HHS OIG Work Plan – HIPAA Journal
The HHS OIG Work Plan is a schedule of audits and evaluations conducted by the HHS Office of Inspector General that are intended to protect the integrity of HHS programs and the welfare of program beneficiaries. Unlike OIG Work Plans maintained by OIGs in other US Federal Government Departments, the HHS OIG Work Plan is “dynamic” and changes frequently to respond to emerging issues.
The Role of the HHS OIG
The role of the HHS OIG is to fight waste, fraud, and abuse in more than 100 HHS programs run by agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), and the Food and Drug Administration (FDA). It attempts to fulfil its role by conducting audits, evaluations, and – when necessary – investigations, and by providing outreach, compliance, and educational activities.
Because OIG staff cannot be in all places at all times, HHS OIG schedules audits and evaluations based on mandatory review requirements, requests made by Congress, and reported management or performance issues. The HHS OIG Work Plan can be – and often is – interrupted by an audit or evaluation progressing into an investigation, by the requirements of other oversight agencies, or by an emerging issue requiring prioritization.
HHS OIG Audits, Evaluations, and Investigations
HHS OIG audits, evaluations, and investigations are conducted by three Offices within the OIG – the Office of Audit Services, the Office of Evaluations and Inspections, and the Office of Investigations. Audits and evaluations most often assess the performance of HHS programs and service providers; if anomalies are identified, criminal, civil, and administrative investigations are initiated to detect cases of fraud and misconduct.
The majority of audits and evaluations do not progress into an investigation. Most often they provide insights into potential risks, suggest policies and procedures that could mitigate the risks, or make recommendations about improvements to existing programs. When an investigation is considered necessary, the most common outcomes are repayments of overcharged amounts, exclusions from HHS programs, civil settlements, or criminal charges.
Outreach, Compliance, and Educational Activities
As well as scheduling audits, evaluations, and investigations, the HHS OIG Work Plan includes outreach, compliance, and educational activities to (for example) warn program beneficiaries of healthcare-related scams, help service providers comply with HHS Regulations, and provide tools for service providers to comply with HHS Regulations. HHS OIG also encourages service providers to self-disclose potential fraud or misconduct in HHS programs.
In the context of helping service providers comply with HHS Regulations, one of the most recent activities on the HHS OIG Work Plan has been an update to the “General Compliance Program”. Not only has the guidance documentation been completely refreshed, but HHS OIG is planning to publish further industry segment-specific compliance program guidance throughout 2024 for different types of service providers participating in HHS programs.
HHS OIG Work Plan 2024
At present, Offices of the HHS OIG have more than 200 items scheduled for the HHS OIG Work Plan 2024. Almost half are from previous years and have been put on hold due to a lack of resources, because they are low priority, or because they are waiting for further information. Others are in progress and partially complete or waiting for a decision from an HHS program as to whether the recommendations in an audit or evaluation will be accepted or revised.
Active items in the HHS OIG Work Plan 2024 most likely to have an impact on service providers include a study of adverse events in hospitals affecting Medicare patients, an audit of workplace violence in NIH-funded institutions, and an investigation of OCR’s governance of HIPAA with regards to protecting ePHI from cyberattacks. This investigation will also determine whether minimum security measures should be a condition of participation in the Medicare program.
Why It Is Important to Keep Up To Date with the HHS OIG Work Plan
The reason it is important to keep up to date with the HHS OIG Work Plan is that HHS OIG audits and evaluations make recommendations that could be adopted in future HHS policies. While most service providers to HHS programs will be aware of the proposed changes to HIPAA and other HHS programs that have already been announced, making changes to accommodate only those proposals without looking further ahead may create future compliance challenges.
The post HHS OIG Work Plan appeared first on HIPAA Journal.
Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records – HIPAA Journal
The Texas Attorney General sent a civil investigative demand to Seattle Children’s Hospital seeking access to the medical records of trans patients. The hospital refused to provide the records and has filed a lawsuit that requests a Texas judge nullify the Attorney General’s demands.
The American Medical Association and the American Academy of Pediatrics believe that gender-affirming care is medically necessary and, in some cases, can be a lifesaving treatment for transgender youth; however, 20 states have imposed bans or placed restrictions on gender-affirming care for minors, and dozens of bills are being considered in other states. Earlier this year, Texas was added to that list when SB 14 was signed into law by Texas Governor Greg Abbott. The law prohibits the provision of gender transition care to Texas residents under 18 years of age.
In November 2023, Texas Attorney General Ken Paxton issued a civil investigative demand for the records of Texas residents who visited Seattle Children’s Hospital to receive gender-affirming care when under 18 years of age. In Washington, gender transition care can be legally provided to minors, including to individuals who travel to Washington from other U.S. states. AG Paxton sought access to information on diagnoses, lab test results, visit records, treatment for gender dysphoria, and other information about minor trans patients from Texas dating back to January 2022, along with the hospital’s standard protocol for treating patients with gender dysphoria who live in Texas. The hospital was given until December 7, 2023, to respond and provide the requested records.
The civil investigative demand was issued by the Texas Attorney General’s Consumer Protection Division as part of an investigation into alleged violations of the Texas Deceptive Trade Practices Act, specifically, the alleged misrepresentation of gender-affirming care. The demand for records was also accompanied by a threat of fines of $5,000 or a year in jail for anyone who concealed or falsified information. Seattle Children’s Hospital refused to provide the requested records and claimed that handing over the requested information would violate the Health Insurance Portability and Accountability Act (HIPAA), state healthcare privacy laws, and the recently passed House Bill (HB) 1469 – The Shield Law. The Shield Law protects individuals who travel to Washington to receive protected medical services such as abortion and gender-affirming care, which are banned or restricted in their home states.
Seattle Children’s Hospital also explained in its lawsuit that it owns no land in Texas, does not provide telehealth services to Texas residents, and has no offices in Texas. While the hospital does employ a small number of individuals in Texas, none of those employees deal with gender-affirming care, and the hospital therefore argues that the state has no jurisdiction over its practices. The lawsuit claims that the Texas Attorney General’s demands are unconstitutional and are an attempt to chill potential travel from Texas to obtain legal healthcare in another state. The lawsuit requests that a Texas Travis County Court Judge overrule AG Paxton’s civil investigative demand, or at least modify the request or grant an extension for reply.
Washington University (WU) has also taken legal action against a state attorney general over a civil investigative demand that sought access to the medical records of trans patients. In that case, the demand was issued by the Missouri Attorney General as part of an investigation into deceptive trade practices under Missouri law. The Missouri Attorney General responded with its own lawsuit seeking an order from the court for WU to provide the records immediately, and to obtain clarification from the court as to whether providing the requested records would violate HIPAA.
GAO: FDA Should Update Medical Device Cybersecurity Agreement – HIPAA Journal
The Government Accountability Office (GAO) has recommended the Food and Drug Administration (FDA) update its formal medical device agreement with the Cybersecurity and Infrastructure Security Agency (CISA), as the agreement is now five years old.
The Consolidated Appropriations Act of 2023 includes a provision for GAO to review cybersecurity in medical devices. The FDA has primary responsibility for the cybersecurity of medical devices such as heart monitors. The FDA collaborates with CISA on security guidance for medical device manufacturers, public alerts about current vulnerabilities, and more, and facilitates collaboration with other federal agencies.
While data from the Department of Health and Human Services do not show that vulnerabilities in medical devices are commonly exploited by malicious cyber actors, vulnerabilities in medical devices are a cause for concern as they could be exploited to cause harm to patients or to gain access to the internal networks to which the devices connect. Unauthorized access could result in delays to critical patient care, access being gained to sensitive patient data, and healthcare operations being shut down. Because of these risks, HHS considers medical device cybersecurity to warrant significant attention.
GAO identified federal agencies with roles in medical device cybersecurity and selected 25 non-federal entities representing healthcare providers, patients, and medical device manufacturers, and conducted interviews to find out about the challenges in accessing federal cybersecurity support. GAO also assessed agency documentation and compared coordination efforts against leading collaboration practices, reviewed relevant legislation and guidance, and interviewed agency officials. GAO’s interviews identified several challenges that entities face, such as a lack of awareness of resources or contacts and difficulties understanding vulnerability communications from the federal government; however, GAO found that the steps that the FDA and CISA are taking will meet those challenges if they are implemented effectively.
The GAO study found that the FDA’s authority over medical devices has increased in recent years following December 2022 legislation mandating that medical device manufacturers submit plans to the FDA for addressing the cybersecurity of their medical devices in premarket submissions. The new legislation took effect in March 2023. The FDA has an agreement with CISA to support medical device cybersecurity; however, the agreement does not reflect organizational and procedural changes that have occurred over the last 5 years. GAO therefore recommended that the FDA and CISA work together and update the FDA agreement to reflect those changes, as doing so will enhance coordination and help ensure clarity of current roles in addressing medical device cybersecurity. Both agencies agreed with the recommendations.
December Healthcare Data Breach Round-Up
Data breaches have been reported by Cardiothoracic and Vascular Surgeons, ZOLL Medical Corporation, Erie Family Health Centers, Health Diagnostic Management, BlueCross BlueShield of Tennessee, and Rush System for Health.
Cardiothoracic and Vascular Surgeons Investigating Cyberattack
Cardiothoracic and Vascular Surgeons in Texas discovered on October 13, 2023, that its systems had been accessed by an unauthorized individual. The forensic investigation confirmed there had been unauthorized access to its IT systems between October 12 and October 13, 2023, and during that time, an unauthorized third party may have viewed or obtained files containing patient information.
The review of the affected files is still ongoing, but the following types of information are anticipated to have been exposed: individuals’ names, Social Security Numbers, credit card information, account numbers and passwords, financial account information, driver’s licenses, dates of birth, medical record numbers, health insurance information, patient account numbers, doctors’ or medical professionals’ names, treatment information, procedure codes, diagnosis codes, Medicaid/Medicare numbers, dates of treatment, prescription information, diagnosis and symptoms information.
Cardiothoracic and Vascular Surgeons said they are reviewing their policies, procedures, and processes related to the storage and access of sensitive information to reduce the likelihood of a similar future incident. Since the number of individuals affected has yet to be established, the breach has been reported to the HHS’ Office for Civil Rights with an interim figure of 500 individuals and will be updated when the file review is completed.
PHI Compromised in Phishing Attack on ZOLL Medical Corporation
ZOLL Medical Corporation has recently announced that it was the victim of a sophisticated phishing attack. An employee responded to a phishing email and disclosed credentials that allowed the email account to be accessed. According to the breach notice provided to the Maine Attorney General, the attack occurred on August 2, 2023, and it was detected on November 1, 2023.
The review of the account confirmed it contained names, addresses, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting 15,276 individuals in total. The HHS’ Office for Civil Rights breach portal indicates the PHI of 8,898 individuals was compromised. ZOLL Medical has offered the affected individuals 36 months of credit monitoring and identity theft protection services.
Email Account Breach Reported by Erie Family Health Centers
Erie Family Health Centers has recently confirmed that the protected health information of 6,351 patients was potentially accessed or obtained by an unknown threat actor who gained access to the email account of one of its employees on October 1, 2023. The email account breach was detected on October 19, 2023, and the account was immediately secured. Erie Family Health Centers engaged a cybersecurity company to determine whether patient data had been viewed. No evidence of unauthorized access to patient data was found, nor evidence of any uploads of patient data to the dark web. The information in the account included names, dates of birth, medical record numbers, dates of service, laboratory test tracking numbers, and insurance identification numbers. Affected patients have been offered complimentary credit monitoring services.
Health Diagnostic Management Announces Patient Portal Breach
Health Diagnostic Management (HDM), a New York-based provider of non-medical management services for diagnostic imaging centers, experienced a breach of its patient portal on October 12, 2023. The vendor that operates the HDM patient portal identified suspicious activity on October 13, 2023. Its investigation revealed that valid credentials for a referring physician from Brooklyn Premiere Orthopedics were used to access the patient portal. Brooklyn Premiere Orthopedics announced it had suffered a data breach the week before the unauthorized activity was detected, leading HDM to conclude that the credentials were stolen in that breach.
The review of the affected accounts concluded on November 21, 2023, and affected individuals were notified on October 16, 2023. Affected individuals have been offered complimentary credit monitoring services. HDM is in the process of implementing additional security safeguards, and has engaged a third-party vendor to conduct penetration tests on the patient portal after the security updates are implemented. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,863 individuals.
BlueCross BlueShield of Tennessee Affected by MOVEit Hack
BlueCross BlueShield of Tennessee (BCBST) has announced that the protected health information of 1,665 of its members was stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer tool. MOVEit Transfer was used by the BCBST business associate NASCO for file transfers. The vulnerability was exploited on May 30, 2023, and NASCO learned it had been affected on July 12, 2023, and notified BCBST about the breach on October 20, 2023. The information compromised in the incident was limited to health insurance numbers, group numbers and names, claim information, medical ID numbers, dates of service, procedure codes, and provider names. NASCO is notifying the affected BCBST members and is offering 24 months of identity monitoring services.
Rush System for Health Notifies Patients About Email Error
An email error at Rush University System for Health resulted in research surveys being misdirected on October 25, 2023, so that the name of a patient was visible to another recipient of the survey. No other information was exposed. The error occurred because a spreadsheet became misaligned during data sorting, which resulted in the impermissible disclosure of the names of 4,961 patients.
The post December Healthcare Data Breach Round-Up appeared first on HIPAA Journal.
