
HIPAA Summit Review 2024 – Ep 449 

 March 15, 2024

By  Donna Grindle

For more than a decade, Donna has immersed herself in the plethora of sessions from the National HIPAA Summit, extracting a wealth of insights into the present and future landscape of HIPAA. Today, she will impart her top three takeaways from this year’s Summit, essential knowledge for navigating the road ahead. Buckle up folks, because these insights are far from trivial.


In this episode:

HIPAA Summit Review 2024 – Ep 449

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT



The HIPAA Privacy and Security Boot Camp

3.5 day In Person Event

April 9, 10, 11 and 12, 2024

PriSecBootCamp.com


HIPAA Say What!?!

[07:17]

HIPAA Summit Review 2024

[16:09]

Melanie Fontes Rainer Address

2024 Priorities for OCR

  • Prioritizing based on complaints and breaches reported
  • “More to come” when she was reviewing the Phishing enforcement actions
  • New Enforcement Initiative on Security Risk Analysis (SRA)
  • Still seeing a large volume of complaints about right of access so that initiative will continue
  • More to come on cyber attack assistance and SRA

Specific points made in her address:

There are 3 things OCR will be looking for in the SRA enforcement cases:

  1. Not doing an SRA at all.
  2. Doing an SRA but doing it wrong. There is a difference between a SRA and a gap analysis.
  3. Having done an SRA, but nothing done with it. That is the biggest issue they want to address. Watch the OCR SRA video to see what they expect to see done.

There is a fundamental misunderstanding by patients (and providers) about what HIPAA does and does not cover.

A ransomware attack is a data breach, but not all of them are treated the same. Each is reviewed on a case by case basis.

Some apps claim to be “HIPAA certified.” OCR is working with the FTC to make sure patients are redirected to the FTC when they see those claims.

Security Rule Changes:

The current HIPAA Security Rule is 20 years old. It hasn’t changed at all in that time. But HHS is looking into updating the Security Rule to include threats not previously contemplated. Gone are letters and faxes for communication. The primary method of communication is now electronic means. Theft of devices is no longer a big issue. Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) (HPH Sector Cyber Performance Goals Released – Ep 444) will be included. HHS is working with industry and stakeholders to make sure they get it right.

Audit program notice – Sup with that?

The audits never really stopped, but they don’t have resources to do them. They want to restart them this year. They plan to use audits as a training mechanism to help show entities what to do to meet the requirements.

They also pointed out that there has been a 264% increase of ransomware reports since 2017. There were 135 million patients in 2023 that were involved in large breaches. Basically, the same number of breaches, but they continue to involve more patients. More has to be done simply based on the numbers.

Security Rule changes, Audit Restarts and SRAs are the biggest things happening with OCR right now.

AI plans

[32:40] There is “a lot of hysteria” around AI because it sounds new. Many things have been using AI tools for a while, but generative AI is different. Regulating it does not mean we don’t want it. Important to note: the law hasn’t changed, and until it does, you must evaluate every AI tool for privacy and security concerns and for how the data will be used. (Another need for SRAs.) They are also watching how it is being used with respect to discrimination.

FTC Enforcement Update

The FTC enforces consumer protections and competition protections and rule making on the federal level as well as consumer education and business outreach. They are tasked with investigating and preventing unfair (injury or likelihood of injury to consumers or competition that can not be avoided based on business practices) or deceptive practices (likely to mislead consumers acting under reasonable circumstances).

FTC breach notification is a “sister” to HIPAA breach notification. FTC also applies to most HIPAA entities.

Cyber safety is patient safety – Greg Garcia

[40:44] Greg Garcia, Executive Director of the Health Sector Coordinating Council (HSCC), discussed the Health Industry Cybersecurity – Strategic Plan (2024–2029) (Critical to Stable Condition in 5 Years – Ep 448). He had a great quote about what the strategic plan is focused on:

“None of us individually are as smart as all of us collectively.” – Greg Garcia, HSCC Executive Director

AI Discussions Abound

Is AI processing the “Use” of PHI?

  • December 2000 commentary to proposed HIPAA Privacy Rule: “We interpret ‘use’ to mean only the uses of the product of the computer processing, not the internal computer processing that generates the product.”
  • The world has changed a great deal since 2000, and it’s not clear whether this interpretation would hold today.
  • HHS 2019 guidance on ransomware provides that access and encryption of data by a third party’s malware constitutes a “disclosure”.
  • Is there a distinction between a search query that identifies specific data, as opposed to AI’s broad use of data to “learn”?
  • If PHI is not de-identified, then this question of what constitutes a use is critical.
  • If it is a use, then what is allowed, if anything, under TPO? What about research?
  • What about your BAs using it without proper consent or authorization?
    • Add to your vetting process!!!
    • If used, how is it secured?
    • If allowed, how will the PHI be destroyed if the contract is terminated?

HIPAA and other privacy laws don’t address AI well, if at all. New laws will be needed.

Implications for Clinical, Privacy, and Business Operations – Opportunities and Risks

  • Break AI down to the parts we need to deal with one at a time. We all need to understand the common language of AI to have effective conversations about what we are dealing with on each AI project or tool.
  • If you can ask intelligent questions that is where you need to be as a compliance officer.
  • The AI applications already in use have been surprising for most officers who start looking into it.
  • “What is overkill for oversight and governance?” is a question every organization must evaluate. What does governance actually require, versus what is needed so that the risks AI brings to the table are not overlooked?
  • Add AI to your normal evaluation of any project or vendor application. The faster it is embedded in your day to day processes the better off we will be.
  • There is no going back from using AI. It is here to stay.
  • Business-use AI tools used to improve the way the business operates, like patient workflows, financial modeling, etc., get evaluated differently than clinical tools using AI. Everyone needs to agree who evaluates them.
  • Organizations are also getting requests for data that can be used in AI tools by vendors, payers, and more. Everyone claims they will take care of the data, but you need to figure it out on a case by case basis. AI has a huge thirst for data. Businesses close or get sold while still holding your data just to train their tools – what happens then?
  • All clinical cases should have a specific vetting process relating to security, privacy but more importantly about patient safety.
  • FDA risk matrix for assessing AI in those cases can be very helpful.
  • Deidentified statements are not enough because everything is very new and all players may not have a complete understanding of privacy rules.
  • Massive amounts of money are being poured into AI development, and all of those developers want a lot of data. The process is going to be harder, not easier, the longer you wait to address it.
  • Treat data as an asset under these circumstances from now forward. Deidentification of data parts of BAAs need to be looked at to protect the value of the asset. Are the BAs using your data to deID and then make $$ off it as their asset? You are not obligated to allow that to occur, because you can control the BAA downstream options.
  • Where to start?
    • Learn about AI and how there are all different types of things.
    • What is the difference between ChatGPT and neural networks? Learn just enough to have the conversations.
    • Clinicians, IT, privacy, legal, financial, business operations, security, everyone needs to get together and discuss the big picture and the impacts of AI in all their areas. Then, develop a plan for how the organization will manage all of these risks to take advantage of the opportunities.
    • Create policies and procedures that reflect how the organization will manage AI tools. It must start by defining what those tools are because there are so many applications for different types of AI.

State laws

[49:18] The Washington State My Health My Data Act may require two distinct policies:

  • This is the big one that may become a standard for other states – pay attention to it
  • Very muscular and broad law – more businesses are covered than with HIPAA due to the broad definition of health data
  • Could there be a national privacy law based on this eventually? We’ll have to wait and see.

Washington State Law

  • Potentially onerous compliance obligations
  • Strict consent requirements
  • Requires a specific, separate privacy policy that does not contain other, non-applicable requirements, so you must have a separate Consumer Health Privacy Policy or a separate section in your current policies.
    • Must include the specific affiliates you share health data with
  • Conduct business in WA or produce or provide products and services targeted to WA consumers
  • Exclusions are data-level only (e.g., for HIPAA-covered data), not entity-level
  • Nonprofits are not excluded.
  • Applies to small businesses (with specific definitions of what constitutes a small business), which have until June to meet all requirements
  • Applies to consumers: a WA resident, or anyone whose data is collected in WA state regardless of their residency
  • Includes normal health data plus location data, seeking services information, anything that is used to connect to individuals by other means
  • Consent driven for everything collected or shared, not just some things dealing with data. You can only use the data you collect to provide the services. Any other use must be approved. Very specific requirements. Don’t need separate consent for all of your BA type entities, though.
  • Must get additional authorization for selling or sharing data for monetary or other valuable consideration. Does that mean targeted advertising? Must include 9 elements and expires every year and must be renewed annually.
  • Rights to revoke consent and delete data requests. Must be done in 45 days and include all BA type vendors that they call processors who have been given the data. (What about medical record retention requirements?)
  • Processors failing to adhere to instructions or processes outside the scope of their contract makes them subject to enforcement as if they are a covered entity under the law.
  • Must restrict access and implement safeguards that satisfy accepted standards of protection to secure the data.
  • No geofencing used based on location of consumer to provide health services, advertise, etc using health data.
  • Private right of action included, but must prove actual damage.
  • Effective 3/31/24

Challenges companies are dealing with now.

  • Broad scope includes other data not usually included. Tracking grocery store purchases that may be used to infer or determine health conditions.
  • Fitness apps, health record apps and others who are associated with health data.
  • The hardest part is the consent requirements, especially if you don’t interact directly with the consumers. If you are dealing directly with them, you can get the consent. If you don’t interact directly, what do you do?
  • Could other uses be considered selling the data?
  • Lots of litigation is expected once it is active. At least do the policies and get started even if you are willing to wait for the dust to settle in the courts.
  • Other states are copying these consent rules including Nevada and Connecticut.

Using Fraud Claims Act to penalize health data breaches

[52:34] This session was presented by attorneys who represent healthcare providers in fraud cases. Just a 10% loss to fraud by 2028 could mean hundreds of billions of dollars spent by the government.

A whole new ball game here!! If you deal with government data or provide services related to government data – heads up!

FCA – Prohibits knowingly presenting a false claim or knowingly making a false record or statement material to a false claim.

Damages, penalties, and whistleblowers:

  • Government may recover treble damages
  • Civil penalties of $13,508 to $27,018 per claim
  • Whistleblower provisions allow individuals to sue and share in recovery

When does it apply?

There is a false claim made with the knowledge that it is false and is material to the payment of a claim that caused the government to pay money when they shouldn’t have.

More Details

Whistleblowers get 15-25% of massive judgments. $2-3 billion collected annually. Mostly medical billing fraud. Data privacy is fairly new amounting to $293k in 2023. They believe it will be growing rapidly.

The attack surface is broader due to EHRs, telemedicine, medical devices, etc. H-ISAC study: 993 vulns found in 2023; 966 healthcare products evaluated in 2023.

Things like failure to report a HIPAA breach could be an implied or express legal fallacy, in theory. The federal contractor definition is key. The law can include not just the ones who submitted the false claim, but also a subcontractor that caused the claim to be submitted. Did I just bury my head in the sand? It is not settled whether a HIPAA violation itself can be considered a basis for an FCA claim. Watch for cases moving through the courts.

The False Claims Act includes a private right of action, but HIPAA does not. Can the FCA be used for those actions too?

Cases were settled under FCA with the DOJ.

March 2022 – Comprehensive Health Services had a contract with the Air Force and State Dept. The contract required them to use a HIPAA compliant EHR. They scanned records and kept them on internal drives outside the EHR, with open access by people who shouldn’t see them. Staff brought it up and nothing was done to fix it. So, they were inconsistent in their use of the EHR. $930k settlement.

A website hosting provider didn’t maintain patches and updates for the site they were contracted to provide for Medicaid. $293k settlement by Jelly Bean Comms, a single-employee company.

July 2023 – NextGen paid $31m to settle an FCA case over misrepresentation of its EHR capabilities; it did not actually have those capabilities but “misrepresented” them to get certified.

Lawyers encourage adoption of CPGs. Smaller entities should know that they will be treated differently, but you must figure out how it applies to you too.

It’s evident that the quest for keeping healthcare data safe and secure keeps evolving. Donna’s top three nuggets of wisdom from the 2024 National HIPAA Summit are like road signs helping us navigate the twists and turns of compliance and cutting-edge tech. And the pressure on enforcement is growing. The sheer volume of developments in the industry regarding privacy and data security can be overwhelming. We’ve got to catch up and keep up if we stand to have a fighting chance.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
