HHS, OIG, DOJ & OTHER INDUSTRY LEADERS RELEASE COMPLIANCE GUIDANCE

If HHS or another regulator knocked on your door today – would you “pass” the audit?

On April 29, 2015, HHS (Dept. of Health and Human Services), OIG (Office of the Inspector General), HCS (Healthcare Compliance Association) and AHLA (American Health Lawyers Association), along with other industry leaders, released a first-of-its-kind, jointly developed educational resource entitled “Practical Guidance for Healthcare Boards on Compliance Oversight”, providing helpful tools for identifying risks, preparing for audits and responding to incidents. The document offers a range of tools and insights to governing boards, compliance officials and those reporting to them. Recognizing that there is no uniform, “one size fits all” approach to compliance, this multi-faceted guidance document will be a valuable resource for organizations both large and small in evaluating the scope and adequacy of their compliance programs.

In addition to asking the right questions of the right people to evaluate the risks posed to an organization, having an incident response plan before it’s needed is one of the best ways to ensure an organization can effectively respond to and recover from a security incident. Working with qualified legal and other professionals with strong compliance experience is one of the best ways to avoid problems.

This guidance emphasizes the importance of organization-wide accountability and offers decision makers a variety of tools to evaluate the effectiveness of policies and procedures within their organizations. The guidance – I believe correctly – concludes that asking the right questions is critical to staying ahead of problems.

The DOJ (Dept. of Justice) has also just released its guidance document entitled “Best Practices for Victim Response and Reporting of Cyber Incidents”, providing practical advice for fending off and responding to cyber attacks. Offering guidance on what businesses should do before, during and after a cyber attack, DOJ outlines what is expected in the event of a security incident, including the preservation of evidence and cooperation with its investigations.

As more and more healthcare and other entities are affected by illegal intrusions, these guidance documents offer practical advice for protecting against the ever-present risk of cyber attack. An organization’s risk analysis (or lack of one) is a primary area of focus for regulators, who consider insufficient analysis to be the single biggest culprit behind many known breaches. The absolute worst time to develop a breach response plan is after an attack; having the right people, processes and resources in place before they are needed puts every organization in the best position to respond to and successfully recover from a security breach.

With more than a decade of experience helping companies prepare for and respond to regulatory audits and security incidents, we welcome your inquiries on how we can help.

HEALTHCARE DATA SECURITY

TODAY’S BIGGEST CHALLENGES

As recent news once again shows, no organization is safe from intrusion, and healthcare has been a particular favorite of hackers. Huge amounts of personal, financial, health and other information were taken in the Anthem breach, with as many as 80 million personal and health records illegally harvested, all without detection. As changes in federal and state healthcare legislation and new technologies abound, so does the threat of illegal intrusion and theft of vast repositories of personal patient information.


Not that long ago, medical records were stored in large paper files, typically free from intrusion unless thieves gained access to a medical provider’s facility. Not so today, as doctors and patients have many more ways of using and sharing information, including online patient portals (VPNs), large networked healthcare exchanges, digital medical records (e-PHI), meaningful use records (EMR) and cloud (SaaS) technologies. Many of the newer technologies have been driven by Affordable Care Act (ACA) mandates and other regulatory directives to improve patient care and outcomes.

Did you know?

1. Patient and consumer data are top targets for hackers.

Patient data is a valuable source of information for hackers, allowing quick sales of large pools of medical, personal and financial data to the highest bidder on the black market.

In the days after the Target breach, consumers learned the lesson of judiciously reviewing credit card statements and credit reports to detect improper use of their credit. The same advice is prudent for consumers with respect to periodically reviewing their insurance billing statements and medical records for potential misuse. Credit cards often limit exposure to $50 or less, but identity theft is costly to fix and often takes years to correct. “Medical identity theft”, the latest entrant, poses not only a significant financial risk to carriers and consumers but, more importantly, can pose huge medical risks to patients in need of care. Imagine someone’s “medical identity” (name, address, policy no., etc.) is stolen and someone posing as the patient receives medical care. Unless quickly caught (and it often takes many months for it to be detected, if at all), this treatment and diagnosis becomes a part of the insured’s medical record, posing potentially serious consequences for the patient.

2. Fraud and abuse has significant consequences on the quality and cost of care.

Fraudsters use patients’ medical identities to obtain medical services, procure drugs, and defraud insurers and benefit programs, and they create potentially life-threatening outcomes for the patients whose identities were stolen. The Medical Identity Fraud Alliance estimated the cost of medical identity theft at $20 billion last year (excluding the Anthem breach, which is largely conjecture at this time), and costs are expected to rise significantly. This figure does not include physician fraud for improper billing practices under Medicare, Medicaid, the False Claims Act or similar laws.

3. More HIPAA-related enforcement actions (with increased fines) are anticipated.

Federal and state agencies responsible for regulating healthcare, from Health and Human Services (HHS) to the Office for Civil Rights (OCR), the Department of Justice (DOJ) and the Federal Trade Commission (FTC), have announced aggressive audit plans to ensure patient data safety and limit fraud and abuse. Compliance audits won’t be limited to just “Covered Entities” (those with direct access to patients and patient data: hospitals, doctors and other direct providers) but will also extend to “Business Associates”, those with access to patient records who provide services to Covered Entities. HIPAA-regulated entities not in compliance with the final omnibus rules implemented under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) will face higher fines and sanctions for non-compliance.

Since HIPAA’s enactment in 1996, Covered Entities (direct providers) have faced rigorous requirements for protecting patient information (PHI, PII, ePHI, EMR) and must have appropriate security practices in place to protect patient data. There are multiple layers of security protocols, including technical, physical and administrative controls, as well as general organizational requirements designed to protect patient data. Since the implementation of the final omnibus rules, HIPAA compliance now extends governmental oversight and liability to all sorts of other individuals, businesses and vendors engaged by Covered Entities as their “Business Associates”. Appropriate privacy and security standards must be in place and enforced to limit the ever-present risk of cyber attack.

4. More private litigation by patients is likely.

Although the HIPAA statute itself does not give patients the right to sue for violations, last year the Connecticut Supreme Court in Byrne v. Avery (as well as courts in several other states) ruled that HIPAA’s lack of a private right of action does not necessarily prevent an individual from bringing an action under state law. While the contractual provisions of most data security agreements between CEs and BAs (Business Associate Agreements) typically contain language limiting who can assert rights directly against them, the end result of recent court decisions seems to be opening the door for individuals affected by a breach to pursue remedies against Covered Entities and Business Associates directly.

5. ACA, Final Omnibus Rules and HIPAA Privacy and Security standards impact more than just healthcare providers.

Whether working within the healthcare community or in another field entirely, every business must carefully evaluate the risks posed by a breach of its data, whether from outside threats (hackers), inside threats (employee human error) or risks posed by access to sensitive data arising from services provided by Business Associates (third-party vendors). Under the final omnibus rules, many vendors and their subcontractors fall under the definition of “Business Associate”, requiring the same rigorous compliance with HIPAA Privacy and Security standards required of direct healthcare providers. Knowing the rules and incorporating best practices to ensure data is secure must be a top priority for the healthcare industry and any downstream providers falling under the definition of Business Associate.

It’s incumbent on any individual or business having access to patient data (or any personal consumer data) to implement appropriate security practices and to investigate the practices of their subcontractors. All it takes is one mishap to be in the same position as Anthem and other healthcare providers who found themselves on the wrong side of this issue. In addition to conducting annual risk and compliance assessments, any individual or entity falling within the scope of the HIPAA/HITECH requirements should consider adding or expanding cyber security coverage sufficient to protect against this increasing risk exposure, with many experts estimating the cost at $200/record for each record actually or potentially exposed to breach.

The healthcare industry and their downstream vendors can avoid trouble by:

1. Periodically assessing and addressing potential security risks;
2. Adequately training employees to understand the risks posed by the use of technology;
3. Adopting appropriate privacy and security practices;
4. Developing a Data Security Incident Response Plan with a team qualified to respond quickly if the worst should happen;
5. Adequately evaluating the risks and adding appropriate coverage for data security compromise/breach response costs (or being prepared to self-insure);
6. Reviewing/updating all data security contracts to ensure they meet the new legal requirements;
7. Vetting all technologies and vendors to make sure they measure up; and
8. Appointing a qualified HIPAA Compliance Officer to ensure the required standards are met.

If you’re thinking you’re too small to be noticed, you’re not. There’s an abundance of reliable information available showing the true cost to those not in compliance or suffering a breach. The reputational harm posed by a breach or potential security incident can have devastating consequences for the ill-prepared. Our firm regularly provides compliance counseling, HIPAA assessments and training to help our clients avoid trouble. Having represented a number of companies hacked by off-shore organized crime, I can tell you a data breach, even a suspected data breach, is something you want to avoid. And all it takes is some careful analysis and planning.

We invite inquiries on how we can assist with evaluating your needs in this critical area.

Health Law News

HIPAA OMNIBUS COMPLIANCE – COVERED ENTITIES AND BUSINESS ASSOCIATES

Sweeping changes to HIPAA/HITECH (the Health Insurance Portability and Accountability Act “HIPAA” and the Health Information Technology for Economic and Clinical Health Act “HITECH”) came into play September 23, 2013. This long-anticipated final omnibus rule greatly expands the reach of those directly liable under HIPAA. Under the new rules, healthcare providers who are “Covered Entities” (covered healthcare providers, health plans and others defined in the rule) must update their Business Associate Agreements (see item 3 below). “Business Associates” are now directly liable for any breach of protected patient health information (PHI) and must comply with the rule changes concerning sub-contractors and their own obligations to protect PHI.

Entities with compliant Business Associate Agreements in place before the rule change have until September 23, 2014 to update their agreements to bring them in line with the new requirements. Business Associates must also enter into Business Associate Agreements with sub-contractors and should exercise great care in vetting new hires and in verifying compliance by their sub-contractors. Other professionals, such as attorneys and financial advisors working with regulated entities, who are not directly characterized as Covered Entities or Business Associates must exercise care in accessing, using or transmitting any confidential, protected information so as not to expose themselves or their clients to potential violations. Periodic training for those handling PHI, and regular audits of all systems and processes involving PHI, will help minimize any accidental violation of the rules.

In large part, the new omnibus rulemaking was driven by the massive amount of patient health information (PHI) shared by healthcare providers and their vendors through open networks, e-transmissions, digital media, mobile devices and e-health exchanges, which leaves the door open to additional vulnerabilities to PHI during use or transmission.

Key changes to the HIPAA rules include:

  1. Expanding Privacy, Security and Breach Notification Policies and Procedures (with new form and workflow requirements for some providers). Breaches are now presumed reportable unless, after completing the mandated risk analysis (defined by 4 factors), the entity has determined that there is a “low probability of PHI compromise”. The rules do not modify the actual reporting requirements: Covered Entities and Business Associates must still provide individual notifications, HHS notifications and, where applicable, media posting of the breach.
  2. Notices of Privacy Practices (NPPs) must be amended to reflect major changes in the rules concerning breach notification, disclosures to health plans, and the marketing and sale of PHI. Updates to NPP policies should be posted to a healthcare provider’s website and adhere to the other requirements of the privacy rules.
  3. Business Associate Agreements (BAAs). The new rules greatly expand the universe of individuals and entities that will now be treated as “Business Associates”, including health information exchanges, e-gateways, personal health record vendors and others. Covered Entities have until September 23, 2014 to bring all of their existing BAAs into conformance with the new rules. (The September 23, 2013 compliance deadline affected Business Associates not yet under contract as of that date.) Those characterized as “Business Associates” under HIPAA will now be directly liable for any compromise of PHI and must comply with all of the privacy, security and breach policy amendments of the rules or suffer the consequences.

Next Steps: Some of the most sweeping changes to the HIPAA privacy and security rules expand the obligations of Business Associates, making them directly liable for any compromise of PHI. Covered Entities and Business Associates should immediately take steps to ensure that their Business Associate Agreements (including those with sub-contractors) are fully compliant with the new rules. Additional care should be taken to ensure that updates to privacy practices and workflows are actually being carried out. Those covered by the final omnibus rule must conduct periodic audits and training to ensure that all systems, processes and devices accessing, using, transmitting or storing PHI fully comply with the new HIPAA/HITECH standards. With the potential for $1.5 million in fines, not to mention serious damage to a provider’s reputation, these new rules must be taken seriously.

Note: This commentary is not intended to and should not be construed as legal advice and is provided only as a summary of key changes to HIPAA/HITECH.

Last Updated (Tuesday, 18 February 2014 09:14)