 advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, 

Rachel V. Rose, JD, MBA

, Tenet healthcare Corporation (NYSE: THC) announced that a cybersecurity incident occurred a week before. “The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.” In essence, and in accordance with HIPAA, the two hospitals that were impacted immediately invoked its disaster recovery and business continuity plans in order to, first and foremost, mitigate the impact on the delivery of patient care.

Tenet is a publicly traded company, so the timing of its disclosure to the market is also crucial in avoiding potential liability under a variety of SEC rules and regulations. On March 9th, the 

 on a variety of items related to cybersecurity, including incident disclosure by public companies. As SEC Chair Gary Gensler stated, "cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors.”

What can organizations do to be proactive in protecting personally identifiable information (PII) and protected health information (PHI)? The National Institute of Standards and Technology (NIST) published 

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

, which provides sage advice for maintaining the confidentiality, integrity, and availability of data through prevention, detection, and correction. When I conduct audits, one item that never ceases to amaze me is the use of the following for passwords: PASSWORD, LAST 4 DIGITS OF SS#, OR a DATE OF BIRTH. These partial identifiers are also “considered PII because they are still nearly unique identifiers and are linked or linkable to a specific individual.” (p. 2-2).

NIST proscribes the following action items:

Identifiability. Organizations should evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.

De-identify records and information so that the individual cannot be identified.

Update policies and procedures and have tiered sanctions in place for failing to adhere to the basic tenet of not using PII or PHI as part of or a whole a password.

The scrutiny on cybersecurity measures will only become more intense. In healthcare, one must always consider the ultimate adverse patient outcome – death. As cybercriminals ratchet up their tactics on hospitals and other providers, prevention and detection are going to be critical to mitigating the risk of an attack, as well as responding to one.

 advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, 

Articles

What can organizations do to be proactive in protecting personally identifiable information (PII) and protected health information (PHI)?

Tips for protecting the confidentiality and integrity of patient data

While the government appreciates that telemedicine and telehealth were vital through the pandemic and can be an effective tool in certain situations as people increasingly return to in-person visits, it is also acutely aware that this area is ripe for fraud. “Generally, 

 is the remote or virtual delivery of health care services. Patients can receive a wide range of telehealth services, including check-ins with their primary care providers, mental health care, and specialty services. Similarly, telehealth can be provided through a wide range of technologies, including video chats, remote patient monitoring devices, and phone calls.”

U.S. Department of Health and Human Services Office of the Inspector General

 (“HHS-OIG”) noted, “[i]t is important that new policies and technologies with potential to improve care and enhance convenience achieve these goals and are not compromised by fraud, abuse, or misuse.” As part of its Work Plan, HHS-OIG issued 

, which has a reported issue date in 2023. As part of their compliance program, providers and business associates should incorporate telehealth into their policies and procedures and annual HIPAA risk analysis. As 

, “[i]f telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI).” Reasonable safeguards include technical, administrative, and physical safeguards, which every person should be evaluating on the respective annual risk analysis. 

HHS-OIG is not the only government agency looking at telehealth. On April 21, 2022, the United States Department of Justice 

 that “[a]n indictment was unsealed today in federal court in Brooklyn charging Elemer Raffai, an orthopedic surgeon, with health care fraud in connection with a $10 million scheme involving the submission of false and fraudulent claims in Medicare and Medicare Part D plans.”This matter focuses on the payment of kickbacks by telemedicine companies to a physician, who in turn allegedly submitted millions of dollars in false and fraudulent claims to Medicare on behalf of beneficiaries without even examining them or based on conversations on the phone that lasted less than three minutes.” For $25 to $30 per patient, the physician and other allegedly caused the submission of false and fraudulent claims.

This begs the question – was it worth it? This physician and other could, if they are found guilty or enter a guilty plea, be sentenced under the Federal Sentencing Guidelines. Additionally, their participation in government programs could be revoked or excluded. Having a robust compliance program in place that strives to cultivate a culture of compliance is critical to mitigating fraud.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,

With the public health emergency possibly coming to an end, the government is looking to continue telemedicine expansions.

The government’s focus on telemedicine

On March 30, 2022, Sara McClean, Assistant Director of the Litigation Branch of the Department of Justice, appeared in her individual capacity on 

Fraud in America – The Department of Justice’s Civil Cyber-Fraud Initiative

highlighted the first settlement by the Department of Justice under its civil cyber-fraud initiative

, which involved two main areas of false and fraudulent claims: (1) failure to store medical records on a secure EMR system; and (2) illicit procurement of controlled substances that were not FDA or EMA approved.

This article highlights DOJ and HHS-OCR settlements, which involve cybersecurity and/or privacy violations related to the creation, receipt, transmission, maintenance, and/or sale of protected health information, which could trigger liability under the False Claims Act:

United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al. 

United States ex rel. Watkins et al. v. CHS Middle East, LLC

– civil settlement in the amount of $930,000 to resolve two False Claims Act 

cases. While both cases raised the issue of illicit procurement of controlled substances, only Dr. Lawler’s case addressed the lack of cybersecurity standards and HIPAA compliance, which put confidential medical records at risk. “The investigation and resolution of this matter illustrates the government’s emphasis on combatting cyberfraud.”

United States ex rel. Delaney v. e ClinicalWorks, LLC (D. Vt.)

– civil settlement in the amount of $155 million and a Corporate Integrity Agreement (CIA) to resolve a False Claims Act 

case for “ECW falsely obtaining that certification [under the EHR Incentive Program] for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification.” In turn, providers relied on the ECW’s EHR being certified as meeting certain standards in its attestations to the government that the requisite criteria were met and approved by an accredited independent certifying entity. “In its complaint-in-intervention, the government contends that ECW falsely obtained that certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification.”

United States ex rel. Awad v. Coffey Health System (D. Kan.)

 - civil settlement in the amount of $250,000 to resolve a False Claims Act 

case for the hospital’s “submission [of] false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program. … To obtain the payments, providers must attest that they satisfy applicable HHS-adopted criteria, including measures for analyzing and addressing security risks to electronic health records.” Said another way, the attestation that providers were required to sign in order to obtain the funds included complying with HIPAA’s Security Rule, which has defined technical, administrative, and physical safeguard requirements.

Warner Chilcott Health Care Fraud & HIPAA Violations (D. Mass.)

 – criminal and civil liability for pharmaceutical company Warner Chilcott, as well as individuals, for the illegal promotion of drugs through paying kickbacks to physicians in order to gain access to patient medical records and submit and cause to submit claims for payment by government agencies. In addition to the former president of Warner Chilcott being arrested, “three former district managers pleaded guilty or agreed to plead guilty to conspiracy to commit healthcare fraud and criminal HIPAA violations, and a Springfield, Mass. Physician was indicted for taking kickbacks, criminal HIPAA violations and obstruction of justice.” The then Inspector General of HHS-OIG added, “[p]aying kickbacks and even providing instructions on how to defraud Medicare are practices that will not be tolerated.”

These four cases highlight that failing to adhere to government contract and claims submission requirements and attesting that the requisite HIPAA technical, administrative, and physical safeguards are being met and/or that patients’ protected health information is kept private and not accessed or sold without their knowledge and consent in exchange for some form of remuneration, is material to the government’s willingness to pay claims and even enter into contracts in the first place – whether through the State Department or participation in various programs administered through HHS.

, the division that is tasked with enforcing HIPAA and relatedly, an individual’s civil rights, announced an enforcement action that is in line with the DOJ’s cybersecurity initiatives and the types of cases that led to False Claims Act liability previously mentioned in this article. Specifically, “a dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.” Providing access to PHI for remuneration, including to a third-party marketing company, is analogous to what happened in the Warner Chilcott case – instead of prescriptions, it was for votes.

In sum, the DOJ has highlighted four paths that led to False Claims Act liability involving cybersecurity and/or HIPAA violations. This is an important area to watch as more laws are passed and coordinated enforcement by various government agencies increases.

Cybersecurity scenarios leading to false claims act recoveries

Before delving into a recent U.S. Department of Justice (DOJ) settlement, which involved employing an “excluded” individual, it’s important to appreciate some of the tools that the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) has at its disposal – 

 – are negotiated by HHS-OIG “with healthcare providers and other entities as part of the settlement of Federal health care program investigations arising under a variety of civil false claims statutes. Providers or entities agree to the obligations, and in exchange, OIG agrees not to seek their exclusion from participation in Medicare, Medicaid, or other Federal health care programs.” Typically, a CIA lasts 5 years and the person who enters into the CIA must make scheduled reports to HHS-OIG. Importantly, CIAs are specific to the facts and circumstances of a particular matter and include breach and default provisions, which enable HHS-OIG to impose additional monetary penalties (i.e., Stipulated Penalties). A 

 “constitutes an independent basis for the provider’s exclusion from participating in Federal healthcare programs.”

; however, they may arise because of a False Claims Act case or other matter that was initiated through or by DOJ. HHS-OIG’s authority to impose exclusions is derived from the Social Security Act §§ 1128, 1156.“The scope of an exclusion under section 1128 of the Act is from all Federal health care programs, as defined in 42 CFR 1001.2. … Exclusions under section 1156 of the Act do not reach other Federal programs (although HHS or another Federal agency could separately initiate a suspension or debarment of an excluded person from other Federal procurement or nonprocurement programs).” The process begins when a person receives a Notices of Intent to Exclude (NOI). From there, the recipient of the NOI is given the opportunity to respond. Once all the information is considered, HHS-OIG renders its decision. If the findings substantiate exclusion, the person is notified. From there, they may appeal to an HHS Administrative Law Judge and further appeal to the HHS Departmental Appeals Board (DAB). After the DAB renders its decision, judicial review in a U.S. District Court is also available. Reinstatement of an individual or entity is not automatic; rather, the person must apply for reinstatement. If reinstated, the person receives written notice from HHS-OIG that they have been reinstated. The excluded individual may begin the process 90 days before their period of exclusion ends.

On March 18, 2022, the DOJ announced that 

Windham Eye Care Practice and its Owners Pay $192K for Employing “Excluded” Individual

. Specifically, the federal and state governments entered into a civil settlement agreement “to resolve allegations that they improperly employed an individual who was excluded from all federal healthcare programs.” Windham Eye Group (WEG) employed Michael Vallone as its practice administrator from February 2010 through May 2021. Previously, Mr. Vallone was convicted of healthcare fraud in the District of New Jersey and was excluded from all federal healthcare programs under §1128 of the Social Security Act.

As noted by the DOJ, when HHS-OIG “excludes an individual or entity from federal health care programs, 

no program payments may be made for items or services furnished by that excluded individual or entity

.” (emphasis added). The relevance to the WEG was that a portion of the reimbursements received from the federal healthcare programs were used to pay Mr. Vallone’s salary and benefits.

I have often reiterated the phrase, “an ounce of prevention is worth a pound of cure.” HHS-OIG issued an 

Updated Special Advisory Bulletin in May 2013

, emphasizing that in order to avoid potential liability, health care providers and organizations providing services directly or indirectly should check the List of Excluded Individuals/Entities on the HHS-OIG website. It is imperative that entities receiving remuneration from Federal health care programs – whether directly or indirectly, have both background checks and exclusion checks as part of their policies and procedures.

Contracting with or employing an excluded person can result in a government enforcement action.

CIAs, Exclusions, and your practice

With cyberattacks on the rise, the Strengthening American Cybersecurity Act is an item not to overlook.

 on March 2, 2022, could have ramifications for the healthcare industry. First, a bit about the legislation. It is comprised of the following:

Cyber Incident Reporting for Critical Infrastructure Act of 2022

Federal Information Security Modernization Act of 2022 (FISMA 2022)

Federal Secure Cloud Improvement and Jobs Act of 2022

Federal Information Security Modernization Act of 2022

For those unfamiliar with the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (also FISMA, which enhances and clarifies the 2002 FISMA), require U.S. Government agencies to implement information security controls using a federal risk-based approach to information security assessment. The primary framework for FISMA compliance is detailed in NIST SP 800-53 (rev. 5). FISMA 2022 builds on the previous FISMA laws. Importantly, FISMA applies to government contractors, if they operate federal systems, such as cloud-based platforms.

CMS Form 855 or its electronic counterpart PECOS

, for example, there is no express requirement to adhere to FISMA. Having said that, if a cloud provider or an EHR is contracting with the State Department, the Department of Defense, or the Veteran’s Administration, then that is a different procurement process, which has an express provision for complying with FISMA. FISMA also extends to government contractors who subcontract with cloud providers and EHR vendors, so ensuring that all the requisite technical, administrative, and physical safeguards set forth in HIPAA Security Rule, as well as the NIST counterparts, are critical for making truthful attestations.

Another section includes important definition, which appears in Section 3598 of the SACA is the term "major security incident" which is distinct from a definition of "breach" under CFR §164.402 of HIPAA, which states,“[t]he acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” The best course of action is always to err on the side of the shorter timeframe and incorporate the requirements into relevant policies and procedures, as well as enterprise risk management programs.

While we think of critical infrastructure as being relevant to all hospitals – both private and public, neither HIPAA nor hospitals are expressly mentioned in SACA. HHS-OCR is tasked with enforcing civil liberties, as it relates to a person's protected health information. And, protecting the "civil liberties or public health, and safety of the people of the United States" is expressly stated. It is crucial to watch for the developments and guidance regarding the term "major incident."

Finally, there is a lot of chatter surrounding the shortened breach reporting periods. For those in the healthcare industry who either fall under HIPAA or the Federal Trade Commission’s Breach Notification Rule, the notion of shorter reporting periods should not come as a shock because many states have enacted shorter reporting periods. Second, it is imperative to read SACA § 3592 – Notification of Breach. SACA differs from HIPAA in its language for reporting to a government agency and to any individual potentially affected by the breach, so read it closely. In closing, this is a piece of legislation to stay apprised of. Now is a good time to ensure that an organization’s Breach Notification Policies and Procedures are updated to reflect the most current state reporting requirements, as well as ensuring that the requisite annual Risk Analysis is done to assess technical, administrative, and physical safeguards.

Keep abreast of the new cybersecurity laws.

Recent cybersecurity legislation to put on your reading list

As part of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996) (

), Sections 261 through 264 required the HHS Secretary to create both privacy and security standards regarding protected health information. The Privacy Rule was initially published in the Federal Register on December 28, 2000, with subsequent modifications to the Privacy Rule being published on August 14, 2002. Hence, Privacy Rule requirements are not new. The HIPAA Enforcement Rule (71 Fed. Reg. 8390 (Feb. 16, 2006)), as well as the 

HITECH Act Enforcement Interim Final Rule

 and the Final Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)), have provided HHS-OCR with the option of imposing penalties – both civil and criminal.

Before delving into a recent enforcement action, whereby criminal HIPAA penalties were assessed, it’s important to appreciate that the U.S. Department of Justice (DOJ) is responsible for criminal prosecutions for violations of the Privacy Rule, Security Rule, and Breach Notification Rule (collectively “HIPAA Rules”) – not HHS-OCR. HHS-OCR’s jurisdiction covers four tiers of possible civil penalties, which may be assessed. The four categories used for the penalty structure are as follows:

 A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules.

 A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).

 A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.

 A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

Now that the background has been established, let’s turn to a

 December 2021 DOJ criminal HIPAA enforcement action

, which involved a medical biller and the theft of protected health information (PHI). According to the December 3, 2021 press release, which led to the medical biller pleading guilty to four counts of healthcare fraud, four counts of aggravated identity theft, one count of filing a false federal income tax return, and two counts of failing to file federal income tax returns, the following facts were set forth in the court documents:

The perpetrator was a medical biller at a Clearwater, Florida company that furnished credentialing and medical billing services to its medical provider clients, where he had access to the company’s financial, medical provider, and patient information.

The perpetrator was responsible for submitting claims to Florida Medicaid HMOs for services rendered by Physician 1 to Medicaid recipients.

abused his role as a medical biller by wrongfully access and utilizing the company’s patient information and Physician #1’s name and identification number, and using those to submit false and fraudulent claims

The perpetrator knowingly signed and filed a false federal 2019 income tax return substantially understating his income by reporting only his employment wages and not the substantial amounts of income, which were not a result of expenses, that were derived from his fraudulent activities.

The end result? The perpetrator “faces a maximum penalty of 10 years in federal prison for each healthcare fraud count, a 2-year mandatory consecutive sentence on the aggravated identity theft counts, a maximum penalty of 3 years for filing a false income tax return, and up to 2 years for each failure to file an income tax return offense.” The Government also informed him that it seeks to forfeit $2.2 million in funds and real property – all of which were traceable to the ill-gotten gains of his alleged offenses.

Grievous HIPAA violations can lead to dire consequences.