In order to cultivate a culture of compliance organizations need to take a “patient safety first” approach to cybersecurity.
In November 2022, Senator Mark R. Warner released an important policy paper entitled, Cybersecurity is Patient Safety. As an attorney with federal government experience, as well as focusing my practice on healthcare, cybersecurity, securities law, Dodd Frank, and False Claims Act compliance, transactions, litigation, and representing individuals on certain matters before government agencies post-reportable cybersecurity incidents, there are a couple of important items that stood out to me as already being available. The critical question is why persons are not reading what is out there and utilizing the National Institute of Standards and Technology (“NIST”)’s general framework for approaching cybersecurity, which I have distilled from five (5) words to three (3) words: prevention, detection, and correction. (emphasis added).
In my experience handling these issues from different vantage pointsfor over a decade, persons either ignore the risks and costs of non-compliance with fraud, waste, and abuse laws and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related Rules and laws, gamble on not having a government action brought against them either organically by a government agency or through the False Claims Act’s qui tam provision, and/or view the monetary fines as a cost of doing business.
In order to address some of the items in the Cybersecurity is Patient Safety, I suggest the following:
Incentives or “carrots” are important. Equally as important is the appreciation that where there are incentives, there are also those who allegedly will exploit or attempt to exploit a government incentive program or government procurement contract. In other words, commit fraud by not following the laws. One example is the U.S. Department of Justice’s first False Claims Act settlement under its Civil Division Cyber-Fraud Initiative. Another follows a line of cases and settlements stemming back at least five (5) years – electronic health record companies both falsifying their own compliance with HIPAA and the HITECH Act under the Meaningful Use and Interoperability Program, which providers detrimentally relied upon and placed their patients and systems at risk, as well as the illegal payment of kickbacks and the causing of false claims to be submitted. A recent example is Modernizing Medicine agreeing to pay $45 million to resolve these types of allegations.
In order to cultivate a culture of compliance organizations need to take a “patient safety first” approach, whether the person is a covered entity, business associate, or subcontractor because of the connectivity between these different entities. Coordination between government agencies ia always beneficial. I would argue that HIPAA is not outdated. To the contrary, it has continued to evolve since its inception. The question is whether persons utilize the resources and refer to the laws, which have been available for years.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.