Interview: Dotty Bollinger, Founder, Integrity Healthcare Advisors

Dotty Bollinger, Founder, Integrity Healthcare Advisors

The HIPAA Journal has spoken with Dotty Bollinger, who is a healthcare compliance consultant and founder of Integrity Healthcare Advisors.

Dotty graduated with a degree in Nursing from Maria College in Albany, New York, and later received a bachelor’s degree in management and marketing at the University of Maryland University College. Dotty earned a law degree from the University of South Dakota School of Law and holds a Master’s level certificate in healthcare compliance from George Washington University. Dotty Bollinger is an Executive Partner in Compliance & Risk Management at SCALE Healthcare.

What is your current position?

I am a healthcare compliance consultant for a variety of healthcare practices – some private equity owned and others physician owned. I work across a wide range of healthcare specialties from physician practice to pharmacy services to DME.

Tell the readers about any significant event in your career.

As a registered nurse, I loved regulatory compliance and risk management. I loved the tie between smart application of rules to the outcome of excellent patient care. As a kid I had always dreamed I’d go to law school. My passion for all things risk and compliance, along with a supportive spouse led me to law school. Becoming an attorney really launched my executive healthcare career.

When did you first get involved with healthcare compliance?

DHH released the HIPAA privacy rule standards in December 2000. I was one of the first hires of a new long term care company in August 2001. The COO asked me whether or not these new standards applied to our operation, and lo and behold my formal compliance career began!

As a compliance officer, what do you consider the primary challenges in your day-to-day responsibilities?

As a consultant, I often remind the folks I work with to ensure they are always looking to the day-to-day operations for compliance opportunities. It’s great to think about HIPAA compliance policies, or OIG elements, but at the end of the day the only thing that matters is whether or not the team is doing the right thing, day in and day out. The primary challenge is to combine business sense and savvy along with managing risk. Rules and regulations are black and white. Growing a business isn’t. How can you best help your organization get to yes? Anyone can tell them what they can’t do. How can you help the team be successful AND compliant? It’s the compliance officer’s opportunity to help the team see their work flow or processes in a different way.

Specifically concerning HIPAA, what challenges do you often encounter, and how do you navigate them in your role?

Probably the biggest challenge with HIPAA is that anyone who has been in healthcare for a while has a preconceived idea about whether or not it’s an important regulation, whether patients care about what you do with their PHI, or whether there is anything new they need to know. You have to stay up on HIPAA changes, and make training fresh, new, funny – whatever it takes!

Managing healthcare compliance for large organizations can be complex. What are the key challenges you face, and how do you address them effectively?

Large organizations can have many parts operating independently. Whether it’s a group of clinics in multiple locations that have come together through acquisitions, or just one very large entity, unless the company is integrating its systems, programs and procedures, it can be very difficult to manage a compliant operation overall. It is very important for a compliance officer in a large complex organization to have access to systems and support to track and organize compliance efforts. Otherwise, overseeing compliance will feel a bit like that arcade game “whack-a-mole” – you’ll accomplish one thing only to have another pop up.

Do you have any predictions for the future of HIPAA? Specifically in 2024.

From the proposed changes in HIPAA published on govinfo.gov, there may be multiple modifications of the HIPAA rules in 2024.

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
    • shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
    • clarifying the form and format required for responding to individuals’ requests for their PHI;
    • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
    • reducing the identity verification burden on individuals exercising their access rights;
    • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
    • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
    • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
    • specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
    • amending the permissible fee structure for responding to requests to direct records to a third party; and
    • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
  • Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
  • Creating an exception to the ‘‘minimum necessary’’ standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities
  • Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is ‘‘serious and reasonably foreseeable,’’ instead of the current stricter standard which requires a ‘‘serious and imminent’’ threat to health or safety.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

While the list is long and not yet published as final, some of these rules will require organizations with mature, tried and true privacy and security policies to alter their duty to warn and duty to comply as it relates to PHI disclosure to patients in hard copy or EHR form. In some cases, the modifications apply a bit of a commonsense approach to the minimum necessary standard that may ease restrictions in care coordination and case management instances.

Are there specific tools or technologies that you find particularly useful in aiding your efforts to ensure compliance?

I’ve had access to a number of compliance software solutions as I’ve supported client compliance efforts. I prefer Compliancy Group’s The Guard. I find it’s easy to use, comprehensive in that I can use the programs it comes with along with customizing my own, it can house my 7 OIG elements, keep track of training and policy attestations, and helps me masterfully manage my business associate contracts, BAAs and audits. I also frequent the OIG workplan website and search for various healthcare sectors to see if the OIG is focused on the kind of healthcare my clients provide. Finally, believe it or not DHHS, SAMHSA and other government websites have some pretty good training videos, and when I find one I like, I can upload it to The Guard and use it in my staff training.

Do you have any predictions for the future of healthcare regulation? Specifically in 2024.

Care will continue to move to the least restrictive and expensive option. Inpatient to outpatient, outpatient to home. The use of technology will continue to play a bigger and bigger role, not just with telemedicine visits, but also remote care staff, remote diagnosticians, and now the use of AI to read test results and identify preliminary care planning, diagnosis and treatment. Every provider must embrace AI because it’s coming to your sector of healthcare whether we’re ready for it or not.

You can contact Dotty Bollinger via LinkedIn: https://www.linkedin.com/in/dottybollinger/

The post Interview: Dotty Bollinger, Founder, Integrity Healthcare Advisors appeared first on HIPAA Journal.

Former Executive Sentenced to Probation for HIPAA Violation

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky has been sentenced to 2 years’ probation and ordered to pay $140,000 in restitution after reaching a plea agreement with federal prosecutors over a HIPAA violation.

Robison pled guilty to knowingly disclosing the protected health information of patients of Commonwealth Health Corporation (CHC) under false pretenses to an unauthorized third party between 2014 and 2015. Robison did not have authorization from the patients concerned nor from CHC to disclose the records.

While Vice President of CHC, Robison hired Randy Dobson as a patient account collection vendor for CHC. In March 2011, Robison and Dobson set up a corporation – OPTA LLC – in Kentucky. The pair were the only registered members and Robison was the registered agent. Dobson was developing a software solution and together the pair hoped to market the software to healthcare companies.

OPTA Kentucky was dissolved in 2014, and Delaware OPTA was incorporated the same year with Dobson listed as the sole owner. Delaware OPTA continued to develop the same software, and Robison hoped to share in the profits from the sale of the software when he left CHC. In 2014, Robison instructed the CHC IT department to share patient data with Dobson to test the software. The disclosures occurred between 2014 and 2015 without authorization from CHC or the patients concerned.

CHC learned of the relationship between Robison and Dobson, Robison was fired by CHC in December 2016, and the HIPAA violation was reported to law enforcement. Dobson is not believed to have disclosed the patient data to any other individuals and only used the data to test the software. While patients appear not to have suffered any harm, the potential penalty for the violation was severe.

Robison faced a maximum penalty of five years imprisonment and a fine of up to $100,000 for the HIPAA violation. Robison pled guilty to one count of impermissibly disclosing protected health information in a plea deal that saw him avoid jail and instead be placed on probation for 2 years. Robison was also ordered to pay CHC $140,000 in restitution. Half of that amount has already been paid and Robison intends to pay the remainder by the end of January.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers. The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.
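The account hygiene failures described above (a third-party admin account unused for years, a password never rotated, no MFA, the account never disabled) are the kind of thing a periodic identity audit catches. The following is an added illustration written for this article, not tooling from Refuah, the NY AG or HIPAA Journal; the thresholds and the sample account records are constructed assumptions.

```python
"""Stale privileged-account audit (added illustration, not Refuah's tooling).

Flags the conditions the Refuah case describes: a vendor admin account idle
for years, a password never rotated, MFA missing, account never disabled.
Thresholds below are assumptions; real values come from the entity's policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 90           # assumed "disable if unused" policy


@dataclass
class Account:
    name: str
    privileged: bool
    third_party: bool          # vendor / business associate account
    mfa_enabled: bool
    password_changed: date
    last_login: Optional[date]  # None = never used
    enabled: bool = True


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {account name: [finding, ...]} for enabled accounts that need action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to do
        issues = []
        idle_days = (today - acct.last_login).days if acct.last_login else None
        if idle_days is None or idle_days > MAX_IDLE_DAYS:
            shown = "never used" if idle_days is None else f"idle {idle_days} days"
            issues.append(f"{shown}: disable the account")
        if (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than policy: rotate it")
        if acct.privileged and not acct.mfa_enabled:
            issues.append("privileged account without MFA: enforce MFA")
        if acct.third_party and idle_days is not None and idle_days > MAX_IDLE_DAYS:
            issues.append("inactive vendor account: confirm the engagement ended, remove access")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample records mirroring the pattern in the article:
# a vendor admin account with an 11-year-old password, last used 7 years ago.
SAMPLE_ACCOUNTS = [
    Account("vendor-admin", True, True, False, date(2010, 5, 1), date(2014, 5, 1)),
    Account("clinician-1", False, False, True, date(2021, 3, 1), date(2021, 4, 28)),
    Account("old-contractor", True, True, False, date(2012, 1, 1), None, enabled=False),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, today=date(2021, 5, 1))


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```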

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) and (B), and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The latter was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG requires Refuah to invest $1.2 million in cybersecurity and to make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals

The Californian law firm Orrick, Herrington & Sutcliffe has recently confirmed that a cyberattack that was detected in March 2023 has affected more than 637,000 individuals. The Orrick, Herrington & Sutcliffe data breach was reported to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals, then on July 20, 2023, the law firm notified the Maine Attorney General that the breach had affected 152,818 individuals. An updated notification was sent to the Maine Attorney General on August 18, 2023, with an increased total of 461,100 affected individuals. Another update was issued on December 29, 2023, with an increased total of 637,620 individuals. This appears to be the final total, as the law firm said it does not anticipate providing notifications on behalf of any further affected businesses.

The services provided by Orrick, Herrington & Sutcliffe include legal counsel for companies that have suffered security incidents and data breaches, including handling regulatory requirements such as notifications to state authorities and the individuals whose sensitive data was exposed. The law firm’s experience in issuing notifications has grown considerably in 2023 with its own consumer notifications, which were sent in July, August, September, and November.

The nature of the services provided by the law firm means many of the individuals affected by the data breach had previously been affected by data breaches at other companies that used Orrick, Herrington & Sutcliffe’s services for their own breach responses. These include individuals who had vision plans from EyeMed Vision Care, dental plans from Delta Dental, and health insurance from MultiPlan and Beacon Health Options (Carelon). Another client affected was the U.S. Small Business Administration.

Settlement Proposed to Resolve Class Action Data Breach Lawsuits

Several lawsuits were filed in response to the data breach, and Orrick, Herrington & Sutcliffe has chosen to settle them quickly. Four of those lawsuits made similar claims and were consolidated into a single class action lawsuit in California Federal Court – In Re: Orrick, Herrington & Sutcliffe LLP Data Breach Litigation. The lawsuits alleged the law firm should have been well aware of the risk of ransomware attacks and data breaches due to extensive media reports, warnings from the Federal Bureau of Investigation, and the attacks suffered by the law firm’s clients. They claimed the cyberattack and data breach could have and should have been prevented had the law firm implemented necessary and appropriate cybersecurity measures and followed industry best practices for cybersecurity.

In a court filing on December 21, 2023, Orrick, Herrington & Sutcliffe said a settlement is being finalized and an agreement in principle has been reached. The law firm said it expects to present the settlement to U.S. District Judge Susan Illston for approval in early January. Orrick, Herrington & Sutcliffe issued a statement saying it regretted the “inconvenience and distraction that this malicious incident caused,” and that the law firm is happy to have reached a settlement within a year to bring the matter to a close. Details of the settlement have yet to be made public; however, attorney William Federman, who is representing the plaintiffs, confirmed that the settlement is reasonable and fair and will resolve all pending litigation.