Healthcare Law Blog

Showing 179 posts in Health Care Law.

Health Care Industry Familiar with HIPAA Breaches, Not So Much Hackers

Community Health Systems (“Community”), which operates 206 hospitals in 29 states, recently notified 4.5 million of its patients that hackers had stolen personal data from its systems between April and June 2014. The data included names, addresses, birthdates, telephone numbers and Social Security numbers, all of which are protected under HIPAA. According to Community, the data did not include financial or medical information.

It has been reported that the hackers responsible for the attack are a group of cybercriminals from China that traditionally goes after intellectual property, including medical device and equipment development data. They used malicious software to obtain the data; Community has since removed that software from its network. Further remedial efforts are already underway, including notifying affected patients and offering them identity theft protection services.

Hospitals should be accustomed to protecting data against privacy breaches as part of their HIPAA obligations, but outright cybertheft is a threat that many providers have likely not considered. The FBI, which is now investigating the Community incident, said in April that health care providers typically do not use the same high levels of security technology as companies in other industries (such as banking or retail). This makes providers an easy target for hackers. If a leading hospital system like Community can be breached, then hospitals of every size are at risk.

It is crucial that HIPAA-covered entities (and their business associates) understand and identify potential threats to their secured information. The importance of HIPAA risk analysis cannot be stressed enough; in fact, a risk analysis is required as the first step in HIPAA Security Rule compliance. While it may be impossible to build an impenetrable fortress of secured online information, it is evident that health care providers must continue to make it a top priority to protect patient records – both from HIPAA breaches and hackers.

Christopher J. Shaughnessy is a member at McBrayer law. Mr. Shaughnessy concentrates his practice area in healthcare law and is located in the firm’s Lexington office. He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251.

Services may be performed by others.

This article does not constitute legal advice.

FDA Issues Guidance for Drug & Device Companies’ Social Media Interactions

Posted In Health Care Law, Social Media

In June, the U.S. Food and Drug Administration issued two draft guidance documents for the pharmaceutical and medical device industries related to social media. The guidance is part of an asserted effort by the FDA to provide more clarity regarding how drug and device manufacturers may appropriately communicate through Internet platforms.

The first document, Internet/Social Media Platforms with Character Space Limitations—Presenting Risk and Benefit Information for Prescription Drugs and Medical Devices, addresses advertising and promotional communications concerning prescription drugs and medical devices on sites where character space is limited, such as Twitter and sponsored search engine results. The guidance specifies, among other things, that each “tweet” must include both benefits and risks of the promoted drug and should include a hyperlink to a more comprehensive list of risks and side effects.

The other draft guidance, Internet/Social Media Platforms: Correcting Independent Third-Party Misinformation About Prescription Drugs and Medical Devices, addresses how manufacturers may correct certain misinformation posted by independent third parties and in chat rooms. As long as the information appears on a site not controlled by the company, the FDA does not mandate that a company correct the misinformation. If, however, the company chooses to correct the misinformation, it must follow certain protocols as outlined in the guidance.

Manufacturers may submit comments regarding the draft guidance documents to the FDA until September 16, 2014. While the guidance is solely issued for pharmaceutical and medical device companies, all providers must use caution when using social media to promote their services, practice group, a certain procedure, etc. In 2013, the Kentucky Board of Medical Licensure adopted the Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”) that was issued by the Federation of State Medical Boards (“FSMB”). See more on the adoption here.

The unintended consequences of social media can lead to real consequences, as even seemingly innocent and inconspicuous postings and interactions can result in costly and serious repercussions. Inappropriate postings or patient-physician communications can lead to violations of HIPAA and the Kentucky Medical Practice Act, licensing violations, or even fraud and abuse charges (i.e., physicians pay money to third parties to promote their services through online media platforms). The FDA guidance, even if not binding on a particular health care profession, is still informative and can serve as a great reference tool in policymaking.

If you are a health care provider and have questions about drafting or implementing social media policies for your health care organization, contact a McBrayer healthcare attorney today.

Are You Ready for Round Two?

In February 2014, the Health and Human Services Office of Civil Rights (“OCR”) announced its plans to send pre-audit surveys to between 550 and 800 entities during the summer in preparation for Phase 2 HIPAA compliance audits. After collecting information from those surveyed, OCR will select about 400 of those entities for actual HIPAA audits. Those audits will begin this fall – which is quickly approaching.

DOJ Intervenes In Case Involving ACA’s 60-Day Overpayment Rule

Recently, the Department of Justice (“DOJ”) intervened in a qui tam whistleblower suit in the US District Court for the Southern District of New York, which involves Continuum Health Partners and several Mount Sinai-related hospitals. United States ex rel. Kane v. Continuum Health Partners, Inc. et al. (Civil Action No. 11-2325(ER)). While DOJ intervention in whistleblower cases is not unusual, this case is significant because the DOJ’s complaint specifically alleges that the defendants failed to return Medicaid overpayments within 60 days, as required by the Affordable Care Act (“ACA”). The case is one of the first to explore the issues and interpret the requirements of the 60-Day Rule.

Labs & Referring Physicians Take Note of OIG’s Special Fraud Alert

Recently, the U.S. Department of Health & Human Services, Office of Inspector General (“OIG”) issued a Special Fraud Alert (“Alert”) entitled “Laboratory Payments to Referring Physicians.” The Alert focuses on (1) Specimen Processing Arrangements and (2) Registry Arrangements. These arrangements, according to the OIG, pose substantial risks for fraud and abuse under the federal Anti-Kickback Statute.

New Part D Regulations Face Increased Scrutiny from Advocacy Groups & Congress

Posted In Health Care Law, Hospice, Medicare, Part D

On March 10, 2014, the Centers for Medicare & Medicaid Services (“CMS”) issued a memorandum to Part D Plan Sponsors and Medicare Hospice Providers entitled “Part D Payment for Drugs for Beneficiaries Enrolled in Hospice – Final 2014 Guidance” (“Guidance”). The Guidance, effective since May 1, 2014, requires a prior authorization process for Hospice and Part D providers to determine their respective responsibility for drug coverage. The Guidance followed a 2012 OIG report entitled “Medicare Could Be Paying Twice for Prescription Drugs for Beneficiaries in Hospice,” which found that Medicare Hospice patients’ medications were sometimes paid for by Part D rather than by the patient’s Hospice program.

New Law Affecting APRNs Takes Effect Today

Today, Senate Bill 7, signed by Governor Beshear on February 26, 2014, becomes effective. The new law allows for an Advanced Practice Registered Nurse (“APRN”) to request to discontinue a Collaborative Agreement for Prescribing Authority for Non-Scheduled drugs (“CAPA-NS”) after having a CAPA-NS in place for four years. Specifically, the new law states:

Have You Reviewed Your Existing Business Associate Agreements?

Pursuant to the HIPAA Final Omnibus Rule (“Final Rule”), covered entities and their business associates were required to enter into new business associate agreements (“BAAs”) or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) met the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, have until Sept. 23, 2014 to be updated. That deadline is quickly approaching.

OCR Offers “Lessons Learned” Regarding HIPAA Compliance, Part II

On Tuesday, some of the details of OCR’s recently released Breach and Compliance Reports were discussed. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, the OCR has outlined some specific areas of concern, which include the following:

OCR Offers “Lessons Learned” Regarding HIPAA Compliance

Two recent reports issued by the HHS Office for Civil Rights (“OCR”), pursuant to the HITECH Act, reveal some interesting information about HIPAA data breaches. The Annual Report to Congress on Breaches of Unsecured Protection Information (“Breach Report”) and the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (“Compliance Report”) should remind covered entities and their business associates about the many risks associated with HIPAA and the importance of compliance.