10 HIPAA Violations to Watch Out for While Working Remotely

Most improper disclosures are caused by complacency, poor training, or lack of attention. These kinds of lists are good reminders of some of the biggest types of violations. Of course, Covered Entities should provide this, and more, to employees and business associates.

From Security Boulevard:

1. Unsecure internet access. Transmitting e-PHI over unsecured networks, such as Wi-Fi networks at a coffee shop, internet cafe, or even at home, can increase the risk of patient data becoming accessible to hackers.

2. Improper handling of paper-based PHI. Paper-based procedures are still commonly used for some elements of a healthcare organization’s operations. This may result in unauthorized access to PHI. For example, if a remote employee prints out patient information from their family printer, the household may access these files.

3. Improper disposal of files. Improper disposal includes disposing of files, physical or electronic, in a way that information can still be read or accessed by unauthorized individuals. …

4. Unauthorized devices. HIPAA rules require all devices that use, gather, store, or transfer e-PHI to be safeguarded by specific security controls. Employees often use multiple devices to complete their daily tasks, so it is possible to use a device their organization did not authorize unintentionally. …

5. Insufficient compliance training program. Business associates and covered entities are required to renew their HIPAA certifications annually through compliance training programs. All staff, including remote employees, must complete compliance training.

6. Lost or stolen records. The HIPAA Security Rule outlines security and safeguards to ensure minimal risk of unauthorized access to PHI. …

7. Incorrect filing of PHI. Incorrect filing can result in unauthorized access to PHI. For example, if a health care provider sends digital X-ray results to the wrong physician or patient information to the wrong patient …

8. Phishing scams. Phishing scams are a common way cybercriminals trick individuals into accidentally revealing passwords and other sensitive information by sending them communications that appear to come from a reputable source. Refresher courses for all employees on cybersecurity awareness can help reduce these risks. …

9. Unencrypted data. With most communication occurring through text, email, and other messaging platforms, it’s easy to forget how vulnerable that information is. If PHI is not encrypted appropriately, there is an increased risk of cyberattacks, threats, and data breaches. …

10. Lack of physical security. For example, leaving paper PHI unattended in communal rooms of the house or on the table at a coffee shop increases the risk of theft or unauthorized access to these files.

Source: 10 HIPAA Violations to Watch Out for While Working Remotely – Security Boulevard

Supreme Court Pauses Abortion-Pill Case: What Next?

U.S. Supreme Court Justice Samuel Alito has temporarily stayed, until Wednesday, a Texas federal court order imposing restrictions on the distribution of the abortion drug mifepristone while the Court considers a request by the Biden administration to block the restrictions.

Brendan Pierson, writing for Reuters, discusses What Happens Next?

Whether or not the Supreme Court decides to stay Kacsmaryk’s order, it will not decide the merits of the case. Rather, the court will determine whether and how mifepristone can be distributed while the case is pending.

Whichever way the Supreme Court rules, it will send the case back to the 5th Circuit, where the FDA will pursue a full appeal of Kacsmaryk’s preliminary injunction. The agency and the anti-abortion groups will both have a chance to file briefs, and the case is scheduled to be argued before a three-judge panel on May 17.

That appeal process could last months. The losing party could petition for rehearing with all judges of the 5th Circuit, known as en banc rehearing, and ultimately petition the Supreme Court once again.

A final resolution could be months or years away. Once it does come, the losing side will again have the chance to appeal to the 5th Circuit and, eventually, the Supreme Court.

Hospice in 2023: Dying and the Dollars

Interesting statistics on hospice care, its growth, and fraud from Deborah Abrams Kaplan, writing for Managed Healthcare Executive:

  • Hospice care really started to take hold after Medicare started covering it in 1985. With Medicare paying the bills, hospice gained traction over time. Medicare spending on hospice nearly doubled from 2010 to 2020, increasing from $12.9 billion to $22.4 billion, according to the Medicare Payment Advisory Commission (MedPAC), an independent group that advises Congress on Medicare. During that period, the number of organizations that provide hospice care grew by 44%, from 3,498 in 2010 to 5,058 in 2020.
  • With the growth in hospice care has come a growth in fraudulent practices. Hospice fraud is rampant and has gotten more sophisticated, especially in four areas: (1) improper admission, (2) improper retention, (3) improper classification, and (4) kickbacks.
  • Hospice care in the U.S. was originally provided almost exclusively by nonprofit organizations, but now the providers are predominantly for-profit organizations and an increasing number of them are backed by private equity. In 2010, 1,958 of the 3,498 hospices (or about 56%) in the U.S. were run by for-profit companies, according to MedPAC. By 2020, the number of hospices had grown by 44%, to 5,047, and 73% of them were owned by for-profit companies, according to MedPAC.

Supreme Court’s False Claims Case Alleges Overbilling of Medicare and Medicaid

Violations of the False Claims Act require a requisite state of “knowledge” of a claim’s falsity. To violate the statute, one must have “actual knowledge,” “deliberate ignorance,” or “reckless disregard of the truth or falsity” of the claim. Any of those broad levels of knowledge is sufficient to support a False Claims Act violation.

But knowledge in retrospect looks different from knowledge prospectively. Is the “usual and customary” price of a drug the price that cash customers pay, or is it the price negotiated by insurance companies or set by Medicare?

This week, the United States Supreme Court will consider the issue in U.S. ex rel. Proctor v. Safeway, Inc.

Nina Totenberg for NPR explains:

The case essentially began in 2006, when Walmart upended the retail pharmacy world by offering large numbers of frequently used drugs at very cheap prices — $4 for a 30-day supply — with automatic refills. That left the rest of the retail pharmacy industry desperately trying to figure out how to compete.

The pharmacies came up with various offers that matched Walmart’s prices for cash customers, but they billed Medicaid and Medicare using far higher prices, not what are alleged to be their usual and customary prices.

Walmart did report its discounted cash prices as usual and customary, but other chains did not. Even as the discounted prices became the majority of their cash sales, other retail pharmacies continued to bill the government at the previous and far higher prices.

For example, between 2008 and 2012, Safeway charged just $10 for almost all of its cash sales for a 90-day supply of a top-selling drug to reduce cholesterol. But it did not report $10 as its usual and customary price. Instead, Safeway told Medicare and Medicaid that its usual and customary price ranged from $81 to $109.

Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals

Web tracking technology has been in the news a lot lately. Most websites use such tools to track users as they navigate through a particular site and around the web. Nothing new here. But in doing so, user data gets transferred from one site to another, or actively collected, posing privacy risks for healthcare providers.

A new study, published in Health Affairs, indicates that 99% of hospital websites use third-party tracking code on their sites, creating privacy risks for patients and legal liability for hospitals:

We found that third-party tracking is present on 98.6 percent of hospital websites, including transfers to large technology companies, social media companies, advertising firms, and data brokers. Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses. By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties. These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.

OIG Approves Gift Cards to Promote Patient Compliance with a Preventive Screening Measure

OIG has approved the use of gift cards to incentivize patients to return sample collection kits, provided there are certain safeguards in place:

  • Mailing the gift cards only to those patients who return the kits by the deadline specified in the reminder letter.
  • Advising patients that they may not use the gift cards on items or services provided by the requestors.
  • Limiting patients to one gift card every 36 months, which is consistent with Medicare’s coverage period for the screening test.
  • Implementing processes to ensure patients who received a gift card during the 36-month period do not receive another one during that period.
  • Refraining from patient-focused promotional activities that advertise the availability of the gift card.
  • Prohibiting advertising or marketing the proposed arrangement to healthcare providers who may order the test.
  • Excluding tests ordered by healthcare providers through the requestors’ website from the proposed arrangement.

Dee Harleston, Stewart Kameen, Jinnifer Michael, and Danielle Sloane, for Bass Berry & Sims:

The U.S. Department of Health and Human Services Office of Inspector General (OIG) recently issued Advisory Opinion 23-03, approving a proposal by the manufacturer of a colorectal cancer screening test and its wholly owned laboratory to provide gift cards to certain patients to encourage them to return the sample collection kits. While limited in scope, this favorable opinion is noteworthy because OIG typically disfavors arrangements under which providers or suppliers distribute gift cards to incentivize patients to obtain federally reimbursable services. Although OIG approved the proposed arrangement at issue in Advisory Opinion 23-03, the agency also pointedly warned entities against structuring arrangements that differ from the facts of the proposed arrangement.

OIG Advisory Opinion 23-03

FDA to Refuse Medical Device Submissions For Cybersecurity Reasons Beginning in October

Jill McKeon, for Health IT Security:

Effective immediately, the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.

For any submission after March 29, manufacturers must include a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA stated.

In addition, manufacturers must develop and maintain procedures that provide a reasonable assurance that the device and systems are cybersecure and incorporate plans to patch and update the device and related systems at the postmarket stage.

Lastly, manufacturers are required to provide a software bill of materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components. The FDA issued an accompanying FAQ document to help manufacturers determine their obligations.

FDA: Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

FDA Cybersecurity Requirements for Medical Devices Now in Effect

From the HIPAA Journal:

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

A Federal Judge Suspends FDA’s Longtime Approval of an Abortion Pill, but Gives the Government 7 Days to Appeal

Medication abortions typically use two drugs taken together: Mifepristone and Misoprostol. This ruling only affects Mifepristone. The other drug, Misoprostol, is still available, but its use has always required the physician to prescribe it “off-label,” meaning it is not FDA-approved for abortions. It is FDA-approved only for use to prevent stomach ulcers while taking NSAIDs.

Chloe Atkins writing for NBC News:

In an unprecedented move, U.S. District Judge Matthew Kacsmaryk on Friday suspended the Food and Drug Administration’s longtime approval of key abortion pill mifepristone, though he gave the government a week to appeal his decision. If the ruling does eventually go into effect, it would curtail access to the standard regimen for medication abortion nationwide.

The FDA approved mifepristone more than 20 years ago to be used in combination with a second drug, misoprostol, to terminate pregnancies at up to 10 weeks. Over half of U.S. abortions are done by medication abortion, according to the Guttmacher Institute, a research group that supports abortion rights.

If the stay on the FDA’s mifepristone approval goes into effect, the drug would no longer be available anywhere in the U.S. That would leave a surgical procedure or off-label use of misoprostol on its own as the only options in states where abortion is legal.

Judge Strikes Down ACA’s Preventive Care Requirement

A Fort Worth federal judge yesterday ruled that insurers cannot be compelled under the Affordable Care Act to provide preventive care free of charge to insureds. The basis of the ruling involves the U.S. Preventive Services Task Force, which is the body tasked with enforcing the ACA. The judge determined that the Task Force is unlawful because its members are not appointed by the President or confirmed by the Senate.

Julia Forrest, writing for The Texas Tribune:

O’Connor found that preventive care recommendations issued by the panel do not have to be followed because he found their volunteer members, who are 16 medical professionals and scientists charged with issuing the recommendations, do not have to be appointed by the president nor confirmed to their posts by the Senate.