Kusserow on Compliance: Inova Health System another victim of ransomware attack

Inova Health System is the latest of a dozen health systems affected by a ransomware attack at a third-party software vendor. The Virginia-based health system issued a notice on September 9, 2002 notifying up to 1,045,270 patients and donors, according to a notification Inova submitted to the HHS Office for Civil Rights (OCR). The incident is traced back to Blackbaud Inc., a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities. Inova’s notice stated that it was notified by Blackbaud of a ransomware attack that Blackbaud had discovered and stopped in May 2020.

The attack involved intermittently removing data from the Blackbaud system, which included certain information maintained for Inova. Inova’s investigation found that the affected data may have contained certain personal information of some patients and donors, including: full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history such as donation dates and amounts. The notice also stated that there is no evidence the data will be misused, disseminated or made publicly available, and that Inova was assured all compromised data was destroyed and the vulnerability that allowed the incident was closed. The incident did not expose Social Security numbers, financial account information, payment card information, or electronic health records. Blackbaud reportedly prevented the cybercriminals from blocking its system access and fully encrypting its files; however, the criminals were able to remove a copy of a subset of data. Blackbaud also reported paying a ransom so that the attackers would destroy their backup file of stolen information.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Hospitals pay nearly $1 million over ABC television documentary

After allegations that the privacy of patients was compromised by inviting film crews for an ABC television documentary series without first obtaining authorization, three hospitals in Boston have agreed to pay nearly $1 million to settle potential violations. The HHS Office for Civil Rights (OCR) has reached separate settlements with Massachusetts General Hospital (MGH), Brigham and Women’s Hospital (BWH), and Boston Medical Center (BMC) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews for an ABC television network documentary series without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential violations of the HIPAA Privacy Rule. HHS has also provided specific guidance about the Health Insurance Portability and Accountability Act (P.L. 104-191) and media coverage, including direction that blurring or pixelation is insufficient to protect patient privacy (Resolution Agreement, August 3, 2018; Resolution Agreement, September 6, 2018; Resolution Agreement, September 6, 2018).

Settlements

To resolve potential HIPAA violations, MGH agreed to pay $515,000, BWH agreed to pay $384,000, and BMC agreed to pay $100,000. Each entity also agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media. HHS initiated the investigation of BWH based on information in a Boston Globe newspaper article that indicated BWH permitted ABC News to film a medical documentary program at BWH. HHS also initiated an investigation of MGH based on a news story posted to MGH’s website indicating that ABC News would be filming a medical documentary program at MGH.

This is the second HIPAA case involving an ABC medical documentary television series. In 2016, New York-Presbyterian Hospital entered into a settlement in association with the filming of “NY Med.” “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Guidance on media coverage

HHS reaffirmed that health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in any written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients. Using techniques such as blurring, pixelation, or voice alteration software for patients from whom an authorization was not obtained is insufficient.

Only in very limited circumstances does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility. A health care provider may also utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place.

Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report that focuses on software bugs and patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance; without them, vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI, and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for deployment.
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects.
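As an added illustration (not code from the OCR report or from this newsletter), the following Python tracker enforces the five steps above in that order and keeps the audit trail a Security Rule reviewer would ask for; the patch identifiers, hostnames and change ticket are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The five steps the OCR lists, in the order they must be completed.
STEPS = ("evaluate", "test", "approve", "deploy", "verify")


@dataclass
class PatchRecord:
    patch_id: str                    # vendor advisory id (constructed sample values below)
    systems: tuple                   # hosts the patch is meant for
    done: list = field(default_factory=list)  # completed steps, in order
    log: list = field(default_factory=list)   # (utc timestamp, step, note) audit entries
    applicable: bool = True          # set False when evaluation finds the patch irrelevant

    def next_step(self):
        """The step that must happen next, or None when the cycle is finished."""
        if not self.applicable or len(self.done) == len(STEPS):
            return None
        return STEPS[len(self.done)]

    def record(self, step, note="", applies=True):
        """Record a completed step; an out-of-order step is rejected, not silently accepted."""
        expected = self.next_step()
        if step != expected:
            raise RuntimeError(f"{self.patch_id}: expected {expected!r}, got {step!r}")
        if step == "evaluate" and not applies:
            self.applicable = False   # nothing to test or deploy; the record stays for audit
            note = note or "not applicable to listed systems"
        self.done.append(step)
        self.log.append((datetime.now(timezone.utc).isoformat(), step, note))

    def is_complete(self):
        """True once verified on live systems, or once evaluation ruled the patch out."""
        return not self.applicable or self.done[-1:] == ["verify"]


def demo():
    """Walk one constructed patch through the cycle, including one out-of-order attempt."""
    rec = PatchRecord("VENDOR-ADV-EXAMPLE-001", ("ehr-app-01", "ehr-db-01"))
    rec.record("evaluate", "applies: affected processor microcode on both hosts")
    try:
        rec.record("deploy")          # skipping test and approve must fail
    except RuntimeError as err:
        skipped = str(err)
    rec.record("test", "isolated clone: no side effects observed")
    rec.record("approve", "change ticket CHG-EXAMPLE")
    rec.record("deploy", "installed on live hosts")
    rec.record("verify", "patch level confirmed, services healthy")
    return rec, skipped
```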


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Emerging government enforcement priorities for 2018

At the HCCA conference in April, there were several presentations regarding the government’s enforcement priorities. A number of emerging issues were the subject of considerable attention: the opioid crisis, electronic health record (EHR) fraud, and telehealth/telemedicine. By far, the area given the most attention was the opioid crisis. More than a dozen presenters included comments on this subject in their presentations, including presenters from the DOJ, OIG, CMS, and the OCR. This is not surprising in that last October the President declared this to be a national public health care crisis and marshaled regulatory and enforcement agencies to actively focus on steps to alleviate it. Other agencies not present at the HCCA are included in this effort, such as the FDA, FCC, CDC, Indian Health Service, Veterans Administration, Department of Defense TRICARE program, and others. At the federal and state level, there is increased legislative, regulatory, and enforcement activity related to substance abuse and behavioral health services. In January, the Attorney General announced that the DEA was increasing its focus on pharmacies and prescribers who dispense unusual or disproportionate amounts of such drugs. He also created the Prescription Interdiction and Litigation (PIL) task force to aggressively deploy and coordinate all available criminal and civil law enforcement tools to address the crisis. Both DOJ and OIG presenters noted the July 2017 “take down” of 412 defendants in 41 different judicial districts. The defendants included over 100 doctors, nurses, and other licensed medical professionals. Together these individuals were responsible for over $1.3 billion in false billings.

The second most reported topic concerned cyber and IT security of Protected Health Information (PHI). This was a main topic in the presentation by OCR, and was also alluded to in seven other presentations on cybersecurity threats and complying with HIPAA Privacy and Security standards. The OCR reported that since 2009, there have been 2,178 reports of breaches affecting more than 500 files, with more than 300,000 cases of breaches affecting fewer than 500 files. The OCR has responded to over 170,000 complaints, which resulted in over 25,000 cases being resolved with corrective action measures. The OCR expects about 17,000 new complaints this year. The top 10 recurring issues involve: (1) disclosure of sensitive paper information, (2) business associate agreements, (3) risk analysis, (4) failure to manage risks, such as with encryption, (5) lack of transmission security, (6) failure of ongoing auditing, (7) no patching of software, (8) insider threats, (9) improper disposal of records, and (10) insufficient backup of information and contingency planning.

Several sessions focused on physician arrangements and how they could implicate the Anti-Kickback Statute and Stark Law. Statistics from DOJ indicated a continuing increase in the number of qui tam cases, which has grown from 426 in 2015 to around 500 in 2017, with annual settlements averaging about $2.5 billion per year.

New cases involving Meaningful Use fraud were reported, with the promise that more new cases were under development. Another area getting a lot of enforcement attention from the DOJ and OIG relates to telehealth and telemedicine. Cases surfacing now focus on claims arising from billings for services in these areas that did not qualify as such. Only certain telehealth services are covered by Medicare, and providers should take care to follow CMS guidance on what qualifies.

It is interesting to compare these priorities with the results of the 2018 Compliance Benchmark Survey of compliance officers. There was no mention of the opioid crisis, as it was just an emerging national issue at the time the survey was taken. HIPAA security/cyber-security was the highest priority. It is troubling that corrupt arrangements with referral sources remain the number one regulatory and enforcement priority for the OIG and DOJ but are ranked fifth in priority by respondents. The other major and continuing enforcement priority related to claims submissions, which ranked third in priority among compliance officers. A complementary webinar relating to this survey will be presented on May 9th.


Copyright © 2018 Strategic Management Services, LLC. Published with permission.