The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals seeking to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellation of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

On May 31, 2017, the Department of Justice announced a $155 million settlement with eClinicalWorks (ECW), an electronic health records (EHR) software vendor, to resolve a whistleblower complaint that alleged violations of the False Claims Act and the Anti-Kickback Statute.  This settlement, the “largest financial recovery in the history of the State of Vermont,” should put EHR vendors on notice, as well as other vendors that offer services or products to health care providers: providing misinformation to a government contractor or health care provider about their products or services, or furnishing nonconforming goods or services, may create significant financial exposure under the False Claims Act, even for vendors that do not themselves submit claims to the government.

Background:  Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, the United States Department of Health and Human Services (HHS) established a program to provide incentive payments to health care providers who demonstrated “meaningful use” of “certified” EHR technology.  The incentive payments are to encourage health care providers to transition to using EHR.  To obtain the proper certification, EHR vendors are required to affirm that their products meet certain requirements adopted by HHS and then pass certain tests by a certifying agency approved by HHS.

Allegations:  The lawsuit, in which the federal government intervened, alleged that ECW falsely attested that its products met the applicable certification criteria and prepared its software to pass the certification testing without actually meeting the certification criteria.  Significantly, ECW was alleged to have violated the False Claims Act because it had “caused” the end user health care providers to submit inaccurate attestations concerning their use of “certified” EHR in support of their claims to the government for “meaningful use” incentive payments.

Settlement:  ECW agreed to pay $155 million to settle the complaint and entered into an onerous, five-year Corporate Integrity Agreement (CIA).  In what the DOJ described as “innovative,” the CIA requires, among other things, that ECW (a) retain an Independent Software Quality Oversight Organization to assess ECW’s software quality control systems, (b) provide prompt notice to its customers of any safety related issues, (c) maintain on its customer portal a comprehensive list of issues and steps users should take to mitigate potential patient safety risks, (d) provide its customers with updated versions of their software free of charge, (e) offer customers the option to have ECW transfer their data to another EHR vendor without penalties or charges, and (f) retain an Independent Review Organization to review ECW’s arrangements with health care providers to ensure compliance with the Anti-Kickback Statute.

Implications:  EHR and other health care vendors cannot assume that their liability is limited to breach of contract or indemnification of their customers.  Rather, the ECW case points to the risk of direct exposure under the False Claims Act without ever submitting a single claim to the government.  In a similar vein, in the context of the Health Insurance Portability and Accountability Act (HIPAA), software and other vendors may also be directly subject to penalties under HIPAA for breaches of protected health information – as business associates of their health care provider customers.

Combating health care fraud will continue to be a priority for the Jeff Sessions-led Department of Justice (DOJ).

DOJ Criminal Division’s Acting Assistant Attorney General Kenneth Blanco, in a May 18 speech at the ABA’s Institute on Health Care Fraud, said that Attorney General Jeff Sessions “feels very strongly” that “health care fraud is a priority for the Department of Justice.”  Mr. Blanco called health care fraud “despicable” and said, “the investigation and prosecution of health care fraud will continue; the department will be vigorous in its pursuit of those who violate the law in this area.”  Mr. Blanco continued, “I can tell you that [Attorney General Sessions] has expressed this to me personally.”

Mr. Blanco sent a strong and clear message to the audience of health care attorneys, defense counsel, compliance professionals, and relators’ counsel that the Justice Department’s longstanding commitment to combating health care fraud will continue. His speech appeared to be designed to address concerns that the DOJ Criminal Division’s shift in emphasis towards immigration and violent crime would come at the expense of health care fraud investigations.  Attorney General Sessions is committed to investigating and prosecuting health care fraud because, Mr. Blanco said, health care fraud hurts vulnerable people seeking medical care and costs the government and taxpayers almost $100 billion annually.

The Supreme Court will not hear the most important Park doctrine case in over 40 years. In DeCoster v. United States, the DeCosters appealed their convictions under the Responsible Corporate Officer doctrine, commonly referred to as the Park doctrine, because they did not have “actual knowledge” that their egg distribution company sold eggs contaminated with salmonella. The DeCosters presented two arguments in their cert. petition: (1) their convictions and three-month prison terms were based on vicarious liability and violated due process, and (2) the Supreme Court should overrule the Park doctrine altogether because anyone in a company’s chain of command faces criminal liability under it.

Until another case tests the limits of the Park doctrine – or another Court of Appeals conflicts with the Eighth Circuit’s holding – the Supreme Court’s decision not to review DeCoster means executives in the food and drug industries may still face imprisonment for supervisory lapses.

We detailed the DeCoster case and the Responsible Corporate Officer doctrine in an earlier blog post and clients and friends memo.

Last week’s massive ransomware attack should serve as a wake-up call that companies across all industries, including and perhaps especially the health care industry, must take the threat of global ransomware seriously.

The WannaCry attack reportedly crippled some of the computer systems of the U.K.’s National Health Service (NHS), forcing emergency room closures and the cancellation of patient appointments and medical procedures throughout the U.K., before spreading rapidly around the world to the computer networks of businesses and organizations in a variety of industries and regions.

The attack on the NHS echoed attacks in early 2016 on U.S. health care providers, including the February 2016 ransomware attack on the Hollywood Presbyterian Medical Center in California, which paid hackers approximately $17,000 in bitcoin to restore access to patient data and computer systems.  The WannaCry attack also comes after the July 2016 announcement by the Department of Health and Human Services Office for Civil Rights (OCR) that it will treat ransomware attacks as potential breaches under the Health Insurance Portability and Accountability Act (HIPAA) if confidential patient data is compromised, adding the prospect of enforcement actions and penalties for health care providers that find themselves the victims of ransomware attacks.

In a recent Clients & Friends Memo, we examine the nature of the threat posed by ransomware, what happened in the WannaCry attack, and three key lessons that have emerged for all businesses seeking to protect themselves:

  • First, as ransomware attacks continue to be successful, they will increase in frequency and scale.
  • Second, the WannaCry attack might have been prevented if companies had been more diligent about implementing basic cybersecurity practices, such as patching software vulnerabilities and training staff to recognize phishing emails, i.e., emails that appear legitimate but contain links or attachments that install malware when opened.
  • And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.

Read our full Clients & Friends Memo.

The most important Park doctrine case in over forty years may be heading to the Supreme Court – but not if the federal government has its way.  On April 12, 2017, the Acting Solicitor General of the United States filed his brief in opposition to the U.S. Supreme Court’s potential review of United States v. DeCoster and the Responsible Corporate Officer doctrine (“RCO doctrine”).  The RCO doctrine, commonly referred to as the Park doctrine, permits the government to prosecute employees for corporate misconduct when they are in a “position of authority” and fail to prevent or correct a violation of the Food, Drug and Cosmetic Act (FDCA).[1]  Not only is it a strict liability offense, it is a vicarious liability offense and is rarely used by the Department of Justice (DOJ) to seek prison time for supervisory employees.[2]

In the DeCosters’ January 10 Petition for Writ of Certiorari, the company’s executives contend that their convictions as responsible corporate officers are based on vicarious liability, because they did not have “actual knowledge” that their egg distribution company sold contaminated eggs.[3]  Therefore, they argue, federal precedent dictates that imprisonment violates due process.[4]  Anticipating the government’s argument that the DeCosters’ own negligence as responsible corporate officers is the source of their liability, the DeCosters state that Park doctrine liability has historically not been based on negligence by the responsible corporate officer.[5]  Rather, the argument continues, the Park doctrine is a strict liability offense based on the corporate officer’s position of authority and the presumption that the officer is in a position to prevent violations of the FDCA.  A sentence of imprisonment for a strict liability violation, they maintain, violates due process.[6]  Accordingly, the DeCosters argue that the Eighth Circuit’s holding, affirming the conviction and sentencing of both executives to three months’ imprisonment, gravely expands the RCO doctrine and an “innocent” supervisor convicted of vicarious criminal liability should not face imprisonment.[7]  Secondarily, the DeCosters argue that the Park doctrine itself should be overruled because it “creates a nearly boundless risk of arbitrary enforcement” whereby it exposes “essentially anyone in the chain of command of a company, large or small, with at least nominal responsibility for a given activity” to criminal liability.[8]  The latter argument was advanced in the cert. petition even though it had not been raised in the lower courts.

The Acting Solicitor General, however, opposes the Supreme Court’s review and contends the DeCosters’ prison terms were based on their acts and omissions, not vicarious liability.[9]  The government cites United States v. Park to explain the prison terms are appropriate because the FDCA “imposes not only a positive duty to seek out and remedy violations when they occur but also, and primarily, a duty to implement measures that will insure that violations will not occur.”[10]

If the Supreme Court reviews DeCoster, it will provide long-sought guidance for corporate executives in the food and drug industries.  Additionally, the DOJ’s defense of the DeCosters’ conviction and sentencing, coupled with its ongoing focus on prosecuting individuals for corporate misconduct, both via the Yates Memo and recent guidance from the Fraud Section, which we highlighted in a prior blog post, suggests that the government’s interest in holding individuals accountable and liable, including those in the C-suite, is not waning in the new administration.

For additional information, please see our Client & Friends memo: The Responsible Corporate Officer Doctrine in the Wake of DeCoster.


[1] United States v. Park, 421 U.S. 658 (1975); see also Jose P. Sierra, The Park Doctrine: All Bark and No Bite, pharmarisc.com (Apr. 6, 2012), http://www.pharmarisc.com/2012/04/the-park-doctrine-all-bark-and-no-bite/.
[2] 21 U.S.C. § 301 et seq.
[3] United States v. DeCoster, 828 F.3d 626, 629, 631 (8th Cir. 2016).
[4] Petition for a Writ of Certiorari at *12-16, DeCoster v. United States (filed Jan. 10, 2017).
[5] Id. at *17.
[6] Id. at *23-26.
[7] Id. at *30.
[8] Id. at *32.
[9] Brief for the United States in Opposition at *10, DeCoster v. United States (filed Apr. 12, 2017).
[10] Id.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet over its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, arising from the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.

The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:

  • conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
  • develop and implement a risk management plan to mitigate those risks and vulnerabilities;
  • review—and potentially revise—its security policies for electronic devices and media; and
  • review—and potentially revise—its training program related to the security of ePHI.



As we reported last week, on January 17, 2017, staff from the Department of Health and Human Services Office of Inspector General (HHS-OIG) met with Health Care Compliance Association (HCCA) professionals for a roundtable meeting to develop a resource guide aimed at helping health care organizations develop ways to benchmark and measure the effectiveness of compliance programs.

The results of the roundtable meeting were released by HHS-OIG on March 27, 2017, with the release of the Resource Guide on Compliance Program Effectiveness (“Resource Guide”).  The Resource Guide provides a large number of measurement options designed to work across “a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” It covers the well-established seven elements of an effective compliance program, articulated in the U.S. Sentencing Guidelines:

  1. Standards, policies and procedures
  2. Compliance program administration
  3. Screening and evaluation of employees, physicians, vendors and other agents
  4. Communication, education and training on compliance issues
  5. Monitoring, auditing and internal reporting systems
  6. Discipline for noncompliance; and
  7. Investigations and remedial measures



The federal Department of Health and Human Services’ Office of Inspector General (OIG) has recently circulated a new compliance resource guide, titled “Measuring Compliance Program Effectiveness.”  Beyond reciting the seven elements of an effective compliance program, this guidebook provides concrete metrics for “what to measure” and “how to measure” compliance under each element, including, for instance, performing a fraud risk assessment.

The OIG is careful to remind the health care community that there is no “one size fits all” compliance plan, and that this latest guidance is not meant to serve as a checklist or a substitute for a program tailored to the organization’s own needs and industry risks. Nevertheless, the guidance can serve as a useful platform for building out an effective compliance program and for evaluating and enhancing a program already in place.  Performing a compliance review with the Guide as a tool can also help demonstrate a provider’s or health plan’s commitment to compliance “best practices.”

In February, to little fanfare, the Department of Justice (DOJ) Criminal Division Fraud Section issued detailed criteria for evaluating corporate compliance programs.  The guidance, entitled Evaluation of Corporate Compliance Programs (“Evaluation Guidance” or “Guidance”), comes two years after DOJ hired Hui Chen as Compliance Counsel in the Fraud Section.  When her position was announced, the DOJ said that Chen would “help prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures” and would “communicat(e) with stakeholders in setting those benchmarks.”  The Evaluation Guidance provides those benchmarks, which the DOJ uses to evaluate the effectiveness of corporate compliance programs. It covers 11 key compliance program evaluation topics, along with a list of specific questions that DOJ considers important in evaluating compliance programs as part of a criminal investigation.