Photo of Colin P. McCarthy

Colin concentrates his practice on healthcare compliance and reimbursement. He counsels hospitals, health systems, surgery centers, physician practices, and other healthcare providers on the laws and regulations governing payment from Medicare, Medicaid, TRICARE, and commercial payers.

Healthcare providers and other covered entities are not required by HIPAA regulations to have “bulletproof” protections for safeguarding patient information stored in electronic form, according to a January 14, 2021 decision of the 5th U.S. Circuit Court of Appeals. In University of Texas M.D. Anderson v. U.S. Department of Health and Human Services, the 5th Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) against the University of Texas’ M.D. Anderson Cancer Center.

The case arises from three separate incidents where M.D. Anderson employees lost laptops and USB thumb drives that contained unencrypted protected health information (PHI) for more than 34,000 patients. M.D. Anderson reported the breach incidents to HHS’ Office for Civil Rights (OCR), the office tasked with enforcing HIPAA. As a result of the reported breaches, OCR ordered M.D. Anderson to pay $4.3 million in civil monetary penalties (CMPs). M.D. Anderson appealed the decision to an HHS administrative law judge and to the HHS Departmental Appeals Board (DAB), both of which upheld OCR’s penalties. M.D. Anderson argued that the HIPAA regulations do not require encryption, that it complied with the regulations and employed other effective measures to safeguard electronic protected health information (ePHI), that the three incidents were the fault of staff who violated M.D. Anderson’s policies, and that the proposed CMPs were excessive.

Continue Reading 5th Circuit Weakens HHS’ Ability to Enforce HIPAA Safeguards

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.

Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.”  Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack.  Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.

The Report

The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87 page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.

The increased focus on cybersecurity comes in the wake of recent rise and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy.  As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks is likely to increase.

The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:

  • Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
  • Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
  • Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
  • Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.The Report also identified several recommended steps for industry members, including identifying a cybersecurity leadership role for driving for more robust cybersecurity policies, processes, and functions with clear engagement from executives.

The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.

OCR Checklist

In the wake of the Report and an unprecedented year of increased cyber-attacks against health care entities (including the recent WannaCry attack and the Petya attack), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic of the steps, which include:
Continue Reading Increased Focus on Health Care Cybersecurity: HHS Releases Long-Awaited Report and Cyber Attack Quick-Response Checklist