Health Law

If HHS or another regulator knocked on your door today – would you “pass” the audit?

On April 29, 2015, HHS (Dept. of Health and Human Services), OIG (Office of the Inspector General), HCS (Healthcare Compliance Association) and AHLA (American Health Lawyers Association) along with other industry leaders released a first of its kind joint collaboration education resource entitled “Practical Guidance for Healthcare Boards on Compliance Oversight” providing helpful tools for identifying risks, preparing for audits and responding to incidents. The document provides diverse tools and insights to governing boards, compliance officials and those reporting to them. Recognizing there is no uniform approach to compliance – no “one size fits all” approach, this multi-faceted guidance document will be a valuable resource for organizations both large and small to evaluate the scope and adequacy of their compliance programs.

In addition to asking the right questions of the right people to evaluate the risks posed to an organization, having an incident response plan before it’s needed is one of the best ways to ensure an organization can effectively respond to and recover from a security incident. Working with qualified legal and other professionals with strong compliance experience is one of the best ways to avoid problems.

This guidance emphasizes the importance of organization-wide accountability and offers decision makers a variety of tools to evaluate the effectiveness of policies and procedures within their organizations. The guidance – I believe correctly – concludes that asking the right questions is critical to staying ahead of problems.

The DOJ (Dept. of Justice) has also just released its guidance document entitled “Best Practices for Victim Response and Reporting of Cyber Incidents” providing practical advice for fending off and responding to cyber attacks. Offering guidance on what businesses should do before, during or after a cyber attack, DOJ outlines what’s expected in the event of a security incident, including the preservation of evidence and cooperation with their investigations.

As more and more healthcare and other entities are affected by illegal intrusions, these guidance documents offer practical advice for protecting against the ever present risk of cyber attack. An organization’s risk analysis (or lack of one) is a primary area of focus for regulators – knowing insufficient analysis to be the single, biggest culprit behind many known breaches. The absolute worst time to develop a breach response plan is after an attack – having the right people, processes and resources in place before it’s needed puts every organization in the best position to respond and successfully recover from a security breach.

With more than a decade of experience helping companies prepare for and respond to regulatory audits and security incidents, we welcome your inquires on how we can help.

TODAY’S BIGGEST CHALLENGES

As recent news once again shows – no organization is safe from intrusion and healthcare has been a particular favorite for hackers. Huge amounts of personal, financial, health and other information was harvested in the Anthem breach with as many as 80 million personal and health records illegally harvested – and all without detection. As changes in federal and state healthcare legislation and new technologies abound, so does the threat of illegal intrusion and theft of vast repositories of personal patient information.

Not that long ago, medical records were stored in large, paper files typically free from intrusion unless thieves gained access to a medical provider’s facility. Not so today, as doctors and patients have many more ways of using and sharing information, including online patient portals (VPNs), large networked healthcare exchanges, digital medical records (e-PHI), meaningful use records (EMR) and cloud (Saas) technologies. Many of the newer technologies have been driven by Affordable Care Act (ACA) mandates and other regulatory directives to improve patient care and outcome.

Did you know?

1. Patient and consumer data are top targets for hackers.

Patient data is a valuable source of information for hackers – allowing quick sales of large pools of medical, personal and financial data to the highest bidder on the black market.

In the post-Target breach days consumers learned the lesson of judiciously reviewing credit card statements and credit reports to detect improper use of their credit. The same advice is prudent for consumers to periodically review their insurance billing statements and medical records for potential misuse. Credit cards often limit exposure to $50 or less, but identity theft is costly to fix and often takes years to correct. “Medical identity theft” the latest entrant – poses not only a significant financial risk to carriers and consumers, but more importantly can pose huge medical risks to patients in need of care. Imagine someone’s “medical identity – name, address, policy no., etc.” is stolen and someone posing as the patient receives medical care – unless quickly caught (and it often takes many months for it to be detected, if at all) this treatment and diagnosis becomes a part of the insured’s medical record posing potentially serious consequences to a patient.

2. Fraud and abuse has significant consequences on the quality and cost of care.

Fraudsters use patient medical identity to gain medical services, procure drugs, defraud insurers and benefit programs, as well as posing potentially life threatening outcomes for patients whose identity was stolen. The Medical Identity Fraud Alliance estimated the cost of medical identity theft at $20 billion last year (excluding the Anthem breach, which is largely conjecture at this time) and costs are expected to significantly rise. This figure doesn’t include physician fraud for improper billing practices under Medicare, Medicaid, False Claims Act or similar laws.

3. More HIPAA-related enforcement actions (with increased fines) are anticipated.

Federal and state agencies responsible for regulating healthcare from Health and Human Services (HHS) to Office for Civil Rights (OCR) Department of Justice (DOJ) and Federal Trade Commission (FTC) have announced aggressive audit plans to ensure patient data safety and limit fraud and abuse. And compliance audits won’t be limited to just “Covered Entities” – those with direct access to patients and patient data (hospitals, doctors and other direct providers), but also extend to “Business Associates” those with access to patient records, who provide services to Covered Entities. HIPAA-regulated entities not in compliance with the final omnibus rules implemented under the Privacy and Security Rules of the Health Insurance Portability Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) will be faced with higher fines and sanctions for non-compliance.

Since HIPAA’s enactment in 1996, Covered Entities (direct providers) face rigorous requirements for protecting patient information (PHI, PII, ePHI, EMR) and must have appropriate security practices to protect patient data. There are multiple layers of security protocols, including technical, physical, administrative controls, as well as general organizational requirements designed to protect patient data. Since the implementation of the final omnibus rules, HIPAA compliance now extends governmental oversight and liability to all sorts of other individuals, businesses and vendors engaged by Covered Entities as their “Business Associates”. Appropriate privacy and security standards must be in place and enforced to limit the ever present risk of cyber attack.

4. More private litigation by patients is likely.

Although the HIPAA statute itself does not give patients the right to sue for violations, last year the Connecticut Supreme Court in Byrne v. Avery (as well as courts in several other states) ruled that HIPAA’s lack of a private right of action does not necessarily prevent an individual from bringing an action under state law. While the contractual provisions of most data security agreements between CEs and BAs (Business Associate Agreements) typically contain language limiting the rights of persons who can assert rights directly against them – the end result of recent court decisions seems to be opening the door for individuals affected by breach to pursue remedies against Covered Entities and Business Associates directly.

5. ACA, Final Omnibus Rules and HIPAA Privacy and Security standards impact more than just healthcare providers.

Whether working within the healthcare community or another field entirely, every business must carefully evaluate the risks poses by a breach of its data – whether from outside threats (hackers), inside threats (employee human error) or risks posed by access to sensitive data arising from services by Business Associates (third party vendors). Under the final omnibus rules, many vendors and their subcontractors fall under the definition of “Business Associate” requiring the same rigorous compliance with HIPAA Privacy and Security standards required of direct healthcare providers. Knowing the rules and incorporating best practices to ensure data is secure must be a top priority for the healthcare industry and any downstream providers falling under the definition of Business Associate.

It’s incumbent on any individual or business having access to patient data (or any personal consumer data) to implement appropriate security practices and to investigate the practices of their subcontractors. All it takes is one mishap to be in the same position as Anthem and other healthcare providers who found themselves on the wrong side of this issue. In addition to conducting annual risk and compliance assessments, any individual or entity falling within the scope to the HIPAA/HITECH requirements should consider including or expanding cyber security coverage sufficient to protect against this increasing risk exposure – with many experts estimating the cost at $200/record for each record actually or potentially exposed to breach.

The healthcare industry and their downstream vendors can avoid trouble by:

1. Periodically assessing and addressing potential security risks;
2. Adequately training employees to understand the risks posed by the use of technology;
3. Adopting appropriate privacy and security practices;
4. Developing a Data Security Incident Response Plans with a team qualified to quickly respond if the worst should happen;
5. Adequately evaluating the risks and adding appropriate coverage for data security compromise/breach response costs; (or be prepared to self-insure);
6. Reviewing/updating all data security contracts to ensure they meet the new legal requirements;
7. Vetting all technologies and vendors to make sure they measure up; and
8. Appointing a qualified HIPAA Compliance Officer to ensure the required standards are met.

If you’re thinking you’re too small to be noticed, you’re not. There’s an abundance of reliable information available showing the true cost to those not in compliance or suffering a breach. The reputational harm posed by a breach or potential security incident can have devastating consequences for the ill-prepared. Our firm regularly provides compliance counseling, HIPAA assessments and training to help our clients avoid trouble. Having represented a number of companies hacked by off-shore organized crime, I can tell you a data breach, even a suspected data breach, is something you want to avoid. And all it takes is some careful analysis and planning.

We invite inquires on how we can assist with evaluating your needs in this critical area.