Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs

Healthcare organizations and businesses in Florida could soon be given protection against data breach lawsuits if they implement and maintain cybersecurity measures that meet government and industry standards. The Florida Cybersecurity Incident Liability Act (H.B. 473) has been introduced in the Florida legislature and aims to introduce a “safe harbor” that limits liability for all businesses that implement reasonable and appropriate cybersecurity measures that meet industry standards and cybersecurity frameworks.

Businesses can make significant investments in cybersecurity to protect their networks and sensitive data from unauthorized access, but the sophisticated nature of cyber threats means that cyberattacks may still succeed. It is now common for multiple lawsuits to be filed over data breaches that allege a failure to implement appropriate cybersecurity measures, irrespective of the cybersecurity measures that have been implemented. The Florida Cybersecurity Incident Liability Act is intended to provide businesses with a legal defense against tort claims in data breach lawsuits and encourage the adoption of security frameworks.

The Florida Cybersecurity Incident Liability Act will place limitations on liability for cybersecurity incidents. Counties, municipalities, and businesses that acquire, maintain, store, or use personal information will not be liable in connection with a cybersecurity incident provided they have adopted a cybersecurity program that substantially aligns with any standards, guidelines, or regulations that implement any of the following:

  • The NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST Special Publication 800-53 and 800-53A – Security and Privacy Controls for Information Systems and Organizations / Assessing Security and Privacy Controls in Information Systems and Organizations
  • The Federal Risk and Authorization Management Program security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls
  • The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards

There will also be limitations on liability for entities that are regulated by the state or Federal Government or that are otherwise subject to the following laws and regulations:

  • The Health Insurance Portability and Accountability Act’s security requirements (45 C.F.R. part 160 and part 164, subparts A and C)
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (45 C.F.R. parts 160 and 164)
  • Title V of the Gramm-Leach-Bliley Act
  • The Federal Information Security Modernization Act of 2014

The scale and scope of substantial alignment of a cybersecurity program with these laws reflect the size, complexity, and nature of the business activities, as well as the sensitivity of the personal information collected and stored, the availability and cost of security improvement tools, and the available resources for cybersecurity. In data breach lawsuits, the defendant will have the burden of proof to establish substantial compliance with these laws, cybersecurity frameworks, and standards.

The post Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs appeared first on HIPAA Journal.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance is when external experts or agencies take responsibility for some of an organization’s compliance obligations – either working in-house as a separate compliance unit, working in-house as a consultant to a compliance team, or working remotely via healthcare compliance software. They can also work as outsourced compliance experts for one particular regulation (e.g., HIPAA), or for one element of multiple regulations (e.g., workforce training).

Outsourced healthcare compliance services can perform a wide range of compliance tasks, including risk assessments, policy development, training programs, audits, and ongoing compliance monitoring. By outsourcing these tasks, healthcare organizations can leverage specialized knowledge and experience that is not readily available in-house, or that the organization lacks the resources to keep up to date with as federal, state, and industry regulations change.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance has the primary benefit of enabling organizations to concentrate on core healthcare operations while entrusting some or all of their compliance obligations to experts. Some of the other benefits of outsourced healthcare compliance include:

Access to Specialized Knowledge

It is difficult for small compliance teams to keep up to date with every federal, state, and industry healthcare compliance requirement. Outsourced healthcare compliance provides access to experienced compliance professionals who are not only up to date with current compliance requirements, but who are also aware of changes under consideration.

Enhanced Efficiency

Due to having specialized knowledge of all applicable compliance regulations, outsourced healthcare compliance services can enhance efficiency by eliminating duplicated requirements – for example, HIPAA, OSHA, and CMS’ conditions for participation in Medicare all include similar emergency preparedness requirements.

Risk Reduction

Having specialized knowledge can also help organizations reduce the risk of non-compliance in cases where (for example) a provision of state law preempts a provision of HIPAA or additional training requirements exist due to the nature of an organization’s operations. Reducing the risks of non-compliance reduces the likelihood of penalties for non-compliance.

Better Trained Workforce

Due to their experience with different types of healthcare organizations, outsourced healthcare compliance services are often more familiar with how workforces absorb and apply training. This means training sessions can be better compiled and delivered by an external source to increase the likelihood of a better trained and compliant workforce.

Cost Savings

Outsourcing healthcare compliance can lead to cost savings by avoiding the requirement to hire an employee with the necessary compliance experience (e.g., a HIPAA Privacy Official). By comparison, outsourcing healthcare compliance allows organizations to pay for external compliance services on an as-needed basis.

How to Evaluate External Compliance Services

Selecting an external compliance service requires careful consideration of several key factors. If a service provider is offering a technology solution, it is important that the solution is customizable to meet all of the organization’s compliance obligations. It is also important that the provider offers technical and administrative support to deploy and configure the solution.

Other tips include ensuring the provider can demonstrate expertise in healthcare compliance and an understanding of industry regulations and best practices. It may also be necessary to research the provider’s reputation via a reputable source to assess their previous successes and failures – particularly with regard to integrating their technology solution into an existing IT infrastructure.

Finally, it is vital that prospective outsourced healthcare compliance experts provide reasonable expectations of what their services might entail. These expectations should include loss of organization control and the potential for a lengthy transition period – during which time there may be operational disruptions. In all cases, before engaging an outsourced healthcare compliance service, it is best to seek independent compliance advice.


What is a Clearinghouse in Healthcare?

A clearinghouse in healthcare is a middleman between a healthcare provider and a health plan that checks claims from healthcare providers to ensure they don’t contain errors before forwarding them to a health plan for payment. Having a middleman to check for accuracy reduces workloads for both healthcare providers and health plans and accelerates the payment of claims.

A clearinghouse in healthcare has several definitions – and can have several interpretations of the definitions. For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it can be important to understand how the Department of Health and Human Services defines a clearinghouse in healthcare to avoid unintentional HIPAA violations.

What is a Healthcare Clearinghouse under HIPAA?

In the definitions section of the HIPAA Administrative Simplification Regulations (§160.103), a healthcare clearinghouse under HIPAA is defined as a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches, that performs either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements, or

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Wasn’t HIPAA Supposed to Standardize the Claims Process?

To an onlooker from outside the industry, it might seem strange that healthcare providers and health plans still use healthcare clearinghouses when one of the objectives of the HIPAA Administrative Simplification Regulations was to standardize the claims process in order to reduce inefficiencies and reduce the likelihood of fraud in the healthcare industry.

However, healthcare billing is a challenging process. There are currently four medical data code sets permitted by HIPAA, one of which – ICD-10 – has more than 68,000 codes to represent different diagnoses and treatments. Once you multiply these by the number of HCPCS codes (for medical services and medical supplies) and numerous National Drug Codes, it is easy to see how errors can be made.

To further complicate the issue, there are thousands of health plans and thousands of hospitals in the United States. Some will have up-to-date claims software, others will not. A clearinghouse in healthcare not only has to ensure claims are correct but also that they are delivered to the health plan for payment if a healthcare provider and health plan use incompatible software.

Other challenges to take into account include state laws relating to the payment of healthcare claims, co-pays, and deductibles. It would be extremely difficult for a healthcare provider to manage all the codes and variables associated with the claims process accurately, which could delay payments and potentially result in cashflow problems for healthcare organizations on tight budgets.

Why it is Important to Understand what a Clearinghouse in Healthcare is

For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it is important to understand when a clearinghouse in healthcare qualifies as a Covered Entity and when a clearinghouse in healthcare qualifies as a Business Associate to ensure that – in the latter case – a Business Associate Agreement is in place to comply with the HIPAA requirements.

A clearinghouse qualifies as a Covered Entity when it conducts business-to-business transactions as described in the definitions above. However, if Covered Entity A conducts its own clearinghouse activities (e.g., a healthcare provider that bills health plans directly), and is contracted by Covered Entity B to conduct clearinghouse activities on its behalf, Covered Entity A becomes a Business Associate of Covered Entity B, and it is necessary for a Business Associate Agreement to be in place.

Health plans and healthcare providers unsure about when a clearinghouse in healthcare qualifies as a Covered Entity and when it qualifies as a Business Associate should seek professional compliance advice.

What is a Healthcare Clearinghouse? FAQs

What is a Healthcare Clearinghouse in Medical Billing?

A healthcare clearinghouse in medical billing converts medical billing data into a standard format that can be understood by different payers and checks the claims for errors or missing information. A clearinghouse also verifies the patient’s insurance eligibility, submits the claims electronically, and tracks their status. A clearinghouse helps to streamline the billing process, reduce denials, and speed up reimbursements for healthcare providers.

How do Healthcare Clearinghouses Ensure the Security of Medical Data?

Healthcare clearinghouses ensure the security of medical data in several ways:

Compliance with HIPAA Regulations – Clearinghouses are required to comply with the applicable standards of the Health Insurance Portability and Accountability Act (HIPAA), which mandates the secure and confidential handling of sensitive patient data.

Secure Data Transmission – Healthcare clearinghouses function as electronic hubs that allow healthcare providers to transmit claims to health plans in ways that ensure Protected Health Information (PHI) remains secure.

Data Normalization – Clearinghouses process and convert medical claims into a standardized format, a process termed “normalization”. This involves transmuting the diverse data formats from healthcare providers into a uniform structure that health plans can readily process.

Claim Scrubbing – Healthcare clearinghouses review each claim (a process known as claim scrubbing) before it reaches the health plan, thereby minimizing errors, identifying potential security issues, and speeding up the reimbursement process.

By implementing these measures, healthcare clearinghouses play a pivotal role in ensuring accurate, efficient, and secure data exchange in the healthcare industry.

Are Healthcare Providers Required to Use a Clearinghouse?

Healthcare providers are not explicitly required to use a clearinghouse for processing medical claims. However, while it’s not a requirement, many healthcare providers choose to use a clearinghouse because of the benefits they offer – such as eligibility verification, electronic remittance advice, and the ability to handle a variety of medical claims. The decision to use a clearinghouse may depend on various factors, including the size of the healthcare provider, the volume of claims processed, and the resources available for handling claims internally.


Columbus Regional Healthcare System Reports 133K Record Data Breach

Columbus Regional Healthcare System in Whiteville, NC, has notified the Maine Attorney General about a cybersecurity incident involving the theft of patient data. Unauthorized individuals had access to its network between May 19, 2023, and May 21, 2023, during which time files were removed from its network.

The file review was completed on December 28, 2023, and individual notifications have now been mailed to the affected individuals. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, driver’s license number, state identification number, passport number, alien registration number, financial account information, medical information (date(s) of service, treatment/diagnosis information, medical record number, patient account number, and/or prescription information) and/or health insurance policy information.

The notification to the Maine Attorney General indicates 132,887 individuals were affected. The healthcare system said no evidence has been found to indicate any actual or attempted misuse of that data. As a precaution against identity theft and fraud, complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed. Columbus Regional Healthcare said it had implemented safeguards to protect against unauthorized access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.

Senior PsychCare Notifies 75,000 Patients About December 2022 Data Breach

Texas-based Psychological Holdings, PLLC, which does business as Senior PsychCare (SPC), has notified 75,000 patients that some of their protected health information was exposed in a December 2022 security breach. According to the breach notification letters, unauthorized individuals had access to its network between December 13, 2022, and December 22, 2022.

Senior PsychCare engaged third-party cybersecurity professionals to conduct a forensic investigation which was followed by a manual review of all files on the parts of its network that were accessible to the attackers. That process was completed on November 20, 2023, and confirmed that the exposed information included names, addresses, Social Security numbers, medical information, and health insurance information.

Senior PsychCare said it is unaware of any actual or attempted misuse of patient data and has offered the affected individuals complimentary credit monitoring services as a precaution. SPC said it had cybersecurity measures in place to protect against unauthorized data access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal data.

Primary Health & Wellness Center Discloses October 2023 Ransomware Attack

Primary Health & Wellness Center in Baltimore County, MD, has recently notified 4,792 individuals that some of their protected health information was potentially compromised in a ransomware attack that was detected on October 20, 2023. According to the substitute breach notice, the affected server contained the medical records of patients from 2018 to present, which included names, addresses, dates of birth, Social Security numbers, and medical record data. The forensic investigation uncovered no evidence to indicate data was exfiltrated from the server before files were encrypted, and typically threat actors that use Phobos ransomware are not known to exfiltrate data. That said, it was not possible to totally rule out the possibility of data theft.

While data theft is not thought to have occurred, the affected patients have been advised to monitor their account statements and credit reports for potential fraudulent activity and to promptly report any suspected fraudulent activity to law enforcement. Primary Health & Wellness Center said it takes its responsibilities under HIPAA and the Maryland Confidentiality of Medical Records Act very seriously and genuinely apologizes for the incident and inconvenience caused.

PHI Compromised in Coastal Hospice & Palliative Care Cyberattack

Coastal Hospice & Palliative Care in Salisbury, MD, has recently announced that it suffered a cyberattack on July 24, 2023, that caused network disruption. Cybersecurity experts were engaged to investigate the incident and confirmed that its network had been accessed by unauthorized individuals. A review was conducted of all files on the network that had been exposed and may have been obtained by the attackers, and that process was completed on November 20, 2023. Notification letters were mailed to the affected individuals on January 22, 2023.

The information exposed and potentially stolen included names, Social Security numbers, dates of birth, medical diagnosis information, health insurance policy numbers, physician or medical facility information, medical condition or treatment information, and patient account numbers. The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.

Aria Care Partners Discloses May 2023 Cyberattack

Aria Care Partners in Overland Park, KS, has recently disclosed a cybersecurity incident that occurred in May 2023. The forensic investigation confirmed there had been unauthorized access to its vision file server. A comprehensive review was conducted of all files on the server which was completed in December 2023 and confirmed that files had been exposed that contained patient names, dates of birth, Social Security numbers, driver’s license numbers, diagnosis, treatment information, and health insurance information.

Notification letters were mailed to the affected individuals on January 19, 2024, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy, dark web monitoring, and identity theft recovery services.

The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.
