Cyber-security incident prevention has been at the top of the list of Health IT agendas in recent years, and pressure will only grow more intense as we turn the corner into 2020. An explosion of systems exploitation in recent months has caused Health IT professionals to be more vigilant than ever in implementing procedures to monitor, track and test their systems for vulnerabilities and threats on a regular basis. The Office for Civil Rights (OCR) issued a Spring 2019 OCR Cybersecurity Newsletter which provided information relevant to the zero-day exploits[1] (“Zero Day”) and advanced persistent threats[2] (“APT”) recently occurring across the globe. Both pose serious and dangerous threats to our information and operations, so it is not enough to simply know the difference between a zero-day and an APT; organizations must also prevent the exploits behind these threats from launching further assaults.

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the “security rule”), covered entities and business associates are required to conduct ongoing risk assessments (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)) to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The purpose of the security risk assessment (SRA) is to identify areas where an organization’s protected health information (PHI) could be at risk. Examples of circumstances that could lead to vulnerabilities or threats include, but are not limited to, planned or actual changes in ownership, operations, workflows or technology, turnover of key staff, or a known or suspected security incident.

The SRA and a timely response to SRA results allow an organization to mitigate damage and reduce the associated risks to reasonable and appropriate levels. Some vendors offer tools that assist in this process and can be very effective. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a free SRA tool which assists organizations in evaluating their SRA practices. This tool should be used as a supplement to the SRA documentation that each organization collects during its SRA process. It allows the user to answer questions and rate their current state, while offering guidance on the most effective protections. The tool also allows the user to input assets, which is highly useful in maintaining an inventory of technical assets[3], along with the current disposal, encryption, data and activity status of each asset.

The security rule is not prescriptive in specifying an exact frequency at which an SRA should be conducted, because each organization’s frequency will vary depending upon its specific circumstances. However, AMS recommends, as a rule of thumb, that an SRA should occur at least annually with ongoing reevaluation, and whenever the organization has an event or circumstance that could lead to a security vulnerability or threat.

[1] The “zero day” exploit or attack takes advantage of a previously unknown hardware, firmware, or software vulnerability.

[2] The APT is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations.

[3] Examples of asset types include laptops, desktops, PDAs, printers, copiers, facsimile machines, and clinical devices such as EKG/EEG/ECG, ultrasonography and radiological equipment.

Everyone knows that nurse staffing is critical to the care and outcomes of patients.  Massachusetts passed a law in 2014 requiring a maximum of two patients for every nurse in intensive care units[1]. California is currently the only state with hospital-wide required minimum nurse-to-patient ratios.

Aside from mandated ratios, state staffing laws in nursing tend to fall into one of two other buckets[2]:

  • The first is to require hospitals to have nurse-driven staffing committees[3] that develop unique staffing plans.
  • The second requires facilities to disclose staffing levels to the public or regulatory body[4].

Minimum staffing regulations, however, are not only relevant to hospital-based nursing; in some states, for example, they also apply to infection control, daycare and hospital-based schools. So how does this impact AMS’ approach to benchmarking?

AMS’ benchmark development approach involves a combination of art and management science. AMS has an extensive benchmarking database that consists of benchmarking projects performed on-site at hospitals and for healthcare clients throughout the United States. Factors such as minimum staffing requirements must be considered in the labor benchmarking analysis and development process. AMS’ comparative database considers state-specific regulations. In particular, the database incorporates mandatory staff-to-patient ratios whenever they are required by law. AMS focuses on determining and validating the operational intricacies and unique demands of the departments it assesses and incorporates those into the best-practice benchmark ranges it develops.

Minimum staffing regulations underscore how vital a thorough understanding of the regulations that pertain to each state is when developing labor benchmarks. Adherence to these rules ensures that healthcare providers in each state are compliant, furthering the provision of quality care and performance improvement.

[1] An attempt to broadly regulate nurse-to-patient ratios in Massachusetts was struck down in 2018.

[2] About 35% of states also prohibit or limit the amount of mandatory overtime assigned to nurses.

[3] CT, IL, NV, OH, OR, TX, WA

[4] IL, NJ, NY, RI, VT

Healthcare entities that accept credit card payments are subject to PCI-DSS requirements. PCI-DSS provides “mandated” requirements for the protection and security of credit card transactions. It is not a law. Rather, it was born out of collaboration between the major credit card brands (Visa, MasterCard, American Express, Discover and JCB (Japan Credit Bureau)) to regulate and prevent credit card data breaches. The requirements are mandated for any vendor or entity that accepts credit card payments, regardless of size or number of transactions, and compliance is monitored by this same group of credit card brands (the Payment Card Industry Security Standards Council, the “Council”). Technically, the group cannot “force” a vendor to comply with the requirements, but it can limit or prohibit a vendor’s ability to process credit card transactions and, hence, impede cash flow.

PCI-DSS focuses on “descriptive” steps to follow to ensure the security of the stored credit card data, audit mechanisms, suggested breach protocols and pre-determined fines for noncompliance. If followed, these actions would be part of the Healthcare entities’ response to the HIPAA Security standards.

HIPAA is much more encompassing. Compliance is mandated by federal law, requires risk assessments, policies/procedures for administrative, physical and technical safeguards, use of Business Associate Agreements and includes breach protocols, fines, and civil/criminal actions for noncompliance.

Yes, PCI-DSS impacts healthcare. Yes, PCI-DSS activities may be part of a healthcare entity’s HIPAA Security Plan. No, PCI-DSS compliance does not equate to HIPAA Security compliance, and vice versa, because the HIPAA plan may not prescribe every step mandated by the Council. Instead, it is best to view each through its own set of rules!

For more information on complying with PCI-DSS, please contact Linda Mancini at 781-272-8001.

The Gramm Leach Bliley Act (GLBA) of 1999 (Pub. L. 106-102, 113 Stat. 1338) has two parts.

The first allows for the consolidation/merger of financial institutions such as banks, insurance companies and investment/security firms.

The second regulates the use, disclosure (sharing) and security of the massive amounts of personal information (which includes health records) that will result from these mergers/consolidations by mandating adherence to the following three rules.

  1. Financial Privacy
    • Enforced by Federal Trade Commission,
    • Privacy Agreements (signed by both parties, lists use of, types of, parties who will receive/share personal information), and
    • Opt Out Clauses to include details as to when a consumer may and may not opt out.
  2. Safeguard
    • Written security plan for all personal information,
    • Plan must be “managed” by at least one “dedicated” employee, and
    • Plan must be continuously monitored for “future” threats.
  3. Pretexting Provisions
    • Financial institutions must monitor and prevent disclosure of personal information to unauthorized parties (i.e. attempts by unauthorized individuals to gain access by phone, text, email or in person).

While GLBA expands consumer protections pertinent to the security of health information, it does not invoke HIPAA privacy regulations pertinent to entities who may or may not receive health information. Instead, the consumer must do so through “opt out” provisions. This is of concern because the average consumer may not be aware of HIPAA’s purpose and protections (i.e. minimum necessary) and the potential ramifications if they are not followed.

For more information on Gramm Leach Bliley’s impact on healthcare law, please contact Linda Mancini at 781-272-8001.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Public Law 111-203) contains a “sweeping series of core provisions” to reform federal oversight of the financial services industry. The Act includes amendments affecting the existing consumer protection, banking, derivatives and securities industries.

Dodd-Frank was not written with the healthcare sector in mind and does not contain any general provisions applicable to healthcare. However, there may be a “spillover” effect.

This Act was a “one of a kind sweeping endeavor” by Congress to “fix” a facet of an industry that appeared to be broken. Can the same argument be made for the healthcare industry? If yes, Congress may decide to make the same type of sweeping changes to healthcare, especially in the not-for-profit sector, which faces similar risk and transparency issues.

In fact, the following four provisions of the Act may be readily transferred to the not-for-profit healthcare industry at a moment’s notice.

  1. Enterprise Risk Management (ERM) – Regulate systemic risk; establish risk monitoring committees with independent directors (Financial Stability Oversight Councils), adoption of board-level ERM activity towards “best practices” level.
  2. Corporate Governance – Regulations promulgated by federal government (traditionally purview of state), promote board independence and decrease conflicts of interest with increased public disclosure; consider views of community and constituent groups on executive salaries (i.e. role similar to shareholders).
  3. Corporate Compliance – Increased emphasis on whistleblowers and protections (increased rewards, can sue in federal court without having to exhaust available administrative remedies).
  4. Executive Compensation – Need to consider feedback from compensation committees/independent advisors/community/constituents and to publicly report the “ratio of the total compensation of the CEO to the median employee compensation.”

Please refer to the law for details pertinent to the four provisions cited.

For more information on the Dodd-Frank Act’s application to healthcare, please contact Linda Mancini at (781) 272-8001.

The Sarbanes-Oxley (SOX) Act of 2002 (Public Law 107-204) was designed to protect the interests of investors and enhance corporate oversight and accountability of publicly traded companies. Specifically, SOX mandates auditing, quality control, ethics, detailed/timely disclosures and independent/informed authentication of all financial statements.

To date, there are only two provisions of SOX that apply directly to HealthCare (Non-Profit) Organizations — whistleblower protections and retention of all documentation pertinent to an investigation. However, the healthcare legal industry is advising hospitals to look at SOX as “best practice” and adhere to as many provisions as possible.

This advice is based on increasing challenges to tax-exempt status and increased regulations passed by state legislatures and Attorneys General. Currently, 20 states are involved in class action suits claiming that hospitals haven’t provided enough “charity care” to justify their tax-exempt statuses. In addition, many state legislatures have passed healthcare financial accountability legislation that is stricter than SOX.

For more information on the Sarbanes-Oxley Act’s relevance to healthcare, please contact Linda Mancini at (781) 272-8001.

What is an expectation of privacy? The Fourth Amendment provides this constitutional right. An expectation of privacy is related to, but is not the same as, a right to privacy, a much broader concept which is found in many privacy laws. In general, one cannot have a reasonable expectation of privacy in things held out to the public. But what about email and other electronic communications/information?

The Stored Communications Act (SCA) was enacted in 1986 to provide Fourth Amendment-like privacy protection (search warrant, probable cause) to email and other digital communications stored on the internet. The Fourth Amendment to the U.S. Constitution protects the people’s right to “be secure in their persons, houses, papers and effects, against unreasonable searches and seizures.” It is seen as a right that extends to people only and not places. In many cases, Fourth Amendment doctrine has held that users relinquish “any expectation of privacy” when they entrust the security of online information to a third-party Internet Service Provider (ISP).

The SCA holds that ISPs will be criminally liable for disclosure of the contents of any communication carried or maintained on their service to any person or entity without proper authorization or a search warrant and court order. ISPs are allowed to share non-content information, such as log data and the name/address of an email recipient, with anyone other than a governmental entity.

The SCA is a starting point for any questions we may receive in our AMS capacities pertinent to “non-patient care” email/electronic communication privacy.

For more information on the Stored Communications Act, please contact Linda Mancini at (781) 272-8001.

The March 18, 2019 post of Legal Topics in Healthcare provided a definition of Cooperation Credit when undergoing a False Claims Act (FCA), HIPAA Investigation or the like.  In 2015, Deputy Attorney General Yates issued a memorandum detailing a policy on “individual accountability”.  The memo, Individual Accountability for Corporate Wrongdoing, is known as the “Yates Memo.”

This memo essentially limited the availability of cooperation credit to only those organizations that provide the Department of Justice (DOJ) all relevant facts relating to the individuals responsible for the misconduct. Individual accountability addresses the DOJ’s concern that too many individuals evaded punishment for wrongdoing related to the financial crisis, but this policy has significant implications for healthcare providers and their employees. Prior to the Yates Memo, cooperation credit was potentially available under DOJ policy even if an organization failed to disclose basic facts about its employees’ involvement in criminal misconduct.

For more information on the Yates Memo, please contact Linda Mancini at (781) 272-8001.

On August 17, 2018, the Centers for Medicare and Medicaid Services (CMS) announced that it is adding a sub-section (3.2) into Chapter 3 of its Medicare Program Integrity Manual (MPIM, Publication 100-08) entitled “Verifying Potential Errors and Taking Corrective Actions.” The new section references Medicare’s Targeted Probe and Educate (TPE) Program, first initiated as a pilot in 2016. The initial pilot focused only on nursing home and inpatient claims. The pilot has now been expanded to a permanent program which encompasses all claim types and can occur as either a pre-payment or a post-payment audit.

TPE audits subject providers and suppliers to up to three rounds of medical reviews. Claims are selected through data analysis. MPIM, Subsection 3.2 states:

“MACs shall target providers/suppliers who have historically high claim denial rates, who have billing practices that vary from their peers, or when evidence suggests that there is a potential risk to the Medicare Trust Fund.”

The MACs have the discretion to select target areas because of:

  • High volume of services;
  • High cost;
  • Dramatic change in frequency of use;
  • High risk problem-prone areas; and/or,
  • Recovery Auditor, CERT, Office of Inspector General (OIG) or Government Accounting Office (GAO) data demonstrating vulnerability. Probe reviews are not required when targeted areas are based on data from these entities.

Claims determined to be in error result in a provider’s notice of adverse determination and education from their MAC prior to the initiation of the next round of the TPE audit. Providers may, at their discretion, appeal TPE audit results, and this process mimics the standard Medicare appeals process.

Continued claim errors after three (3) rounds of TPE audit may be referred to CMS for further disciplinary actions. Subsection 3.2 also states:

“The MAC shall refer providers/suppliers for potential escalation to CMS at their discretion after three rounds of TPE review. Referrals shall include details regarding the reason the provider/supplier was selected for TPE review, TPE review results, any education provided (or offered and refused), and any other relevant information that may be helpful in determining appropriate next steps. The MAC shall refer suspected fraudulent providers to the Unified Program Integrity Contractor (UPIC) at any time during the TPE process.”

Given the potential impact of an escalation outcome, and the burden that this program’s continued emphasis places on providers, it is vital that providers carefully weigh the value of appealing adverse determinations when there is a valid justification to do so. Personnel responsible for reviewing and responding to adverse determinations must take immediate action, either through internal education and corrective action or by appealing the findings without delay. Regardless of which step a provider takes, immediate action will help ensure that the provider is paid for the right services, in the amount it is legally entitled to receive, every time.

For more information on the Targeted Probe and Educate Program, please contact Linda Mancini at (781) 272-8001.

Qui Tam lawsuits are what we also refer to as whistleblower suits, whereby a private individual assists the government with the prosecution of illegal activities and can receive all or part of any penalty imposed.

In healthcare, these usually involve False Claims Act (FCA) allegations directly against a provider. But the provider is not always at the center of these types of Qui Tam suits. One of the longest-running Qui Tam cases still lurking in the federal court system, initially filed in 2003 against a pharmaceutical company, is United States ex rel. King v. Solvay Pharmaceuticals, Inc.

In this case, two former Solvay employees alleged that Solvay had been engaging in misleading marketing ploys to encourage providers to prescribe their drugs for off-label use. Off-label use means that the FDA has not approved the drug for a prescribed diagnosis, and submission of a claim for this drug would violate the FCA. Solvay spent millions to promote these drugs for off-label uses. Salespersons visited doctors, urging them to consider Solvay’s drugs for off-label indications. Solvay also paid physicians to attend lavish dinners and speaker events about its drugs, and paid physicians who prescribed its drugs, which in turn could implicate the Anti-Kickback Statute (AKS). The final outcome of this case is still pending as there have been a series of appeals that are still ongoing.

Are providers insulated in these types of cases where inducement is involved? Not so much. Of particular significance is that providers have a responsibility in the pharma-physician relationship to recognize when they are at risk of violating the AKS. A Qui Tam case against a manufacturer could give rise to an FCA action, placing the provider front and center under the microscope.

For more information on Qui Tam or whistleblower situations, please contact Linda Mancini at 781-272-8001.