AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system.
HIPAA Liability, Part 2: Anticipated Changes
In the second episode of this two-part series that delves into the perspectives of those at the front lines of HIPAA liability, Shalyn Watkins, Associate, Vedder Price, speaks with Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, about some of the anticipated changes to HIPAA in 2023. They discuss what these changes mean, recent OCR enforcement actions, and lessons that can be learned from these enforcement actions. From AHLA’s Health Care Liability and Litigation Practice Group.
Part 1 of this series discusses maintaining organizational compliance.
This episode of AHLA's Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org.
Speaker 2: Hi, and welcome to part two of our HIPAA liability podcast. I'm Shalyn Watkins. I'm an associate at Vedder Price, and here at Vedder Price I am in our health care regulatory practice group. I have a history of working in the state and federal government, representing state agencies in relation to HIPAA violations. I'd love to get started. Today we're speaking with Jon Moore of Clearwater Consulting. Jon, why don't you introduce yourself?
Speaker 3: Sure. Thank you, Shalyn. My name is Jon Moore, as mentioned, and I am our Chief Risk Officer here at Clearwater. I also have responsibility for our consulting team as well as our customer success team. We're one of the leading providers of cybersecurity and compliance services, particularly focused on health care, and obviously HIPAA compliance is a big part of that.
Speaker 2: Awesome. And Jon, it's nice to talk to you again. I think one of the most fun parts about this podcast is that you and I have now seen each other when I'm consulting you for my clients, we've seen each other when we're against each other, at odds a little bit <laugh>, and then we've seen each other when we just want to move together and start educating people. So this is going to be a fun podcast.
Speaker 3: Yeah. We've definitely been on all sides of the table when it comes to health care cybersecurity and compliance, that's for sure.
Speaker 2: And I think it's important to talk about where your practice steps in at Clearwater. Much like mine, I often find myself in an actual deal. But then on the other side, there are operational compliance issues where an existing client might just have some questions going forward. And then on the other end, you know, they get a letter from a regulator and they're on high alert, and they call you and me and we have to figure out what's going on. Right?
Speaker 3: Yep. Certainly for us it's all of those things. Historically here at Clearwater, we as an organization got our start really focused on HIPAA compliance following the HITECH Act, when HIPAA compliance started to get some teeth associated with it, really around Security Rule and Privacy Rule policies and procedures, and helping organizations complete some of the required activities. Risk analysis was a huge part of Clearwater's history when we first started out. More recently, we really expanded our services, everything up to and including providing the design, implementation and ongoing operation of organizations' HIPAA security and compliance operations. As you mentioned, we're kind of full life cycle. A lot of times we're being asked to evaluate organizations, whether that's diligence on the front end, or preparing organizations for diligence on the back end, or everything in the middle as well, really helping them implement programs. And unfortunately for those organizations, sometimes we're coming in after they've had some sort of incident, helping them prepare their response to the Office for Civil Rights and working with their counsel to do that. That continues to be a big part of what we do.
Speaker 2: Right. And to date, we're almost halfway through 2023, and OCR has been teasing us with changes to HIPAA. There's a proposed rule that's supposed to go to a final rule sometime this year. Do you want to talk about some of the new changes to HIPAA we're supposed to be expecting this year?
Speaker 3: Sure. So for me, for the most part, I lump these things into two buckets, and I think that they're representative of the ongoing policy thinking from a federal government perspective. Going back to HIPAA and the HITECH Act, I think there was this belief that if we could just digitize health care information, it would flow freely and we would get a reduction in cost and an improvement in care. Billions, I think, were spent on the Promoting Interoperability and Meaningful Use initiatives to facilitate that. More recently, there was a recognition that additional work needed to be done to facilitate that flow of information, and you saw all the information blocking regulations come out. And I think the HIPAA changes, at least for the most part, are aligned with that as well. There are a number of proposed changes associated with facilitating the exchange of information between, let's call it, third parties involved in the broader health care ecosystem. And then there are changes that are intended to facilitate the right of access, or make it easier for patients to get access to their information. So they fall into those two buckets. There are a number of specific proposed changes that fall in there, but for the most part, there are those two buckets. There are potentially some transaction code differences as well, but those are where I see the main differences.
Speaker 2: Yeah, I totally agree. I think the access piece is sometimes the easier piece to conceptualize, right? We understand that individuals have a right of access to their health information. It's just that somehow providers miss that. And so there needed to be some tidying up of the rule. And then the second bucket, I think, is a little bit more fact specific, and why we have folks like Clearwater here to help <laugh>. I just wonder, from a practice standpoint, what's the scariest thing, the worst thing you could hear a client come to you and say? Let's say, one, a person who's just dipping their toes into the health care business, right? And then two, someone who's been around for a little bit, but is just getting started for the first time with Clearwater.
Speaker 3: Sure. So for the organizations, let's say, that are new to health care, there are a couple of different scenarios we see. We see a lot of technology startup, business associate type organizations that are targeting solutions in the health care space. Particularly during COVID, there was a big increase in those types of organizations. And for them, from a business associate perspective, it's really a realization that they've now found themselves in a regulated industry. A lot of times for those folks, the first realization of that comes when their customers, typically providers, are asking them to sign a business associate agreement, promising to follow all of the HIPAA security rules, and on top of that, sending them some sort of questionnaire or security evaluation to understand what security controls they have in place to protect the confidentiality, integrity and availability of the health care information, and won't move forward with them from a contracting perspective unless they're satisfied with their responses. That can be a big eye-opener to an organization that's new to health care. In the provider space, it's a little more complex from a compliance perspective. Obviously, as you're aware, there's much more regulation around the Privacy Rule and breach notification rules that come into play, and making sure that all of those policies and procedures that support compliance in those different areas are in place. We see this a lot. We do a lot of work with, for example, physician practice management groups. A lot of times they're private equity backed physician practice management groups doing roll-ups of small health care practices.
And a lot of times they're rolling up these small health care practices, and those practices themselves are not very mature when it comes to HIPAA compliance. So they're trying to instill a certain level of discipline across their portfolio of practices. And so we'll do a lot of work for them, not just on the security side, but also on the privacy side as well, understanding how they can have discipline and consistency in the application of and compliance with HIPAA. And in regard to the changes that are happening, making sure that there's appropriate training in place, that everyone's trained, making sure that there are appropriate policies and procedures in place, making sure that they're going to be able to meet things like the time limits around the right of access to patient records. And that's getting harder. It was already hard for a lot of smaller practices to meet those requirements, and of course the expectation is that they're going to cut the timeline from 30 days to 15 days in the updates to the HIPAA Privacy Rule. So that's going to continue to be a challenge, especially for small organizations. I think all the changes are particularly problematic for smaller organizations. There's a cost associated with all of these things, and the more complexity and cost you have, the harder it is for smaller organizations to comply. We saw that particularly in the right of access cases. I think there have been like 40 fines now, or actually over 40 now, in cases where organizations have not met their obligations around right of access, and I think at least 50 or 60% of those are very small, typically very small practices that struggle with that.
Speaker 2: Right. And in my past, having been Assistant Regional Counsel for HHS when I was representing OCR, I remember seeing some of these policy changes going toward the access arena. But I think if there's any indicator, and tell me how you feel about this, of how the government is tipping its head, it's that they want us to know that they think privacy is paramount. So it doesn't matter how small you are, it doesn't matter how few patients you have, you are responsible for securing the data you create and store.
Speaker 3: Yeah, I'd say it's an interesting conundrum for the government in many ways. On the one hand, there's this recognition and policy goal to reduce the cost associated with health care and to improve the quality of that care by helping people have access to information, make informed decisions, et cetera. And so there's a need to make that information readily and easily available. Simultaneously there is this desire, and this started with the origins of HIPAA with the Security Rule, Privacy Rule and breach notification rules, this recognition that, hey, while we're digitizing health care, we're potentially making it easier to access, easier to exchange, easier to flow between individuals and organizations, but with that comes a risk. And the risk, of course, is associated with the personal privacy of that information and the implications of a breach of that privacy for the individual, and the security around that. So what's reasonable and appropriate from a security perspective? Now, from a Privacy Rule perspective, I don't see much difference necessarily in the enforcement depending on the size of the organization. From a security perspective, there's this notion that I need to have the controls in place that are reasonable and appropriate for my organization. And that can be, to a certain degree, different for, let's say, a small health care practice with a couple of doctors in it versus an extremely large health care organization like an IDN or something like that with multiple hospitals.
I think there's a rational realization on the part of OCR in particular that you're just not going to have the resources available to that small practice for security purposes that you would have in the large organizations. I don't know whether we'll talk about this later, but if you think about the regulations that came out around recognized security practices, and in particular 405(d), in 405(d) itself the practices are broken down by size of the organization. So I think there's a recognition certainly there that there are some differences in what's expected from different types and sizes of organizations. But yeah, I would agree with you certainly around privacy. It's clear that it doesn't matter if you're a sole practitioner or a large IDN, there's an expectation that you're going to comply with the privacy rules in particular.
Speaker 2: So let's get into some of these horror stories. You and I talked before we spoke today about some of the recent action that's come out of OCR. I want to talk first about the incident in Pittsburgh with the small practice, which is an access issue. And I think that also gets to your 405(d) point that you were just mentioning. You know, I think 405(d) contemplates the size of the practice, and also considers that when we're talking about what the financial penalty will be, in part, and I think it also overflows here into the access arena as well, where we're seeing this small-scale counselor out of Pittsburgh who receives a financial penalty of $15,000. He's licensed to provide psychotherapy services. At first glance, a parent came in and requested his child's medical records and did not receive them within 30 days. The parent complained to OCR, and OCR provided technical assistance. Then the parent requested the medical record again, did not receive it another 30 days later, and complained again to OCR. And by the time of the second request, OCR says, all right, we've already given technical assistance, it's time for a financial penalty, and requires a corrective action plan to be put in place along with that $15,000 penalty. If you are dealing with a counselor, even if it's a small-scale psychotherapy services location, and you hear this story, where were the red flags?
Speaker 3: Well, there are a couple of things in this that are just very typical of what we're seeing in the right of access cases. So first of all, anyone can file a complaint under HIPAA pretty much at any time, and you can just go on the web to OCR and do that. And so they get, I forget the number, some crazy increase in the number of complaints over time. There are a lot of complaints that are filed. And in this case, we know that for the last three or four years or so, OCR has really been focused on this right of access initiative. So if you're an organization and you have that complaint, you get that letter from OCR, and technical guidance is always a funny thing in regard to what their guidance is. Usually their guidance is a reminder of your obligations, at least in my experience. So you get that, let's call it technical guidance, a reminder of your obligations, and you ignore those things at your own peril. Just generally speaking, if you've gotten a notification from OCR where they're either requesting information or reminding you of your obligations, you ignore that, again, at your own peril. And I think this is a case where that happened. I don't know exactly some of the details behind this. There may have been some underlying issues with the family and who had parental rights and other things, which may have played somewhat of a role. But nevertheless, once you've gotten that OCR notification, I think that unless you're prepared to fight it on some other grounds, you'd best comply. And clearly that wasn't the case here. Now, in the cosmic scheme of OCR penalties, $15,000 is not much.
But again, remember, this is probably a sole practitioner, and this is what we've seen over the last few years with a lot of these right of access cases. I think it's 40 or 43 of them in the last few years. And in many, if not most, cases, they're very small practices, maybe single practitioners or a few practitioners in the practice, and the fines are smaller as a result.
Speaker 2: Yeah. And I'll even say on the deal side now, when I'm seeing things like this, we're going through our diligence. We've asked for evidence of policies and procedures, any communications you've received from the government regarding any security incidents or right of access issues, and then we'll get the provider who says, oh, there was a letter <laugh>, but it was no big deal. And I'm like,
Speaker 3: Yeah,
Speaker 2: Okay, dude, every time you get a letter, it is a big deal. <laugh> And I've had one time where I've seen them say, well, this is in the normal course, and it's never the normal course for OCR to just be knocking on your door. I think that's my biggest takeaway from situations like this.
Speaker 3: It's funny you say that. I was just talking with some other folks on another AHLA podcast, specifically around diligence, and one of the scenarios I proposed was exactly that, where they said, well, we haven't really had any problems. We did get this one letter from OCR, but it's not a big deal. Because I've heard that myself, the downplaying of the significance of that sort of correspondence.
Speaker 2: <laugh> Right. And I think one thing that we also don't put enough stock in is that OCR is keeping that ledger of how many times it's contacted you, right? So you're starting to demonstrate systematic non-compliance when they have had to come back more than one time to discuss an issue with you. So even if it's very minor and there's only one individual who's complaining, if another individual makes a very similar complaint, that's still grounds for an understanding of a systematic non-compliance issue.
Speaker 3: Yeah. I think you can be lulled into a sense of security by OCR, because they'll oftentimes send you something and then you don't really hear from them for a significant period of time. You think, well, everything's great, when in many cases that's not the case. Unless and until they've told you specifically that they've reviewed things and they're not going to take any additional action, you're not off the hook. I've seen people waiting significant periods of time between correspondence from OCR thinking they're fine, when in fact they're definitely not.
Speaker 2: Well, let's talk about another case study that's on our recent rolls of what's happening with OCR. Earlier this year, Banner Health had to settle a Security Rule violation for $1.25 million. Were you following that?
Speaker 3: A little bit. I had actually, to a certain degree, somewhat forgotten about it, because the events associated with it happened quite a long time ago, and they had subsequently settled a class action suit, again years ago. So it had gotten off my radar when the announcement came out. I didn't remember what had transpired.
Speaker 2: Right. Definitely. So the incident occurred in 2016, and that's when some hackers gained access to the systems at Banner Health, which is based out in Phoenix, Arizona. I think the hacker scenario is one that we all kind of understand. We've seen ransomware on television. We know what it looks like when your systems are getting taken over. Here, there were 2.81 million individuals who were impacted by this hack. And so their names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, the list could go on forever. And eventually, OCR basically determined that non-compliance was a contributory factor in the data breach, based on a need for thorough risk analyses, and vulnerabilities to the system and system integrity. So let's talk about some of the red flags you see there.
Speaker 3: And
Speaker 2: How does the new HIPAA apply to this?
Speaker 3: Yeah. And in this case, one of the more concerning things is they use language like "found evidence of long-term, pervasive non-compliance." Of course, when you start to see things like that, you start to move up the scale in regard to what potential penalties are in play. There are different tiers of penalties available, depending on your knowledge of what the issues are, ranging from lack of knowledge to willful neglect. And when you start to see language like that, that there was more of this systemic non-compliance or pervasive non-compliance, that's not a good thing and can result in substantially more in regard to penalties. But from a "what they had not done" perspective, it's all the usual suspects, in a way. When you look across time at what organizations have failed to do that's resulted in these types of penalties, it's the same stuff: didn't do the risk analysis, don't have an ongoing risk management plan, insufficient monitoring, lack of training. There are these consistent things that we see over and over and over again, particularly in these circumstances of a breach. And I think one of the things that people still fail to realize is that when I have a breach, yes, OCR is going to ask questions about the breach and how we responded to the breach, et cetera, but what that really has opened you up to is an investigation of your overall HIPAA compliance program. So they're going to ask you things like, hey, I want to see your risk analysis, and if you can't show that you did a risk analysis, they're going to ding you for that.
I think it's the most common violation of HIPAA, next to policies and procedures. So they're going to go right down the list of all those things that you're required to do, and if it's ePHI, now we're talking Security Rule, and they're going to go through all of those specific requirements. Did you do the risk analysis? Do you have a risk management plan? Have you done a non-technical and technical evaluation? Do you have policies and procedures in place? Have you done your training, et cetera? And if you haven't done those things and you don't have evidence of those things, well then now we have a violation in addition to the disclosure of the ePHI. And in this case, you start to get into the millions of people or patients that have had their information exposed. With things like this, the impact on an organization from a cost of a breach perspective, even setting aside the penalty here, the class action suit in that case, I think, was $6 million. So you've got $6 million in the class action plus your legal fees in defense of that, and then you've got another $1.25 million for OCR, and then there's all the expense that they're going to have associated with complying with the corrective action plan from OCR. That's not a trivial endeavor either. Believe it or not, I started my career as a criminal defense attorney, and this always sticks in my mind. When I first started, I had clients who would tell me that they'd rather spend the time in jail than be on probation. That just struck me as odd, like, oh no, it's much better to do your jail time and get out.
But if you're on probation, then you have someone watching you all the time. Well, that's like the CAP programs with OCR, right? You're always having to reply and always waiting for their responses. And there's a lot of expense associated with that, which is best avoided if at all possible. But in this case, it wasn't.
Speaker 2: Yeah, definitely. I completely agree. When I see this in practice on the deal side, I automatically am adding knowledge qualifiers to any representations or warranties that clients are making, so they can say, to the best of their knowledge, there has not been an incident and these policies have been implemented, to avoid the question of there being that systematic issue. But then when I'm on the buy side, and I think this is my favorite time, I hear them say, oh, Clearwater came in and did this risk analysis, because then I know I'm going to end up on the phone with you guys and you're going to be able to just download to me everything that's ever occurred. With that in mind, when you have new customers come in, are you automatically conducting that risk analysis?
Speaker 3: It depends. Our process is typically more consultative. We have a lot of organizations that come to us for different reasons, and different types of organizations too. I think people don't necessarily understand some of the subtleties within the different segments of the health care market. There are very different sorts of needs for, let's say, a business associate that's some sort of digital health or health IT company, versus a large hospital organization or health plan, or small critical access hospitals in a rural area. They all have different needs to some extent or another, and different drivers, and different resources available to them. So for us, the first thing we're trying to understand with an organization is what it is that they're trying to achieve. What are their goals and objectives? And that can really vary. Unfortunately, we still have a lot of folks who come to us, usually at the recommendation of their attorneys, because something's gone wrong, right? They've had some sort of problem or issue, and now they're trying to address that. That could be a critical, immediate need: they're under investigation by OCR, they need to respond, they need to provide information, "hey, I need a risk analysis right away" kind of thing. Then there are others who are, let's call it, thinking more systematically about what they need.
And for those folks, we'll discuss with them what it really means to set up a reasonable and appropriate security program and privacy compliance program that's going to be aligned with the requirements under HIPAA and with their strategic goals and objectives as an organization. So from a prioritization of activity perspective, it really depends to a large degree on what the circumstances are. Some folks, newer folks, will start by establishing governance. And so we'll be forming those committees or groups, maybe at the board or senior executive leadership level, getting that governance structure in place. We'll be putting the policies and procedures in place. We'll be doing a lot of that foundational work and then move to things like the risk analysis and technical testing and other types of activities that are not just required from a HIPAA compliance perspective, but that are just good practice from a security perspective, and that are going to help organizations understand and manage their risk on an ongoing basis. Because the risk from a cyber attack, whether you're found to have violated HIPAA or not, well, I'm not sure there's any limit on it. We've seen organizations with hundreds of millions of dollars in cost associated with a breach. Obviously those were very large organizations, but we've seen organizations that have gone out of business following a breach because they simply can't afford the cost associated with it.
And one of the things too that we do, now that we have this regulation around recognized security practices and OCR is supposed to take that into consideration if there is a problem: a lot of times, particularly if we're in a situation where we're able to establish that foundation for a security program, for a HIPAA compliance program, generally we're going to use those recognized security practices, whether it's the cybersecurity framework or HICP, the Health Industry Cybersecurity Practices from 405(d), either individually or in conjunction with each other, to design an appropriate security program for an organization. And in the process of doing that, we try to generate the evidence or collateral associated with their adoption of those practices, so that if and when they have an incident and OCR sends their letter, more often than not now they'll ask for any evidence of those practices. So we'll want to make sure that our clients have that available and can provide it. If they can demonstrate that they've implemented those practices and had them in place for the previous 12 months, then we get into the potential reduced penalties and reduced scrutiny area, which is definitely a positive.
Speaker 2: Yeah. And so lastly, I want to move us on to another type of possible client, the business associate, and talk about what happened in Arkansas. Here we have a $350,000 fine from OCR based on a business associate's impermissible disclosure of the ePHI of more than 230,000 individuals.
Speaker 3: Yep.
Speaker 2: So this was the MedEvolve case. What are your thoughts here? How do we even get around the question of the added requirements that some business associates face, because they also have to report up to the covered entity when one of these disclosures occurs?
Speaker 3: Yeah. So we do a lot of work with business associates, and this is sort of the worst case scenario for an organization like this. And again, it can be the sort of situation that ends them in the industry. In this case we had a misconfigured FTP server that allowed, I think, essentially anyone on the internet to get what was on that server; it allowed them to gain access through that server. Misconfigurations are a big problem, particularly in the cloud. For organizations that utilize the cloud: the cloud's extremely powerful, you can do a lot of things, but because of the complexity you can also have misconfigurations that expose essentially everything to the internet broadly. And we've seen that over time be a problem for healthcare organizations in particular. Business associates are really interesting. There are sort of two things that I've seen probably move the needle in regard to security in healthcare more than OCR enforcement. The first of those was the recognition that third parties pose a particular risk to provider organizations in particular. So if you look at the biggest breaches over the last few years, I think three years in a row, they were business associate breaches. But those business associate breaches, as you point out, flow up through their provider customers. So you've got to kind of figure out how that's done unless they specifically ask the business associate to report directly. So we see that kind of thing where it's like tossing a pebble into the pond; it just cascades out through all these different customers of the business associate when they have a problem like this.
And so there's that issue, which is problematic for the business associates. But it's problematic for the providers as well, because they're in a position where they're trying to understand their risk, and the more they leverage third parties, the more important it is for them to understand the risk of their third parties. And I think earlier I mentioned the situation where the business associate suddenly starts getting these questionnaires and security surveys, and maybe they're even running some sort of passive tools like SecurityScorecard or BitSight against them and coming back saying, look, we found all these issues with your cybersecurity. That focus by the provider community in particular on the risk of third parties has caused business associates to have to really tighten up their security if they want to continue to sell their wares in the marketplace. And we've seen a lot of business associates coming to us for assistance because of that particular need. The other thing that I've seen drive a lot of investment in cybersecurity in healthcare is the insurance industry. Cyber liability insurance carriers have gotten far more strict on what they expect to see before they issue coverage, and that's driven a lot of activity and investment as well. But in the MedEvolve case, it's unfortunate circumstances. Again, a misconfiguration could have happened to anyone. But again, similar to the Banner Health case: okay, you had this misconfigured server, but you're going to get this letter from OCR saying, well, did you do your risk analysis? Do you have a risk management plan? And going down the list of things you're supposed to have.
And in this case, it appears that they did not have many of those things. They didn't have the risk analysis, they didn't have the risk management plan. They didn't have appropriate policies and procedures. They didn't have HIPAA training in place. So all of these things are required under the HIPAA Security Rule, which a business associate is obligated to comply with. And they would have been obligated not just from a regulatory perspective; they probably have business associate agreements with all of their customers saying that they're going to be in compliance with these requirements, so contractual compliance with all of these requirements as well. And they just didn't do it, or at least they certainly weren't able to provide sufficient evidence to OCR that they had done those things. And here we go with another penalty for non-compliance.
Speaker 2: Right? And I think there are two things from what you just said that kind of struck a nerve with me. You're right, those BAAs do exist. So you have that agreement, and sometimes failure to comply with HIPAA is enough to nullify the agreement and for them to just pull out their business. So from an operational standpoint, business associates have to be the best of the best so they're not losing business down the line just because of a possible instance of non-compliance in the past. But then second, you noted, well, unless they have been delegated the requirement for reporting themselves. And that led me to my biggest HIPAA horror story, which, it's funny, we were talking about before we got started today, of an incident in Houston where three hospitals were all under BAAs with a certain entity. And the reporting obligation was shifted to all of the BAAs, or the business associates. Well, there was a huge breach, which led to actual PHI going down the streets of Houston <laugh>, like trash bags of it just flowing through Houston and ending up in a newsroom. So in that scenario, we were struggling to determine who is responsible for this breach now that the reporting obligation has been passed on to the business associate. We've become aware of this now because the media got ahold of it. So before the business associate or the covered entity could report to OCR, at the time we were getting news reports from Houston. And now every single time I ever see a business associate agreement where the reporting obligation has been passed down to the business associate, I hit the biggest red flags and I just say, stop <laugh>. And it's just really interesting because everything is so technical when it comes down to integrating the business associates into the overall flow of reporting obligations. Yeah.
Speaker 3: I haven't seen it be that common that the reporting flows down to the business associates, but it does happen. I have seen it. It's not that it doesn't happen; it does. And depending on how many business associate agreements the business associate has negotiated with different organizations, if they're not consistent in how that's been applied and those conditions have been negotiated, it can get to be a bit of a mess and a problem. The scenario you gave is a really horrible situation because, A, you hit the news, and if you hit the news, that means OCR is probably going to notice. So there's going to be an expectation on their part that you're going to report. B, it's amazing how trash bags full of protected health information conveniently always seem to show up at television and other news organizations. They're like magnets for that kind of thing, apparently <laugh>. So that happens, and then it's, okay, well, what's the extent of the breach? Well, I don't know. How many bags of this did we have, and where did it flow to? Who in the world is trying to figure out all of that? That's problematic. And yet the clock is ticking, to a certain degree, on your reporting obligation. Yeah, that's not a good scenario at all <laugh>. I'm not sure how you work through that one specifically.
Speaker 2: Yeah. Well, I think that's the perfect place to end. We've got horror stories galore, and I think we've learned our lesson: call people like you in the event that you're unsure. And thanks so much, Jon, for joining me. It's great to catch up again. I hope we see each other again soon.
Speaker 3: Yeah, that would be great. I'm sure we will. We travel in the same circles now, so I'm sure I'll be on the same side or the other side of the table at some point in the near future, I would imagine. It's been great talking with you as well. I mean, we could have probably talked for another hour just about the other things that are happening in HIPAA. I was just thinking about it the other day that I keep seeing, for example, HIPAA actions brought by offices of attorneys general more and more frequently again. That was something we saw a lot a few years ago, but it sort of slowed down a bit, and now there seems to be one every month or so popping up again. There's that sort of activity. There's this whole pixel tool thing, which is a whole other challenge and difficult to understand, I think, for a lot of organizations out there, but could potentially be, I don't know, thousands of breaches that may be associated with that. I don't know. Who knows? <laugh> So a lot is happening in this space. And going back to some of those changes, we'll see when and if those come out. I would anticipate that it's probably going to be in the next few months. I think that everybody certainly expects the new updates to come out this year, and we're running out of this year, right? So a lot of folks are going to need to change their policies and procedures, a lot of training is going to need to be updated, and a lot of procedures and things are going to need to be implemented. There are going to be some IT changes, I think, that are going to need to occur to facilitate some of the transfers of information that need to occur.
So there's going to be a lot of activity in the next year or so around organizations addressing these changes to the regulations. And it's been a while since we've had that kind of activity around HIPAA.
Speaker 2: Thanks everyone for listening in. Once again, Jon Moore from Clearwater Consulting. Thank you so much for taking time to talk with us here at AHLA.
Speaker 3: Yep, great talking with you.
Speaker 1: Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.