What's New with the False Claims Act and Healthcare Compliance?
April 12, 2019
Cybersecurity concerns continue to drive significant activity among healthcare compliance professionals. A team of content experts from HCCS, A HealthStream Company, recently attended the Health Care Compliance Association's 2018 Enforcement Conference, where several sessions focused on ensuring that appropriate cybersecurity measures are in place.
Employees Are a Permanent, Common Risk
Cybersecurity follows closely behind the False Claims Act as a focus for healthcare compliance. While news of cybersecurity crimes has become commonplace, it is disturbing to learn that the top information security risks in healthcare are associated with employees! Half of breaches are due to lost devices containing unsecured protected health information (PHI). Many of the remaining privacy breaches are associated with identity theft, tax fraud and financial fraud by employees. There are also breaches caused by improper mailings, errant emails and faxes, but the largest breaches have been the result of hacking.
Growing Frequency and Sophistication of Attacks
Healthcare cybersecurity attacks are growing in frequency and have become extremely sophisticated. Risk priorities have moved from business-critical and mission-critical to life-critical, as patient care medical devices are now being targeted. The Office for Civil Rights (OCR) and others have found significant failures within healthcare organizations to identify, protect against, and detect security concerns. Fines for these shortfalls are in the millions of dollars. Some of the major breakdowns have resulted from a failure to disconnect a former employee's access to electronic protected health information (ePHI) and from neglecting to encrypt mobile devices containing PHI.
The Emergence of Spear Phishing
Recently, a large health plan was fined $16 billion for a breach affecting 78.8 million individuals due to access gained through spear phishing. Spear phishing is an email or other digital communication scam targeting a specific individual, organization, or company for the purpose of stealing data or installing malware. This company also had issues involving failures in risk analysis, system activity review, incident response and reporting, as well as issues associated with access controls.
Focus on Encryption and Safeguards
Currently, the OCR's attention is on encryption and safeguards. Many of the recent settlements were a result of the Phase 2 Audit Provisions. The OCR's focus is not only on covered entities, but business associates as well. In order to optimize the outcome from an OCR audit, covered entities and business associates are advised to provide timely notice of a breach, post a Notice of Privacy Practices (NPP) on their website, and provide the required content in their NPP. OCR also notes that the areas requiring the most improvement are in risk management, risk analysis, and the enabling and disabling of individual access to PHI.
Download the article that summarizes learning from this HCCA Conference.