Reform

In an interview, Ms. Harris sought to paint her prosecutorial career as a reason voters should rely on her to deliver a criminal justice overhaul. But her critics say she has been part of the problem.

Senator Kamala Harris of California released a sweeping proposal on Monday to overhaul the criminal justice system, vowing to end mass incarceration and revamp police practices through a progressive wish list of policies, including some ideas Ms. Harris previously rejected during her years as a district attorney and state attorney general.

For months, Democratic presidential candidates have courted liberal activists with wide-ranging criminal justice plans, but Ms. Harris’s plan carries special significance. She has long cast herself as a “progressive prosecutor,” but some criminal justice experts and activists have balked at that characterization, saying she operated with the same “tough on crime” instincts that helped create the criminal justice problems she now seeks to solve.

The plan, perhaps the most ambitious effort of Ms. Harris’s campaign so far, focuses on reducing the prison population, creating national standards in policing, ensuring humane treatment for incarcerated people and prioritizing historically vulnerable communities. It also embraces ideas that have gone from the policy fringe to largely consensus positions popular among Democrats, including ending mandatory minimum sentences, eliminating private prisons, legalizing marijuana and incentivizing states to untether themselves from a cash bail system that disproportionately burdens the poor.

Astead W. Herndon is a national political reporter based in New York. He was previously a Washington-based political reporter and a City Hall reporter for The Boston Globe. @AsteadWesley
A version of this article appears in print on , Section A, Page 16 of the New York edition with the headline: Harris Says ‘Trust Me’ on Need for Criminal Justice Reform.