Health Law Hot Topics Webinar Series

Please Join Us

Complimentary 3-Part CLE-Approved Health Law Webinar Series

May 3, 10, and 17

In partnership with Goodwin Law, Wolters Kluwer is offering a three-part webinar series focusing on issues of high impact on health law today.


CLE credits are only offered for live attendance and are complimentary.


Session 1

Title: Healthcare Law for Digital Health, Telemedicine, and Health IT Companies

Date: Thursday, May 3, 2018

Time: 1:00 PM Eastern Daylight Time

Duration: 1 hour

Register for Session One: Healthcare Law for Digital Health, Telemedicine, and Health IT Companies


Session 2

Title: FDA Regulation of Digital Health and Health IT

Date: Thursday, May 10, 2018

Time: 1:00 PM Eastern Daylight Time

Duration: 1 hour

Register for Session Two: FDA Regulation of Digital Health and Health IT


Session 3

Title: Data Privacy and Security for Digital Health and Health IT

Date: Thursday, May 17, 2018

Time: 1:00 PM Eastern Daylight Time

Duration: 1 hour

Register for Session Three: Data Privacy and Security for Digital Health and Health IT


FEATURED PRESENTER:

Roger A. Cohen is a partner in Goodwin’s nationally recognized Life Sciences Practice.
He counsels healthcare services, life sciences, and healthcare IT clients concerning compliance with the myriad laws and regulations governing the delivery of healthcare services such as the Anti-Kickback Statute, the Physician Self-Referral Law (the Stark Law), the False Claims Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Medicare and Medicaid rules and regulations, and laws governing reimbursement, licensure, and certification.

MODERATOR:

Kathryn Beard is the Associate Managing Editor in the Health Law editorial team of Wolters Kluwer Legal & Regulatory U.S.
Her areas of expertise include the Affordable Care Act, health care reform, Medicaid expansion, social media, and the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), including the merit-based incentive payment system (MIPS), advanced alternative payment models (APMs), and the Quality Payment Program (QPP).


Wolters Kluwer Legal & Regulatory U.S. is pleased to partner with Above the Law for CLE accreditation.* Upon the conclusion of each webinar, an informal certificate of completion will be issued by Wolters Kluwer Legal & Regulatory U.S. Attendees will also receive an official certificate via email from Above the Law’s third-party CLE provider, Marino Law.

*CLE available for NY, NJ and CA. A Uniform Certificate of Attendance for CLE credit will be issued for all other states.

Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is especially challenging because the cybersecurity threat is unlike other compliance risks. He listed the primary factors that make cybersecurity unique:

  • the people trying to penetrate systems are adversarial and usually offshore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • Mentoring. This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues with which the mentor is unfamiliar.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore its effectiveness is hard to assess.

Training tips

Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound-bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches, as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should focus on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known, understood, and effective; to guarantee compliance; and to identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that, in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and required written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office for Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

Webinar gives tips on improving next eCQM submissions

Health care compliance professionals who are involved in electronic clinical quality measures (eCQM) submissions should prepare now for their 2017 submissions, according to Catherine Gorman Klug RN, MSN, Director, Quality Service Line, for Nuance Communications. In a Health Care Compliance Association (HCCA) webinar titled, “eCQM Lessons Learned and How to Prepare for 2017 Submissions,” Klug warned attendees about hidden dangers, including the lack of experience for eCQM vendors, inaccurate data submissions, and the challenges posed by multiple types of electronic health record (EHR) data files generated from more than one system. She also gave recommendations for reducing risk and listed sample questions for the information technology (IT) department.

CMS requires hospitals to report eight of 15 eCQMs, with data reported for the entire year. According to Klug, the agency expects “one file, per patient, per quarter,” that includes all episodes of care and measures associated with the patient. Many hospitals use vendors to assist with the eCQM submissions, but Klug noted that vendors must have an adequate amount of time to respond to required changes before submission, and that although many vendors support a broad number of eCQMs, they may lack adequate depth of coverage. Hospitals should choose vendors who are experienced in the eCQMs they are reporting. Further, there is no way to validate the files once submitted. Possible consequences of an inaccurate submission include an annual payment update reduction, failure to receive the EHR incentive payment, or poor quality scores on CMS’ Hospital Compare site.

To reduce risks, hospitals should ask the core measures vendor to validate files before submission to CMS. They should also review file error reports from the vendor and make corrections before the data is submitted. Aggregated file error reports should also be reviewed to ensure that formatting or data elements don’t result in an inaccurate submission. Klug said that accurate coding is absolutely essential. Therefore, hospital IT departments should be prepared to explain how files are validated prior to submission to ensure accuracy and, if they are not validated, what the remediation strategy is. Further, compliance professionals should request a file error report, and any other reports, to help understand the data being submitted.