Hospitals Will Need Psychiatrists and Mental Health Professionals to Satisfy EMTALA

Posted by Gregory M. Fliszar on November 07, 2017
Hospital, Mental Health, Uncategorized / No Comments

Hospitals that have emergency departments should call upon their “available resources” to screen and stabilize patients with mental health emergencies as required by the Emergency Medical Treatment and Labor Act (“EMTALA”) according to recent statements by an analyst for CMS and an attorney with the Office of Inspector General (“OIG”) for the Department of Health and Human Services.

While speaking at the American College of Emergency Physicians annual meeting in Chicago, the CMS representative noted that EMTALA requires hospitals with emergency departments to provide a medical screening within the capabilities of the hospital by a person who is qualified to do the examination, which, if the hospital offers psychiatric services, would include a psychiatrist.  While the initial screening must be done with medical personnel such as a psychiatrist, the CMS official stated that other mental health professionals may be qualified to assist in those examinations.

Gregory M. Fliszar

Greg Fliszar is a member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.


FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

Posted by Gregory M. Fliszar on August 25, 2016
Federal Trade Commission, HIPAA, OCR / No Comments

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused harm to consumers to satisfy requirements under Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches.   Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see if there are any additional or conflicting data security standards mandated by both agencies.   Any companies handling PHI should, therefore, continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but the FTC as well.

For more information about the FTC’s opinion, contact Gregory M. Fliszar or a member of Cozen O’Connor’s Health Law team.


OCR Announces New HIPAA Guidance on Ransomware

Posted by Gregory M. Fliszar on July 13, 2016
HHS, OCR / No Comments

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.


Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Gregory M. Fliszar on March 22, 2016
HHS, OCR / No Comments

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

 


OCR Announces Two Significant HIPAA Breach Settlements

Posted by Gregory M. Fliszar on March 21, 2016
HHS, OCR / No Comments

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016, OCR followed by announcing that Feinstein Institute for Medical Research, a New York biomedical research institute, agreed to pay OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As noted above, both OCR settlements also include multi-year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

 

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

 


Gun Control and HIPAA

Posted by Gregory M. Fliszar on January 06, 2016
HHS, OCR / No Comments

In the wake of recent gun violence and in a concerted effort to protect public safety, the Department of Health and Human Services (HHS) released a final rule published in the Federal Register January 6, 2016, that modifies the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of persons who are subject to a Federal “mental health prohibitor” that would prevent such individuals from possessing a firearm (“Final Rule”). The covered entities are those that have “lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of NICS reporting purposes.”

The Final Rule, which will appear at 42 C.F.R. § 164.512(k)(7), adopted what HHS had initially proposed in April 2013 in its proposed rule. The purpose of the Final Rule is to afford the NICS the ability to identify individuals subject to this prohibitor for the purpose of disqualifying them from shipping, transporting, possessing or receiving a firearm. Individuals subject to the Federal mental health prohibitor include those who have been involuntarily committed to a mental health institution, found incompetent to stand trial or not guilty by reason of insanity, or have been determined by a court or other lawful authority to be a danger to themselves or others or to be unable to manage their own affairs. The disclosures to the NICS will be restricted to limited demographic and other information required by the NICS. Further, the Final Rule specifically prohibits the disclosure of any diagnostic or clinical information and “any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”

Importantly, the Final Rule’s express permission to disclose/report is narrowly tailored. Specifically, it does not extend to covered entities permission to report to the NICS the protected health information of individuals who are subject to the State-only mental health prohibitors. Additionally, the permission is not extended to “most treating providers”, which emphasizes HHS’ intention to protect the privacy of the patient-provider relationship.

A key tension at the heart of the gun control issue for years has been how to adequately protect individual privacy, in particular, mental health information, and maintain public safety. Not surprisingly, the Final Rule’s publication comes at a time of heightened tension between these issues, and President Obama announced yesterday that under his executive actions on guns, the administration will, among other actions, seek to expand mandatory background checks for certain private gun sales.

The Final Rule is effective February 5, 2016, 30 days from its publication in the Federal Register. To learn more about reporting under the Final Rule and the amended HIPAA regulation, please contact Greg Fliszar, J. Nicole Martin or any member of Cozen O’Connor’s Health Care team.


OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Gregory M. Fliszar on May 04, 2015
HHS, HIPAA, OCR / No Comments

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients. After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.


CMS Issues Proposed Rule That Would Extend Provisions of Mental Health Parity

Posted by Gregory M. Fliszar on April 15, 2015
Addiction, CHIP, CMS, MCOs, MCOs, Medicaid, Medicare, Mental Health, PAHPs, PIHPs / No Comments

On April 6, 2015, the Centers for Medicare & Medicaid Services (“CMS”) released a proposed rule that would extend provisions of the Mental Health Parity and Addiction Equity Act of 2008 (the “Mental Health Parity Act”) to Medicaid managed care organizations (“MCOs”) and the Children’s Health Insurance Program (“CHIP”). The Mental Health Parity Act requires health plans that provide mental health and substance abuse disorder benefits to ensure that any financial requirements (e.g., co-pays, deductibles) and treatment limitations (e.g., limitations on visits) applicable to those benefits are no more restrictive than the requirements or limitations applied to medical/surgical benefits. The proposed rule was published in the Federal Register on April 10, 2015 at 80 Federal Register 19418. (Proposed rule). Comments to the proposed rule are due on June 9, 2015.

The proposed rule was drafted to ensure that all Medicaid beneficiaries who receive benefits through MCOs or under alternative benefit plans would have access to mental health and substance use disorders benefits regardless of whether they received those benefits through an MCO or another system. In addition, the proposed rule would also apply to CHIP, whether the care is provided through an MCO or a fee-for-service program.

Presently, a number of states that provide medical benefits through Medicaid MCOs carve out mental health and substance abuse services through other arrangements, which can include prepaid inpatient health plans (“PIHPs”), prepaid ambulatory health plans (“PAHPs”), or even fee-for-service. Under the proposed rule, states would continue to have flexibility in selecting different delivery systems to provide services to Medicaid beneficiaries, but would have to ensure that enrollees of a Medicaid MCO receive the benefit of mental health and substance abuse parity when provided through these alternative models. States, for example, would be required under the proposed rule to include contract provisions requiring compliance with the Mental Health Parity Act in all applicable contracts with Medicaid MCOs and entities providing services through alternative arrangements such as PIHPs and PAHPs. Further, states would have to provide CMS with evidence of compliance with the Mental Health Parity Act in their provision of mental health and substance services to Medicaid beneficiaries.

In addition, the proposed rule would require Medicaid, MCOs, PIHPs, PAHPs and other alternative benefit plans to make their medical necessity criteria for mental health and substance abuse disorder benefits available to any enrollee or contracted provider upon request. Such Medicaid plans must also make available to enrollees the reason for any denial of reimbursement for services related to mental health and substance use disorder benefits.

For further information contact the author Gregory M. Fliszar (Philadelphia, PA) or other members of Cozen O’Connor’s healthcare team.


Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach, Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’s cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates. Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evidenced by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.


Cybersecurity Attack on Anthem, Inc. Highlights the Cybersecurity Risks for All Companies Handling Electronic Medical Records

Posted by Gregory M. Fliszar on February 09, 2015
cyberattacks, cybercriminals, cybersecurity, FBI, Healthcare, HIPAA, HITECH / No Comments

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29th and contacted the FBI, which has started an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”

Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers, and it is likely that more suits will follow. In addition to the FBI’s investigation into the attack, Attorneys General in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at [email protected].
