Valley Oaks Health Reports 50,000-Record Data Breach

Cyberattacks and data breaches have been reported by Valley Oaks Health and Sycamore Rehabilitation Services in Indiana, Plymouth Tube Company in Illinois, and Weirton Medical Center in West Virginia.

Valley Oaks Health, Indiana

Valley Oaks Health in Niles, IL, has recently notified 50,352 individuals about a breach of its network environment. Unauthorized individuals gained access to parts of its network between June 8, 2023, and June 13, 2023. Its network was secured, and third-party cybersecurity experts were engaged to assist with the investigation; they confirmed that files containing patient data had been exposed and may have been stolen.

The forensic investigation and document review were completed on February 2, 2024. The breach notice sent to the Maine Attorney General has the specific types of compromised data redacted but the notice confirmed that names have been exposed along with Social Security numbers. Consumer notifications were mailed on March 18, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Weirton Medical Center, West Virginia

Weirton Medical Center in West Virginia identified suspicious activity within its computer network on January 18, 2024. Systems were immediately secured, and third-party cybersecurity experts were engaged to investigate the breach; they determined there had been unauthorized access to the network between January 14, 2024, and January 18, 2024, and that files were copied from its systems.

The information involved varied from individual to individual and may have included one or more of the following: name, Social Security number, date of birth, medical information, health insurance information, treatment information, and the balance due on medical bills. While files were confirmed as having been removed from the network, Weirton Medical Center is unaware of any misuse of patient data. Weirton Medical Center said strict security measures were already in place and they have been augmented to prevent similar incidents in the future. Notification letters were sent to the affected individuals on March 18, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting 26,793 individuals.

Sycamore Rehabilitation Services, Indiana

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with SentinelOne anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and Duo MFA on VPN accounts.
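One of the controls listed above, POP/IMAP disabled by default, is worth verifying rather than assuming, because the default only governs newly created mailboxes and older mailboxes can retain the protocols. The following is an added example written for this article, not tooling from Sycamore Rehabilitation Services or any vendor named here. It assumes an Exchange Online tenant, the ExchangeOnlineManagement PowerShell module, and an account holding a role that can read and change client access (CAS) mailbox settings; it first checks the tenant-wide defaults and then reports and (with `-WhatIf` removed) remediates individual mailboxes that still accept POP or IMAP.

```powershell
# Added example (not Sycamore Rehabilitation Services' own tooling): audit and enforce
# the "POP/IMAP disabled by default" control in Exchange Online.
# Assumption: the ExchangeOnlineManagement module is installed and the signed-in
# account can read and modify CAS mailbox plans and CAS mailbox settings.
Connect-ExchangeOnline

# 1. Defaults for newly created mailboxes: every CAS mailbox plan should have
#    POP and IMAP switched off, otherwise new users get the protocols back.
$plans = Get-CASMailboxPlan
foreach ($plan in $plans) {
    if ($plan.PopEnabled -or $plan.ImapEnabled) {
        Write-Warning "Plan '$($plan.Identity)' still allows POP=$($plan.PopEnabled) IMAP=$($plan.ImapEnabled)"
        Set-CASMailboxPlan -Identity $plan.Identity -PopEnabled $false -ImapEnabled $false
    }
}

# 2. Existing mailboxes: the plan default does not change mailboxes that already
#    exist, so enumerate any that still accept POP or IMAP. These legacy protocols
#    have historically been paired with basic authentication and are a frequent
#    target of password-based attacks against mail accounts, which is why MFA
#    and protocol hygiene belong together.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled

if ($exposed) {
    $exposed | Format-Table -AutoSize
    # Remediate in bulk. -WhatIf only previews the change; drop it once the
    # list above has been reviewed for any mailbox with a documented exception.
    $exposed | ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false -WhatIf
    }
} else {
    Write-Output "No mailboxes have POP or IMAP enabled."
}
```

Run the script on a schedule and keep the output with the compliance evidence for the control; a mailbox that reappears in the list after remediation usually points to a plan that was recreated with the defaults, or to an administrator re-enabling the protocol for a user, both of which are worth an audit-log review.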

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.

Plymouth Tube Company, Illinois

Plymouth Tube Company in Warrenville, IL, has identified unauthorized access to its computer network. The forensic investigation confirmed that there was unauthorized access between January 27, 2024, and January 29, 2024, and during that time, the unauthorized actor accessed or acquired files on its servers which included files that contained employee benefit plan data.

The review of the affected files confirmed that 2,652 current and former employees and their dependents had been affected and had one or more of the following compromised: name, date of birth, Social Security number, driver’s license number, and plan information. The affected individuals were notified on March 13, 2024, and complimentary credit monitoring and identity theft protection services have been made available.

The post Valley Oaks Health Reports 50,000-Record Data Breach appeared first on HIPAA Journal.

OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to provide greater clarity for HIPAA-regulated entities on the use of these technologies. OCR has not changed its position on the use of these technologies or how HIPAA applies.

Why OCR Issued Guidance on Online Tracking Technologies

OCR first issued the guidance in December 2022 after research into the use of these technologies revealed that most U.S. hospitals had added these technologies on their websites, which transmit user data to third parties such as Meta (Facebook), Google, and others. A variety of user data is collected and transmitted about users’ interactions on websites and apps, and some of that data can include protected health information.

The initial guidance explained that these technologies could not be used by HIPAA-regulated entities unless there was a business associate agreement in place with the provider of the technologies and the disclosures of protected health information are permitted by the HIPAA Privacy Rule. Alternatively, consent must be obtained from individuals before the information is transmitted to third parties. OCR has previously stated that non-compliant use of online tracking technologies is an enforcement priority, and in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to around 130 hospitals and telehealth providers about the risks of using these technologies and the potential for impermissible disclosures of PHI.

OCR Sued Over its Tracking Technology Guidance

Since the providers of these technologies typically do not sign business associate agreements with HIPAA-regulated entities, and obtaining consent from individuals is costly and challenging, these technologies generally cannot be used by HIPAA-regulated entities without risking a violation of the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance, and when OCR failed to do so, AHA filed a lawsuit challenging the legality of the guidance. The AHA maintains that these technologies are critical to the function of websites, and that prohibiting their use ultimately harms healthcare providers and patients. Further, while HIPAA-regulated entities were not permitted to use these technologies, the code remained on many government websites, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites.

Online Tracking Technology Guidance Updated to Clear up Confusion

OCR’s updated guidance provides a general overview of how the HIPAA Rules apply to the use of tracking technologies and includes additional examples of when the code can and cannot be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the updated guidance, OCR stressed that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Protected health information is information that relates to the past, present, or future health, health care, or payment for health care, that has identifiers that link that information to an individual or allow that individual to be identified. If any of that information is collected on a web page, the technologies cannot be used without a business associate agreement with the provider of the code and the disclosures must be permitted by the HIPAA Privacy Rule, or consent must be obtained from individuals. Consent cannot be obtained by including information about these disclosures in the Notice of Privacy Practices, via a pop-up or banner on the website stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to either accept or reject cookies. A valid HIPAA authorization is required.

OCR suggests that if a vendor will not sign a BAA covering the use of the code, then a different vendor should be found that will sign a BAA. Alternatively, a customer data platform vendor could be used, which de-identifies the PHI before the information is sent to a third party. It is not permitted to transfer PHI to a vendor without a BAA even if the vendor claims that they will strip out any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; however, there is the potential for PHI to be disclosed on unauthenticated web pages. For instance, on an appointment booking page that collects no health information, if the user enters their email address and that information is transmitted to a third party, that would be classed as an impermissible disclosure of PHI.

For some web pages, the nature of the visit determines whether HIPAA applies. For instance, if a student is searching for information on oncology services when researching the availability of those services pre- and post-pandemic, the collection and transmission of their IP address and other personally identifiable information to a third party without a BAA is not a HIPAA violation, as HIPAA does not apply as there is no PHI involved. If a patient is visiting the same pages to get a second opinion about their diagnosis or cancer treatment, the transmission of the same data would be a HIPAA violation without a BAA, as that information would be classed as PHI. Other examples have been added to the guidance to make it clear when HIPAA applies and when it does not.

OCR explained its enforcement priorities with respect to online tracking technologies and said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI,” explained OCR in the guidance. “OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.”


The Role of Compliance Officers in HHS OIG Regulations

The role of compliance officers in HHS OIG regulations is to ensure policies and procedures are in place to mitigate the risk of a healthcare organization violating a law protecting HHS programs and beneficiaries from fraud or abuse. It is also the role of compliance officers in HHS OIG regulations to monitor compliance with the policies and procedures, and to enforce sanctions on workforce members when they fail to comply with the policies and procedures.

While this explanation of the role of compliance officers in HHS OIG regulations may sound complicated, it is not as difficult as it seems. There are only five healthcare regulations typically enforced by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) – these being:

  • The False Claims Act
  • The Anti-Kickback Regulations
  • The Physician Self-Referral Law
  • The HHS OIG Exclusion Statute
  • The Emergency Medical Treatment and Active Labor Act (EMTALA)

The False Claims Act

The False Claims Act protects HHS programs from being fraudulently charged for medical items or services. It is an offense to submit any claim that a healthcare organization knew or should have known was inaccurate; and, depending on the degree of intent, the penalties for violations of the False Claims Act can be civil (up to $27,894 per violation) or criminal (up to $250,000 per violation plus jail time for individuals and up to $500,000 per violation for organizations).

The role of compliance officers in HHS OIG regulations in this case is to ensure that processes exist to verify the authenticity of reimbursement claims, that billing irregularities are flagged for investigation, and that security gaps are closed to prevent internal or external bad actors from compromising HHS transactions. In the event that claims and billing are outsourced, the role of compliance officers is to conduct due diligence on third-party service providers.

The Anti-Kickback Regulations

The anti-kickback regulations exist to prevent inducements for referrals and “paid-for” recommendations for medical items or services. The consequences of “healthcare by inducement” are not only higher reimbursement claims, but also the risk that patients may not receive the most appropriate healthcare. Consequently, penalties for violations of the anti-kickback regulations are imposed on both the payer of an inducement and its recipient.

Because it is usually individuals who succumb to inducements, it is rare that an organization is investigated for an offense against the anti-kickback regulations. However, compliance officers need to be alert to individual members of the workforce accepting non-exempt inducements. This is because any induced reimbursement claims submitted via the organization will have to be repaid to HHS if a kickback allegation against a workforce member is proven.

The Physician Self-Referral Law

The Physician Self-Referral Law (aka the Stark Law) prohibits healthcare providers from referring patients to “designated health services” when the healthcare provider or an immediate family member has a financial interest in the designated health service. To prevent violations of this law, compliance officers will need to know if any workforce members have business interests (including indirect family business interests) outside the healthcare organization.

However, when the HHS OIG investigates a violation of the Stark Law, the perpetrators are the referring healthcare provider (i.e., a member of the workforce) and the health service that benefitted from the self-referral. The organization for whom the compliance officer works will not be responsible for repaying the proceeds of any unlawful activity. Nevertheless, having workforce members violate HHS OIG fraud laws is not something compliance officers want on their CVs!

The HHS OIG Exclusions List

In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments gave HHS OIG the authority to exclude individuals and entities from participating in HHS programs if they were found to have violated a healthcare fraud or abuse law. Depending on the violation, an exclusion can be mandatory (typically five years) or discretionary (no minimum or maximum limits) – during which time excluded individuals and entities cannot bill HHS programs directly or indirectly.

The role of compliance officers in HHS OIG regulations in this case is to ensure that no excluded individual becomes a member of the workforce and that no goods or services are supplied by an excluded entity. Healthcare organizations that employ excluded individuals or that contract goods or services from an excluded entity can be fined up to $20,000 for each good or service unlawfully claimed, plus three times the amount claimed from an HHS program.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires qualifying healthcare organizations that participate in HHS programs to examine an individual requesting emergency care and provide emergency treatment regardless of the individual’s insurance coverage or ability to pay. If the healthcare organization cannot provide appropriate emergency treatment, they must stabilize the individual and arrange a transfer to another healthcare organization that has appropriate treatment capabilities.

Qualifying healthcare organizations that fail to examine an individual or who fail to accept an individual transferred from another healthcare organization can be fined up to $129,233 and added to the HHS OIG Exclusions List. What can complicate the role of compliance officers in HHS OIG regulations such as EMTALA is when exemptions exist depending on location, the nature of the emergency treatment required, and the professional affiliation of healthcare workers.

How to Fulfil the Role of Compliance Officers in HHS OIG Regulations

The way to fulfil the role of compliance officers in HHS OIG regulations is to adapt existing policies and procedures to mitigate the risk of violating a healthcare fraud or abuse law. For example, most healthcare organizations are required to audit their claims and billing processes as a condition of participation in Medicare and Medicaid. Existing procedures could be adapted so that reimbursement claims are verified and irregularities are flagged in the audit process.

Similarly, conducting due diligence on third-party service providers is already a condition of HIPAA compliance when PHI is shared with a business associate – as are reasonable and appropriate measures to protect the confidentiality, integrity, and availability of electronic PHI, whether it is shared with a business associate or processed in-house. Complying with the HIPAA Security Rule automatically ensures that Part 162 transactions are more secure.

With regards to identifying violations of the anti-kickback regulations, induced reimbursement claims should be flagged as part of an effective audit process. The requirement to check individuals against the HHS OIG Exclusions List is an extra check to add to the existing Level 2 checks that many healthcare organizations already have to perform before engaging a new member of the workforce in order to comply with state employment laws.

As many of the policies and procedures required to fulfil the role of compliance officers in HHS OIG regulations are adaptations or extensions of existing policies and procedures, monitoring workforce compliance with the policies and procedures should not create an additional compliance burden – nor should enforcing sanctions on workforce members when they fail to comply with the policies and procedures. Nonetheless, compliance officers uncertain about how to fulfil their role with regards to HHS OIG regulations should seek independent compliance advice.
