
2023 HIPAA Summit Review – Ep 402 

 April 14, 2023

By  Donna Grindle

As always the HIPAA Summit is very interesting and informative. This is the annual summit where we learn what’s going on in the “HIPAAsphere” and what things are coming down the pike. There is a lot of information to cover, so we will break this into two Help Me With HIPAA episodes. Here’s part 1 of our HIPAA Summit review.



Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.


If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



HIPAA Summit Review

[04:13] Summit has expanded because there is so much to cover. Very much like our boot camps.

OCR Sessions

  • Telehealth enforcement discretion will be withdrawn, as the original notice stated, at the end of the Public Health Emergency. OCR will publish information about the end of the discretion period in the Federal Register.
    • Their view is that using tools without a BAA was understandable early in the emergency, but that over time those tools should have been updated to meet Security Rule requirements, with a BAA in place.
    • They also pointed out that the recently released guidance on audio-only telehealth calls offers a solution where a BAA can’t be put in place.
    • They are monitoring the situation to see whether further guidance is needed.
  • There was a lot of discussion about the website tracking technology guidance.
    • Privacy officers were urged to ask what their marketing and outreach teams are actually doing on their websites.
    • It is also pretty clear that everyone sees Google Analytics as a big problem. If users authenticate to any of your sites, that site should not run analytics unless you have done a detailed review of what data is exchanged, how, and with whom.
    • This is a serious concern for OCR and they are looking into it.
  • OCR: Melanie Fontes Rainer (pronounced Fonte-s, not tez, and Rain-er) and Tim Noonan
    • Implementing Recognized Security Practices is not required, but OCR does “encourage” entities to adopt them.
    • Why not require annual SRAs? The law doesn’t allow it. They wish it did, but all they can do is require that the risk analysis be done as the law is written.
      • If you made a word cloud of all HIPAA violations, right in the middle would be a giant RISK ANALYSIS.
      • Noonan does not disagree that they should be done annually, but the HIPAA statute does not allow OCR to require it or to publish direct guidance saying to do it.
[17:37]

OCR/DOJ Connection

  • DOJ and OCR: criminal HIPAA cases
    • OCR had referred 1,640 cases to DOJ as of Dec 2022.
    • The HIPAA criminal provision enforced by DOJ applies when someone:
      • “Knowingly” discloses or obtains PHI
      • From a CE or BA
      • Outside the rules allowed by HIPAA
    • Enforcement options
      • Misdemeanor charges apply in the smaller “oops” cases where there was still intent.
      • Felony charges apply when PHI is used or obtained under false pretenses.
      • The felony goes to the next level when there is malicious intent to harm others or to gain (physical harm, personal gain, financial gain, commercial harm to a business).
    • Conspiracy charges can apply to participants who aid or abet the offense.
    • General principles of corporate criminal liability can also apply to directors, officers and employees involved in a conspiracy.
    • “Knowingly” means you knew you shouldn’t do it. DOJ doesn’t need to prove you understood all the ins and outs of HIPAA, just that you knew PHI was supposed to be protected.
    • US v. Luthra is a very interesting example case:
      • A Massachusetts doctor was paid $23.5K by a drug company as a “speaker” at 31 events.
      • The particular drug was not approved by insurance companies.
      • The drug required a prior authorization write-up for every case to get insurance approval.
      • Staff couldn’t keep up with the paperwork because there were so many authorizations to be done.
      • The doctor asked the drug rep to come in and help.
      • HHS started investigating the drug company for kickbacks and fraud and interviewed the doctor as part of the investigation.
      • The doctor said the payments were for writing a research paper, not for speaking.
      • The drug company’s records showed the payment was for speaking, so HHS started looking into the doctor.
      • The doctor told an assistant to say the drug rep never came by to work on the authorizations and that no PHI was shown to the rep.
      • The drug rep and the assistant who filed and worked on the authorizations together both testified that the doctor knew what they were doing and even stopped at the desk to talk to them while they were both working on it.
      • The jury convicted the doctor of aiding and abetting the wrongful disclosure of individually identifiable health information AND of obstructing a criminal investigation of a health care offense for the research paper lie. On the witness tampering charge there was no proof beyond the assistant’s word, so the doctor was acquitted on that count.
      • The sentence was light, one year of probation, but the convictions are felonies, which causes all kinds of problems with license renewals and job offers.
      • The doctor appealed, arguing the government had not proved the doctor knew the rep and assistant were working together; the appeal was denied. Two witnesses never wavered in their statements that they were doing what they had been instructed to do, leaving no doubt the doctor knew.
[32:25]

FTC

  • FTC points
    • The FTC covers unfair or deceptive practices, which applies to CEs and BAs just like any other business.
      • Deception is a material representation or omission of information that is likely to mislead the consumer.
      • Unfair practices cause, or are likely to cause, substantial harm (financial, reputational, physical) that the consumer cannot reasonably avoid on their own (by opting out, avoiding the service, etc.).
    • Any HIPAA seal or verification a company presents must be “truthful and backed up with evidence,” because it could be considered a deceptive or unfair practice if data is then mishandled.
    • Note that the FTC has its own Breach Notification Rule, which it considers the “sister” rule to HIPAA’s: if HIPAA doesn’t apply, this rule may.

We covered the GoodRx case in the Ep 399 recap.

[34:07]

OCR – Nick Heesters – Security

Note: the Security Rule’s general requirements are in 164.306(a), which says that all CEs and BAs MUST… and then points to the rest of the rule. People sometimes forget that this is where the rule starts. It does not start with the specific safeguards. In fact:

§ 164.306 Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

[37:01]

Frequent problems noted by OCR reviews and investigations

  • Risk Management Plans should not:
    • Be focused only on the EHR.
    • Show the same risks every year that are never fully mitigated.
    • Include plans to reduce risk that are never carried through far enough to protect PHI, because the measures put in place were never reviewed to prove they actually work.
  • Small entities are not paying attention to system access logs.
  • Cloud EHR application URLs contain PHI because that’s how the vendors wrote the software.
  • Default passwords are not being changed.
  • Credentials for common office devices, or accounts shared among staff, are never changed.
[43:02]
  • Information system activity reviews are not done properly. We need to be proactive rather than reactive.
  • Understand your environment. You can’t secure things if you don’t know what they are or how they work.
  • Review how authentication is done for the different types of devices, equipment and systems you use.
  • Incident Response Plans and Business Continuity Plans are not complete.
  • Security incidents and their outcomes are not documented in enough detail.

Whew, that was a lot. And that was just the highlights of what I learned in just a little over a day of attending the 3-day HIPAA Summit.

We have plenty more to talk about, including discussions from the Privacy Officer’s round table, security points from CISOs and what to consider during mergers and acquisitions no matter which side you’re on. So, stay tuned for part 2 of our HIPAA Summit review.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
