What is Required for HIPAA Compliance?

What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.

Due to the complexity of the HIPAA Administrative Simplification Regulations, misunderstandings can sometimes exist about what HIPAA is, who it applies to, what is protected by HIPAA, and who is responsible for HIPAA compliance. These misunderstandings can make it difficult to determine what is required for HIPAA compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 with the purpose of reforming the health insurance industry. Due to the cost of the reforms, a second Title was added to the Act which aimed to counter the cost by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The Administrative Simplification Regulations are what most people refer to when discussing what is required for HIPAA compliance. The Regulations include the General Provisions and the procedures for the enforcement of HIPAA (Part 160), the standards for electronic healthcare transactions (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).

Individuals and organizations to whom HIPAA applies have to comply with all applicable standards and implementation specifications of the Administrative Simplification Regulations. This means that, if – for example – a medical office outsources its healthcare transactions to a third party, the medical office does not have to comply with the standards in Part 162 of HIPAA.

Who does HIPAA Apply To?

§160.102 of the HIPAA Administrative Simplification Regulations states that the standards and implementation specifications apply to health plans, health care clearinghouses, and health care providers that conduct or outsource transactions for which a standard exists in Part 162. Individuals and organizations that fall into these categories are called “covered entities”.

HIPAA also applies to “business associates” – third party individuals and organizations that provide a service to or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Business associates can include outsourced billing companies, cloud service providers, and medical transcriptionists.

Examples of who HIPAA does not apply to include auto insurance companies that provide health benefits as a secondary service, healthcare providers that bill patients directly, publicly funded schools, and employers in their role as an employer. HIPAA also does not apply directly to members of a covered entity’s or business associate’s workforce for reasons explained later.

What does HIPAA Protect?

One of the most common misunderstandings about HIPAA – and one of the biggest barriers to determining what is required for HIPAA compliance – is what HIPAA protects. The misunderstanding exists because some sources confuse what is considered PHI under HIPAA with the requirements for de-identifying PHI using the safe harbor method in §164.514(a).

To summarize what HIPAA protects: any information relating to a patient’s health condition, treatment for the condition, or payment for the treatment is protected by HIPAA. In addition, any information that could be used to identify the patient is protected by HIPAA when it is maintained in the same designated record set as health, treatment, or payment information.

This means – for example – that a patient’s name and cellphone number are protected by HIPAA when they are maintained in the same designated record set as the patient’s health, treatment, or payment information, but they are not protected when they are maintained in a separate database that does not contain health, treatment, or payment information (e.g., a database kept for marketing purposes).

Who is Responsible for HIPAA Compliance?

Covered entities are required by §164.530(a) to designate a privacy official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Privacy and Breach Notification Rules. The privacy official does not have to be an existing member of the workforce. The position can be outsourced on a temporary or permanent basis.

In addition, §164.308(a) requires covered entities and business associates to identify a security official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Security Rule. Again, this position can be outsourced, or it can be combined with the responsibilities of the privacy official in a single HIPAA compliance role.

In most cases, covered entities and business associates will already have an individual or team responsible for managing compliance with other federal, state, or voluntary regulations. In many cases, what is required for HIPAA compliance can overlap with what is required for complying with other regulations – for example, the conditions of participation in Medicare, OSHA, and SOC 2.

What is Required for HIPAA Compliance by Workforce Members?

It was mentioned earlier that HIPAA does not apply directly to members of a covered entity’s or business associate’s workforce. The reason for this is that covered entities are required to provide HIPAA training to members of the workforce on the policies that are relevant to their roles. It is not necessary for every member of the workforce to be trained on every HIPAA policy.

In addition, covered entities and business associates must provide security awareness training to all members of the workforce and “ensure compliance” with their policies and procedures by implementing and applying a sanctions policy. Rather than it being necessary for workforces to comply with the HIPAA Rules, workforces are required to comply with the organization’s rules.

There is one exception to this explanation of workforce compliance with HIPAA. When HIPAA was passed by Congress in 1996, it extended §1177 of the Social Security Act to members of the workforce. In the context of what is required for HIPAA compliance by workforce members, a violation of §1177 can result in a workforce member being convicted of the wrongful disclosure of PHI.

What is Required for HIPAA Compliance? Conclusion

It is not surprising that some covered entities and business associates have difficulty determining what is required for HIPAA compliance. Misunderstandings about what HIPAA is, who it applies to, and what is protected by HIPAA can be compounded by assuming members of the workforce are required to comply with HIPAA when their compliance obligations are indirect.

Organizations that are unsure of what is required for HIPAA compliance should take advantage of our HIPAA compliance checklist to compare existing privacy and security measures against the standards that apply to their activities. Thereafter, it will be possible to conduct a gap analysis and develop a healthcare compliance program that incorporates the requirements of HIPAA.

Covered entities and business associates that encounter difficulties in conducting a gap analysis, developing a healthcare compliance program, or incorporating the requirements of HIPAA into existing compliance activities are advised to review the HHS Office for Civil Rights Help Pages or speak with an independent compliance professional.

The post What is Required for HIPAA Compliance? appeared first on HIPAA Journal.

LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.


HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds

Audits conducted by the Department of Health and Human Services Office of Inspector General (HHS-OIG) of states that claim Medicaid school-based costs with the assistance of contractors have revealed some states have claimed unallowable federal funds due to their contractors improperly conducting random moment time studies (RMTSs). Pennsylvania is the latest state to be audited by HHS-OIG, which found that approximately $590 million was claimed in federal Medicaid payments for school-based services between July 1, 2015, and June 30, 2019, $551.4 million of which was improperly claimed.

For the audit, HHS-OIG reviewed a stratified random sample of 310 random moments, each of which was coded as a health service or administrative activity. HHS-OIG also looked at the methods Pennsylvania used to allocate health services costs to Medicaid.

Based on the sample, HHS-OIG estimated that Pennsylvania claimed $182.5 million in unallowable Federal funds because it did not support that all moments used in RMTSs and coded as Medicaid-eligible were actually for Medicaid-eligible health services or Medicaid administrative activities. Pennsylvania also improperly claimed $368.9 million when it used unsupported ratios to allocate costs to Medicaid. The RMTSs conducted by contractors for Pennsylvania did not cover all days worked by staff members because they were not conducted for the first month of the school year.

HHS-OIG said that the improper claims were due to complex cost allocation methods that were developed by the state and its contractor which were difficult or impractical to support with documentation, or that CMS guidance was not followed. HHS-OIG recommended that the state refund the $182.5 million as these funds were used for unsupported Medicaid-eligible health services and Medicaid administrative activities. HHS-OIG also recommended that the state either support or refund the $368.9 million, as these funds were claimed using an unsupported cost allocation method. HHS-OIG also provided guidance to the state to help with the preparation of accurate and supportable claims.

Pennsylvania agreed with the guidance but disagreed with the monetary and procedural recommendations, specifically disagreeing with the HHS-OIG finding that the moments were not supported as Medicaid-eligible. Pennsylvania claimed that it was not required to provide documentation other than what RMTS participants provided and that it was not responsible for ensuring that all service providers were appropriately licensed. Pennsylvania also claimed that the ratios it used for allocating costs to Medicaid are accurate.


What is an HHS OIG Compliance Program?

An HHS OIG compliance program consists of best practices that should be included in an integrated healthcare compliance program to avoid violating fraud and abuse laws enforced by the Department of Health and Human Service (HHS) Office of Inspector General (OIG). Adding HHS OIG compliance best practices to an integrated program not only helps avoid penalties for HHS OIG compliance failures, but may also improve compliance with the integrated program.

Integrated healthcare compliance programs are programs that combine some or all applicable healthcare rules, regulations, and standards into a single compliance program. For example, a healthcare facility might combine CMS’ Emergency Preparedness Rule (81 FR 63860) with OSHA’s Emergency Planning Regulation (§1910.38) and HIPAA’s Contingency Plan Standard (§164.308(a)(7)) to comply with all three requirements via a single activity.

Although integrated healthcare compliance programs can be complicated to develop and keep up to date, they have multiple benefits. In addition to reducing the compliance burden (for example, by reducing the three compliance requirements above to just one), it is also simpler to train workforce members on one integrated compliance program – which has the secondary benefit of simultaneously complying with the CMS, OSHA, and HIPAA training requirements.

What Does an HHS OIG Compliance Program Consist Of?

There is no one-size-fits-all HHS OIG compliance program because some healthcare facilities might not conduct all the activities covered by fraud and abuse laws, while other healthcare facilities might outsource some activities to a third party (e.g., claims and billing) – in which case the third party is liable for compliance violations. However, there are five main fraud and abuse laws most healthcare organizations have to consider in an HHS OIG compliance program:

The False Claims Act

The False Claims Act protects the government from being overcharged for goods or services. In the context of an HHS OIG compliance program, it is a violation of the False Claims Act to submit claims for payment to Medicare, Medicaid, or any other HHS program that a healthcare facility knew – or should have known – were fraudulent. For this reason, it is important to monitor claims and billing activities – even when these activities are outsourced to a third party.

The penalties for violations of the False Claims Act vary depending on whether HHS OIG considers violations to be civil or criminal offenses. HHS OIG has the authority to impose fines of up to $27,894 per civil violation (March 2024) and up to three times the amount falsely claimed from HHS programs. Criminal violations are referred to the Department of Justice, who can pursue fines of up to $500,000 per violation and jail terms of up to five years per violation.

The Anti-Kickback Regulations

In addition to an HHS OIG compliance program consisting of measures to prevent fraudulent billing events, a program should also include measures to prohibit the receipt of – or payment for – kickbacks to induce referrals for items and services reimbursable by an HHS program. HHS OIG considers kickbacks to not only be monetary, but also “in-kind remunerations” such as cost-sharing waivers, shares, subsidies, free items, space, equipment, and services.

The important thing for healthcare facilities to be aware of with regards to the anti-kickback regulations is that both parties involved in a kickback transaction can be found guilty of a violation (i.e., the payer and the recipient of the kickback). In addition, as with violations of the False Claims Act, the penalties for violating the anti-kickback regulations can be criminal and civil – although in this case, the maximum criminal fine is $100,000 per violation.

The Stark Law

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring patients to receive “designated health services” when the physician or an immediate family member has a financial interest in the designated health service. It is important to be aware the term designated health services not only relates to the provision of treatment, but can also refer to the provision of therapy, medical items, and outpatient prescription drugs.

Both the physician that violated the Law and the health service that benefitted from the violation are considered liable for the violation by HHS OIG. Self-referring physicians can be fined up to $15,000 per violation (or up to $100,000 if the violation is considered an attempt to circumvent a criminal anti-kickback regulation), while the health service will have to refund up to three times the amount of any payments received from an HHS healthcare program.

The Exclusion Statute

The Exclusion Statute requires HHS OIG to exclude individuals and organizations from participating in HHS programs if they are found guilty of Medicare or Medicaid fraud, patient abuse or neglect, intentionally violating the anti-kickback regulations, or unlawfully manufacturing, distributing, prescribing, or dispensing controlled substances. HHS OIG also has the discretionary authority to exclude individuals and organizations for misdemeanors.

Individuals and organizations excluded from participating in HHS programs not only cannot bill HHS directly; they also cannot bill HHS indirectly by providing goods or services via a third party healthcare facility. To make it harder to circumvent the Statute, third party healthcare facilities are prohibited from – and can be fined for – contracting goods or services from an individual or organization that appears on the HHS OIG Exclusions List.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires healthcare facilities that participate in HHS programs to conduct a medical screening examination on any individual requesting emergency care. If the examination identifies an emergency medical condition, the facility must stabilize the individual and provide treatment until the emergency medical condition is resolved. If the facility does not have the capability to treat the individual, it must transfer the individual to a facility that can provide treatment.

Healthcare facilities that fail to conduct a medical screening examination, or who fail to accept an individual transferred from another healthcare facility for emergency treatment, can be fined up to $129,233 and added to the HHS OIG Exclusions List. Individuals to whom a screening or treatment is denied can also take civil action in some states, whereas in other states conditions may apply with regards to the provision of emergency labor and psychiatric treatments.

What are HHS OIG Compliance Best Practices?

As with an HHS OIG compliance program, there are no one-size-fits-all HHS OIG compliance best practices. To determine which HHS OIG compliance best practices should be included in a compliance program – whether an integrated compliance program or not – healthcare facilities should assess their exposure to violations of all applicable fraud and abuse laws, and develop policies and procedures to mitigate the risk of a violation occurring.

Recommendations for assessing the risk of an HHS OIG violation include auditing HHS claims and billing processes – even when outsourced to a third party – in order to identify potential vulnerabilities, irregularities, or opportunities for fraud. There is HHS OIG-issued software that can help with the audit process, but smaller healthcare facilities might find it quicker to conduct an audit manually, rather than work out how to use the software on smaller data sets.

One of the most important HHS OIG compliance best practices that all healthcare providers should integrate into a compliance plan is an HHS OIG Background Check. Policies should be put in place to check the HHS OIG Exclusions List before any new hire or supplier is engaged, while procedures should exist to periodically recheck the Exclusions List due to the length of time it can take for an individual or organization under investigation to be added to the Exclusions List.

With regards to EMTALA, it is a best practice for qualifying healthcare facilities to train members of the workforce on what medical conditions qualify for mandatory emergency screening and/or treatment, and when exceptions apply – whether due to location, medical discipline, or the professional affiliation of healthcare workers. EMTALA can have several gray areas, so it may be important that HHS OIG compliance best practices are enforced when EMTALA is applicable.

The Benefits of HHS OIG Compliance Risk Management

The benefits of HHS OIG compliance risk management are that healthcare facilities mitigate the risk of an HHS OIG violation – reducing the chance of a fine, criminal conviction, or private action by an individual that has been denied emergency care. Even when these consequences of an HHS OIG violation do not happen, healthcare facilities may be required to comply with a Corporate Integrity Agreement – which can be costly to comply with as well as being disruptive.

However, HHS OIG compliance risk management does not have to be particularly complicated. It has already been demonstrated how combining multiple compliance requirements into one integrated healthcare compliance program can reduce the compliance burden and help healthcare facilities save time and money – and adding HHS OIG compliance best practices to an existing integrated healthcare compliance program should be equally as beneficial.

For example, most Medicare Part D and Medicare Advantage providers already have to conduct claims and billing audits as a condition of participation in Medicare. Similarly, most states have laws that require healthcare facilities to conduct Level 2 background checks on new employees (e.g., professional license verification, sex offender registry checks, etc.) – so adding one more background check (the HHS OIG Exclusions List) is barely going to increase the compliance burden.

Healthcare facilities that are unsure about which fraud and abuse laws apply to their activities (including outsourced activities) and how to comply with them – or when exceptions apply to certain activities under the Safe Harbor regulations – should contact HHS OIG for advice. Alternatively – or to find out more about developing an integrated healthcare compliance program – healthcare facilities can seek independent advice from a compliance professional.


Humana Reports Mailing Errors Affecting More than 10,000 Members

Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.

Humana Inc.

The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.

On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.

On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider names, gender, copay information, and deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.

KMJ Health Solutions

KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.

One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KMJ Health Solutions. When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected.

Jewish Home Lifecare

Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and assisted by computer forensics experts, determined that there had been unauthorized access to its systems and the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.

Lake of the Woods County Social Services

Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.

A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included name in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department (such as locations of service, dates of service, client identification number or unique identifiers related to services provided), insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.
