April 7, 2023 | By Rachel Rose, JD, MBA
Whenever I present, which is often, I often receive follow-up questions from participants regarding resources to utilize when creating, reviewing, and/or supplementing a compliance program, including relevant policies and procedures. One resource which should be utilized is the Health Care and Public Health Sector Cybersecurity Framework Implementation Guide, Version 2 (March 2023) (hereinafter “Guide”), which assists organizations (large and small) in appreciating and “leveraging the NIST Cybersecurity Framework’s Informative References in their implementation of sound cybersecurity and cyber risk management programs.” The overarching goals include aligning with national standards, assisting organizations in improving their level of cyber resiliency, and providing suggestions on creating a nexus between risk management and information security.
These statistics, which are listed in the foreword of the Guide, are compelling. “Many, if not most, health care organizations struggle with managing cybersecurity effectively. OCR’s HIPAA Audits Industry Report found that 86% of Covered Entities (CEs) and 83% of Business Associates (BAs) (85% collectively) did not meet expectations for a Risk Assessment. For Risk Management, 94% of CEs and 88% of BAs (91% collectively) did not meet expectations.” A corporate culture, which begins with senior leadership and the board of directors, is critical for setting the right tone and making cybersecurity risk management a priority.
On January 5, 2021, HR 7898 was signed into law; it amends the HITECH Act, 42 U.S.C. §17931, et seq., by adding Section 13412. In essence, HR 7898 provides that, so long as recognized security practices (i.e., NIST, Cybersecurity Act of 2015 §405(d), HIPAA Security Rule) have been in place for at least a year, HHS will consider mitigating fines or terminating an audit early.
Recent enforcement actions underscore the importance of, to paraphrase Wayne Gretzky, looking to where the puck is going. These examples highlight where the “puck is going” in terms of federal government enforcement.
- GoodRx (February 1, 2023) – the first case where an enforcement action was taken under the FTC’s Health Breach Notification Rule. Here, GoodRx, a telehealth and prescription drug discount provider, “fail[ed] to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Moreover, “[i]n a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.” GoodRx paid the government $7.8 million to settle the allegations.
- BetterHelp, Inc. (Mar. 2, 2023) – in another first-of-its-kind case, the FTC provided remuneration to customers who were harmed when “online counseling service BetterHelp revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.”
The DOJ and whistleblowers utilize the False Claims Act. As the March 14, 2023 DOJ press release regarding Jelly Bean Communications Design and its Manager (collectively “JellyBean”) illustrates, cybersecurity failures and the absence of the requisite technical, administrative, and physical safeguards are two areas that may form the basis of a False Claims Act cause of action. As a disclaimer, the False Claims Act is a very complex and intricate area of law.
Some key take-aways from the JellyBean settlement include the following:
- From January 1, 2014 through December 14, 2020 – a period of over six (6) years – JellyBean failed to provide secure hosting of protected health information (PHI) despite its representations in its agreements and invoices, and put patients, specifically children, and their PHI at risk.
- JellyBean created, hosted, and maintained a federally funded Florida children’s health insurance website and failed to secure personal information. Over 500,000 applications were hacked and the settlement amount to resolve the allegations amounted to $293,771.
- “The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996.” (DOJ Press Release).
- The government alleged that numerous outdated and vulnerable software applications were being utilized and that fundamental patches were not being applied.
In sum, “[l]everaging the NIST Cybersecurity Framework also aligns with the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight, which provides five key issues that corporate boards should consider as they oversee cybersecurity and cyber risk management programs:
- Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Understand the legal implications of cyber risk as they apply to the company’s specific circumstances.
- Ensure they have adequate access to cybersecurity expertise, and that discussions about cyber-risk management are given regular and adequate time on the board meeting agenda.
- Set the expectation that management will establish an enterprise-wide cyber-risk management framework.
- Include identification of which risks to either avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach, in discussions of cyber risks between the Board and organizational management.”
Evaluating the current appetite for risk within an entity’s culture is the first step to cultivating a culture of compliance. Implementing a practical approach for addressing cybersecurity risk management is the second step. Utilizing resources, such as the Guide, and adhering to training and to policies and procedures is a prudent third step. Overall, cyber threats in health care are not going away. In fact, they will only increase with the adoption of new medical devices. Being proactive can mitigate risk and a variety of liabilities, including legal, financial, and reputational.