Employers Face Key Deadlines for Medicare Disclosures and HIPAA Breach Reports by February 29, 2024 – BNN Breaking
HHS Reports Highlight Ongoing Struggle with Healthcare Data Breaches and HIPAA Compliance – MyChesCo
How Much are HHS OIG Penalties?
HHS OIG penalties vary depending on the nature of the offense, the scale of the offense, and the cooperation of the violating party during the investigation of the offense. Other factors that can influence HHS OIG penalties include the regulatory limits applied to each type of violation and the violating party’s previous history of compliance with healthcare regulations.
Among its many roles, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) is responsible for investigating allegations of fraud, waste, and abuse in Federal healthcare programs. When HHS OIG identifies fraud, waste, or abuse, it has the authority to recover funds, exclude individuals and organizations from Federal healthcare programs, and pursue civil monetary penalties or criminal penalties depending on the nature of the offense.
The amount of HHS OIG penalties is calculated on a case-by-case basis, and quite often cases can be settled for a mutually agreed amount to avoid potential litigation. The amount of HHS OIG penalties can also be reduced if the violating individual or organization agrees to comply with a Corporate Integrity Agreement. In these cases, compliance with a Corporate Integrity Agreement can save an individual or organization from being added to the HHS OIG Exclusions List.
How HHS OIG Enforcement Actions Unfold
The department of HHS OIG responsible for enforcement actions is the Office of Investigations. The Office of Investigations can be alerted to possible fraud, waste, or abuse by other departments of HHS OIG – for example, the Office of Audit Services or the Office of Evaluation and Inspection – by other operating divisions of HHS – for example, HHS’ Office for Civil Rights – or by members of the public and healthcare employees via the HHS OIG Complaints Hotline.
The Office of Investigations prioritizes HHS OIG enforcement actions according to the nature and scale of the alleged offense and the evidence to support the allegation. The Office then issues subpoenas to acquire documents from the accused “target”, conducts interviews with witnesses and/or employees, and conducts inspections of the target’s workplace. The additional evidence is then reviewed to determine what laws and regulations have been violated.
Depending on the outcome of the reviews, HHS OIG enforcement actions can be settled by mutual consent, by an administrative hearing, or by a court if the offense is criminal in nature. Location can also influence the outcome of HHS OIG enforcement actions if a state law imposes harsher penalties for a violation than the equivalent Federal law. For example, under California’s WIC Code §15630(h), the failure to report elder abuse carries a jail term of up to one year.
How Regulatory Limits Affect HHS OIG Penalties
State laws aside, the amount of HHS OIG penalties is governed by the regulatory limits of whatever federal law the target has violated. For example, the current (February 2024) regulatory limits for civil violations of the False Claims Act are a minimum civil monetary penalty of $13,946 and a maximum civil monetary penalty of $27,894 per violation. The HHS OIG can also add fines of up to three times the amount falsely claimed from an HHS program.
If the violation of the False Claims Act is criminal, HHS OIG penalties increase to a maximum fine of $500,000 for organizations and $250,000 for individuals. For individuals, criminal convictions under the False Claims Act can also carry a jail term of up to five years. These HHS OIG penalties apply to each individual count filed, and are in addition to penalties prosecutors may seek for conspiracy to defraud the United States, mail fraud, wire fraud, or other federal crimes.
Other laws have different regulatory limits. For example, hospitals that violate the Emergency Medical Treatment and Active Labor Act (EMTALA) are subject to civil penalties of between $64,618 and $129,233 per violation, and violations of the HHS OIG Anti-Kickback Regulations can attract fines of up to $27,894 (plus jail terms). The penalties for violations of the OIG Stark Law are up to $15,000 per item or service charged to an HHS program, plus up to $100,000 per arrangement considered a deliberate attempt to circumvent the Anti-Kickback Regulations.
Why HHS OIG Sanctions are Sometimes Combined
It is not unusual to read HHS press releases announcing multi-million dollar settlements that appear to be more than the maximum civil monetary penalty multiplied by the number of violations – even allowing for the recovery of three times the funds falsely claimed from an HHS program. This is because HHS OIG sanctions can be combined if (for example) a physician has violated the OIG Stark Law by accepting a non-excluded kickback which then results in a false claim to an HHS program.
By combining HHS OIG sanctions, the Office of Investigations can negotiate one financial settlement with an individual or organization rather than multiple settlements, and impose a more relevant Corporate Integrity Agreement (if applicable). Alternatively, the department can exclude an individual or organization from HHS programs for a longer period of time than if each set of HHS OIG Sanctions had been dealt with independently of each other.
The takeaway from this is that there is no single answer to the question of how much HHS OIG penalties are. In the worst possible scenario, violators of Federal healthcare laws can be fined millions of dollars and/or jailed, and be excluded from HHS programs. Because exclusion can effectively mean losing the business, individuals and organizations concerned that they may not be complying with all applicable healthcare regulations should seek compliance advice from a legal professional.
The post How Much are HHS OIG Penalties? appeared first on HIPAA Journal.
Higher NIST CSF and HICP Coverage Linked with Lower Cyber Insurance Premium Growth
Adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks and the reduced risk is reflected in cyber insurance premiums. A recent Healthcare Cybersecurity Benchmarking Study has confirmed that healthcare organizations that have adopted the NIST CSF had lower annual increases in their cyber insurance premiums than healthcare organizations that have not adopted the NIST CSF.
The study was the result of a collaboration between Censinet, KLAS Research, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council, and was conducted on 54 payer and provider organizations and 4 healthcare vendors in Q4 2023. Adoption of the NIST CSF indicates a higher level of preparedness and resiliency and therefore lower risk for insurers. Healthcare organizations that use the NIST CSF as their primary cybersecurity framework reported premium increases of 6%, one-third of the 18% reported by organizations that have not adopted the NIST CSF.
The report assesses cybersecurity coverage, specifically coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and reveals that little has changed in the past 12 months: average NIST CSF coverage increased from 69% in 2023 to 72% in 2024, and average HICP coverage increased from 71% in 2023 to 73% in 2024. Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranged from 65% to 75%, with the lowest coverage in the identify function and the highest in the respond function. This indicates that most healthcare organizations that participated in the study were generally more reactive than proactive in their approach to cybersecurity. Out of all categories within the NIST CSF, supply chain risk management (in the identify function) had the lowest coverage, which is concerning given the number of third-party data breaches in healthcare. The study revealed this to be a key consideration for insurers when setting premium increases: higher coverage of supply chain risk management was associated with smaller increases in cyber insurance premiums.
Average HICP coverage was better, with most organizations having email protection systems (84%) and cybersecurity oversight and governance (83%) in place, but there was only 50% coverage of medical device security and 60% coverage of data protection/loss prevention. 25 healthcare delivery organizations also participated in last year’s benchmarking study, and their average NIST CSF and HICP coverage was higher than that of other provider and payer organizations. Those repeat organizations also had lower increases in their cyber insurance premiums than other healthcare organizations, on average.
The benchmarking studies have confirmed that high program ownership by information security leaders leads to higher cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was between 71% and 72%, but organizations that assign information security leaders higher percentages of program ownership achieved above-average cybersecurity coverage, especially in the HICP areas of endpoint protection systems and data protection and loss prevention.
“For the second year in a row, the Benchmarking Study sets the highest standard for collaborative, impartial, and transparent insight into the current state of the health sector’s cyber maturity, and, more importantly, enables providers and payers to make more informed investment decisions to close critical gaps in controls and elevate overall cybersecurity program preparedness,” said Steve Low, President of KLAS Research.
“With comprehensive benchmarks across ‘recognized security practices’ like NIST CSF and HICP, the Benchmarking Study will drive greater, more enduring cybersecurity maturity and resilience across both our Health-ISAC member community and the broader health sector,” said Errol Weiss, Chief Security Officer of Health-ISAC.
Montefiore Medical Center Settles HIPAA Breach for $4.75 Million – JD Supra
HSCC Releases 5-Year Strategic Plan for Improving Healthcare Cybersecurity
Healthcare cyberattacks are increasing each year in number and severity. In 2023, almost 740 healthcare data breaches were reported to the HHS’ Office for Civil Rights, and those breaches affected more than 136 million individuals, breaking previous records for both the number of data breaches and the individuals affected. It is clear that cybersecurity in healthcare is in a critical state and if nothing changes, more unwanted records will be broken in 2024.
The Health Sector Coordinating Council (HSCC), a public-private coalition that represents 425 healthcare industry entities and government agencies, recently unveiled a 5-year strategic plan for the healthcare and public health sector at the ViVE 2024 conference. HSCC explained that cyberattacks and data breaches are occurring due to increasingly connected and remote use of digital health technology, widely distributed portability of health data, and shortages of qualified healthcare cybersecurity professionals. The sprawling and increasingly complex connected healthcare ecosystem creates risks such as unanticipated and poorly understood interdependencies; unknown inherited security weaknesses; overreliance on vendor solutions; systems that fail to adequately account for human factors related to cybersecurity controls; and inconsistencies between software and equipment lifecycles. Hackers are finding it far too easy to exploit the resulting vulnerabilities.
The Health Industry Cybersecurity Strategic Plan (HIC-SP) aims to improve healthcare cybersecurity from the current critical status to stable by 2029. HSCC explained that the cybersecurity status of the healthcare industry was rated critical in 2017 when the Health Care Industry Cybersecurity Task Force issued a report on improving cybersecurity in the healthcare industry. The HIC-SP builds on the recommendations made in the report and aims to improve healthcare cybersecurity through the implementation of foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.
HSCC has worked to establish current industry trends that are likely to continue over the next 5 years, determined their likely impact on healthcare cybersecurity, and made recommendations for proactively addressing those trends. The sector is likely to continue to incorporate emerging technologies, is unlikely to address current workforce and management challenges, and there is likely to be continued instability in the healthcare supply chain. The HIC-SP assesses how these and other trends may present continuous or emerging cybersecurity challenges, and recommendations are made on how the healthcare sector and government should prepare for those changes with broad cybersecurity principles and specific actions.
The aim is to provide C-Suite executives with actionable and measurable risk reduction activities based on the current cybersecurity landscape and projected industry trends. Healthcare security decision-makers can use the HIC-SP to inform decisions about cybersecurity investments and the implementation of specific cybersecurity measures, and since the HIC-SP is modular, organizations can use it to identify high-level goals and implement objectives to address the areas in most need of attention.
The HSCC says the HIC-SP complements other efforts to improve healthcare cybersecurity, such as the HHS’ Healthcare Sector Cybersecurity Strategy that was published in December 2023 and the voluntary healthcare cybersecurity performance goals announced by the HHS in January. Together with its government partners, the HSCC Cybersecurity Working Group will be working to achieve the goals of the plan through education and policy incentives, and plans to release a set of measurable outcomes and metrics for success by the end of the year. By 2029, it is hoped that healthcare cybersecurity will have become as ingrained as a public health and patient safety standard.