Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an East Coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, and therefore acts as WIH’s business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA compliance program, triggered by the report of the missing tapes, uncovered the outdated BAA. WIH updated its BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are:

  • There is an inference in OCR’s actions that a well-worded BAA, in which the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning the often lengthy and burdensome security questionnaires or audits that business associates are being asked to complete may be unnecessary and not required);
  • Documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA compliance. Here, the fact that the mistake occurred (tapes went missing) is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention was the root cause, and the loss could have occurred even if an updated BAA had been in place and was being followed; and
  • Policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact that its retained forensic consultant found no evidence that the information on the computer system was accessed. The consultant was unable to definitively rule out access after its investigation, however, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says it values its relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, the name of the health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals who had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary created by the presumption that an incident is a reportable breach if you cannot prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established that the system’s security was breached, but it remained unclear whether personal health information was actually accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT security consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Since ransomware gets into your system, ties up your data by denying you access to it (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring the ability to recover data from those backups is crucial to recovering from an attack. Again, HIPAA compliance protects entities, because the Security Rule requires covered entities and business associates to implement a data backup plan as part of an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware, or any malware, is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the Privacy Rule, there is a presumed breach, which may trigger notification. Whether the presence of ransomware is a breach under the HIPAA Rules is thus fact specific. However, unless the entity demonstrates that there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

Regulating Ethics in Telemedicine

Advancing technology is allowing access to healthcare providers, quite literally, at your fingertips. Patients can reach their doctors by telephone, text, FaceTime, email and webcam. They can send vital signs, medical records and pictures of problems (like a nasty cut or a weird rash) to their doctors instantaneously. Likewise, doctors are making quick diagnoses of diabetes, heart attacks, strokes and other life-changing conditions. According to a recent article in The Wall Street Journal, over 15 million Americans received telemedical care in 2015 and those numbers could rise an additional 30% this year.

With all of this medical care being provided via rapidly changing technology, the question arises: “Who is keeping this all in check?”

The American Medical Association met in Chicago on June 13, 2016 at its Annual Meeting and adopted new ethical guidelines which will steer physicians in learning the differences in the delivery of medical care by telemedicine as compared to traditional office or hospital visits. The group, which has more than 230,000 members, determined that while the fundamental ethical responsibilities of a physician providing care via telemedicine do not change, emerging technologies call for further guidance.

Some of the new guidelines include:

Disclosure of potential conflicts of interest

A physician is required to disclose to the patient any financial or other interest in particular telemedicine applications or services.

Privacy protections

Telemedicine applications and/or services must have appropriate safeguards in place for patient privacy and confidentiality. Those safeguards must help prevent unauthorized access to a patient’s account.

Disclosure of the limitations of telemedicine

Physicians should discuss the limitations of providing medical care via telemedicine and encourage patients who have a primary care physician to inform him or her about their telehealth care and to follow up in person when needed.

Recognition of the limitations of technology

Physicians must recognize that all of the relevant information needed to diagnose or treat may not be available through the technology used. For example, a physician conducting an exam via webcam may not be getting a clear picture of the patient’s current condition. The guidelines suggest having another health care professional at the patient’s location conduct an exam or obtaining vital information through other remote technologies.

The AMA’s full report and guidelines will be published and available in the next several months. The new guidelines will become part of the AMA’s Code of Medical Ethics.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all four refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid, the hacker moved on to Plan B: sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets, Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness, have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after the events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to the clinic’s CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, should be in the minds of any healthcare organization as it learns of these events. First: is your own data security protected from such attacks, or are you vulnerable as well? How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second: what will your response be if you receive a post-breach ransom demand? I think every organization should have at least a working framework for analyzing that question before it finds itself the recipient of such a demand.

OCR Provides Further Clarification on Charging Flat Rate for Copies of PHI

The Office of Civil Rights (OCR) at the Department of Health and Human Services recently provided further clarification about the amount that an individual may be charged for a copy of their protected health information (PHI). After releasing guidance earlier this year about individuals’ rights under HIPAA to access and obtain a copy of their health information, OCR provided clarification in response to questions it received after releasing the guidance. In a new frequently asked question, OCR clarifies that $6.50 is not the maximum amount that can be charged to provide individuals with a copy of their PHI. Rather, OCR states that charging a flat fee of $6.50 is an option available to those covered entities (or a business associate acting on behalf of the covered entity) that do not want to calculate the allowable fees for providing individuals with copies of their PHI as provided by the Privacy Rule.

The Effects of Medicaid Expansion under the ACA: Findings from a Literature Review — The Henry J. Kaiser Family Foundation

Research on the effects of Medicaid expansions under the Affordable Care Act (ACA) can help increase understanding of how the ACA has impacted coverage; access to care, utilization, and health outcomes; and various economic outcomes, including state budgets, the payer mix for hospitals and clinics, and the employment and labor market. These findings also may…

via The Effects of Medicaid Expansion under the ACA: Findings from a Literature Review — The Henry J. Kaiser Family Foundation

CMS Releases Nursing Home Enforcement Information

On June 3, 2016, the Centers for Medicare and Medicaid Services (CMS) posted information about nursing home provider enforcement from 2006 to 2014 as part of the agency’s “ongoing efforts to ensure transparency, consistency of application of enforcement remedies, and data management to track enforcement actions across the nation.” The report includes general information about nursing home enforcement, frequently asked questions about enforcement, and enforcement reports detailing the distribution of federal enforcement remedies from 2006 to 2014.

The CMS enforcement reports provide information about CMS and state survey agency enforcement actions for all Health Inspection and Life Safety Code Standard and Complaint surveys from 2006 to 2014. The reports show the percent of providers with remedies in effect (rather than imposed) and detail civil monetary penalties by region, as well as the frequency of per day and per instance civil monetary penalties in effect. There is additional data on the number of facilities by region with the following enforcement remedies: denial of payment; discretionary and mandatory denial of payment for new admissions; directed in service training; directed plan of correction; termination; state monitoring; temporary management; transfer of residents; and facility closure.

The CMS report also discusses the impact of the recession that began in December 2007 and officially ended in June 2009. The period before the recession showed an increase in survey activities, initiatives, and deficiency citations, while there was a decline in overall survey activities and enforcement actions after the recession began.

HIPAA – Are you ready for an audit?

HIPAA (the Health Insurance Portability and Accountability Act) is well known to all health care providers, as it governs the privacy of patient information, among other things. The basic parameters of the Privacy Rule should be known to all providers who handle protected health information.

The Office of Civil Rights for the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

The Yates Memo: A Wake-Up Call for Individual Executives

What is the Yates memo?

The Yates memo is a memorandum written by Sally Quillian Yates, Deputy Attorney General for the U.S. Dept. of Justice, dated September 9, 2015.

It basically outlines how federal investigations for corporate fraud or misconduct should be conducted and what will be expected from the corporation being investigated. It was not written specifically about health care providers; it is a general memo outlining the investigation of corporate wrongdoing across the board. But it is germane to health care providers.

By far the most scary and daunting item discussed within the Yates memo is the DOJ’s interest in indicting individuals within corporations as well as the corporate entity itself, i.e., the executives…the management. Individual accountability.

The Yates memo outlines six steps to strengthen audits for corporate compliance:

  • To be eligible for any cooperation credit, corporations must provide to the DOJ all relevant facts about individuals involved in corporate misconduct.
  • Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.
  • Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.
  • Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals.
  • Corporate cases should not be resolved without a clear plan to resolve related individual cases before the statute of limitations expires and declinations as to individuals in such cases must be memorialized.
  • Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.

Since its dissemination, a few points have been clarified that were otherwise in question.

About a month after its publication, U.S. Assistant Attorney General Leslie Caldwell emphasized the Yates memo’s requirement that corporations must disclose all relevant facts regarding misconduct to receive cooperation credit. Caldwell went so far as to say that companies must affirmatively seek out relevant facts regarding misconduct.

For example, suppose Hospital X is accused of Medicare fraud, waste, and abuse (FWA) in the amount of $15 million. The Yates memo dictates that management at the hospital proactively investigate the allegations and report its findings to the federal government. The memo mandates that the hospital “show all its cards” and turn itself in prior to making any defense.

The problem here is that FWA is such a subjective determination.

What if a hospital bills Medicare for an implantable cardioverter defibrillator, or ICD, for patients who had coronary bypass surgery or angioplasty within 90 days or a heart attack within 40 days? What if the heart attack was never documented? What if the heart attack was so minor that it lasted under 100 milliseconds?

The Medicare National Coverage Determinations are so esoteric that your average Medicare auditor could very well cite a hospital for billing for an ICD even when the patient’s heart attack lasted under 100 milliseconds.

Yet, according to the Yates memo, the hospital is required to present all relevant facts before any defense. What if the hospital’s billing person is overzealous in detecting mis-billings? The hospital could very well have a legal defense as to why the alleged mis-billing is actually compliant. What about a company’s right to seek counsel and defend itself? The Yates memo may require the company to turn over attorney-client privileged material.

The second point that has been clarified since the Yates memo’s publication came from Yates herself.

Yates remarks that there will be a presumption that the company has access to the information needed to identify culpable individuals, unless it can make an affirmative showing that it does not have access to that information or is legally prohibited from producing it.

Why should this matter? It’s only a memo, right?

Since its publication, the DOJ codified it into the revised U.S. Attorneys’ Manual, including the two clarifying remarks. Since its inception, the heads of companies have been targeted.

A case was brought against David Bostwick, the founder, owner and chief executive officer of Bostwick Laboratories, for allegedly providing incentives to treating physicians in exchange for referrals of patients who would then be subjected to testing.

When the pharmaceutical company Warner Chilcott was investigated for health care fraud, prosecutors also went after W. Carl Reichel, the former president, for his alleged involvement in the company’s kickback scheme.

Prior to the Yates memo, it was uncommon for health care fraud investigations to involve criminal charges or civil resolutions against individual executives. But executives of health care companies accused of fraud, waste, and abuse should be very wary given this apparent new focus of law enforcement.