HHS cybersecurity performance goals consistent with legal requirements

© sasun Bughdaryan - stock.adobe.com

Overview

“Cybersecurity is patient safety.”¹ Meeting the requisite technical, administrative, and physical safeguards to protect the confidentiality, integrity and availability of protected health information (“PHI”) and individually identifiable health information (“IIHI”) are also required by law under the Health Insurance Potability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).The healthcare and public health sector is also considered part of critical infrastructure by the United States Government’s Cybersecurity & Infrastructure Security Agency (“CISA”).² The United States Department of Justice’s (“DOJ”) October 6, 2021, announcement regarding the launch of its Civil Cyber-Fraud Initiative (“Cyber-Fraud”),³ as well as the inclusion of HIPAA and the 21st Century Cures Act in the November 2023 United States Department of Health and Human Services – Office of the Inspector General’s (“HHS-OIG”)⁴ General Compliance Program Guidance,⁵ underscores a fraud, waste, and abuse component. In January 2024, HHS issued its Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals, which not surprising given what is already legally required by the HIPAA Security Rule.⁶

As a recap, 45 CFR Part 160 and Subparts A and C of Part 164, the HIPAA Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of [ePHI].”⁷ Published at 68 Fed. Reg. 8334 (Feb. 20, 2003), the Security Rule became effective on April 21, 2003, with a compliance date of April 21, 2005 (April 21, 2006 for small health plans). Id. These obligations apply to covered entities and business associates⁸ alike, including conducting an annual Risk Analysis pursuant to CFR § 164.308(a)(1)(ii)(A).

Complying with HIPAA, as well as the related Privacy Rule and Security Rule is material both for cybersecurity and for the submission of claims for payment by the United States Government and it stems back to 1996. As a reminder, in a False Claims Act case, it is the DOJ and not another agency (although they may be persuasive) that have the authority to waive violations of the FCA and “’and the unauthorized statements of United States agents may not serve to waive the Government's claim.”’⁹ The remainder of this article is dedicated to why failing to abide by the HIPAA Security Rule is material to submitting a false and fraudulent claim.

Analysis

HIPAA’s purpose mandated the following: “to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”¹⁰ Title II of HIPAA addresses the prevention of health care fraud and abuse, administrative simplification and medical liability reform. Here are a few of the relevant areas that relate to HIPAA and curtailing fraud, waste, and abuse laws:

• Section 201
  • (1) Amended 1128 of the Social Security Act by inserting Section 1128C for HHS-OIG and the United States Attorney General to jointly establish a program to control fraud, waste, and abuse through conducting investigations and enforcement actions;
  • (3)(B)(ii) requires “confidentiality of the information and the privacy of individuals receiving health care services and items”; and
  • 3(B)(iii) requires qualified immunity for providing information [notably, this is incorporated into the whistleblower provision at 45 CFR §164.502(j)(1)].
• Section 221(b)(3) references confidentiality in relation to establishing procedures to “assure that the privacy of individuals receiving health care services is appropriately protected”.

HIPAA and the related implementing rules and regulations are dense; however, as medical records, medical devices, and communications have evolved, so has the increased need to keep patients safe and their privacy intact. In many ways, the Security Rule and the HITECH Act were quite forward looking in relation to the technical, administrative, and physical safeguards needed to ensure secure claims submissions and patient treatment.

Congress amended the FCA in 2009 to "clarify" that liability attaches when one directly presents a false claim to the government and when one acts indirectly by making a false statement material to a false claim. S. Rep. No. 110-10, 111th Cong., 1st Sess. at 11 (March 23, 2009). Sections 3729 (a)(1)(A) and 3729 (a)(1)(B) are complementary. The latter ensures that FCA liability captures subcontractors who make false statements or records material to claims presented to the government. Id. The U.S. Supreme Court in Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016) (hereinafter “Escobar”),highlighted “materiality” in relation to the “implied certification theory” of a false claim under the FCA. While the HIPAA requirements are express and are more in line with an express legally false claim, it can’t hurt to run through the materiality factors. “No one factor is dispositive, and our inquiry is holistic.” United States ex rel. Deborah Lemon v. Nurses to Go, Inc., Case No. 18-20326 (5th Cir. May 17, 2019) (citing Escobar 136 S. Ct. at 2003).

There are three factors that courts look at when assessing materiality:

1. Conditions of Payment - are the alleged violations of non-compliance with HIPAA and the Security Rule a condition of payment;
2. Government Enforcement – has the government taken criminal or civil enforcement actions related to HIPAA violations; and
3. Substantial or Minor - “noncompliance [cannot be] minor or insubstantial.” Escobar. at 2003.

The answer to all three factors in relation to significant deficiencies of non-compliance with HIPAA, the HITECH Act, and the related Security Rule is “YES.” Here’s the substantiation:

1. HIPAA is the reason that we have National Provider Identifiers (“NPIs”)¹¹ and the requirements for the electronic submission of claims. “The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Part 160, Part 162, and Part 164, and includes: Transactions and Code Set Standards [45 CFR 162.920],¹² Identifier Standards, Privacy Rule, Security Rule, Enforcement Rule, [and] Breach Notification Rule.”¹³ There are different documents related to Electronic Data Interchange (“EDI”);¹⁴ however all relate to the submission of claims to CMS for reimbursement under Medicare Parts A and B through Medicare Audit Contractors (“MACs”) and require compliance with the HIPAA Privacy and Security Rules as set forth on documents including EDI 837 or EDI 835.¹⁵
2. The Government has taken enforcement action – both civil and criminal involving HIPAA violations. In United States ex rel. Awad et al. v. Coffey Health System, Case No. 2:16-cv-03034 (D. Kan.), the hospital allegedly “falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013.”¹⁶ In March 2022, the DOJ announced its first civil cyber-fraud settlement under the False Claims Act against Comprehensive Health Services, LLC (CHS).¹⁷ Here, the Relator, Dr. Lawler,¹⁸ raised the cybersecurity concerns and allegations related to the company’s failure to disclose to the government that patient medical records were not consistently stored on a secure electronic health record system and failed to implement the requisite technical, administrative, and physical safeguards required by HIPAA and the related Security Rule,¹⁹ as well as the government contract provisions. In turn, CHS submitted claims for payment from the government. Finally, on the criminal front, United States v. Joshua Hippler, Case No. 6:14-cr-00018 (E.D. Tex. Mar. 26, 2014) illustrates a situation where a defendant was employed by a covered entity and utilized PHI for personal gain in violation of HIPAA – ultimately leading to his indictment and sentencing.²⁰
3. Whether compliance with HIPAA is minor or unsubstantial is a case-by-case basis determination. In the aforementioned cases, compliance was not “minor or unsubstantial.” And, there are numerous examples of HHS-Office for Civil Rights enforcement actions, as well as FCA case settlements involving electronic health record companies failure to meet the requisite technical, administrative, and physical safeguards under the Security Rule, as well as Privacy Rule violations.²¹

So, how does the HIPAA Security Rule and the HHS January 2024 Cybersecurity Goals compare? Table A is illustrative of the interplay.

The best part about the 2024 Cybersecurity Goals is that they map to the National Institute for Standards and Technology (“NIST”) standards – something that HHS mapped the Security Rule to NIST as early as 2016 (hereinafter “Crosswalk”), building on the February 2014 NIST Cybersecurity Framework.²² Importantly, the emphasis is on strong data security safeguards and covered entities and business associates should take note that the Security Rule has more requirements than map to NIST in the Crosswalk. Additionally, in August 2023, NIST published its draft of NIST Cybersecurity Framework 2.0, which mirrors the initial Cybersecurity Framework, with the addition of one important item – governance.²³

The FCA cases and other enforcement actions cited supra illustrate situations where compliance was not minor or unsubstantial. Organizations that have been complying with HIPAA, the HITECH Act and the related implementing regulations should take solace in the fact that their efforts can and do serve to mitigate government prosecution, audits/investigations, and fines under Pub. L. 116-321 (Jan. 5, 2021). Additionally, the DOJ’s Justice Manual provides a roadmap for how an adequate and comprehensive compliance program and cooperation can provide “credit” and serve as a mitigation factor.²⁴ Again, HIPAA and HITECH Act compliance has been required for over 15 years, so the enforcement actions, 2024 Cybersecurity Goals, and Security Rule requirements should hardly come as a shock to covered entities and business associates.

Conclusion

From its inception in 1996, HIPAA integrated the need to protect patient data with fraud, waste and abuse. The Government continues this legacy as the healthcare and public health sector was identified as a critical infrastructure, as HHS-OIG dedicated a section of its 2023 Compliance Guidance to the HIPAA Privacy and Security Rules and the 21st Century Cures Act, and False Claims Act settlements involving allegations of HIPAA and HITECH non-compliance. For those persons that have been implementing the requisite technical, administrative and physical safeguards associated with creating, receiving, maintaining, and transmitting PHI, including the EDI requirements for claims submission and payment from Medicare Parts A and B, there are ways for counsel to mitigate government enforcement actions, prosecutions, and fines for their clients. For those who took the approach of knowing, willful ignorance or reckless disregard of HIPAA, the HITECH Act and the implementing regulations, the outcome, as the cases cited indicated, paint a different picture.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.

[1] R.V. Rose, Cybersecurity is patient safety (Nov. 10, 2022), https://www.physicianspractice.com/view/cybersecurity-is-patient-safety

[2] CISA, Critical Infrastructure Sectors, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors (last visited Jan. 28, 2024).

[3] DOJ, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[4] HHS-OIG, Fact Sheet (Nov. 2023), https://oig.hhs.gov/documents/root/1139/About-OIG-Fact-Sheet-November2023.pdf.

[5]HHS-OIG, General Compliance Program Guidance (Nov. 2023), https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf#page=76.

[6] HHS, https://hphcyber.hhs.gov/documents/cybersecurity-performance-goals.pdf (Jan. 2024).

[7] HHS, The Security Rule, https://www.hhs.gov/hipaa/for-professionals/security/index.html#:~:text=The%20Security%20Rule%20requires%20appropriate,and%20C%20of%20Part%20164 (last visited Jan. 21, 2024).

[8] 45 CFR 160.103, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160 (identifying three general categories under the term “covered entity” – health plan, health care clearing house, and health care provider) (last visited Jan. 15, 2024).

[9] See R.V. Rose and C. Sabis, Advisory Opinion Highlights Inconsistency Between OIG and DOJ Regarding Gift Cards, AHLA Health Law Weekly (Jan. 26, 2024) (citing United States ex rel. Monahan v. Robert Wood Johnson Univ. Hosp. at Hamilton, No. 02-5702, 2009 WL 4576097, at *7 (D.N.J. Dec. 1, 2009) (citing Sappiest v. Omaha Prop. & Cas., 404 F.3d 805, 809 (3d Cir. 2005)), https://americanhealthlaw.org/content-library/health-law-weekly/article/081e6e8c-b643-4607-870b-90e2ced84bee/Advisory-Opinion-Highlights-Inconsistency-Between?_zs=sV7tn.

[10] Pub. L. 104-191 (Aug. 21, 1996), https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf.

[11] 45 CFR § 162.406(a),(b) (relaying that the NPI is a ten (10) digit identifier that is unique to a particular provider); see also 45 CFR §§ 162.408, 410.

[12]See https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162 (last visited Jan. 28, 2024).

[13] HHS, Combined Regulation Text of All Rules, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html (last visited Jan. 28, 2024).

[14] G. Vidals, Electronic Data Interchange (EDI) in Healthcare and HIPAA, HIPAAVault (Sept. 13, 2023) (noting that HIPAA compliance for EDI is mandatory and “ensuring that all document transactions meet the set privacy and security requirements …[,] must implement necessary safeguards to protect the data during transmission.”) https://www.hipaavault.com/resources/electronic-data-interchange-edi-in-healthcare-and-hipaa/.

[15] CMS, Electronic Data Interchange (EDI) Support, https://www.cms.gov/medicare/coding-billing/electronic-billing/electronic-data-interchange-support (last visited Jan. 28, 2024).

[16] DOJ, Kansas Hospital Agrees to Pay $250,000 To Settle False Claims Act Allegations (May 31, 2019), https://www.justice.gov/usao-ks/pr/kansas-hospital-agrees-pay-250000-settle-false-claims-act-allegations.

[17] DOJ, Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan – First Settlement by the Department of Justice of a Civil Cyber-Fraud Case Under the Department’s Civil Cyber-Fraud Initiative (Mar. 8, 2022), https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical.

[18] In the interest of full disclosure, Rachel V. Rose, Esq., was one of the attorneys who represented Relator Shawn Lawler, DDS.

[19] R. V. Rose, Cybersecurity: Look to where you are going (Feb. 11, 2021), https://www.physicianspractice.com/view/cybersecurity-look-to-where-you-are-going.

[20] DOJ, Former Hospital Employee Sentenced for HIPAA Violations (Feb. 17, 2015), https://www.justice.gov/usao-edtx/pr/former-hospital-employee-sentenced-hipaa-violations.

[21] See HHS-OCR, Resolution Agreements, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html (last visited Jan. 28, 2024); DOJ, Electronic Health Records Vendor to Pay $155 Million to Settle False Claims Act Allegations (May 31, 2017), https://oig.hhs.gov/fraud/enforcement/electronic-health-records-vendor-to-pay-155-million-to-settle-false-claims-act-allegations/ (settling allegations that eClincialWorks misrepresented its software’s capabilities and paid kickbacks in exchange for product promotion).

[22] HHS, Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework (Feb. 23, 2016), https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html.

[23] NIST, Updating the NIST Cybersecurity Framework – Journey To CSF 2.0, https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20 (last visited Jan. 28, 2024).

[24] DOJ, Justice Manual, 9-28.000 – Principles of Federal Prosecution Of Business Organizations, https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations (last visited Jan. 28, 2024).