Two different HHS office items to note

Both the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and Office of the Inspector General (OIG) announced noteworthy items that healthcare industry participants should review.

First, on Oct. 31, OCR announced a settlement under HIPAA related to a ransomware attack, which impacted nearly 206,000 individuals. Doctors’ Management Services (DMS) agreed to pay $100,000 or approximately fifty cents ($0.50) per individual affected to settle the breach. Initially, the ransomware attack occurred in April 2017; however, DMS did not even detect the breach until nearly 20 months later in December 2018. OCR began its investigation in 2019.

None of the vulnerabilities that were exploited should be surprising, nor should the compliance suggestions. Specifically,

• Conducting an annual risk analysis and addressing the gaps
• Making sure that policies and procedures are comprehensive and updated at least annually
• Documenting adequate workforce training on HIPAA and cybersecurity
• Encrypting data both at rest and in transit
• Implement an enterprise risk management program to protect the confidentiality, integrity and availability of the data

Building on the compliance suggestions related to HIPAA, let’s transition to OIG’s November 6th announcement – the release of its General Compliance Program Guidance. While a compliance program is mandatory pursuant to 42 C.F.R. § 483.85, OIG’s Guidance is not legally binding. Having said that, the seven (7) elements mirror those set forth in the CFR. Moreover, in the event a person enters into a corporate integrity agreement (CIA), compliance is measured against these 7 elements of a successful compliance program. The “dirty seven” relate to fraud, waste and abuse laws and are comprised of the following: (1) written policies and procedures; compliance leadership and oversight; (3) training and education; (4) effective lines of communication with the compliance officer and disclosure program; (5) enforcing standards: consequences and incentives; (6) risk assessment, auditing, and monitoring; and (7) responding to detected offenses and developing corrective action initiatives.

Particularly striking was the suggestion on pages 84-85 related to Advisory Opinions, which are available under the Anti-Kickback Statute. The key take-away, “[a] party that receives a favorable advisory opinion is prospectively protected from OIG administrative sanctions, so long as the arrangement at issue is conducted in accordance with the facts submitted to OIG through the advisory opinion process.” (emphasis added). According to Webster’s Dictionary, “prospective” means “relating to or effective in the future.” Hence why an OIG Advisory Opinion occurs before the questionable conduct commences. Like a salmon, once the conduct starts upstream, halting it and then saying it never occurred is preposterous.

In sum, these two notable items are worth reviewing and including into both HIPAA compliance and fraud, waste and abuse compliance.