
Avoiding HIPAA Violations


HIPAA celebrated its 25th birthday in August 2021. Given the current climate of increased cyberattacks and regulatory scrutiny, compliance is more important than ever. This webinar focuses on risk mitigation in relation to having adequate technical, administrative, and physical safeguards, as well as ensuring that the Privacy Rule’s obligations are met. The goal is to utilize recent civil and criminal enforcement actions to set the stage for utilizing NIST and other standards to avoid violations of HIPAA and the related laws – the HITECH Act, 21st Century Cures Act, and 42 CFR Part 2.

Transcript

- Hello, and welcome to today's presentation, "Avoiding HIPAA Violations." My name is Rachel Rose and I'm an attorney in Houston, Texas where I've had my own law firm for over a decade. My practice primarily focuses on transactional compliance and litigation related to healthcare, cybersecurity, securities laws, the False Claims Act, and Dodd-Frank. I'm also fortunate to teach bioethics at Baylor College of Medicine, something that I have done for nine years. Today I am presenting for Quimbee. And we're delighted to have you. No presentation is complete without a disclaimer. And the information presented here today is not meant to constitute legal advice. Consult an attorney for advice on a particular situation. Additionally, HIPAA, cybersecurity, and healthcare are all very dynamic areas of the law. And the information presented is current as of the date of the original recording. Given the dynamic nature of the topic, participants are encouraged to check the relevant government websites as well as case law for the most recent information. So let's begin. I always like to begin presentations with notable news. From there I'll delve into cybersecurity terms and trends. Then I'll take you on a tour of HIPAA, the HITECH Act, and other relevant and related laws and rules. A new NIST publication was published related to telehealth and that's something which is of interest to a lot of covered entities as well as their business associates and subcontractors. Additionally, I will give a hint of how to avoid HIPAA violations. And I'm gonna do that by delving into instances where the Office for Civil Rights has penalized people where there have been breaches and also the illicit use of protected health information. From there, I'll delve back into the compliance side and I'll wrap up. So what are some noteworthy news items that relate to HIPAA? Well, first and foremost, ONC released Information Blocking by the Numbers on its website. 
And information blocking is a component that relates back to the 21st Century Cures Act of 2016. In May of 2020, there were two final rules released. One was released by CMS and then the other one was released by ONC. Now the final rule that was released by ONC is the one that really delved into information blocking. And fundamentally information blocking can be analogized in some ways to HIPAA's privacy law whereby you have a requirement, if you are a covered entity, to provide a person with their designated health record set or medical records within a prescribed period of time. And the prescribed period of time under federal law is 30 days. However, it can be extended to 60 days. What is very notable is that states often have a shorter time period in order to get a patient their medical records. Not only a patient, but an authorized patient's representative, which could be a guardian, it could be a parent in certain circumstances, if the person is a minor, or it could be someone with a durable medical power of attorney and someone who is released on the HIPAA authorization sheet. So those are all things to bear in mind. The intersection, from my perspective, between, really, the Privacy Rule, the Security Rule, and the component of information blocking is that A, it is related to getting the patients their information, as I just said. B, it says that the information needs to be provided to the patient in the manner that the patient requests. And because we've come a long way since 2005 in terms of technology, including apps on our smartphones, that is one way. The important notion for attorneys, who often are business associates, and for business associates, subcontractors, and covered entities in particular to appreciate is that there are exceptions to information blocking whereby a person may say, you know what? We will get you your medical records, but we're not gonna send it to your TikTok account publicly. 
And those are all written exceptions in the Information Blocking Final Rule. So that's something to be very, very conscious of. Now just as there are reports that are generated for HIPAA enforcement, there's also a report that is required to be submitted and ONC did in fact publish their report. And this is what it says. So since April 5th of 2021, there have been 299 total number of submissions received indicating possible information blocking violations. Of that, 274 is the total number of possible claims involving information blocking, 25 the total number of submissions received that did not appear to be claims for information blocking. Now the majority of submissions came from patients, followed by attorneys, and then healthcare providers. So again, it's not surprising that a patient might look at this, but if you are the covered entity or the business associate who is getting the patients their information that they're requesting, you need to have a plan B ready, it needs to be written out in your policies and procedures, and you need to have a form letter ready so that you can send that to the patient or the patient's representative in the event that one of the exceptions to information blocking applies, such as where sending it to an app that's unknown or not verified, or openly into TikTok, can actually constitute a privacy violation or a security violation, meaning that it puts potentially another IT infrastructure at risk or it could be a conduit for malware to come in, for example, and thereby everyone's records would be compromised. So again, just make sure that you have your plan B written in both your policies and procedures and have a letter ready to send out in the event that you cannot send information to the patient in the format that they requested. A couple of other notable items. Cybersecurity remains the single most pressing issue facing healthcare organizations. 
This absolutely is not surprising, because of the street value of protected health information and how much more aggressive cybercriminals have become in order to extract money more quickly. Unfortunately they're focusing on the patient care aspect of things. And if you think about it, if an electronic health record goes down and a person's information cannot be pulled right away, say during a change of shift or someone doesn't know when a last dose of a medication has occurred or how long a woman's been in labor or what a drug-drug reaction might be, that is something that could potentially render an adverse patient outcome, including death. A great resource for individuals and entities alike are the cyber alerts that are often published by the FBI, CISA, and DHS cybersecurity. And there's a really good one from October 28th of 2020. And this advisory was updated to include information on Conti, TrickBot, and BazarLoader, which are all ransomware gangs or criminals, so to speak, including new IOCs and YARA rules for detection. Now the Strengthening American Cybersecurity Act of 2022 did pass the Senate and it was notable for healthcare, but what's important subsequent to this is that the spending bill actually passed the House and the Senate and was signed by the president this spring. There was a provision for cybersecurity, which was very similar to the provision set forth in the Strengthening American Cybersecurity Act. So you have to look for the follow-up regulations promulgated by the Department of Homeland Security and other government agencies. So I just mentioned that some of the most notable cybercriminals have upped their end game and become more aggressive. And one instance, and it's very unfortunate, was when a hospital in Alabama was hit by hackers, a baby was in distress and ultimately died. So the hospital was under a ransomware attack, which disabled computers on every floor for nearly eight days. 
The ransomware attack diverted the hospital staff's attention away from normally closely tracked heart rate monitors. And this is important because while a lot of the more seasoned healthcare providers, whether they're physicians or nurses or other ancillary care providers may have been trained on paper records or had a period where it was both paper and electronic health record, a lot of today's newer healthcare providers were only trained on EHR. This means that if you are any type of healthcare provider, but especially a hospital, you need to make sure that your staff are trained and they do drills related to business continuity and disaster recovery. And part of that is making sure that there is a system in place to go old school where you have fax machines, where you have items that can be scanned and uploaded into a patient record later, that you have a plan B after something's faxed for it to be put into a safe space where only a few people can access that before items can be uploaded into a patient's medical record once something is restored. It also means you wanna have what's known as a segregated IT infrastructure. So there aren't as many opportunities for back doors and all of those types of items. So again, the disaster recovery and business continuity plans are actually required under the HIPAA Security Rule. And it's a matter of training the staff to make sure that they know exactly what to do and how to maintain their focus on patient care as well as implementing the old school type system. So in this instance, the attending physician texted the nurse manager that she would have delivered the baby via C-section had she seen the monitor readout. I need you to help me understand why I was not notified that the fetus was in distress. The baby was delivered with the umbilical cord wrapped around its neck and died nine months later due to severe brain injuries from the lack of oxygen. 
Although the hospital denies any wrongdoing, if it is proven in court, it would be the first death linked to a ransomware attack. So what are some terms and trends that people should be aware of? Well, I mentioned ransomware, which is, in essence, a type of malware deployed by cybercriminals that just as the old school definition of ransom indicates, it is something that is taken and held hostage in exchange for payment. So here that something is data. It's not a human being. The area that continues to emerge is ransomware as a service, also known as capital R, small A, small A, capital S. What they did, this is kind of crafty, for those of you who are familiar with cloud computing, there are three major types of cloud computing. There is software as a service, there's infrastructure as a service, and there is platform as a service. And here the adoption of a software as a service model, which is subscription-based, enables affiliates to use already developed ransomware tools to execute ransomware attacks. It basically pays a portion of the recovered ransom to the RaaS provider or the RaaS developer. And Conti, that entity I mentioned at the beginning, pays developers a flat wage. So really what they're able to do is use what I would call like an Avon or a Mary Kay model whereby you have the one entity and they deploy all of these sales people, but they're ransomware criminals. So as the US Department of Health and Human Services relayed in its June 2021 report, the top five ransomware actors providing RaaS impacting the global healthcare sector are one, Conti Ransomware as a Service Operators, two, Avaddon Ransomware as a Service Operators, three, REvil Operators, four, Mespinoza/Pysa RaaS Operators, and then just the general category of RaaS operators. This love list is also one that you'll see on other government agency websites as well as INTERPOL's website. So the National Institute of Standards and Technology is also known as NIST. 
It was initially founded in 1901 and now falls under the umbrella of the US Department of Commerce. NIST is one of the nation's oldest physical science laboratories. And there are currently six research laboratories, including the Information Technology Laboratory. Now Congress established the agency to remove a major challenge to US industrial competitiveness at the time, but from World War II onward, it really has been focused on more of the computer side of the equation and technology as a whole. And today NIST measurements support the largest of technologies and creations down to the smallest item of nanoscale that we can imagine. A couple of other notable items. First, NIST is required to be adhered to by all government agencies. Second, oftentimes you'll see NIST either recommended in laws or cited as being required, for example, in the Federal Acquisition Regulations, which makes sense if you think about it, because if the government agencies have to meet these standards, then requiring the government contractors to meet these standards who are interacting and interfacing with the US Government systems only makes practical sense. And last, NIST often works in concert with both public and private actors to come up with a lot of joint types of input in order to make the publications more applicable. Now FIPS, it actually also has a correlation to NIST and those are called the Federal Information Processing Standards. Typically these are technology standards for use within nonmilitary government agencies and by government contractors and vendors who work with the agencies. But again, oftentimes you'll see FIPS and NIST referenced in regulations and guidance and laws, and it is a best practice and a gold standard to use NIST and FIPS. So as I indicated, NIST and FIPS publications, they actually developed them for use, not only by the government, but by the private sector too. 
And NIST does work closely with a myriad of government, industry, academia, and other organizations during the FIPS process. And they also do something similar for the NIST process as well. So this framework is something that I really like, because it's practical and it's easy to understand. You wanna start any cybersecurity program and have it as your focus to identify, protect, detect, respond, and recover. Stated another way, I always break it down into three categories, and that is protection, which goes into identification, detection, again identification, and correction, because when you respond and recover, you are then going about a corrective point in your process. So it's not only the immediate issue that you're responding to, but it's also the debrief on what could've been done differently, what systems need to be changed, what policies and procedures need to be changed, is there any reprimand under a tiered sanction policy that needs to be invoked, et cetera? So all of that is part of the correction part. Now I mentioned FAR, the Federal Acquisition Regulations, and basically it governs the acquisition of goods and services by executive branch agencies. Secondly, the Federal Acquisition Regulations System consists of FAR, which is the primary document, and agency acquisition regulations that implement or supplement the FAR. So what does this mean? It means if you are doing business with the State Department, you need to look specifically at FAR regulations related to the State Department. If you're dealing with the Environmental Protection Agency or the FDA, you need to look very specifically at the individual agency regs. In general, FAR has four elements. Satisfy the customer, which is the government, in terms of cost, quality, and timeliness of the delivered product or service. Minimize administrative operating costs. Conduct business with integrity, fairness, and openness, and fulfill public policy objectives. 
Now the Truth in Negotiations Act is also known as TINA and it stems back to December of 1962, so it's really not new, but it mandates that government contractors provide a full disclosure of the costs that are expected to be incurred during the performance of the contract. And here we have July 2nd, 2013, TINA, the False Claims Act suit. We have CyTerra Corporation agrees to pay 1.9 million. And here the liability arose from failing to provide the US Department of the Army with accurate, complete, and current cost or pricing data for its sale of mine detectors. The Justice Department announced that under TINA, CyTerra was required to provide cost or pricing data that was accurate, complete, and current. The government alleged that if the Army had received such information, it would've negotiated a lower price. This applies to cybersecurity, including the procurement of EHRs, electronic health record systems. In October of 2006, a $98.5 million penalty was paid by PeopleSoft, which was subsequently acquired by Oracle, for defective disclosures that were not current, accurate and complete concerning the sale of software licenses and related maintenance services between March of 1997 and September of 2005. So here we have the Federal Risk and Authorization Management Program, known as FedRAMP, established in 2011 to provide a cost effective risk-based approach for the adoption and use of cloud services by the federal government. It empowers agencies to use modern cloud technologies. Again, typically those are SaaS, PaaS, and IaaS, which I mentioned earlier, with an emphasis on security and protection of federal information. FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA, the Federal Information Security Modernization Act, and OMB Circular A-130. It also leverages NIST standards and guidelines and federal agencies as well as assessors. Assessors are often referred to as 3PAO. 
And no, I'm not confusing it with the Star Wars droid. It is 3PAO, and that is the Third Party Assessor Organization. So let's delve into HIPAA and the related rules and laws. So who is under the HIPAA legal umbrella? Well, first and foremost, we have covered entities. And under HIPAA, that means healthcare providers, healthcare plans, and healthcare claims clearinghouses. Covered entities are in privity of contract with business associates. And there is a specific type of agreement called a business associate agreement, which needs to be executed between a covered entity and a business associate when the creation, receipt, maintenance or viewing of electronic protected health information is transpiring. A subcontractor is actually a type of business associate under the definition in the Security Rule. But what's important to note here is that the subcontractor, business associate and covered entity, again, you have to have that BAA in place between the covered entity and the business associate, and then the business associate and its subcontractor. So if you were to think of a line of, a covered entity would be a hospital, a business associate could be an electronic health records vendor, and a subcontractor could be an IT provider which has access to that EHR which contains the protected health information. Just by way of background, protected health information is any past, present or future diagnosis, treatment, or financial statements such as a bill or an explanation of benefits that ties the patient to that provider where they receive treatment from. And that's the easiest way to think of PHI. I'm often asked if addresses are PHI. They are actually a component of PHI, but they're not necessarily sensitive, what's known as sensitive personally identifiable information. So you may be asking or thinking, what is the difference between sensitive personally identifiable information, which is a component of PHI and regular PII, which is also a component of PHI? 
Well, if you think about your address and phone number, think old school Yellow Pages, something that is readily available and has been for a long time. So a person's name, their address and phone number is not considered in most circumstances to be sensitive personally identifiable information. Now sensitive personally identifiable information are items such as a social security number, your health insurance number, your VIN on your car, things of that nature are absolutely, as well as driver's license number, more sensitive personally identifiable information. So of the 18 listed types of PII which often are found in a record containing protected health information, you have both sensitive PII and just personally identifiable information. Now it's important to also look at state laws and the one in Texas known as House Bill 300, which became law in September of 2012 and was subsequently codified in the Texas Health and Safety Code and the Texas Business and Commerce Code, has a variety of differences. But in this instance, the definition in Texas of a covered entity is much broader than federal. And it encompasses anyone who creates, receives, maintains, or transmits protected health information. There's also the Federal Trade Commission, which is a separate government entity, and it also has a breach notification rule, but basically it fills the gap of the federal HIPAA definitions. And anyone who creates, receives, maintains or transmits PHI may have an obligation to customers or consumers, because the Federal Trade Commission is tasked with enforcing civil rights to in fact give notification of a breach. Again, different government agency, different breach notification law. So what about the legislative history as it relates to HIPAA? Well, HIPAA passed in 1996. So it's actually within its 25th year this year. 
In August of 1996, HIPAA passed and had a lot of different items associated with it, including the Kennedy-Kassebaum provision, which implemented COBRA, which you may be familiar with, that enabled a person to have basically gap coverage for a certain period of time of health insurance as they were transitioning jobs, so that they wouldn't lose coverage and then they would not be susceptible to a preexisting condition. They also set forth the need for the Privacy Rule, which was promulgated in August of 2002. And this is what I call the final Privacy Rule, because the initial one was actually published sooner in December of 2000. And it became effective in January of 2001, but again, the final Privacy Rule, which really brought everything together and added onto those initial rules came about in August of 2002. The Security Rule was published in the Federal Register in February of 2003, but it became effective in 2005. A key distinction between the Privacy Rule and the Security Rule is that the Privacy Rule applies to all forms of protected health information and the Security Rule applies only to what's known as electronic protected health information. Normally myself and other people who present call all types of protected health information protected health information unless there is a reason to delineate it as such. And as I began with some of the notable headlines, interestingly, the information blocking regulations use the term electronic health information, which references electronic protected health information. But there you go. If you are looking at something specific as a lawyer, then you need to make sure that you either use the exact vernacular that is stated in the rule, law, or regulation, or you need to have a caveat that all protected health information, whether electronic, verbal, whatever, is herein referred to as PHI, something along those lines. 
The Health Information Technology for Economic and Clinical Health Act actually was passed in February of 2009. It's known as Public Law 111-5. And after that, we had the Breach Notification Rule and then subsequently the proposed regulations related to privacy and security changes. And then in January of 2013, specifically January 25th, 2013, 78 Federal Register 5566, the long awaited omnibus rule was published. Its effective date was March of 2013 and the compliance date for most issues and areas in the omnibus rule was September 23rd, 2013. There were a couple of ones that came into effect after, but every one of those is in effect now. Another important item to note, especially as genetic testing becomes more and more mainstream, is that the Genetic Information Nondiscrimination Act, also known as GINA, is expressly referenced in this omnibus rule. So that's something to look at if you're dealing with genetic information. And then from there in 2015, we have the Cybersecurity Act of 2015. That was important because again we see this coming together of academic, public and private entities and the coming up with different volumes of best practices. Initially for small businesses, but now it's been expanded to all sizes of healthcare organizations and business associates. For a great website, which actually is part of Section 405(d) of the Cybersecurity Act of 2015, go to ONC's website and type in 405d. And they have amazing resources and updates to ensure compliance that is ongoing. In 2016, as I mentioned previously, we had the 21st Century Cures Act of 2016 and the relevance there is in fact those two final rules, which were published in May of 2020. And one came from ONC, again, that's our information blocking focused item, and then the other one came from CMS. So now we also, as we'll see in a couple of slides, have new laws that were published in relation to HIPAA as well as new initiatives. 
And in fact, the Office for Civil Rights just closed their comment period on a request for information or an RFI related to one of the items I'm gonna put up as well as a provision in the HITECH Act, which relates to how to compensate someone for bringing a breach to the attention of OCR. So here we have HR 7898, which was signed into Public Law 116-321 in January of 2021. And basically it addresses the recognition of security practices and amends the HITECH Act by adding Section 13412. It also corrected a technical section. The Public Health Service Act, for those who have been in healthcare through the pandemic, you've probably seen that a lot. And that's something that actually stems back to the 1940s. But the secretary, by secretary they mean the Secretary of HHS, shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that mitigate fines, result in an early audit termination and mitigate remedies. Well, I will give you some inside baseball that when I represent clients in front of OCR and other government agencies, they don't just ask for the previous 12 months. Depending on the type of attack, they oftentimes will go back for several years. So that's something to be conscientious of. The term recognized security practices, I've mentioned all of them already in this presentation. We have the NIST standards. Then we have the 405(d) of the Cybersecurity Act of 2015. Again go to the ONC website for that. Other practices that are consistent with the HIPAA Security Rule. All of those, if you're having a HIPAA assessment done, or you are doing a HIPAA assessment as an external auditor, or if you're doing an internal audit, you absolutely need to make sure that you're using a crosswalk across the different types of laws and standards. So the NIST publications themselves are not laws. They are standards. 
But when they're incorporated into a law, it means that abiding by them or implementing them is in fact required under law. So the Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security as well as the availability of electronic protected health information. So I remember the technical administrative and physical by the acronym TAP. And then it makes sense that security is redundant in my opinion, because it relates to the Security Rule, but it's really the confidentiality, integrity and availability of that electronic protected health information. And I use CIA to remember that. So some examples of the safeguards, administrative safeguards are policies and procedures and training. Technical safeguards are individual user ID and passwords so that a person can be tracked. It is completely unlawful for one username and password to be given to multiple people within an organization. And that cannot be stressed enough. And then a physical safeguard would be, for example, an ID badge that swipes, or having someone at a front desk where visitors are logged in. So what does the CISA say in terms of ransomware guidance? Well, first it is a form of malware designed to encrypt files of a device rendering any files in the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Again, it is the illegal taking of data, holding it hostage in return for payment. But unfortunately cyber-criminals are not honest. Therefore, even if they say they're going to release your data, oftentimes they don't release the data or the data has been altered or not all of the data has been returned. Moreover, the data that's being released back could in fact have another malware that is intertwined in it, and it could be set off down the line, so you could be in fact reinfecting the system. 
So absolutely work with a forensic entity as well as a known and trusted cybertech company. Another item to be conscious of is what we're gonna delve into in terms of what the FBI says about paying ransom in the first place. In your first step, if you're the victim of a ransomware attack, whether it's a DoS or a DDoS attack, DoS just affects a single workstation, whether it's a laptop or a desktop, versus DDoS really infiltrates the whole IT infrastructure. So maintaining offline backups, maintaining regularly updated gold images of critical systems in the event that they need to be rebuilt, and maintaining a comprehensive incident response plan. All of these are absolutely critical to have in your policies and procedures. This is also important and relates to what the FBI is saying about paying ransom. First and foremost the Department of the Treasury's Office of Foreign Assets Control is issuing this advisory to highlight the sanctions risks associated with ransomware payments to malicious cyber-enabled activities. And why is this important? It's important because if you pay somebody, and you may not know it, who is on what I call the do not disturb list, and the list is on the next couple of slides, you actually could be sanctioned yourself for paying a known state actor. So these blocked persons lists, or specially designated nationals lists, include Cuba, the Crimea region of Ukraine, Iran, North Korea and Syria. Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-US person. So having an intermediary, this is very similar to Foreign Corrupt Practices Act type stuff. Going indirect versus going direct still can land a person in the hot seat and OFAC may impose civil penalties for sanctions violations based on just a strict liability. So those are things to be bearing in mind. If you are knowingly paying and you get into scienter, I would be conscious of other criminal laws which may be implicated as well. 
So the OCR and DOJ enforcement actions. This is becoming an emerging area for DOJ enforcement in particular. OCR, the Office for Civil Rights, is basically tasked with ensuring civil rights and also making sure that people's healthcare information is protected and that in the event of a breach or in the event that a person is not given their medical records when they request it within a prescribed period of time, that OCR can take action to enforce those issues. So what are some recent areas to watch? Well, first we have the Privacy Rule violations and specifically OCR initiated its HIPAA Right of Access Program. Next, the Security Rule violations for not having adequate technical, administrative and physical safeguards in place, which result in impermissible disclosures of protected health information. So in March of 2022, there were four HIPAA enforcement actions and two involved not giving patients their medical records after they requested. Now in the first instance, it was a solo dental practitioner who agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule's Right of Access standard. The second one was a psychiatric medical services provider with two locations in California who agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the Right of Access standard. Then we had two impermissible disclosures and Security Rule violations. So again, a dental practice, I think what we're seeing here is a trend that dental practices are in fact under the umbrella of HIPAA as well, who impermissibly disclosed its patients' PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. Agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule. 
Then another dental practice with offices in North Carolina impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. UPI did not respond to OCR's data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings. OCR imposed a $50,000 civil monetary penalty. And the best piece of advice that I can give on this particular incident is if you receive a letter from the government, and HHS, OCR, or CMS, or HHS-OIG, don't ignore it, because it can actually be, in certain instances, very problematic in criminal types of investigations as well. And HIPAA does carry criminal penalties with it, so you really need to make sure that you are advising your clients appropriately in terms of the potential significance of HIPAA and of ignoring what I call OCR love letters. Enforcement actions on the Security Rule: in May of 2021, Peachstate Health Management Company agreed to pay $25,000 and implement a corrective action plan to settle potential violations of the Security Rule. Again, one notable thing here is that it provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. So why are the Department of Justice's Civil Division's priorities important? Well, a couple of items. I realize we're in 2022, but these two areas, which came out in 2021 and which were emphasized by a high-up at DOJ in October of 2021, are very relevant, not only to healthcare, but to HIPAA and the HITECH Act. So first, electronic health records: providers are increasingly relying on electronic records to improve treatment outcomes for patients, and while electronic software is intended to reduce errors and improve the delivery of care, the transition to a digital format has also introduced new opportunities for fraud and abuse. Then we have, notably, both of the last two areas, EHR and telemedicine, which reflect the increasing importance of technology in our healthcare system.
And I mentioned NIST Publication 1800-30, which specifically deals with telehealth. That is one that, if your client or a provider is involved in telehealth, you absolutely want to read and know inside and out. But a good place to start is with the HIPAA Security Rule and just giving your patients general information on how to protect their data when engaging in certain types of information. So basically what this can lead into is a False Claims Act violation. And the False Claims Act stems back to 1863. It's also known as the Lincoln Law. There have been two major statutory amendments, one in 1943 and the other in 1986. We then see more momentum coming down the pike in 2009, when Senators Grassley and Schumer introduced the Fraud Enforcement and Recovery Act of 2009, which was eventually signed into law. Now FERA's amendments to the FCA expand exposure to investigations and claims. It provided the Department of Justice with expanded tools to conduct civil investigations into possible healthcare fraud before an action is commenced, including civil investigative demands. And under FERA, parties are now liable under the FCA when they knowingly receive overpayments or conspire to conceal evidence of an overpayment. This is known as a reverse false claim. And it actually is found at 31 USC 3729(a)(1)(G). The Affordable Care Act, which became law in the spring of 2010, also had some implications for the False Claims Act. First, it focused on the public disclosure bar. And second, it emphasized section 6402 of the ACA: that again, an overpayment is known, and the non-return is known as the 60-day rule. So it's important to note that Medicare Part A, Part B, Part C and Part D all have different regulations associated with their 60-day rules. And in fact, Medicaid has a 60-day rule as well.
The Cisco Systems settlement is important, and this, again, relates to allegations that it sold video surveillance equipment to federal and state government agencies, knowing that the equipment was susceptible to cyberattack. Now as we know, you can have different types of video surveillance or other types of surveillance that are used in healthcare, so you may actually see an intertwining of cybersecurity and healthcare in government procurement contracts. Electronic health record vendors and False Claims Act settlements: there have been three major ones over the past several years, eClinicalWorks, Greenway Health, LLC, and Inform Diagnostics, which totaled more than $275 million in False Claims Act liability. So one settlement for HITECH Act and HIPAA non-compliance was the Coffey Health System case, and that had to do with a hospital attesting on its meaningful use attestation that it had reviewed all of its annual risk analyses, that it identified and corrected the gaps, and that it was compliant with HIPAA. Well, it was found that in fact they hadn't done that, and the significance and the distinguishing feature about Coffey Health System versus the three other settlements, Greenway, eClinicalWorks and Inform Diagnostics, is that those three are specific to EHR companies. Coffey was an actual hospital that was held accountable. So in 2011, CMS established the Medicare and Medicaid EHR Incentive Program. And in what I call the program formerly known as meaningful use, independent certification bodies are used to review and determine if the EHR system submitted by the EHR vendor meets certain requirements. This is analogous to that 3PAO, or that Third Party Assessor, that we saw in the FedRAMP and FAR regulations. So that's just something to be conscientious of. In April of 2018, CMS changed the name of the EHR Incentive Program to the Promoting Interoperability Programs, or PI.
The impact of this change is to move the programs beyond the existing requirements of meaningful use to a new phase of EHR measurement with an increased focus on interoperability and improving patient access to health information. So what about eClinicalWorks? That came about in May of 2017. The DOJ announced a $155 million settlement and the company entered into a corporate integrity agreement, which actually is up now. It would've been up in May of 2022. In its complaint in intervention, the DOJ alleged that eCW's conduct caused the submission of false claims and false statements to the government. So that's why in this case you didn't see the providers who relied on eClinicalWorks' attestations; it was eClinicalWorks that caused the submission. So that's why the case fell out as it did. The government alleged that to ensure the software was certified and customers received incentive payments under the incentive programs, eCW falsely attested that it met certain criteria to the certification body and prepared its software to pass such testing without actually meeting the criteria. So on October 30th, 2019, the DOJ announced a $63.5 million FCA settlement arising from alleged claims that Inform violated the AKS and the Stark Law. Now the allegations stem from Inform allegedly providing referring physicians subsidies for EHR and free or discounted technology services. An important side note on this is that if your clients are engaged in this type of conduct, you need to read the new Stark and Anti-Kickback Statute rules, which have new safe harbors and exceptions in them. Those were published in December of 2020 and became effective on January 19th of 2021. Greenway, again, this is the misrepresentation of its capabilities as well as providing unlawful remuneration to providers. And unlawful remuneration can lead to an Anti-Kickback Statute violation (incidentally, the federal Anti-Kickback Statute turns 50 this year), or it can lead to a Stark Law violation.
The main difference between Stark and the Anti-Kickback Statute is that Stark only applies to Medicare and Medicaid and it is a civil penalty only. It's strict liability. And it is limited to what are known as designated health services. Now the Anti-Kickback Statute is a civil and a criminal statute. So it can be used either civilly or criminally. It applies to all forms of remuneration and is not limited to designated health services. I mentioned the Coffey case. Again, it falsely attested that it conducted and/or reviewed security analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013: submission of false and fraudulent claims under the EHR Incentive Program. And Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records. Now, in this case, in the interest of full disclosure, I was fortunate, along with two other lawyers, to represent Dr. Lawler in this False Claims Act case. It is a case that the United States Government intervened in. It also involved government procurement. It required compliance with HIPAA as well as the Federal Acquisition Regulations and FedRAMP. So in essence, the defendants attested that they were compliant with these NIST requirements and HIPAA and the HITECH Act, and, as the allegations indicate, they were not. Now if you read the DOJ's press release, the defendants made no admission of liability. The case was resolved. So that is how that played out. But this is a burgeoning area and definitely one to watch. Now as I mentioned, HIPAA has a criminal side, but as we know, the DOJ has a criminal side too. And here the Eastern District of Texas indicted several individuals, charging them with a conspiracy to obtain information from a protected computer and then to unlawfully possess and use those identifications for additional remuneration.
Here, the PHI was stolen off the EHR, repackaged in the form of false and fraudulent physician orders, and subsequently sold to DME providers and contractors. The defendants made more than $1.4 million from the sale of the stolen information. One of the individuals pled guilty on December 4th to conspiracy to obtain information from a protected computer and was sentenced to federal prison in July of 2021. So he's still serving his four-year sentence now. The Northern District of Texas is another US Attorney's Office which has homed in on similar conduct. And basically what happened here was that someone who actually worked with the hospital was indicted for the alleged attack on the medical center that involved disrupting phone services, obtaining information from a digitized device, and disrupting network printer services. The indictment further alleged that the cyberattack was conducted in part for financial gain. If you're looking for something really salacious, there is a very disturbing case where a physician actually created ransomware to go in and infiltrate and perpetuate a cyberattack on protected health information and EHRs. I believe he's in Brazil right now, but he's definitely out of the country. And as a criminal law colleague of mine said, there are extradition treaties and different rules, but that can take quite some time. So again, the important side note to my example with the physician who created the ransomware is that just because a person may be located out of the country does not mean that they are immune from prosecution in the United States. The Southern District of California criminal action, again, is a juicy one because it includes not only the taking of unauthorized health information, which is a felony, but also using that, again, that repackaging, to submit the information for pandemic unemployment insurance benefits. But wait, there's more.
On top of that, some of the defendants were also charged with aggravated identity theft, and three of the defendants were charged with conspiracy to distribute illegal drugs, including MDMA, LSD, methamphetamine, cocaine and heroin, with the intent to distribute. So what are some compliance tips for avoiding HIPAA violations? Well, first and foremost, you want to make sure that you have all of your technical, administrative and physical safeguards in place. The top five you really wanna hone in on are encryption of data at rest and in transit, adequate policies and procedures, adequate training, making sure that you have comprehensive business associate agreements in place, and then lastly (I often vary the last one, because there are different ones, but I would say it is) making sure that you undergo an annual risk analysis. So spear phishing campaigns using tailored emails that contain malicious attachments or malicious links are something that should be part of your training as well as your external penetration test. Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware such as TrickBot or Cobalt Strike to assist with lateral movement. Again, that's what I had indicated: having segregated data and segregated networks is actually helpful to diminish lateral movement and later stages of the attack life cycle. Then there are stolen or weak remote desktop protocol credentials; social engineering, which comes in the form of phone calls, that's vishing; fake software promoted via search engines and malware distribution; as well as common vulnerabilities in external assets, so make sure you're updating your computers, your IT infrastructure, your smartphones, your tablets with the required patches. So why do fraudsters and cybercriminals find this data so attractive? It is very lucrative.
Secondly, it is due to the potential of this information being monetized for a wide range of crimes, including the sale, which we saw in our criminal indictment from the Eastern District of Texas in particular. And what if pharmaceutical companies pay kickbacks for access to patient charts and in turn fill out pre-authorizations, identify patients for a particular product the company sells, and/or are involved in or influence the use without patient consent? Well, that's the Warner Chilcott case out of the United States District Attorney's Office in Boston. And there we had criminal indictments under the False Claims Act. We also had HIPAA liability as well, both civil and criminal. How can persons mitigate the risk of a cyberattack and fraud, waste and abuse liability? As I said, those top five things are critical: training, adequate policies and procedures, annual risk analysis, encryption at rest and in transit, and making sure that you're getting reasonable assurances in your agreements with the entities you're doing business with. Cybersecurity is a team effort. Cybercriminals are becoming more sophisticated and also more aggressive. Patient education on selecting certain privacy settings during telehealth communication and appreciating why their medical record cannot be sent to their TikTok account as part of information blocking is also key, and communicating with patients is absolutely fundamental. The DOJ's focus on cybersecurity intertwines with healthcare. Both of those have been identified as top priorities and they are not going away, so stay abreast of alerts from the FBI, CISA, DHS, and other government agencies. So with that, I thank you for your time and attention here today. And I look forward to seeing you on another program.

Presenter(s)

Rachel Rose, JD
Principal
Rachel V. Rose - Attorney at Law, PLLC

Credit information

Jurisdiction | Credits | Available until | Status
Alabama | | | Not Offered
Alaska | 1.0 voluntary | | Pending
Arizona | 1.0 general | | Pending
Arkansas | 1.0 general | | Pending
California | 1.0 general | | Pending
Colorado | 1.0 general | | Pending
Connecticut | 1.0 general | | Pending
Delaware | | | Not Offered
Florida | | | Not Offered
Georgia | 1.0 general | | Unavailable
Guam | 1.0 general | | Pending
Hawaii | | | Pending
Idaho | | | Not Offered
Illinois | 1.5 general | | Pending
Indiana | | | Not Offered
Iowa | | | Not Offered
Kansas | | | Not Offered
Kentucky | | | Not Offered
Louisiana | 1.0 general | | Pending
Maine | 1.0 general | December 31, 2026 at 11:59PM HST | Pending
Minnesota | | | Not Offered
Mississippi | | | Not Offered
Missouri | 1.0 general | | Pending
Montana | | | Not Offered
Nebraska | | | Not Offered
Nevada | 1.0 general | | Unavailable
New Hampshire | 1.0 general | | Pending
New Jersey | 1.3 general | January 16, 2025 at 11:59PM HST | Approved
New Mexico | | | Not Offered
New York | 1.0 areas of professional practice | | Pending
North Carolina | 1.0 general | | Unavailable
North Dakota | 1.0 general | | Pending
Ohio | 1.0 general | | Unavailable
Oklahoma | | | Not Offered
Oregon | 1.0 general | July 14, 2025 at 11:59PM HST | Approved
Pennsylvania | 1.0 general | | Pending
Puerto Rico | | | Not Offered
Rhode Island | | | Not Offered
South Carolina | | | Not Offered
Tennessee | 1.0 general | | Unavailable
Texas | 1.0 general | | Unavailable
Utah | | | Not Offered
Vermont | 1.0 general | | Pending
Virginia | | | Not Offered
Virgin Islands | 1.0 general | | Pending
Washington | 1.0 law & legal | July 14, 2027 at 11:59PM HST | Approved
West Virginia | | | Not Offered
Wisconsin | | | Not Offered
Wyoming | | | Not Offered
                                                                                    • 1.0 general
                                                                                    Available until
                                                                                    Status
                                                                                    Unavailable
                                                                                    Credits
                                                                                      Available until
                                                                                      Status
                                                                                      Not Offered
                                                                                      Credits
                                                                                      • 1.0 general
                                                                                      Available until
                                                                                      Status
                                                                                      Pending
                                                                                      Credits
                                                                                        Available until
                                                                                        Status
                                                                                        Not Offered
                                                                                        Credits
                                                                                        • 1.0 general
                                                                                        Available until
                                                                                        Status
                                                                                        Pending
                                                                                        Credits
                                                                                        • 1.0 law & legal
                                                                                        Available until

                                                                                        July 14, 2027 at 11:59PM HST

                                                                                        Status
                                                                                        Approved
                                                                                        Credits
                                                                                          Available until
                                                                                          Status
                                                                                          Not Offered
                                                                                          Credits
                                                                                            Available until
                                                                                            Status
                                                                                            Not Offered
                                                                                            Credits
                                                                                              Available until
                                                                                              Status
                                                                                              Not Offered

                                                                                              Become a Quimbee CLE presenter

                                                                                              Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                                                                                              Become a Quimbee CLE presenter image