Privacy

Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , ,

“LoProCo”, 12,915 Complaints, and Other Lessons from OCR/NIST

Posted by Ryan Blaney on September 26, 2014
ACA, CMS, HHS, HIPAA, HITECH, Privacy / No Comments

 

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

  • Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
  • According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
  • Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
  • Since 2009, consumer complaints regarding HIPAA violations continue to rise.
  • Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
  • Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
  • Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
  • OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Continue reading…

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , , ,

CMS and ACOs: A Busy Summer and a Busier Fall

Posted by Chris Raphaely on August 05, 2014
ACA, Accountable Care Organizations, Affordable Care Act, HIPAA, HITECH, Medicare, Privacy / No Comments

 

It has been a busy summer so far for the Centers for Medicare & Medicaid Services (CMS) with respect to Accountable Care Organizations (ACOs), as the agency has proposed altering the quality reporting measures under the Medicare Shared Savings Program (“MSSP”) for 2015 and beyond.  Expect an even busier fall as other, potentially broader, proposed rule changes for ACOs are analyzed by the Office of Management and Budget (OMB) and both sets of proposals wind their way through the public comment process.

The proposed changes concerning quality reporting would revise and update the measures used to evaluate MSSP ACOs’ performance. Overall, the CMS says it would like to focus more on outcome-based measures (as opposed to process-based measures), reduce duplicative measures, and reflect current clinical practices without increasing ACO’s reporting burden.

More specifically, the CMS proposes to add 12 new measures and remove eight, which would increase the total number of quality measures from 33 to 37. The new measures relate to “avoidable” admissions for patients with multiple chronic conditions, heart failure, and diabetes; depression readmission; readmissions to skilled nursing facilities; patient discussion of prescription costs; and updated composite measures for diabetes and coronary artery disease.

The CMS would like to modify the scoring system to award bonus points toward shared savings to ACOs that make year-over-year improvements on individual measures. Moreover, the agency would like to modify its benchmarking methodology to use flat percentages to establish the benchmark for a measure when the national FSS data results in the 90th percentile being greater than or equal to 95 percent. And, finally, the CMS proposes several ways to align MSSP reporting requirements with other reporting programs, including Medicare’s Electronic Health Records Incentive Program and the Physician Quality Reporting System.

Fewer details are available about the next set of proposed rules changes, which were submitted to OMB on June 26 and will be printed in the Federal Register after review. It is expected that these regulations will include changes to the MSSP’s payment provisions. The proposed changes would apply to existing ACOs and approved ACO applicants starting January 1, 2016. As soon as the text of the rule becomes publicly available, the Health Law Informer will provide more information.

Chris Raphaely

Chris Raphaely

R. Christopher Raphaely joined Cozen O'Connor's Philadelphia office in 2014 as co-chair of the Health Care Practice Group. Chris joins the firm from Jefferson Health System, where he served as deputy general counsel and general counsel to the system’s accountable care organization and captive professional liability insurance companies.

More Posts

Tags: , , , , ,

ACOs and Pay for Value … All About the Data

Posted by Chris Raphaely on July 24, 2014
Accountable Care Organizations, Affordable Care Act, HIPAA, Privacy / No Comments

It has been over three years since the Centers for Medicare and Medicaid Services (CMS) announced its proposed rule and guidance on the development and implementation of Accountable Care Organizations.  About four million Medicare beneficiaries are now in an ACO, and over 400 provider groups are participating in ACOs.  See February 19, 2013 Health Affairs Blog. An estimated 14% of the U.S. population is being treated within an ACO. See April 16, 2014 Kaiser Health News.

By all indications, these numbers will continue to grow as the US health system moves away from the fee-for-service model to pay for value models that reward quality and cost savings and require clinical coordination among different types of providers, in many cases providers who are unrelated other than through an ACO or other similar arrangement.  The seamless sharing of data, patient information and collaboration among large, medium and small physician practices, hospitals, post-acute providers, and even private companies like pharmacy chains is critical to the success of these organizations. Continue reading…

Chris Raphaely

Chris Raphaely

R. Christopher Raphaely joined Cozen O'Connor's Philadelphia office in 2014 as co-chair of the Health Care Practice Group. Chris joins the firm from Jefferson Health System, where he served as deputy general counsel and general counsel to the system’s accountable care organization and captive professional liability insurance companies.

More Posts

Tags: , , , , , ,