Tom Price is out as Secretary of the U.S. Department of Health and Human Services (“HHS”).  Mr. Price announced his resignation on September 29th as he faced more questions and increasing scrutiny over his use of taxpayer-funded private planes.  While Mr. Price’s departure from HHS will affect some aspects of the Trump Administration’s health care agenda, health care enforcement and compliance issues enjoy bipartisan support and are therefore less volatile.

Under Inspector General Daniel Levinson, who has led HHS’ Office of Inspector General (“OIG”) for twelve years, HHS remains committed to detecting, preventing, and prosecuting individuals and companies for health care fraud.  Accordingly, all signs point to OIG continuing to focus on detecting fraudulent billing practices and illegal physician referral programs, and using corporate integrity agreements to ensure that health care providers obey Medicare and Medicaid rules and policies.

In addition to fighting fraud in HHS programs, Health Insurance Portability and Accountability Act (“HIPAA”) security and cyber security are top priorities for HHS’ Office for Civil Rights (“OCR”).  To combat cyber security threats and to mitigate damage caused by cyber security breaches, OCR will likely increase its enforcement of HIPAA privacy rules and regulations and scrutinize providers’ cyber security policies, best practices, and response procedures.  Driving home this point, new OCR Director Roger Severino said, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target.  At most I will say the big, juicy case is going to be my priority and the methods for us finding it – stay tuned.”[1]

Under Attorney General Jeff Sessions, the U.S. Department of Justice has maintained a high tempo in its efforts to combat health care fraud.  For example, in July 2017 DOJ announced a partnership between its Health Care Fraud Unit’s Corporate Fraud Strike Force and Foreign Corrupt Practices Act (“FCPA”) prosecutors to ensure that health care companies are held accountable to the standards of the False Claims Act and the FCPA.  And DOJ’s new Opioid Fraud and Abuse Detection Unit will help combat the ongoing opioid crisis, in keeping with Attorney General Sessions’ enforcement priorities.

Tom Price’s departure as HHS Secretary is significant for other important aspects of health care, including the future of the Affordable Care Act and the Medicare and Medicaid bundled payment models.  However, current HHS and DOJ enforcement programs remain a priority under President Trump and Attorney General Sessions.

[1] Marianne K. McGee, Top HIPAA Enforcer Names His Top Enforcement Priority, Data Breach Today (Sept. 5, 2017), https://www.databreachtoday.com/top-hipaa-enforcer-names-his-top-enforcement-priority-a-10258.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellation of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

OCR will treat a health care entity’s compliance with these protocols as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.