Recent guidance from the U.S. Department of Justice can help structure compliance programs in relation to HIPAA and cybersecurity.
For decades, the “prosecution of corporate crime [has been] a high priority for the Department of Justice.” Regardless of the size of the entity or whether it is publicly or privately held, the goal is to promote critical public interests which, not surprisingly, mirror those of other government agencies, including the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC). These goals and interests are defined in memos issued by either a Deputy Attorney General or the U.S. Attorney General.
In 2008, the “Filip Memo” was issued and defined the following goals and interests: “(1) protecting the integrity of our free economic and capital markets; (2) protecting consumers, investors, and business entities that compete only through lawful means; and (3) protecting the American people from misconduct that would violate criminal laws safeguarding the environment.”
Fast-forward to 2015 and the “Yates Memo.” Its policy shifts are delineated in “six key steps.” Specifically,
(1) In order to qualify for any cooperation credit, corporations must provide to the Department all relevant facts relating to the individuals responsible for the misconduct;
(2) Criminal and civil corporate investigations should focus on individuals from the inception of the investigation;
(3) Criminal and civil attorneys handling corporate investigations should be in routine communication with one another;
(4) Absent extraordinary circumstances or approved departmental policy, the Department will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;
(5) Department attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases; and
(6) Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit.
The memo continues: “I have directed that certain criminal and civil provisions in the United States Attorney's Manual, more specifically the Principles of Federal Prosecution of Business Organizations (USAM 9-28.000 et seq.) and the commercial litigation provisions in Title 4 (USAM 4-4.000 et seq.), be revised to reflect these changes. The guidance in this memo will apply to all future investigations of corporate wrongdoing. It will also apply to those matters pending as of the date of this memo, to the extent it is practicable to do so.”
So how does this relate to physicians and other healthcare providers? It is important to note that healthcare comprises nearly one-seventh of the GDP of the United States, and the government receives and processes a plethora of Medicare and Medicaid claims every year. HIPAA compliance is required, and physicians and other providers attest to being compliant on both their CMS provider agreements and their meaningful use attestations. Inadequate policies and procedures, failing to encrypt data, and failing to perform a risk assessment and risk analysis on an annual basis can each lead to civil and criminal penalties. Moreover, knowingly filing fraudulent Medicare claims, whether for services not rendered or for services coded inappropriately, can have severe consequences, as past enforcement has shown.
In sum, taking the goals of the Yates Memo into account when crafting policies and procedures, and integrating them into risk management programs, could potentially thwart a more severe government response.