 advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, 

Rachel V. Rose, JD, MBA

As is said, “the devil is in the details.” In December 2022, the Centers for Medicare and Medicaid Services (CMS) issued a surprise proposed rule, which would change the 60-Day Overpayment Refund Rule (60-Day Rule) with a few words. On March 23, 2010, the 60-Day Rule was enacted as Section 6402 of the Affordable Care Act (ACA). Subsequently, CMS issued separate final regulations for Medicare Parts A, B, C, and D. Unsurprisingly, §3729(a)(1)(G) of the 

 often coincides with the 60-Day Rule because it “is known as the reverse false claims section; it provides liability where one acts improperly – not to get money from the government, but to avoid having to pay money to the government.”

An example of the intersection of the 60-Day Rule and the False Claims Act’s reverse false claim is the October 2017 settlement with 

Jacksonville First Coast Cardiovascular Institute, P.A. (FCCI)

 for $488,821.58 after “knowingly delaying repayment of more than $175,000 in overpayments owed to Medicare, Medicaid, TRICARE, and the Department of Veterans Affairs.”

“When FCCI learned that it had received over $175,000 in potential overpayments to federal health care programs in 2016, it had a legal obligation to return those funds within 60 days,” stated Acting U.S. Attorney Stephen Muldrow. “Instead, they delayed repayment, ultimately retaining thousands of dollars to which they were not entitled. This settlement should send a message that we will aggressively pursue those who seek to unjustly profit from our nation’s federal health care programs.”

The proposed rule would remove the following language at 42 C.F.R. § 401.305(a)(2):

A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.

The new proposed 42 C.F.R. § 401.305(a)(2), which would replace the previous language follows:

A person has identified an overpayment when the person knowingly receives or retains an overpayment. The term “knowingly” has the meaning set forth in 31 U.S.C. 3729(b)(1)(A).

As set forth in 31 U.S.C. 3729(b)(1)(A) of the False Claims Act “knowingly” means “that a person, with respect to information—(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information.”

The take-away – public comments on the proposed rule are due by February 13. The potential liability for these seemingly small changes is significant. Compliance officers and in-house counsel alike should take note of the final rule and update training, as well as policies and procedures, because whistleblowers and the government certainly will.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.

Articles

On March 23, 2010, the 60-Day Rule was enacted as Section 6402 of the Affordable Care Act.

CMS proposes changes to the 60-day rule

For horse racing aficionados, the phrase, “and they’re off” should ring a bell! One week into 2023 and attention is being placed on HIPAA and the HITECH Act.

First, on January 3, 2023, HHS-OCR announced another 

settlement under its Right of Access Initiative bringing the total resolutions to 43

. There are three aspects of this $16,500 settlement for not providing patients their medical records in a timely manner which are notable:

The entity that paid the fine and entered into a corrective action plan (CAP) is a full-service diagnostic laboratory;

The length of time between the initial request by a patient’s legal representative and the receipt of the records was seven (7) months (NOTE: federal HIPAA’s timeframe is 30 days, unless there is a good faith basis for an additional 30-day extension, then the time allotted is 60 days); and

The CAP includes two (2) years of monitoring by HHS-OCR.

Second, comments are being sought until March 21, 2023 regarding the Centers for Medicare & Medicaid Services (CMS)-issued proposed rule, 

Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard (CMS-0053-P).

 Although the primary purpose of this proposed is to implement requirements related to HIPAA and the Affordable Care Act (ACA), one area to note it the potential impact on Stark Law, Anti-Kickback Statute, and False Claims Act scrutiny because it proposes the adoption of“a modification to the standard for the referral certification and authorization transaction (X12 278) to move from Version 5010 to Version 6020.” Referrals are the 

of scrutiny under the Stark Law, AKS, and FCA. Importantly, not all referrals are impermissible. Also, as 

, “[a]ny provider who accepts payment from any health plan or other insurance company must comply with HIPAA if they conduct the adopted transactions electronically.”

Other key provisions of the proposed rule include the following:

Implement requirements of the Administrative Simplification subtitle of HIPAA and ACA such as adopting standards for “health care attachments” transactions related to supporting health care claims and prior authorization transactions;

Electronic signatures’ standard for utilization with health care attachments transactions; and

“Section 1175 of the Social Security Act prohibits health plans from delaying the transaction, or adversely affecting or attempting to adversely affect, a person or the transaction itself on the ground that the transaction is in standard format.”

HIPAA, cybersecurity, as well as enforcement of fraud, waste, and abuse laws, will remain a priority for HHS, the Department of Justice, and other government agencies in 2023. Compliance and risk management are essential to avoiding potential government investigations, adverse actions, and legal proceedings.

HHS Proposed Rule – electronic transactions and privacy rule enforcement action.

HIPAA 2023!

, there are 6,093 hospitals in the United States with investor-owned (i.e., for-profit) hospitals accounting for 1,228 facilities. While most hospitals have boards of directors, perhaps except for government facilities, those facilities that are part of a health system that is publicly traded, such as Tenet Healthcare Corp. (NYSE: THC), HCA Healthcare Inc. (NYSE: HCA), and Community Health Systems, Inc. (NYSE: CYH), have additional obligations imposed by securities laws and related U.S. Securities and Exchange Commission (SEC) requirements.

All persons with boards should be making sure that the individual board members are meeting their common law fiduciary duties, including those of loyalty and care. Arguably, since a board of directors always has a duty to act for the good of an organization, that duty should extend to the knowledge of board members to evaluate cybersecurity risk as part of the entity’s strategic plan and enterprise risk management strategy. It is imprudent for the board of directors to be involved in the day-to-day operations of an entity – it’s not their role and it could increase their liability.

For publicly traded companies, including the aforementioned health systems, appreciating current obligations under the Exchange Act of 1934, the Sarbanes-Oxley Act of 2002 (SOX), and previous guidance issued by the SEC regarding cybersecurity, it is imperative to appreciate the 

, which relate to public companies and cybersecurity. Specifically, the proposed rules both build on existing requirements and add some new obligations, as follows:

Require current reporting about material cybersecurity incidents on Form 8-K;

Require periodic disclosures regarding, among other things:

A registrant’s policies and procedures to identify and manage cybersecurity risks;

Management’s role in implementing cybersecurity policies and procedures;

Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and

Updates about previously reported material cybersecurity incidents; and

Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

A couple of notable observations: (1) the board of directors is specifically mentioned; (2) policies and procedures (NOTE: an organization should have two sets - one that is comprehensive and one that provides enough substance for most employees and the public without putting an organization at risk); and (3) 

 has been around for a while and “is a freely available global framework of accounting standards used for exchanging business information.” Public companies and registrants (those persons who are registered with the SEC), should have already integrated XBRL with SOX Sections 302 and 404.

For those in the healthcare sector, here are a few key areas that boards and companies alike should be focused on in relation to cybersecurity, risk mitigation, and liability for both individuals and companies:

 – whether it is a medical device, a ransomware attack on a hospital, or having a request to send patient information to TikTok, organizations need to be proactive and implement a protection, detection, and correction strategy;

 – on November 28, 2022, HHS released a proposed rule to address Substance Use Disorder (SUD) under 42 CFR Part 2 and HIPAA, to ensure that these two laws are more aligned in terms of patient protections to avoid treatment discrimination;

 - Data tracking technologies are becoming more of a focus for a variety of government agencies, including the 

Federal Trade Commission and the U.S. Department of Health and Human Services

. Making sure your IT department knows how different software, such as Pixel, is integrating with an EHR and/or website to collect and use patient data and personally identifiable information is critical; and

 – certain states, including Illinois through its Biometric Information Privacy Act (BIPA), have very robust laws, which expressly state that a private cause of action exists in relation to potential violations of biometric information. Importantly, biometric information is also an “identifiable factor” on the list of personally identifiable information as it relates to HIPAA. On April 25, 2022, the U.S. District Court for the Northern District of Illinois in 

, Case No. 20-cv-4247, held that “faceprints derived from photographs are biometric identifiers and should be regulated under BIPA.” Notably, the court parsed out normal photographic images from facial geometric scans. Pursuant to BIPA Section 15(a), an individual must provide consent for an entity to collect or obtain their biometrics or the entity must provide notice that biometrics are being collected. Organizations/Persons must also have written policies and procedures.

In putting the final “bow” on this gift, placing qualified individuals on publicly traded companies’ boards in particular, may lead to reduced risk, lessened legal liability, and greater peace-of-mind. Government investigations, individual lawsuits, and class actions are unequivocally more expensive than an annual risk analysis and adequate due diligence when acquiring or merging with companies. Yet, many persons choose to ignore this and end up paying a much large price – financially, legally, and reputationally, later.

All persons with boards should be making sure that the individual board members are meeting their common law fiduciary duties, including those of loyalty and care.

The greatest gift to give your board: Cyber awareness

The Holidays are always a hectic time of year. Here are some timely events that healthcare industry participants should appreciate.

First, a significant number of people at one point in their lives, have “peaked” at presents before the actual holiday. When it comes to medical records “peaking” out of curiosity, self-gain, and/or financial remuneration is prohibited under HIPAA and may lead to either a

, as well as adverse action from a state licensure board. 

 occurred at a health system in Kentucky, where software detected a physician’s illegal access of patient records, including mental health records. Specifically, the physician accessed “the patient records of women he wanted to pursue romantically.” The health system’s Chief Medical Officer filed a related grievance with the Kentucky Board of Medical Licensure and the physician was terminated as a member of the medical staff. The Kentucky Board investigated, the physician underwent additional training, his attorney was involved in the communications, and the physician’s medical license is on probation for five years.

Second, most people have “regifted” an item at some point. Many forms of ransomware are “opened” by one person, only to be “reopened” again by another individual. On November 21, 2022, the Office of Information Security (HHS) and the Health Sector Cybersecurity Coordination Center 

. This particular ransomware has been around for approximately two years and engages in “big-game hunting” or whale phishing – that is targeting larger organizations in the extortion process. “Lorenz is known to target organizations globally using customized code, and can demand hundreds of thousands of dollars in ransoms.” One of the key take-aways from the report follows:

Lorenz is human-operated ransomware, run by operators known to be customize their executable code, tailoring it for their targets. This implies that they may maintain persistent access for reconaissance purposes for some extended period of time prior to ransomware deployment. They often follow the pattern of initial access, followed by reconaissance and lateral movement, ultimately seeking a Windows domain controller in search of administrator credentials.

 article, cybercriminals use holidays and weekends to strike. Be sure to have appropriate safeguards and remain vigilant in both personal and professional transactions.

Finally, for those who celebrate Christmas, an alignment of incentives often occurs between children and adults - improved behavior because Santa is watching. On 

November 28th, HHS issued a Notice of Proposed Rule Making

 (NPRM) that “would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that, among other things, require HHS to bring [42 CFR] Part 2 into greater alignment with certain aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.” Part 2 and HIPAA currently diverge in relation to substance use disorder (SUD) records – posing different requirements and creating barriers and compliance challenges. 

Public comments are due 60 days after November 28, 2022

. HHS is encouraging all stakeholders, including patients and their families, as well as facilities and medical professionals, to submit comments. The 

Today’s proposed rule outlines several important changes that can help safeguard the health and outcomes of individuals with SUD and create greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act. Proposed changes include:

Permitted use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.

Permitted redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.

New patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.

Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.

New HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2.

Updated breach notification requirements to HHS and affected patients.

Updated HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records.

In sum, maintaining a culture of compliance is critical for any person. The Holiday Season can be particularly challenging; however, the stakes are high.

Don't let the holidays get in the way of legal compliance.

Recent HIPAA, ransomware & data privacy issues to put at the top of your list

The Holidays and weekends are a time for disconnecting, which can also create distractions. Cybercriminals are poised to capitalize on this, especially during the Holiday Season.

 was issued by the Federal Bureau of Investigation (FBI) and Cybersecurity & Infrastructure Security Agency (CISA) highlighting their observation that “an highly impactful ransomware attacks occurring on holidays and weekends – when offices are normally closed.” The FBI and CISA reminded readers to remain vigilant in network defense practices and implement the recommended “best practices and mitigations” to mitigate the risk of cyberthreats, which includes ransomware.

, which reinforces that weekend and Holiday ransomware attacks remain an issue and result in greater revenue losses and increased recovery time. In 2021, Cybereason conducted a global survey, which led to alarming results. Specifically, “most companies were unprepared for a ransomware attack during ‘non-business’ hours, largely because they didn’t have contingency plans in place to address them and because they cut staffing levels during these times.” A year later, the findings remained the same – many persons were not prepared to handle a ransomware attack on weekends or holidays.

Thirty-four percent of 1,200 surveyed cybersecurity professionals whose organizations had been hit by ransomware on a holiday or weekend said it took them longer than usual to assemble an incident response team.” Meanwhile, 34% of health care “respondents said that it took their organizations longer to assess the attack scope, and 35 percent of” health care “respondents reported lengthier recovery times.

One startling question that was posed – “[h]ave you ever missed celebrating a holiday or participating in a weekend event because of a ransomware attack?” 88 percent “Yes”. So what are some suggestions to mitigate cybercriminals ruining your holiday or weekend? The following items are prudent solutions:

Explore different staffing models for SOC analysts and incident responders;

Identify optimal staffing for holidays and weekends;

Lock down privileged accounts during weekends and holidays;

Replace traditional antivirus products with behavior-based tools, which are capable of identifying attacks at their earliest stages.

In sum, don’t neglect cybersecurity hygiene while attempting to prevent your turkey or pumpkin pie from burning. Being proactive now can lead to reduced risk and a more enjoyable Holiday Season with peace of mind.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,

Cybercriminals are waiting for your guard to be down.

Turkey, pumpkin pie, ransomware safeguards – Check!

In November 2022, Senator Mark R. Warner released an important policy paper entitled, 

. As an attorney with federal government experience, as well as focusing my practice on healthcare, cybersecurity, securities law, Dodd Frank, and False Claims Act compliance, transactions, litigation, and representing individuals on certain matters before government agencies post-reportable cybersecurity incidents, there are a couple of important items that stood out to me as already being available.

 The critical question is why persons are not reading what is out there and utilizing the National Institute of Standards and Technology (“NIST”)’s general framework for approaching cybersecurity, which I have distilled from five (5) words to three (3) words: prevention, detection, and correction

In my experience handling these issues from different vantage pointsfor over a decade, persons either ignore the risks and costs of non-compliance with 

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related Rules and laws

, gamble on not having a government action brought against them either organically by a government agency or through the False Claims Act’s 

 provision, and/or view the monetary fines as a cost of doing business.

In order to address some of the items in the 

 in particular on certain cybercriminals overt statements about targeting hospitals and the healthcare system in order to put pressure on the hospitals to pay the ransom demand because of the threat of adverse patient outcomes, including a patient death;

Appreciating what has been in the HIPAA Security Rule since its effective date in 2005 – the fundamental purpose of the security rule is to protect 

 by ensuring that the confidentiality, integrity, and availability of the data remain intact. Hence, privacy and security go hand in hand;

Understanding that there are already laws in place, including the Cybersecurity Act of 2015 and the subsequent efforts under §405(d) which leveraged a public-private partnership to provide resources that now available through 

Evaluating compliance with recognized security practices (i.e., NIST standards, §405(d) guidelines and best practices, and HIPAA Security Rule) as expressed in 

HR 7898 (Pub. L. 116-321 (Jan. 5, 2021)),

 which are factors the government will consider when assessing fines and conducting an investigation; and

Ensuring that False Claims Act liability is mitigated using the new 

Anti-Kickback Statute’s safe harbors and Stark Law exceptions, most of which became effective on January 19, 2021

. In particular, those that relate to cybersecurity.

Incentives or “carrots” are important. Equally as important is the appreciation that where there are incentives, there are also those who allegedly will exploit or attempt to exploit a government incentive program or government procurement contract. In other words, commit fraud by not following the laws. One example is the 

U.S. Department of Justice’s first False Claims Act settlement

 under its Civil Division Cyber-Fraud Initiative. Another follows a line of cases and settlements stemming back at least five (5) years – electronic health record companies both falsifying their own compliance with HIPAA and the HITECH Act under the Meaningful Use and Interoperability Program, which providers detrimentally relied upon and placed their patients and systems at risk, as well as the illegal payment of kickbacks and the causing of false claims to be submitted. A 

recent example is Modernizing Medicine agreeing to pay $45 million to resolve these types of allegations.

In order to cultivate a culture of compliance organizations need to take a “patient safety first” approach, whether the person is a covered entity, business associate, or subcontractor because of the connectivity between these different entities. Coordination between government agencies ia always beneficial. I would argue that HIPAA is not outdated. To the contrary, it has continued to evolve since its inception. The question is whether persons utilize the resources and refer to the laws, which have been available for years.

In order to cultivate a culture of compliance organizations need to take a “patient safety first” approach to cybersecurity.