Government Does a 180 on Password Protocols


It seems apparent that the United States government is FINALLY ready to recognize that easier/simpler is better, and in fact act on it.

While cyber breaches are becoming everyday news and no longer raise eyebrows, it is understandable that one of the key vulnerabilities enabling anyone to access anyone else’s data is the ease with which passwords can be guessed or stolen.

The problem is that the average person has numerous places in which they store passwords, and the current protocol of 6-8 characters with at least one capital letter and at least one special character makes it a challenge to memorize the many different passwords a person has. Conversely, if they keep one password, a breach of one account gives access to all of the accounts. The current system, in which government and corporate websites require changing passwords at regular intervals (e.g. 30 or 60 days), only compounds the problem. As such, the user is faced with a dilemma: how does one remember all of these passwords, which are nonsensical, ever-changing, and usually significant in number?

The National Institute of Standards and Technology (NIST) is an agency of the Department of Commerce. The federal government is supposed to follow NIST’s directives, HHS directs Covered Entities and Business Associates to draw guidance from NIST, and NIST’s directives generally trickle down to corporate America and thereby to individual users. NIST is now developing a major overhaul to the rationale behind – and the resultant protocols for – passwords.

NIST seems to be working from the basic premises that most people make sure others are not looking over their shoulder when they enter their passwords, and that the current system of random passwords with uppercase and lowercase letters and special characters, confined to 6-8 characters, is burdensome to computer users and as such may force people to write their passwords down somewhere. In addition, the small number of characters allows computer programs to run through lists (dictionaries) of previously broken and common passwords, as well as software that can run through every permutation a small 6-8 character password can contain.

To answer these issues and the resulting vulnerabilities of general computer security, NIST is effectively in the final stages of developing dramatically new protocols which include:

  • Minimum password size of 8 characters, maximum of at least 64 characters.
    • With a strong recommendation that all passwords have a minimum of 15 characters, in an easy-to-enter, easy-to-remember phrase.
  • Spaces may be used in passwords.
  • All ASCII characters may be used in a password.
  • All Unicode characters should (not must) be accepted for passwords, including emojis.
  • Password hints and prompts shall not be used.
    • Note: Using a password hint makes it too easy for an attacker to find the answer to a hint through social media etc.
  • 2-factor authentication via SMS (texts to your cell phone to authenticate) is being deprecated, and may be recommended against! This is huge, as SMS may be intercepted or compromised via smartphone malware and other tactics.
    • Secondary authentication with a minimum PIN size of 8 characters or 6 random digits.
    • It is most likely that biometrics will become the new standard for 2-factor authentication (see next).
  • Biometrics shall be bound to a specific device that uses approved encryption, with a hard limit of 10 consecutive failed attempts.
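To make the shift concrete, here is an added Python example (not from the original post or from NIST) that puts the old 6-8 character composition rule side by side with a checker following the list above: length measured in Unicode code points, spaces and emoji accepted, no composition rules, and rejection only for known-breached values. The breached-password set is a constructed stand-in for a real breach corpus, and 64 is the maximum this policy chooses to accept.

```python
import unicodedata

# Constructed sample of "previously broken and common" passwords (a stand-in for the
# breach dictionaries the post mentions; a real check loads a corpus of millions).
BREACHED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "welcome1", "iloveyou"}

MIN_LEN = 8   # NIST minimum
MAX_LEN = 64  # NIST says the maximum must be *at least* 64; this policy accepts exactly 64


def legacy_policy(secret: str) -> tuple[bool, str]:
    """The 6-8 character composition rule the post describes: at least one uppercase
    letter and at least one special character. Returns (accepted, reason)."""
    n = len(secret)
    if not 6 <= n <= 8:
        return False, f"length {n} not in 6-8"
    if not any(c.isupper() for c in secret):
        return False, "no uppercase letter"
    if not any(not c.isalnum() for c in secret):
        return False, "no special character"
    return True, "accepted"  # never consults a breach list, so 'P@ssw0rd' passes


def nist_policy(secret: str) -> tuple[bool, str]:
    """The NIST direction listed above: 8-64 characters, spaces/ASCII/Unicode accepted,
    no composition rules, rejected only when known-breached. Returns (accepted, reason)."""
    s = unicodedata.normalize("NFKC", secret)  # same visible text compares equal
    n = len(s)  # counted in code points, so one emoji or accented letter counts once
    if n < MIN_LEN:
        return False, f"length {n} below minimum {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"length {n} above maximum {MAX_LEN}"
    if s.casefold() in BREACHED:  # case-insensitive lookup catches 'Password' too
        return False, "appears in breached/common password list"
    return True, "accepted"


def compare(secret: str) -> dict:
    """Evaluate one candidate under both policies."""
    return {"secret": secret, "legacy": legacy_policy(secret), "nist": nist_policy(secret)}


if __name__ == "__main__":
    # Constructed candidates: a "compliant" 8-character password that is in every breach
    # list, a spaced passphrase with an emoji, a too-short value, and an over-long one.
    for candidate in ["P@ssw0rd", "correct horse battery staple 🐴", "short🐴", "a" * 65]:
        r = compare(candidate)
        print(f"{candidate!r:40} legacy={r['legacy']}  nist={r['nist']}")
```

The two policies disagree on exactly the cases the post cares about: the composition rule accepts the breached `P@ssw0rd` and rejects the long passphrase, while the NIST-style check does the reverse.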

In summary, it appears that the direction NIST is taking favors long, easy-to-remember passwords that may be a string of sentences with full punctuation and an occasional emoji to bolster password security. It is almost like a breath of fresh air to see the government recognize that efficacy and implementation are improved by simplifying the process. If only this rationale could be extended to the myriad regulations and statutes which are growing in both volume and complexity at an alarming rate.


Opioid Abuse – Financial Realignment May Be The Answer


Opioid abuse is a complex problem with tragic and staggering consequences. It has recently gained prominence because of federal and state initiatives, as well as increased coverage by the media.

I write this post because I tried to make sense of the various reports I read, and realized that it may be necessary to take a more holistic view of the problem for a meaningful result to be achieved.

By way of introduction, I feel duty bound to point out that because I am not a doctor there may be certain gaps in the analysis.

That said, the basic starting point and most relevant question is why the United States prescribes more opiate drugs on a per capita basis than any other nation in the world. The United States makes up only 4.6 percent of the world’s population, but consumes 80 percent of its opioids and 99 percent of the world’s hydrocodone (the opiate that is in Vicodin). With respect to the effects of opioid abuse, according to the CDC more than 165,000 Americans died from prescription-related opioid overdoses between 1999 and 2014, with 2014 alone claiming 14,000 lives. Per capita opioid prescriptions grew by 7.3% between 2007 and 2012, and in 2014 approximately 2,000,000 people abused or were dependent on prescription opioids. More than 1,000 people per day are treated in emergency departments for misusing prescription opioids.

The problem is real – the causes are complex – and developing a meaningful solution that achieves substantial and measurable results will require significant thought and resources.

I will try to view my assessment of the problem and possible solution through the prism of a lesson I learned from my contracts professor in law school. He basically said that if you want to understand contracts, just follow the money.

A friend of mine once commented very cynically that the government has two essential tools – bribery and extortion.  It pays you to do what it wants you to do and fines you for doing what it does not want you to do.

A recent feature article in Medical Economics magazine has related important information that is relevant to the opioid issue. In 2013, a study of Medicare Part D claims showed that most of the more than 54 million prescriptions for opioids were written by internists and family practitioners. Current reimbursement trends for primary care physicians (outside of Medicare) are set up to financially reward primary care physicians for spending 15 minutes or less with their patients. Arguably, when a patient complains of pain, it takes a lot less time to prescribe a painkiller than to: work through a detailed history; complete a full analysis of all of the medications the patient is taking; and obtain an accurate and truthful response to gauge the amount of pain and ferret out what other prescription or otherwise-obtained painkillers the patient may be taking. To really get a full picture, the medical professional must get a sense of painkillers or other drugs that may be bought on the street, borrowed from friends, stolen from other people’s medicine cabinets, etc. If the government truly wanted to make a meaningful difference, I believe the first step would be to align reimbursement with the objectives we try to achieve. Doctors must be reimbursed for the time and effort we expect them to expend.

This disconnect rears its ugly head in the realm of hospital-based care as well. Hospitals are financially incentivized based on a final HCAHPS score, which in simple English is a score of patient satisfaction. It seems rather obvious that when people are in pain they will reasonably be happier if they get painkillers. It has been argued that issues of pain should be taken out of the survey. However, that might be too broad a brush with which to make deletions to the survey. Obviously, pain management is central to how patients are treated. I believe that a first step would be to align financial incentives with expected outcomes.

I am certainly not asserting that doctors do not place patient care above personal financial gain. However, at the end of the day doctors are human, appointments are scheduled and given particular timeslots, hospitals have real budgetary concerns, and the government has enacted numerous laws subjecting doctors to financial rewards and financial fines.  Therefore, it would be most sensible to address the opioid issue by aligning reimbursement with expected outcomes.  The government has legislated Pharma rep activity, anti-kickback statutes, and reengineered reimbursement to effect all the various changes they want. Meaningful use, MIPS and MACRA are just a few examples/acronyms that come to mind. It would be helpful if the government’s power of the purse were utilized to address the opioid problem.

It might also be helpful if there were a national database of all Schedule II and III drugs which medical professionals prescribing any painkillers would have to personally access with an additional administrative ICD code that would reimburse the medical professional for the time and effort.

Lawmakers have recently sought to address the opioid problem.  On March 10, 2016, the U.S. Senate passed the Comprehensive Addiction and Recovery Act (CARA), which mandates the development of best practices for prescribing opioids and authorizes grants for drug education, prevention, and treatment programs. CARA directs the Secretary of HHS to convene a task force composed of numerous agencies and organizations to review, modify, and update best practices for managing pain and prescribing pain medication.  On May 13, 2016, the House passed the Bill; therefore, it next goes to the President who may sign or veto the Bill. The website www.Govtrack.us estimates that there is a 40 percent chance that the President will sign the bill.

Several states have also recently sought to address opioid over-prescribing; however, the enacted laws seem to be more symbolic than substantive.

Massachusetts – enacted the first law in the nation to limit an opioid prescription to a 7-day supply for a first time adult prescription and a 7-day limit on every opiate prescription for minors unless the medical professional feels that a larger amount is appropriate.

Connecticut – enacted similar legislation, but requires the medical professional to note the condition which required deviation from the seven day limit.

New York – enacted similar legislation that lowers the limit for opioid prescriptions for acute pain from 30-days to no more than a 7-day supply, with exceptions for chronic pain and other conditions.

Obviously each state has bells and whistles added to their legislation.  Examples include the need for education, disclosures, and distribution of kits for overdoses among other features.  However, if the majority of opioid prescriptions are written by primary care physicians, would it be unreasonable to mandate that before the third refill, the patient must go to a doctor with a specialty in pain management for an evaluation or provision of alternative therapies? Furthermore, if the state or federal government wants alternative interventions to opioids (such as epidurals, nerve blocks, trigger shots, acupuncture, physical therapy, or massage therapy, etc.) it should use the power of the purse to effect change.

The looming question is how long it will take to move the needle (figuratively) with respect to the opioid problem, and whether it may be too little too late.

In sum, there seem to be significant competing interests that come into play. The government would like to lower health care costs, commoditize medicine, and lower reimbursements, while at the same time it wants medical professionals to spend extra time with and give increased attention to patients, and effectively become the first line of protection to deal with and police patients. The government wants the medical community to oversee issues that originate with real people who are in real pain while in the care of doctors who were charged with helping patients with their health-related issues, a significant health issue being pain management. Of course, the government’s expectation of doctors seems to fall somewhat short of actually paying for the objectives they hope to achieve.

If I am missing something, I ask the readers to comment publicly online or directly to me.


Did the Supreme Court open the Floodgates for FCA Whistleblower Claims


The U.S. Supreme Court may have opened the floodgates for whistleblower lawsuits based on its unanimous opinion in the whistleblower case of Universal Health Services v. United States ex rel. Escobar, in which the Court found that the implied false certification theory can be a basis for liability under the False Claims Act (FCA).


The FCA imposes very significant penalties on those who defraud the Government, including statutory fines for every invoice plus triple the amount paid. I ask readers to think of the following article as it might apply to (for example) a long-term pattern of upcoding (or other incorrect coding) which a whistleblower and then the government claim violates the FCA, even if the doctors were unaware that improper codes were used.


The case before the Court involved allegations against a mental health clinic in Massachusetts that submitted claims for payment for treatment of a teenage beneficiary of Massachusetts’ Medicaid program. The allegations were that the clinic used payment codes corresponding to different services and that staff members misrepresented their qualifications and licensing status to obtain NPI numbers which were submitted in connection with the claims. Massachusetts’ Medicaid program was unaware of the misrepresentation and paid the claims. The whistleblower plaintiffs’ complaint alleged that the clinic violated the FCA by submitting claims while failing to disclose serious violations of regulations pertaining to staff qualification and licensing requirements.  The plaintiffs did not allege that the health care clinic expressly certified compliance with the regulations; rather, the health care provider was alleged to have impliedly certified compliance when it submitted claims for payment.


The trial court dismissed the case, making a distinction between conditions of payment and conditions of participation, and held that only noncompliance with statutory or regulatory conditions of payment could render claims for payment actionable under the FCA. The Court of Appeals for the First Circuit reversed the decision, and found that the Medicaid supervision and licensure requirements impose conditions of payment, and the health care clinic did, in fact, impliedly certify its compliance when it submitted its request for payment.


The Supreme Court did not address whether all claims for payment implicitly represent that the billing party is legally entitled to payment. Instead, the Court found that the claims in this case “fall squarely within the rule that half-truths—representations that state the truth only so far as it goes, while omitting critical qualifying information—can be actionable misrepresentations”. The Court found the clinic’s representations in submitting claims while omitting its violation of regulatory requirements were clearly misleading. As such, the Court held that the implied certification theory can be a basis for liability “where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths”.


The Supreme Court also held that the FCA is not limited to violations of a contractual, statutory, or regulatory provision that is expressly designated as a condition of payment. Instead, in order to be actionable under the FCA, a misrepresentation about compliance with a statutory, regulatory, or contractual requirement must be material to the Government’s decision to make payment, and whether the Government specifically identified a provision as a condition of payment is irrelevant. As such, a case-by-case analysis as to whether a statutory, regulatory, or contractual requirement is material to the decision to make payment is necessary.


In sum, a party may be liable for violations of FCA when it submits a claim making representations about services or goods provided, but fails to disclose noncompliance with statutory, regulatory, or contractual requirements that are material to the Government’s decision to pay the claim.


Today’s Supreme Court decision, which adopts the implied false certification theory as a basis for liability under the FCA, significantly broadens the reach of the FCA, particularly because it may encompass a violation of any statutory, regulatory, or contractual requirement that is deemed material to the Government’s decision to pay a claim.


Government’s Emerging Triple Play–Why Every Doctor Should be Concerned


Introduction

The reach of the government in recovering payments under the False Claims Act (FCA) seems to be entering into a new era based on a number of seemingly disparate developments working their way through U.S. Attorney’s offices, the federal trial courts and courts of appeals, as well as a currently pending case in front of the U.S. Supreme Court. The individual and collective implications of these developments amount to a greater likelihood of FCA actions being brought, particularly against individuals or entities that might have gone unnoticed in the past, as well as the likelihood of obtaining larger fines.


While there are many broad medical-related industries whose constituent members can be subject to the FCA (considering the fact that 17% of GDP lands in the medical arena), and there are many millions of invoices that are submitted to Medicaid and Medicare on a monthly basis, I believe that in reading this post it is important to view the implications of the developments discussed with a particular eye towards the individual and collective medical billing that reaches Medicare and Medicaid.


By way of introduction, the FCA in very simplistic terms is a statute which allows the government to seek recourse against individuals or entities that billed the government improperly (hence the term “false claims”). The penalties under the statute can be extremely onerous because it allows for $5,500 – $11,000 per incident as well as treble (triple) damages for what the government paid. To be clear, to the extent that a series of false invoices are submitted to the government, each invoice would qualify as a separate claim which would require the defendant to pay a mandatory penalty for each false claim.


To illustrate the scope of how onerous FCA claims can be, I will list a few recent settlements and set forth the amounts for which they were settled:

  • Pfizer and its subsidiary Wyeth agreed to pay $785 million to the federal government and state Medicaid programs to settle FCA claims that they failed to report to Medicaid certain drug rebates that were given to hospitals.
  • Dignity Health, which operates hospitals and ancillary care facilities, agreed to pay $37 million to the government to settle FCA claims that it submitted false claims to Medicare and Tricare by admitting patients who could have been treated on a less costly, outpatient basis.
  • DaVita Healthcare Partners, Inc., the largest provider of dialysis services in the U.S., agreed to pay $450 million to settle FCA claims that it created unnecessary waste in administering the drugs Zemplar and Venofer to dialysis patients, and then billed the federal government for the avoidable waste.


Historically, FCA claims were primarily brought on behalf of the government by whistleblowers. The cases are commonly called qui tam actions, and the whistleblower is known as the “relator”. A thumbnail sketch of the qui tam action is that an individual can initiate a lawsuit against a person or entity who they suspect is violating the FCA. The case is initially filed under seal, and the government has a chance to intervene and take over the case. If the government declines to take over the case, the individual has the ability to maintain the case (essentially in the name of the government). The whistleblower is rewarded by receiving a certain percentage of the government’s ultimate recovery. The percentage varies and depends on whether the government intervened and the extent to which the whistleblower contributed to the prosecution of the case. In more simple terms, the government has essentially deputized and incentivized anyone with knowledge of a false claim to come forward and blow the whistle.


Three New Developments


Moving past the introduction to the FCA (which many of you may have been aware of, and if so, I apologize for not starting at this point), there are a number of developments that have very far-reaching implications.


First Development: An Assistant U.S. Attorney for the District of Maryland, Thomas F. Corcoran, recently stated the government’s displeasure with the fact that to a large extent it is in the reactive position with respect to FCA claims, because the government is in large part dependent on whistleblowers initiating a claim or otherwise relating false claims. Mr. Corcoran said the district was tired of having whistleblowers “determine the direction of our FCA cases”. In an effort to take a more proactive stance, the U.S. Attorney’s office in Maryland has begun to data mine various available public records using algorithms to flag anomalies with respect to various bills submitted to the government. While at first glance this may appear to be nothing more than a question of role reversal, and in fact one might argue that the government itself might not even be more aggressive than the many individuals who can potentially obtain commissions for ultimate government recoveries, there is an additional facet through which this development can be viewed. Essentially, there may be numerous cases in which an individual or investigator might not otherwise be able to isolate any suspected or actual wrongdoing, but an algorithm can red-flag certain circumstances, which will lead to an investigation and a provider or entity facing the challenges and rigor of government scrutiny either because of their misdeeds or because they were flagged through an automated data mining process.


Let’s face it, data mining will unearth top billers of Medicare merely because in every category that can be reviewed someone has to be at the top.  And, if we were to imagine billing and reimbursement as a bell curve, there are always going to be the outliers, irrespective of any wrongdoing.  These top billers and outliers are likely to be flagged and investigated.  The take away from this development is that the government’s reach can rise to a higher order of magnitude, and the potential burdens on providers will increase, irrespective of the accuracy of a “false claim” allegation.


Second Development: The second development relates to the government’s or a whistleblower’s ability to assemble a random and relatively small but statistically relevant data sample of all of the claims raised in a pending FCA case, and prove liability with respect to all of the claims based on that random and small statistical sampling.


In June of 2015 a federal district court in South Carolina held, in the case of United States ex rel. Michaels v. Agape Senior Community, Inc., et al., No. 15-238 (L) (0:12-cv-03466-JFA), that establishing liability under the FCA cannot be made by proving the falsity of a relatively small portion of the claims through statistical sampling. Instead, the whistleblower must provide an analysis of all individual claims. The net effect is that the cost of bringing the case is increased, as every single false claim alleged in the FCA case must be documented and prosecuted with the proofs that the random small sample would require. The whistleblower estimated that the cost of an expert review of all of the claims alone would be between $16.2 million and $36.5 million.


The Court of Appeals for the Fourth Circuit (which covers South Carolina, North Carolina, Maryland, Virginia and West Virginia) will be addressing this case and use of sampling in FCA cases.  Several federal district courts have ruled both ways on the issue of sampling; however, the pending Court of Appeals case could result in the first federal appeals court decision directly addressing the issue.


If sampling is ultimately allowed, obviously this can reasonably lead to very large settlements if the potential downside is either not worth the fight or the potential loss is too great for the organization to bear.


Third Development: The third development relates to one of the elements of an FCA claim. Essentially, the FCA requires that the claim being submitted be “false” or “fraudulent”. The question that has arisen is what makes a claim actually “false” or “fraudulent”. Obviously, if someone works 100 hours and bills for 200 hours, or submits an invoice for goods or services that were never provided, the majority of people would concur that the claim was false or fraudulent.


However, the question becomes much more nuanced when claims are submitted that could be the result of oversight, accident, miscommunication, or a long list of other situations that result in a mistake but would not necessarily reach the level of “false” or “fraudulent” within the meaning of the FCA.


The question of the falsity of claims arose in Universal Health Services, Inc. v. United States ex rel. Escobar, a case that was brought in the federal district court in Massachusetts. The district court’s decision was appealed to the Court of Appeals for the First Circuit (which covers the states of Massachusetts, Rhode Island, New Hampshire, and Maine). The basic holding of the Court of Appeals was that if and to the extent a claim for payment is submitted to the government, it inherently means that the provider has impliedly certified that it is in compliance with all rules and regulations that are a condition of payment. Accordingly, the provider has violated the FCA if it has not actually complied with those rules and regulations which are a condition of payment.


There is a split in the Circuit Courts of Appeal regarding the validity of the implied certification theory, and the U.S. Supreme Court granted certiorari to review the decision of the First Circuit in Universal Health Services, Inc. v. United States ex rel. Escobar. Oral argument before the Supreme Court was held on April 19, 2016.

In addition to the First Circuit, the Second, Third, Fourth, Sixth, Ninth, Tenth, Eleventh, and D.C. Circuits have accepted the implied certification theory in some fashion. The Fifth and Seventh Circuits have found that implied certification is not a valid theory.


Because of the unfortunate passing of Supreme Court Justice Antonin Scalia there are three possibilities. The first is that the Court of Appeals’ decision will be upheld by a majority of the sitting justices, in which case the implied certification theory will become the law of the land (thus expanding the reach of the FCA). The second possibility is that a majority of the justices will overturn the Court of Appeals, in which case, subject to the particulars of the Supreme Court’s written opinion, implied certification will be partially or totally limited. The third possibility is that there will be a four-four tie decision, in which case the circuits will remain split until another case reaches the Supreme Court. If the third scenario plays out, the location where FCA cases are initiated might be outcome determinative. The First, Second, Third, Fourth, Sixth, Ninth, Tenth, Eleventh, and D.C. Circuits, which have accepted the implied certification theory in some fashion, may permit a broader scope of liability by recognizing that claims may be false when a party impliedly represents compliance with a precondition to payment. The Fifth and Seventh may limit the scope of the FCA by finding liability only when the party submitting a claim for payment expressly certifies compliance with a precondition of payment. For a list of which states fall under which circuits please see http://www.uscourts.gov/file/document/us-federal-courts-circuit-map


Conclusion

In conclusion, as many of the readers of this post may be directly or indirectly involved in the vast medical world, it is self-evident that every time a doctor sees a Medicare or Medicaid patient there is a bill being submitted to the government. Over time, because of the quantum of incidents of billing as well as the aggregate amount being billed to Medicare or Medicaid, the FCA becomes a real issue.

This issue is particularly relevant if and to the extent that medical providers or similarly situated entities rely on office managers, frontline employees, or billing companies.


Precluding a HIPAA Breach is not enough



A recent settlement between a Minnesota hospital system, North Memorial Health Care, and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), is highly instructive with respect to the liability of CE’s (covered entities), BA’s (business associates) and both the liability and interplay between them. Furthermore, it underscores the fact that although the HIPAA Omnibus Rule is a set of federal regulations, covered entities and business associates face further vulnerabilities because state attorneys general have in effect been deputized to prosecute claims for violations of HIPAA and HITECH.


Now for the story: In March 2011, North Memorial Health Care, a Minnesota hospital system, hired Accretive Health, Inc. to provide revenue cycle operations. In July 2011, an employee of Accretive left an unencrypted laptop containing PHI in the back seat of a rental car parked in a bar and restaurant district in Minneapolis. The laptop was stolen. For those of you that follow current news about HIPAA breaches, the lost laptop saga and resulting HIPAA breach is all too common. However, it is important to remember that in the old days (2011) the lost laptop, HIPAA breach, need for encryption, and resulting consequences were not as well-known as they are today.


  1. In 2012, the Minnesota Attorney General brought an action against Accretive for the HIPAA breach, together with state law claims. The Minnesota Attorney General initiated the civil action pursuant to her authority under HITECH to bring claims on behalf of the state residents for violations of HIPAA. Ultimately, Accretive settled the case with the Minnesota Attorney General for $2.5 million.

     This appears to be the first time an action was brought against a business associate under the provisions of HITECH that made business associates directly and statutorily liable for violations of HIPAA.

  2. In addition to the Minnesota Attorney General, the Federal Trade Commission brought an action against Accretive asserting that it had inadequate data security. In late 2013, a final consent order was entered which forced Accretive to establish a comprehensive information security program that will be evaluated every two years by a third party for the next 20 years.
  3. Furthermore, OCR initiated an investigation of North Memorial Health Care following receipt of the breach report in September 2011. OCR’s investigation found that the hospital system failed to have in place a business associate agreement with Accretive and that it failed to perform a risk analysis to address all potential risks and vulnerabilities. This month (March 2016), well over four years after OCR received the breach report, North Memorial Health Care agreed to pay a $1.55 million settlement.

It is of particular interest that by the time of Accretive’s breach in 2011, the HIPAA Omnibus Rule had not been issued. Therefore, although a covered entity had to enter into a BAA (business associate agreement) with its business associates and take certain steps once a breach by the associate occurred, it could not be held directly liable for a breach by its business associate except for the contractual liability created by the BAA. Under the HIPAA Omnibus Rule issued in 2013, a covered entity may be directly liable based on both the statute and contract law.

Therefore, technically, North Memorial Health Care could not be held directly liable for the 2011 breach by its BA, Accretive. Nevertheless, by sheer virtue of the fact that the hospital system did not enter into a BAA with Accretive and/or have a risk analysis, they will pay $1.55 million.


Post 2013, a CE may be held directly liable for breaches by its BA’s, in addition to liability for any other failure, including lack of risk analysis or business associate agreements.

In closing, we are not living in the olden days when HIPAA compliance was viewed as abstract, theoretical or aspirational; we have come a long way from 2011. But, the reality is that:

  1. Many CE’s and their respective BA’s do not recognize the ever-increasing resources that the government is devoting to HIPAA audits and compliance, and the ease with which any patient or whistleblower can report a breach. Let’s face it, we live in a digital world, and there are almost daily news reports of data breaches.
  2. CE’s and BA’s are not enclosed in a protected zone or cocoon; much to the contrary, healthcare information is of great value to computer hackers or a wrongdoer that finds a lost laptop.
  3. The importance of conducting a proper and robust risk analysis and entering into business associate agreements is ever increasing. If nothing else, this case indicates that separate and apart from the liability of a data breach, CE’s and/or BA’s can be fined for failure to have a risk analysis or proper BAA’s.
  4. There are numerous governmental agencies that can enforce HIPAA, HITECH and state statutes and regulations.


Texas Expands and Redefines HIPAA

The fact that HIPAA traces its origins back to 1996 seems almost insignificant. In fact, in the various presentations I have seen or participated in that begin with the history of HIPAA, my general reaction is: why bother, who cares about its origins.

However, I can identify one particular point about HIPAA’s origins that is of current interest.

The origins of HIPAA and the privacy of patient records began at a time when the digital world was relatively in its infancy, and the general focus of the law was on paper records. The HITECH component was later added in an attempt to catch up with the then emerging digital technology.

However, HIPAA legislation starts with and focuses on information that is in the possession of a covered entity.

The HIPAA definition of a Covered entity is:

  1. A health plan.
  2. A health care clearinghouse.
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter of the Omnibus rule.

Typically, this straightforward definition is understood to mean a doctor or healthcare provider, or the entities referenced in (1) and (2) that by their nature receive or transmit health information. However, there are many other individuals and/or entities that are provided with an individual’s medical records. Obviously, privacy and HIPAA coverage extend to Business Associates and subcontractors, with the caveat that they are downstream from Covered Entities. Medical information that does not flow from a Covered Entity may be covered by other laws regarding the privacy of information, but it would not necessarily be covered by HIPAA, HITECH or the Omnibus Rule.

This gap seems to be mostly attributable to the genesis and development of HIPAA.

Based on the general understanding of HIPAA and its definition of a “Covered Entity”, a plaintiff’s personal injury law firm that came into possession of its client’s medical records would not be subject to HIPAA. While the attorney might be subject to other restrictions on the privacy of legal records, as a general proposition those rules are not as restrictive as HIPAA, do not require a risk analysis, do not require privacy, security and breach protocols, and do not necessarily carry the fines associated with HIPAA violations.

Texas recently passed revisions to the Texas Medical Records Privacy Act which in section 181 incorporates HIPAA but broadens the definition of a covered entity as follows:

“Covered entity” means any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information under this chapter; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

It seems that based on the expanded definition, Texas plaintiff’s personal injury attorneys would be subject to the additional requirements and/or restrictions and increased fines. Obviously, this expanded definition goes well beyond plaintiff’s personal injury attorneys. Examples might be cloud-based storage companies that become subject to the Texas law, software applications that store and/or utilize an individual’s medical records supplied directly by the individual, and the list goes on.

There may be other state laws which further expand the requirements for individuals or entities that possess ePHI; however, those additional states are beyond the scope of this post.

Obviously, it is important to carefully read the Texas statute in its entirety, and understand its applicability on a case-specific basis. However, there is very little doubt that it dramatically expands the people and/or entities that are subject to HIPAA-equivalent analysis, safeguards, and protection of PHI and ePHI.

In addition, reviewing individual state laws is becoming more important, and it raises the question of whether the federal government will broaden the applicability of the current Omnibus Rule.

What do you think?

DISCLAIMER – This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes.

I am not admitted to practice in the state of Texas, I am not certain that my analysis is correct under Texas law, and invite any practitioners who disagree with my analysis to comment and explain why this analysis is incorrect. As always, legal advice and training should be obtained from licensed professionals within the jurisdiction.

While some entities are busy with HIPAA and cybersecurity — others are frolicking at patients’ expense


Nursing home workers have been posting abusive photos of elderly on social media

http://wapo.st/1m3HYfS

Ornstein is a senior reporter at ProPublica, www.propublica.org, a nonprofit news organization in New York.


There’s No Such Thing As a Free Lunch


There’s No Such Thing As a Free Lunch – Especially from your Pharma Rep.

While the first part of this title was popularized by the 1975 book authored by economist and Nobel prize winner Milton Friedman, the totality of the title should leave a chilling and lasting impression in light of the following recent release.

Department of Justice
U.S. Attorney’s Office
District of Massachusetts
_______________________________________________________________________________________________
FOR IMMEDIATE RELEASE
Thursday, October 22, 2015

Springfield Doctor Indicted in Anti-Kickback Case

BOSTON – A Springfield gynecologist was arrested today in connection with allegedly accepting free meals and speaker fees from a pharmaceutical company in return for prescribing its osteoporosis drugs, allowing pharmaceutical sales representatives to access patient records and lying to federal investigators.

Rita Luthra, M.D., 64, of Longmeadow, was indicted on one count of violating the Anti-Kickback Statute, one count of wrongful disclosure of individually identifiable health information and one count of obstructing a criminal health care investigation by lying to federal agents and directing an employee to do the same. The indictment also seeks $23,500 in criminal forfeiture.

According to court documents, from October 2010 through November 2011, Warner Chilcott, a pharmaceutical company based in Rockaway, N.J., allegedly paid Luthra $23,500 to prescribe its osteoporosis drugs, Actonel® and Atelvia®. On 31 occasions, a Warner Chilcott sales representative allegedly brought food to Luthra’s medical office for her and her staff, and paid Luthra $750 to talk with her for 25-30 minutes while she ate. On another occasion, Warner Chilcott paid to cater a barbeque that Luthra hosted at her home for her friends. Warner Chilcott also paid Luthra $250 for speaker training, despite the fact that she never spoke to any other physicians. It is alleged that Luthra’s prescriptions of Warner Chilcott’s osteoporosis drugs increased during the time that she was paid by the company, and precipitously declined once she stopped being paid. Luthra also allowed a Warner Chilcott sales representative to access protected health information in her patients’ medical files. She further provided false information to federal agents when interviewed about her relationship with Warner Chilcott, and allegedly directed one of her employees to also lie.

The charge of violating the Anti-Kickback Statute provides a sentence of no greater than five years in prison, three years of supervised release and a fine of $25,000. The charge of disclosure of individually identifiable health information provides a sentence of no greater than one year in prison and/or a fine of $50,000 and one year of supervised release. The charge of obstructing a criminal health care investigation provides a sentence of no greater than five years in prison, three years of supervised release and a fine of $250,000. Actual sentences for federal crimes are typically less than the maximum penalties. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors.

United States Attorney Carmen M. Ortiz and Phillip Coyne, Special Agent in Charge of the U.S. Department of Health and Human Services, Office of the Inspector General, Office of Investigations, made the announcement today. The case is being prosecuted by Assistant United States Attorneys Miranda Hooker and David S. Schumacher of Ortiz’s Health Care Fraud Unit.

The details contained in the indictment are allegations. The defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.


Cost of Stolen Laptop Hits Record High


Massachusetts Lahey Hospital has agreed to pay $850K over a stolen laptop containing the ePHI of 599 individuals. That works out to over $1,400.00 per individual. It goes without saying that the 2011 incident led to an investigation that found numerous instances of noncompliance with HIPAA rules throughout Lahey Hospital, including a failure to conduct a risk analysis on all electronic protected health information (ePHI) as well as a failure to safeguard a workstation that had access to ePHI. Equally unremarkable is the fact that the hospital also agreed to implement a corrective action plan that includes a full risk analysis as well as a risk management plan.

The risk of losing mobile devices is real, the lack of encryption is tragic, the apparent norm of a failure to have a proper risk analysis is almost the expected result of an investigation/audit, and the corrective action plan is to be expected.

However this incident traces back to 2011 – before there was heightened awareness of these issues and consequences.

The real issue is the current reality where many small, medium and relatively large Covered Entities think that breaches only happen to others, that they will never have a breach, that the likelihood of a random audit is too remote to worry about, and that they will never have to consider the cost of being wrong. Penalties seem to be rising, and the associated legal expense, the ultimate cost of a compliance agreement, and the reputational cost may be more than many Covered Entities can sustain.


Gene therapies offer dramatic promise but shocking costs from The Washington Post


The Possibilities are Awesome

The Benefits are Incalculable

The Cost is Staggering

While Consistent with Outcome Based Reimbursement

Insurers taking on long-term mortgages is Sobering and Transformative

http://wpo.st/rInm0
