HIPAA Trifecta: Proposed Privacy Rule Changes, Criminal Enforcement Actions, and the Unintended Consequences of COVID-19
Rachel V. Rose, JD, MBA
TXHIMA – Annual Meeting, June 27, 2021
Disclaimer
The information presented is not meant to constitute legal advice. Consult your attorney for advice on a specific situation. The information presented is current as of the date of the original recording of the presentation. Given the dynamic nature of the topic, participants are encouraged to check the relevant government websites for the most recent information.
Agenda
• Headline Highlights
• HIPAA Overview
• Proposed Privacy Rule Updates & 21st Century Cures Act
• The DOJ’s Civil and Criminal Enforcement
• The Unintended Consequences of COVID-19
• Risk Mitigation & Compliance Tidbits
• Conclusion
Headline Highlights
Copyright 2021 - Rachel V. Rose - Attorney at Law, PLLC. All Rights Reserved. 7/8/21
DOJ Remarks Regarding the Civil Division’s 2021 Priorities
• Electronic Health Records – “Providers are increasingly relying on electronic records to improve treatment outcomes for patients. While electronic software is intended to reduce errors and improve the delivery of care, the transition to a digital format has also introduced new opportunities for fraud and abuse.”
• Cybersecurity – “Notably, both of the last two areas – electronic health records and telemedicine – reflect the increasing importance of technology to the health care system. Our growing reliance on technology is not limited, of course, to the health care arena, and thus neither are fraud schemes involving the development and use of technology. For example, cybersecurity related fraud may be another area where we could see enhanced False Claims Act activity. With the growing threat of cyberattacks, federal agencies are relying heavily on robust cybersecurity protections to safeguard our vital governmental data and information. To the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”
Source: https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-federal-bar
May 12, 2021 – Executive Order
• Within 60 days of the date of this order, the Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, shall review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommendations shall include descriptions of contractors to be covered by the proposed contract language.
HIPAA Overview
Who Is Under the Legal Umbrella?
HIPAA
• Covered Entities – Health Care Providers, Health Plans and Health Care Clearinghouses
• Business Associates – contract w/ Covered Entities
• Subcontractors – contract w/ Business Associates
TX House Bill 300 (TX HIPAA)
• Different definition of “covered entity” that encompasses anyone who creates, receives, maintains and transmits PHI.
Federal Trade Commission
• Fills the “gap” of the Federal HIPAA definitions.
Legislative History
• 1996 – HIPAA (Public Law 104-191) – need for a consistent framework for transactions and other administrative items.
• 2002 – The Privacy Rule (Aug. 14, 2002)
• 2003 – The Security Rule (Feb. 20, 2003)
• 2009 – Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (Feb. 17, 2009)
• 2009 – The Breach Notification Rule (Aug. 24, 2009)
• 2010 – Privacy and Security Proposed Regulations (Feb. 17, 2010)
• 2013 – Omnibus Rule (Effective March 26, 2013, Compliance Sept. 23, 2013).
HIPAA and the HITECH Act
• 45 CFR §§ 164.400-414 and Section 13407 of the HITECH Act.
• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
• Requires covered entities to notify affected individuals, the U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.
• Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.
• Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually.
• The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
• NOTE: there are three exceptions to a breach.
The HITECH Act & HR 7898
• HR 7898 was signed into law on January 5, 2021.
• Addresses the recognition of security practices and amends the Health Information Technology for Economic and Clinical Health Act by adding Section 13412.
• A technical correction to Section 3022(b) of the Public Health Service Act (“PHSA”) was added and “shall take effect as if included in the enactment of the 21st Century Cures Act, [Pub. L. 114-255 (Dec. 13, 2016)].”
Key Items
• The Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may mitigate fines, result in an early audit termination, and mitigate remedies.
• The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).
• NO LIABILITY FOR NONPARTICIPATION.—Subject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.
Important Notice Regarding Individuals’ Right of Access to Health Records – Headline Nuggets – Ciox
NOTE: a portion of the Final Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)) was changed in Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).
• A portion of that rule was challenged in federal court, specifically provisions within 45 C.F.R. § 164.524, that cover an individual’s access to protected health information.
• On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.”
• Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.
• The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect.
• OCR will continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.
HHS Issues Proposed Changes to the HIPAA Privacy Rule
Second, HHS published proposed changes to the HIPAA Privacy Rule, which center around increasing an individual’s rights and access to his/her protected health information (“PHI”), expanding information sharing for purposes of care coordination, providing disclosure flexibility in select situations (i.e., opioid overdose, COVID-19), and reducing administrative burdens on covered entities.
HIPAA Privacy Rule Proposal
The three laws implicated are: HIPAA, the HITECH Act, and the 21st Century Cures Act. The key areas to focus on are as follows:
• reinforcing an individual’s right to access his/her own PHI, including ePHI;
• improving the sharing of information for purposes of care coordination;
• facilitating greater family and caregiver involvement through appropriate disclosures during crisis situations (i.e., the COVID-19 pandemic, opioid crisis); and
• reducing administrative burdens on providers.
The Security Rule
The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
TAP and Safeguards
TAP = Technical, Administrative and Physical requirements as set forth in 45 CFR 164.302.
• Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
• Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Assessing Risk
• HHS advocates building a “culture of compliance.”
• Policies + Processes + TAP + Tracking = Visible Demonstrable Evidence (“VDE”)
• VDE helps with the following:
  - Mitigating risk
  - Minimizing the exploitation of vulnerabilities
  - Assisting a person in achieving its commitment to compliance
The 21st Century Cures Act – A Glimpse of HIPAA’s Evolution
April 21, 2020 CMS Announcement
• The Interoperability and Patient Access final rule includes policies that impact a variety of stakeholders. Recognizing that hospitals, including psychiatric hospitals, and critical access hospitals, are on the front lines of the COVID-19 public health emergency, CMS is extending the implementation timeline for the admission, discharge, and transfer (ADT) notification Conditions of Participation (CoPs) by an additional six months.
• In the version of the rule displayed on March 9, 2020 on the CMS website, it stated these CoPs would be effective 6 months after the publication of the final rule in the Federal Register.
• We have changed this in the final rule now displayed on the Federal Register to state that the new CoPs at 42 CFR Parts 482 and 485 will now be effective 12 months after the final rule is published in the Federal Register.
Information Blocking
• Section 4004 – 21st Century Cures Act
• “Information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).”
Practices Likely to Constitute Information Blocking (Cures Act Section 4004)
• Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT).
• Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI.
• Implementing health IT in ways that are likely to: (a) restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or (b) lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.
Information Blocking Exceptions
Two general categories: (1) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI; and (2) exceptions for not fulfilling requests to access, exchange, or use EHI.
• Category 1 – Preventing Harm Exception, Privacy Exception, Security Exception, Infeasibility Exception, and Health IT Performance Exception.
• Category 2 – Content and Manner Exception, Fees Exception, and Licensing Exception.
The DOJ’s Civil and Criminal Enforcement
Cisco Systems Settlement
• July 31, 2019 Settlement – $8.6 million to settle allegations that it sold video surveillance equipment to federal and state government agencies knowing that the equipment was susceptible to cyberattack.
• Almost two years after the suit was filed, in mid-2013, Cisco acknowledged that there were “multiple security vulnerabilities in versions of Cisco [Video Surveillance Manager] prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system,” including the ability to alter camera feeds.
• Notable because the case was filed in 2011 and it is believed to be the first FCA case based on cybersecurity fraud upon a government agency.
Electronic Health Records Vendor FCA Settlements
• 3 settlements (eClinicalWorks, Greenway Health LLC, and Inform Diagnostics) that total more than $275 million.
• 1 settlement for HITECH Act and HIPAA non-compliance – the Coffey Health System case.
The basis for the cases:
• In 2011, the Centers for Medicare & Medicaid Services (CMS) established the Medicare and Medicaid EHR Incentive Program “to encourage clinicians, eligible hospitals, and CAHs to adopt, implement, upgrade and demonstrate meaningful use of certified EHR technology (CEHRT).”
• Independent certification bodies are used to review and determine if the EHR system submitted by the EHR vendor meets certain requirements.
• In April 2018, CMS changed the name of the EHR Incentive Program to Promoting Interoperability Programs (PI). The impact of this change is to “move the programs beyond the existing requirements of meaningful use to a new phase of EHR measurement with an increased focus on interoperability and improving patient access to health information.”
• PI requirements include certifications, certification criteria, and use parameters. As incentive payments for EHR continue, the government’s scrutiny of entities receiving these payments does as well.
eClinicalWorks
• May 31, 2017 – DOJ announces $155 million settlement and ECW enters into a five-year Corporate Integrity Agreement (CIA).
• DOJ’s Complaint in Intervention (Complaint) alleged that ECW’s conduct caused the submission of false claims and false statements to the government.
• The government alleged that to ensure the software was certified and customers received incentive payments under the incentive programs, ECW falsely attested that it met certain criteria to the certification body and prepared its software to pass such testing without actually meeting the criteria.
• ECW also allegedly caused its users to report inaccurate information, such as using certified EHR technology and satisfying meaningful use requirements, in the users’ attestations when requesting incentive payments from CMS.
United States ex rel. Awad et al. v. Coffey Health System
• Case No. 2:16-cv-03034 (D. Kan.)
• May 31, 2019 Settlement – $250,000
• About the case:
1. Coffey is a critical access hospital.
2. Coffey falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013.
3. Submission of false and fraudulent claims under the EHR incentive program.
4. “Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records.” – DOJ Press Release.
GMC Former Employee’s Indictment
Case No. 1:21-cr-0228 (N.D. Ga. Jun. 8, 2021) – https://www.justice.gov/opa/press-release/file/1403201/download
Vikas Singla, a former employee of Gwinnett Medical Center (Lawrenceville, GA) who ran a network security company that offered services for the healthcare industry, was charged with the following: 17 counts of intentional damage to a protected computer; and obtaining information by computer from a protected computer.
Alleged conduct:
• Disrupting the hospital’s Ascom phone system;
• Stealing protected health information;
• Accessing Lexmark printers and a Hologic R2 Digitizer.
Risk Mitigation in the Era of Ransomware
NIST, FIPS, and Agency Tidbits
What Is Ransomware?
Fundamentally, taking a person’s data and holding it hostage in exchange for money. Ransomware can disrupt the confidentiality, integrity, and/or availability of data.
Brutal Ransomware Attack Types
• Maze is the most infamous ransomware threat to enterprises all over the world at the moment. The Maze ransomware encrypts all files and demands a ransom to recover the files. It threatens to release the information on the internet if the victim fails to pay the demanded ransom. The most recent victims of Maze ransomware are Cognizant, Canon (allegedly), Xerox, and industries such as healthcare.
• REvil is a file-blocking virus, considered a cyber threat, that encrypts the victim’s files after infecting the system and sends a request message. The message explains that the victim is required to pay the requested ransom in bitcoin. If the victim fails to pay the ransom in time, the demand is doubled.
• Ryuk ransomware mainly targets business giants and government agencies that can pay huge ransoms. It recently targeted a US-based Fortune 500 company, EMCOR, and took down some of its IT systems.
General NIST Framework
CISA Ransomware Guidance
• Ransomware is a form of malware designed to encrypt files of a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
• CISA “Best Practices”:
  - Maintain offline back-ups
  - Maintain regularly updated “gold images” of critical systems in the event that they need to be rebuilt
  - Maintain a comprehensive incident response plan
Source: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Joint Cybersecurity Advisory – Ransomware Activity Targeting the Healthcare and Public Health Sector
• Joint Government Agency Publication (updated Oct. 29, 2020), which came about in light of six ransomware attacks against hospitals across the United States.
• The primary ransomware utilized to infect systems for financial gain were Ryuk and Conti.
• The primary activities “include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware.”
NIST Tips & Tactics – Ransomware
• Use antivirus software consistently;
• Keep computer patches up-to-date;
• Block access to ransomware sites by installing the appropriate software and services;
• Allow only authorized apps on computers, tablets, and smart phones;
• Restrict personally-owned devices;
• Use standard user accounts versus accounts with administrative privileges whenever possible;
• Avoid the use of personal apps and websites on company or work computers;
• Train the workforce to be aware of unknown sources and social engineering, and be sure to run an antivirus and/or look at links carefully.
Conclusion – Prevention, Detection & Correction
Take-Aways
• The healthcare industry continues to be a top target of cybercriminals.
• The DOJ is increasingly taking action for cybersecurity attacks associated with PHI, which ties back to HIPAA.
• Individual access to one’s own PHI/medical records will continue to be an emphasis, which must be balanced against cybersecurity considerations.
• Top 5 Actions to Mitigate Risk:
  - Annual Risk Analysis
  - Adequate Policies and Procedures
  - Business Associate Agreements
  - Annual Workforce Training
  - Encryption at Rest & In Transit
Thank You & Questions
Rachel V. Rose, JD, MBA
rvrose@rvrose.com * (713) 907-7442