Heavy HIPAA Enforcement Efforts!

By Mathew J. Levy, Esq.

To date, the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”) has resolved 98% of nearly 257,000 Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule complaints. OCR has settled and imposed civil monetary penalties totaling $130,980,482.00. According to the HIPAA Journal, OCR’s enforcement efforts have increased in recent years. In 2020 in particular, OCR settled nineteen cases. This 2020 increase can be attributed to OCR’s 2019 HIPAA Right of Access Enforcement Initiative.

To avoid HIPAA violation(s), “covered entities” and “business associates” should take a proactive approach instead of a reactive one. “Covered entities” such as hospitals, healthcare providers or health plans and “business associates” (those providing services to covered entities involving protected health information or “PHI” disclosure) generally know their HIPAA obligations, but may not be aware of recent trends in HIPAA enforcement and priorities, and how to prepare accordingly. 


OCR’s 2020 report findings and its commitment to enforcement, as discussed in a previous publication, “OCR’s Audit Report Reveals Concerns That Continue To Guide HIPAA Enforcement,” remain relevant, as physicians and private practices (next to hospitals) are among the most common violators of HIPAA privacy regulations.

The top investigated issues in 2020 include: 

  • impermissible uses and disclosures;
  • safeguards including administrative (e.g., conducting risk assessments) and technical (e.g., implementing tools for encryption and decryption); and 
  • access.

The top HIPAA violations resulting in financial penalties arise from impermissible disclosures of PHI, delayed breach notifications, and failure to:

  • perform an organization-wide risk analysis to identify risks to confidentiality, integrity, and availability of PHI;
  • enter into a HIPAA-compliant business associate agreement; and
  • safeguard PHI.

OCR has continuously pursued egregious violations of HIPAA Rules. Most recently, OCR announced resolution of its twentieth investigation in its HIPAA Right of Access Initiative, resulting in an $80,000 settlement and corrective action plan. Specifically, HHS’ investigation found that Children’s Hospital & Medical Center failed to provide the complainant with timely access to PHI, in violation of the HIPAA Right of Access, which requires covered entities to take action on an access request within 30 days of receipt (alternatively, 60 days if an extension applies).


Covered entities: Most striking is a $6.85 million settlement and corrective action plan with Premera Blue Cross, a health insurer, for HIPAA risk analysis and risk management failures and other potential HIPAA violations. The violations impacted 10.4 million patients.

In January 2021, Excellus Health Plan, Inc. entered into a $5.1 million settlement and corrective action plan to settle potential HIPAA violations for a breach that impacted over 9.3 million people. The health insurer attributed the breach to cyber attackers who gained unauthorized access to its information technology system. Ultimately, OCR determined that the insurer failed to conduct an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.

Business associates: At the end of September 2020, OCR announced a $2.3 million settlement with a business associate for a data breach attributed to hacking, which impacted 6 million people.


Just last month, the New York State Bar Association (“NYSBA”) HIPAA 2021 webinar highlighted OCR’s enforcement efforts after OCR’s expressed commitment to increased enforcement following the audit report findings. Notably, NYSBA’s recommendations to stay proactive and avoid penalties include:

(1) conducting an enterprise-wide risk analysis; 

(2) implementing risk management, information system activity, access and audit controls; and

(3) updating internal compliance plans.


Familiarize yourself with the issued guidance and update your Compliance Work Plan accordingly.

In addition, it is always helpful to seek advice from a Health Care Attorney for specific concerns.

Importantly, if you are a provider seeking clarification on how these changes may affect you, you can contact Mathew J. Levy at 516-926-3320 or mlevy@weisszarett.com.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.


Banking in the Cannabis Industry: Update on the SAFE Banking Act

By Mauro Viskovic Esq.

On April 19, 2021, the U.S. House of Representatives passed the Secure and Fair Enforcement (SAFE) Act of 2021, which would greatly expand the financing alternatives available to cannabis-related legitimate businesses and service providers for such businesses. The bill is currently sitting within the Senate’s Committee on Banking, Housing and Urban Affairs awaiting consideration. As of now, it is uncertain whether the bill will remain stalled or if the committee’s chairman, Sen. Sherrod Brown, will move the bill forward.

To date, 47 states, 4 U.S. territories, and the District of Columbia have in varying degrees legalized the manufacturing, distributing and dispensing of cannabis products. Nevertheless, most federally chartered banking institutions are reluctant to provide loans or offer other services to cannabis industry participants in any such states because cannabis transactions remain illegal at the federal level. Under applicable anti-money laundering laws, federal banks are currently obligated to file a Suspicious Activity Report (SAR) when they know, suspect, or have reason to suspect that a transaction involves funds derived from illegal activity.

As a result, businesses participating in the cannabis industry have limited access to traditional banking and financial services, from basic bank account services to business loans and lines of credit.  Without suitable banking and financial services, these businesses have greater difficulty raising capital, obtaining loan facilities, safeguarding their profits, and generally expanding their businesses.  

The goal of the SAFE Act would be to ensure access to financial services for cannabis-related legitimate businesses and service providers by removing some of the attendant legal and regulatory risks. The primary features of the Act include:

  • Providing that “proceeds from a transaction involving activities of a cannabis-related legitimate business or service provider” are not “proceeds from an unlawful activity,” so that processing transactions involving these proceeds will no longer constitute money laundering “solely” because the proceeds derived from cannabis.
  • Prohibiting federal regulators from terminating or limiting depository insurance solely because a financial institution provides services to a cannabis-related legitimate business.
  • Prohibiting federal regulators from taking adverse actions against, or otherwise discouraging, financial institutions from providing services to cannabis-related legitimate businesses.
  • Protecting depository institutions from civil, criminal, or administrative asset forfeiture for providing financial services to cannabis-related legitimate businesses.

Although the SAFE Act has received substantial bi-partisan support, there remain barriers to passage by many Senate members and lobbying groups.  There remains optimism that the bill will pass, especially with vast backing from organizations and businesses such as the American Bankers Association, the American Financial Services Association, and the Credit Union National Association.  

Should you have any questions regarding the SAFE Act and its implications for the cannabis industry, please contact Mauro Viskovic at 516-751-6537 or mviskovic@weisszarett.com.



Commercial Litigation: Enforcing Employee Non-Compete Clauses

By Joshua D. Sussman, Esq.

Your Director of Sales suddenly quits and announces they are joining a direct competitor up the road. The new opportunity is in direct breach of their non-compete agreement, which prohibits them from competing with your company within ten miles of your office for two years after the end of their employment. 

What do you do?

Employers frequently race into court to prevent former employees from violating non-compete clauses or other prohibitions contained within employment agreements, which are generally referred to as restrictive covenants. Although non-compete agreements are disfavored under New York law, and thus difficult to enforce, a court may issue an injunction preventing an employee from violating his or her non-compete clause in certain circumstances. Before commencing litigation, an employer and its attorneys should evaluate whether the clause at issue is enforceable and whether the legal standard for a preliminary injunction can be satisfied in the circumstances.

Courts employ a case-by-case analysis when determining whether to enforce non-compete clauses contained within employment agreements. To be enforced, a non-compete clause must be reasonable in scope (both duration and geographic area), necessary to protect the employer’s legitimate interests, not harmful to the general public, and not unreasonably burdensome to the employee.[i]

A court may find that an employer has a legitimate interest to enforce a non-compete clause to prevent the disclosure of its trade secrets or confidential customer information, if the former employee provided unique or extraordinary services (i.e., professionals, accountants, physicians,[ii] etc.), or in other circumstances where an employer can demonstrate an injunction is necessary to protect its interests.

In contrast, a non-compete clause may be unenforceable if it merely seeks to restrict a former employee’s use of generalized skills and knowledge acquired during their employment or to prevent them from providing services to customers with whom the employer had no relationship, if the employee did not provide unique or extraordinary services, if the restricted geographic territory is unrelated to the employer’s business, or if the restrictions go beyond what is necessary to protect the employer’s legitimate interests. As mentioned in a prior article, although non-compete agreements are not illegal, the New York State Attorney General has entered into settlement agreements with employers that allegedly had misused non-compete agreements with rank-and-file employees who did not have access to trade secrets or confidential information.

If a non-compete clause is deemed too restrictive, the Court may nonetheless choose to partially enforce it to the extent necessary to protect an employer’s legitimate interest if the employer can also demonstrate an absence of overreaching, coercive use of dominant bargaining power, or other anti-competitive misconduct. 

To obtain a preliminary injunction from a court to enforce a non-compete clause, an employer must establish a likelihood of success on the merits, irreparable harm, and that the harm it would suffer if the injunction is not granted is greater than the harm the employee will suffer if the injunction is granted (called ‘balancing the equities in the movant’s favor’). Each factor must be separately established even though the underlying facts are often intertwined. A movant will likely establish a likelihood of success on the merits if it demonstrates the non-compete clause is enforceable and is being breached. To establish irreparable harm, one must show that the injury to be suffered is imminent and either cannot be compensated by a monetary award or would make calculating damages difficult. For example, irreparable harm may be shown if there is a loss of client relationships and customer goodwill or theft, misappropriation, or disclosure of trade secrets.

If it is determined that suit will be commenced, it is critical to move quickly, as an unreasonable delay can be fatal to obtaining an injunction from a court.

The foregoing analysis is based upon our experience and prior court decisions, but it is important to engage in a case-specific analysis when determining whether to file suit, as each situation and agreement is unique. Should you need the assistance of experienced counsel in determining whether your restrictive covenants may be enforceable and whether you could be successful in court, do not hesitate to contact Joshua D. Sussman at (516) 287-8035 or jsussman@weisszarett.com.



[i] These factors differ if the agreed-upon non-compete clause is contained within a post-employment separation agreement or is related to the employee’s acceptance of postemployment benefits, both of which are not discussed here.

[ii] Read our earlier article about the courts’ treatment of non-compete agreements with physicians here.

Mandatory Vaccination for Healthcare Workers Expanded by New Emergency Regulations

By Jessica Woodrow, Esq.

On August 26, 2021, the New York State Department of Health’s Public Health and Health Planning Council in Albany voted to amend the Official Compilation of Codes, Rules and Regulations of the State of New York (NYCRR), significantly expanding the emergency Covid-19 vaccination mandate previously announced by former Governor Andrew Cuomo. Whereas the previous mandate applied only to healthcare workers at general hospitals and long-term care facilities (LTCFs), the amended regulations now require workers in nearly all categories of healthcare facilities in New York State to comply. The stated purpose of the expanded vaccine mandate is to prevent or reduce the transmission of Covid-19 by those “who engage in activities such that if they were infected with COVID-19, they could potentially expose other covered personnel, patients or residents to the disease.”

Under the newly-added NYCRR § 2.61, covered entities must “continuously require personnel to be fully vaccinated against COVID19, with the first dose for current personnel received by September 27, 2021 for general hospitals and nursing homes, and by October 7, 2021 for all other covered entities absent receipt of an [allowed] exemption.” Significantly, the new regulations go on to provide that a covered entity “may terminate personnel who are not fully vaccinated and do not have a valid medical exemption and are unable to otherwise ensure individuals are not engaged in patient/resident care or expose other covered personnel.” Upon request by the Department of Health, all covered entities are required to report and submit documentation confirming the number and percentage of personnel who have been fully vaccinated, the number and percentage of personnel who have received medical exemptions, and the total number of covered personnel. 

In addition to general hospitals and LTCFs, “covered entities” now include: diagnostic and treatment centers, including community health centers, dental clinics, birthing centers, and rehabilitation facilities; certified home health agencies, including long term home health care programs and AIDS home care programs; hospices; and adult care facilities. “Personnel” includes all individuals “employed or affiliated with a covered entity, whether paid or unpaid, including but not limited to employees, members of the medical and nursing staff, contract staff, students, and volunteers.” However, physicians and dentists in private practice are not subject to the mandate, as the New York State Department of Health has primary regulatory jurisdiction only over the health care facilities it licenses.

Shortly after the Council voted, New York State Department of Health Commissioner Howard Zucker issued a Determination on Indoor Masking which states that, pursuant to NYCRR § 2.61, effective August 27, 2021, masks shall be required: in healthcare settings for personnel and all visitors, regardless of vaccination status; in adult care facilities (ACFs) regulated by the Department for personnel and unvaccinated visitors; in P-12 school settings for all teachers, staff, students, and visitors, regardless of vaccination status; in correctional facilities and detention centers for all incarcerated/detained persons and staff when social distancing cannot be maintained, and for all visitors (facilities may impose their own policies for private visitation); in homeless shelters (including overnight emergency shelters, day shelters, and meal service providers) for all clients, visitors, staff and volunteers, regardless of vaccination status; and on public transportation conveyances and at transportation hubs, for all persons regardless of vaccination status. Any applicable restrictions apply to all persons over the age of two who are able to medically tolerate a face covering.

Notably absent from the expanded mandate is the religious exemption, which was deliberately struck before the final vote. Religious exemptions have historically been granted to individuals belonging to religious organizations whose foundational beliefs and practices discourage or reject vaccination. Under NYCRR § 2.61, only a medical exemption is available, and personnel seeking such exemptions must submit supporting documentation. The nature and duration of the medical exemption must be stated, either in the personnel employment medical record or other appropriate record, and must be in accordance with generally accepted medical standards, such as the recommendations of the Advisory Committee on Immunization Practices of the U.S. Department of Health and Human Services.

The Council’s decision follows on the heels of an announcement by United States Supreme Court Justice Amy Coney Barrett on August 12, 2021, denying an emergency request to block Indiana University’s mandatory vaccine policy.  By rejecting the request without referring the application to the full court or asking the university for a response, Justice Coney Barrett appears to have sent a message that the Court is unlikely to revisit, let alone overturn, the landmark ruling in Jacobson v. Massachusetts (197 U.S. 11 (1905)). The Second Circuit has also upheld Jacobson in several cases in Connecticut and New York since the start of the pandemic. Given the courts’ demonstrated reluctance to revisit longstanding public health policy, it is unlikely a challenge to these regulations will succeed, especially since the circumstances here are factually similar to the policy at issue in Jacobson.

Since the new regulations do not include an enforcement provision, covered entities will be expected to self-enforce for the time being. The Department could impose financial penalties, but unlike the P-12 school mask mandate, which includes a $1000 fine per violation, NYCRR § 2.61 contains no penalty provision. It is unclear what consequences may result for covered entities that fail to comply and/or fail to terminate employees who refuse to be vaccinated. Although hospitals appear to be generally in favor of the new regulations, whether employers will actually terminate non-exempt employees who refuse vaccination could boil down to whether the employer will face a severe staff shortage. On the other hand, the latest Higher Education Research and Development (HERDS) survey indicates that a majority of healthcare workers are already vaccinated, with the lowest rates being reported by Dutchess and Wyoming Counties (63%). New York City is at 75% overall. Personnel who chose to be vaccinated before now will not enter into the calculus, so any turnover consequences may be limited. Covered entities may have to wait until after the initial Sept. 27 deadline passes to learn whether the Department intends to assume responsibility for enforcement.

NYCRR § 2.61 must be renewed by the Council every 90 days until emergency-basis renewal is deemed unnecessary or the Department issues a notice for proposed rule-making for permanent adoption.

Jessica Woodrow is an Associate Attorney in the litigation and administrative proceedings practice group, handling matters involving all aspects of civil litigation with a primary practice focus on healthcare law. She can be reached at jwoodrow@weisszarett.com or 516-627-7000.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a New York law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, employment counseling and controversies, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.


New Jersey District Court Declares Cross-Plan Offsetting a Violation of ERISA

By David A. Zarett, Esq.

It has become commonplace for physicians and medical practices to face audits and payment reviews by commercial health insurers and third-party administrators (“TPAs”) under an ERISA plan. If an overpayment is identified, it is not unusual for the carrier or TPA to recoup the funds allegedly owing. One of the tactics used in recovering the alleged overpayments has become known as “cross-plan offsetting.” Simply put, cross-plan offsetting occurs when overpayment amounts allegedly due by a provider as a result of an audit under Plan A, are offset against payments otherwise owing to the provider under (a separate) Plan B. 

Very recently, a federal district court in New Jersey issued a decision, Lutz Surgical Partners PLLC, et al. v. Aetna Inc., et al., Case No. 3:15-cv-02595 (BRM)(TJB) (D.N.J. June 21, 2021), holding that Aetna’s cross-plan offsetting was a violation of several sections of ERISA.

The 52-page decision in Lutz is quite extensive, and addresses a variety of issues, including the proper parties to the lawsuit, standing, waiver and unique ERISA related legal issues, all of which are outside the scope of this Legal Alert. On the distinct issue of the legality of cross-plan offsetting, the Court reasoned that when a TPA serves in a fiduciary/trustee capacity for multiple plans, each plan is considered a separate entity and the TPA’s fiduciary obligations run separately to each. The Court continued that offsetting payments due from Plan A to a provider, in order to recoup alleged overpayments due from the provider to Plan B, violated the separate nature of the fiduciary obligations owing to each plan. Thus, the court ruled that Aetna’s cross-plan offsetting violated Section 406(b)(2) of ERISA, which prohibits plan fiduciaries from acting in “any transaction involving the plan on behalf of a party… whose interests are adverse to the interests of the plan or the interests of its participants or beneficiaries.”  In addition, the court determined that Aetna violated Section 404(a) of ERISA, which provides that ERISA fiduciaries must discharge their duties with respect to a plan “solely in the interest of the participants and beneficiaries and … for the exclusive purpose of… providing benefits to participants and their beneficiaries.”  Indeed, the Court recognized that, “failing to pay a benefit owed to a beneficiary under one plan, in order to recover money for the benefit of another plan [through cross-plan offsetting] may constitute a transfer of money from one plan to another,” all in violation of ERISA. 

While there are several other legal decisions that have touched on this issue, Lutz appears to be the first court decision to squarely hold that cross-plan offsetting violates ERISA. We doubt this will be the last court opinion on the matter.

About the Author: David A. Zarett is a founding member of Weiss Zarett Brofman Sonnenklar & Levy, P.C., and heads up the Firm’s Litigation Department. Mr. Zarett has extensive experience litigating a variety of cases in state and federal courts, which includes disputes with commercial health insurance carriers regarding plan participation and payments. If you have questions about any of these issues, or other legal matters uniquely affecting healthcare providers, please reach out to David A. Zarett, Esq. at dzarett@weisszarett.com or (516) 926-3301.