Updated HIPAA Breach Reporting Tool Launched by HHS

Linda Hunt Mullany, JD, RN, CHPC

July 31, 2017

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . . To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

The HBRT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

The Yates Memo: A Wake-Up Call for Individual Executives

What is the Yates memo?

The Yates memo is a memorandum written by Sally Quillian Yates, Deputy Attorney General for the U.S. Dept. of Justice, dated September 9, 2015.

It basically outlines how federal investigations for corporate fraud or misconduct should be conducted and what will be expected from the corporation being investigated. It was not written specifically about health care providers; it is a general memo outlining the investigations of corporate wrongdoing across the board. But it is germane to health care providers.

By far the most scary and daunting item discussed within the Yates memo is the DOJ’s interest in indicting individuals within corporations as well as the corporate entities themselves, i.e., the executives…the management. Individual accountability.

The Yates Memo outlines 6 steps to strengthen audits for corporate compliance:

  • To be eligible for any cooperation credit, corporations must provide to the DOJ all relevant facts about individuals involved in corporate misconduct.
  • Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.
  • Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.
  • Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals.
  • Corporate cases should not be resolved without a clear plan to resolve related individual cases before the statute of limitations expires and declinations as to individuals in such cases must be memorialized.
  • Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.

Since its dissemination, a few points have been clarified that were otherwise in question.

About a month after its publication, U.S. Assistant Attorney General Leslie Caldwell emphasized the Yates memo’s requirement that corporations must disclose all relevant facts regarding misconduct to receive cooperation credit. Caldwell went so far as to say that companies must affirmatively seek relevant facts regarding misconduct.

For example, Hospital X is accused of Medicare fraud, waste, and abuse (FWA) in the amount of $15 million. The Yates memo dictates that management at the hospital proactively investigate the allegations and report its findings to the federal government. The memo mandates that the hospital “show all its cards” and turn itself in prior to making any defense.

The problem here is that FWA is such a subjective determination.

What if a hospital bills Medicare for an implantable cardioverter defibrillator, or ICD, for patients that had coronary bypass surgery or angioplasty within 90 days or a heart attack within 40 days? What if the heart attack was never documented? What if the heart attack was so minor that it lasted under 100 milliseconds?

The Medicare National Coverage Determinations are so esoteric that your average Medicare auditor could very well cite a hospital for billing for an ICD even when the patient’s heart attack lasted under 100 milliseconds.

Yet, according to the Yates memo, the hospital is required to present all relevant facts before any defense. What if the hospital’s billing person is overzealous in detecting mis-billings? The hospital could very well have a legal defense as to why the alleged mis-billing is actually compliant. What about a company’s right to seek counsel and defend itself? The Yates memo may require the company to turn over attorney-client privilege.

The second point that has been clarified since the Yates memo’s publication came from Yates herself.

Yates remarks that there will be a presumption that the company has access to information identifying culpable individuals unless it can make an affirmative showing that it does not have access to it or is legally prohibited from producing it.

Why should this matter? It’s only a memo, right?

Since its publication, the DOJ codified it into the revised U.S. Attorneys’ Manual, including the two clarifying remarks. Since its inception, the heads of companies have been targeted.

A case was brought against David Bostwick, the founder, owner and chief executive officer of Bostwick Laboratories, for allegedly providing incentives to treating physicians in exchange for referrals of patients who would then be subjected to these tests.

When the pharmaceutical company Warner Chilcott was investigated for health care fraud, prosecutors also went after W. Carl Reichel, the former president, for his alleged involvement in the company’s kickback scheme.

Prior to the Yates memo, it was uncommon for health care fraud investigations to involve criminal charges or civil resolutions against individual executives. But executives of health care companies accused of fraud, waste, and abuse should be very wary given this apparent new focus of law enforcement.