What is the OIG Stark Law?

The OIG Stark Law is the section of the Social Security Act that prohibits physicians from referring Medicare and Medicaid patients to a non-exempted “designated health service” when the physician or an immediate family member has a financial interest in the service. The Law is named after Congressman Fortney “Pete” Stark who introduced the original “Ethics in Patient Referrals” bill in 1988.

The background to the OIG Stark Law is that, in 1972, Congress added an Anti-Kickback Statute to the Social Security Act in order to combat fraud and abuse in the Medicare and Medicaid programs. The Statute prohibits anyone from “knowingly and willfully receiving or paying anything of value to influence the referral of federal health care program business [to a particular healthcare provider]”.

The penalties for violating the Anti-Kickback Statute are up to five years in prison, criminal fines of up to $25,000, civil monetary penalties of up to $50,000, and – since 1977 – being included on the HHS OIG Exclusions List. Under the Civil Monetary Penalties Law, physicians who pay or accept kickbacks can be fined up to $50,000 per kickback plus three times the amount of the remuneration.

Self-Referral Loophole Closed by Stark

To circumvent the Statute, some physicians “self-referred” patients to health services in which they or a family member had a financial interest, either through ownership, investment, or reimbursement (i.e., “consulting fees”). To close this loophole, Congressman Stark introduced the “Ethics in Patient Referrals” bill in 1988, prohibiting providers of Medicare services from accepting referrals from physicians with an ownership interest or other compensation arrangement.

The bill’s proposals for prohibiting referrals to clinical laboratories were adopted in the Omnibus Budget Reconciliation Act of 1990. Three years later, the OIG Stark Law was extended to include designated health services other than clinical laboratories, and patients covered by Medicaid as well as Medicare. Since 2001, the Centers for Medicare and Medicaid Services (CMS) has published regulations in the Federal Register to implement and revise provisions of the OIG Stark Law.

What does the OIG Stark Law Cover?

The OIG Stark Law covers physician “self-referrals” to designated health services when the service is billed to Medicare or Medicaid, and a financial relationship exists between the physician (or an immediate family member) and the health service. In such cases, not only is the referral a violation of the OIG Stark Law, but it is also a violation if the health service subsequently files a claim for payment – directly or indirectly – with a federal health care program. Designated health care services are:

  • Clinical laboratory services.
  • Physical therapy services.
  • Occupational therapy services.
  • Outpatient speech-language pathology services.
  • Radiology and certain other imaging services.
  • Radiation therapy services and supplies.
  • Durable medical equipment and supplies.
  • Parenteral and enteral nutrients, equipment, and supplies.
  • Prosthetics, orthotics, and prosthetic devices and supplies.
  • Home health services.
  • Outpatient prescription drugs.
  • Inpatient and outpatient hospital services.

Exemptions and Advisory Opinions

In 2003, Congress authorized the Secretary of HHS to promulgate regulations exempting physician self-referrals from the OIG Stark Law provided certain conditions are met and the referral is in the patient’s best interests. Since 2003, the list of exemptions has grown to include (but is not limited to) in-office ancillary services, indirect physician compensation (i.e., compensation paid to a group practice rather than to an individual), self-referrals in rural areas, and compliance training.

For a referral relationship to qualify for an exemption, there must be a written agreement in place, any compensation paid to a referring physician must not be based on the volume of referrals, and the amount of compensation must be commercially reasonable. If physicians or health services are unsure whether a referral relationship qualifies for an exemption, they can apply to CMS for an advisory opinion. To date, CMS has published nineteen advisory opinions.

Penalties for OIG Stark Law Violations

Violations of the OIG Stark Law are civil violations, so there are no criminal penalties for violating the law. However, because the law is linked to the Anti-Kickback Statute, the civil penalties for OIG Stark Law violations are substantial. Self-referring physicians can be fined $15,000 for each service they knew or should have known was provided in violation of the OIG Stark Law, with a potential fine of $100,000 if it is proven they deliberately attempted to circumvent the Anti-Kickback Statute.

The health service that benefitted from the self-referral will have to refund payments improperly collected, plus three times the amount if the payment was received from Medicare. Both the physician and the health service can also be added to the HHS OIG Exclusion List or required to comply with an OIG Integrity Agreement. For these reasons, if you have any doubts a referral may be in violation of the OIG Stark Law, it is recommended you seek professional compliance advice.

The post What is the OIG Stark Law? appeared first on HIPAA Journal.

Multiple Threat Groups Exploiting Ivanti VPN/NAS Zero-Days

Urgent action is required to fix two zero-day flaws in Ivanti Connect Secure VPN and Policy Secure NAS appliances. The vulnerabilities were discovered by researchers at Volexity and were disclosed by Ivanti last week. They have been exploited in the wild since December 2023 by an Advanced Persistent Threat group, but those attacks were highly targeted: at the time of the disclosure, fewer than 20 customers had been attacked. The situation has now changed. On January 11, 2023, multiple threat actors started mass exploiting the flaws in indiscriminate attacks on businesses of all sizes across multiple sectors.

Ivanti will be releasing patches to fix the flaws starting in the week of January 22, 2024, and final patches will be released in the week of February 19, 2024; however, there is a workaround that can prevent exploitation of the flaws until the patches are released. Any HIPAA-regulated entity that uses one of the vulnerable products should ensure that the workaround is implemented immediately, given the extent to which the flaws are being exploited.

The vulnerabilities are CVE-2023-46805, an authentication bypass flaw (CVSS 8.2) present in Ivanti ICS 9.x, 22.x and Ivanti Policy Secure, and CVE-2024-21887, a command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure 9.x, 22.x and Ivanti Policy Secure. The authentication bypass flaw allows an unauthenticated remote attacker to bypass security controls and access restricted resources, and the command injection flaw allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Chained together, the two flaws allow an unauthenticated attacker to reach the command injection, which is why the workaround should be treated as urgent.

The initial attacks were conducted by an unknown APT group that downloaded malware toolkits for espionage purposes. The later attacks have been conducted by multiple threat actors. One actor has already attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant. According to Volexity, as of January 14, 2023, more than 1,700 ICS VPN appliances had been compromised with the webshell.

In addition to applying the mitigation measures, customers have been advised to run the Ivanti Integrity Checker Tool to identify signs of compromise. Because the flaws were being exploited before the disclosure, applying the workaround alone does not rule out an existing compromise; an appliance that was exposed during the exploitation window should be checked as well as mitigated.


Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”; however, the information collected was also transferred to third-party technology companies that were not authorized to receive the data.

The North Carolina health system was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, and Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violated HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.

The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present, and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and says the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.

“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not an admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”

Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, and Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.


How long is HIPAA training good for?

HIPAA training is good for one year, because HIPAA training is generally completed annually to ensure best-practice compliance with evolving regulations and organizational policies. The frequency can vary depending on specific job roles, updates in HIPAA laws, or organizational requirements. New employees who will have access to Protected Health Information (PHI) are mandated by law to receive HIPAA training to ensure compliance with privacy and security regulations. The HIPAA Privacy Rule and HIPAA Security Rule each have HIPAA training requirements for entities handling PHI.

Under the HIPAA Privacy Rule, training is mandated for all workforce members of covered entities and business associates who handle or have access to PHI, ensuring they understand how to maintain the confidentiality and security of this sensitive information. This includes education on the proper use and disclosure of PHI, the rights of individuals under HIPAA, and the entity’s privacy policies and procedures. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information”. The frequency of training is specified “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”, which is generally interpreted as being at least annual refresher training for all staff.

The HIPAA Security Rule specifically focuses on training regarding electronic PHI (ePHI), emphasizing the importance of securing electronic health records and other digital forms of PHI. It requires that relevant staff are trained on the entity’s security policies and procedures, the handling of ePHI, and awareness of potential security threats. The HIPAA Security Rule states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

Both the HIPAA Privacy Rule and the HIPAA Security Rule require that HIPAA training be provided to new employees within a reasonable time frame after hiring, and thereafter as needed, typically annually, to ensure staff are up to date with the latest regulations, technologies, and threats to PHI privacy and security. The aim is to create a knowledgeable workforce that contributes to the prevention of unauthorized PHI disclosures and enhances the overall protection of patient privacy and data security. It is general best practice for new employees to receive HIPAA training as soon as possible.

Documenting HIPAA training helps in proving compliance with federal requirements, reducing the risk of legal issues or fines during audits. Training records are useful for confirming that new hires and staff with access to PHI are properly trained. Training records also allow organizations to track and manage their employees’ training, identifying areas that need further education and ensuring everyone is up to date with current HIPAA rules.


LockBit Ransomware Group Behind Capital Health Cyberattack

Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.

Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.

Capital Health has yet to confirm the extent of any data breach, but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and has threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data, as it was not its intention to cause any disruption to patient care. Even when ransomware is not deployed, these attacks can still cause network outages, because systems are taken offline as part of incident response processes, and therefore still have the potential to disrupt patient care.

Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.

Lawsuit Filed Over Capital Health Cyberattack

The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health, but a lawsuit has already been filed against Capital Health over the alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.

The lawsuit alleges that the plaintiff has suffered injuries as a result of the attack and that Capital Health’s failure to issue prompt notifications to the affected individuals has exacerbated those injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The injuries alleged include damage to and diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.


OSHA Increases Penalties for Workplace Health and Safety Violations

The Occupational Safety and Health Administration (OSHA) has increased the minimum and maximum civil monetary penalties (CMPs) for workplace safety violations, as required by the Federal Civil Penalties Inflation Adjustment Act.

To maintain the deterrent effect of CMPs and to promote compliance with the law, the Federal Civil Penalties Inflation Adjustment Act requires an annual adjustment of CMPs to account for inflation. Each year, the Office of Management and Budget (OMB) calculates an inflation multiplier, and all federal agencies are required to apply that multiplier to their CMP structures by January 15. For 2024, the OMB calculated a multiplier of 1.03241 to reflect the cost-of-living increase over the past 12 months.

OSHA confirmed the cost-of-living increase in a final rule published in the Federal Register on January 11, 2023. The final rule is effective on January 15, 2024, and will apply to all citations issued by OSHA on or after January 16, 2024. The new penalty structure also applies to open inspections that commenced before January 16, 2024. The new CMP structure is detailed in the table below.

Type of Violation       Penalty Minimum             Penalty Maximum
Serious                 $1,190** per violation      $16,131 per violation
Other-Than-Serious      $0 per violation            $16,131 per violation
Willful or Repeated     $11,524* per violation      $161,323 per violation
Posting Requirements    $0 per violation            $16,131 per violation
Failure to Abate        N/A                         $16,131 per day unabated beyond the abatement date (generally limited to 30 days maximum)

* For a repeated other-than-serious violation that otherwise would have no initial penalty, a Gravity Based Penalty (GBP) of $460 shall be proposed for the first repeated violation, $1,152 for the second repeated violation, and $2,304 for a third repetition.
** This amount reflects the actual minimum penalty with all penalty reductions, which rectifies an error in the previous years’ posted serious minimum penalty.

In several U.S. states, state agencies enforce the Occupational Safety and Health Act rather than OSHA, and penalties for workplace safety violations may differ in those states.
