Healthcare and Cybersecurity
The Doctors Company just came out with an article entitled, “Cybersecurity Must Be Part of Every Healthcare Professional’s Job.” The article warns that we will see more cyberattacks in the future.
[Cyberattacks] are increasing in frequency and sophistication. But they are also preventable.
Becker’s Health IT and CIO Review published an article last week, entitled “43% of C-suite execs name cybersecurity as No. 1 operational challenge.”
The bottom line is that cybersecurity must become “a fundamental part of [healthcare organizations’] business.” This includes the solo physician practice as much as any major health system.
Reminder: Compliance with HIPAA Is Important (and Mistakes are Costly)
Compliance with HIPAA is critically important to covered entities and their business associates. This is not new, but it is good to remember that noncompliance with HIPAA Privacy and Security rules can lead to enforcement action and the imposition of civil monetary penalties.
The HHS Office of Civil Rights investigates violations of health information privacy rights. The HIPAA enforcement rule, which can be found at 45 CFR Part 160, Subparts C, D, and E, contains provisions for investigations and procedures for hearings.
The HHS OCR has been active in 2017. After 6 months, there have been a number of investigations of violations of HIPAA’s privacy rule. Covered entities should review here the types of violations that have arisen and their resolution.
Here is a reminder of the types of things that covered entities and business associates should be doing:
- Maintain up to date copies of HIPAA laws and regulations
- Make sure Notice of Information Practices and Consent forms are and comply with laws and regulations (multiple languages?)
- Designate an information privacy and security Officer
- Make sure there are Business Associate Agreements in place (and signed)
- Implement procedures for receiving, documenting, and investigating complaints
- Maintain IT security software, backup system, and disaster recovery plan
- Conduct risk assessments regularly
- Document all operational processes and procedures
- Implement procedures for breach notification
- Update training of employees
HHS OCR has been conducting audits of covered entities and their business associates to assess compliance with HIPAA Privacy and Security Rules. Audits of whom? According to HHS OCR —
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and business associates to provide the auditors their full cooperation and support.
It’s important to remember to be careful and thorough in all dealings that implicate HIPAA. Data breaches and fines are embarrassing and expensive.
Does Lying Make Healthcare Simpler?
Earlier this year, the President admitted that healthcare and healthcare reform are complicated.
The House of Representatives passed the American Health Care Act in May as its repeal and replace Obamacare offering to America. The Congressional print of the Affordable Care Act when finally passed as amended was over 900 pages; the AHCA came in at 130 pages — certainly, an attempt at a simpler healthcare environment. The President described the AHCA as a “mean” and “cold-hearted” “son of a bitch.”
The Senate GOP leadership then proposed in June its Better Care Reconciliation Act of 2017. If the number of pages makes a difference, the Senate’s bill, at 145 pages, is a little less simple than the House’s AHCA, but still much simpler than Obamacare. The additional pages used in the Senate proposal, unfortunately, did not make the Better Care Act less mean — actually, the consensus is that the Better Care Act is “meaner” than the AHCA. The national negative reaction, along with a number of GOP Senators being unable to vote for the bill, resulted in the vote being postponed until later in July.
After the Senate vote was delayed, the President met with the GOP Senators at the White House for a pep talk of sorts, telling them that “This will be great if we get it done and if we don’t get it done it’s going to be something that we’re not going to like and that’s OK and I can understand that.” According to the President, “We have given ourselves a little bit more time to make it perfect.”
Then, in the hours that followed, the President forgot about healthcare’s complexity and focused his efforts on misinformation and misdirection. When congratulating the Cubs on their World Series victory, the President told reporters that “We’re going to have a big surprise. … We’re going to have a great, great surprise.” The next day the President posted the following Tweet at 3:37 a.m., which I suppose was the surprise: “If Republican Senators are unable to pass what they are working on now, they should immediately REPEAL, and then REPLACE at a later date!”
Repealing Obamacare is extraordinarily complicated and would hurt many people — is the Senate, whose GOP members can’t muster 50 votes to pass an arguably harsh repeal and replace bill, able to get enough votes to pass a much harsher repeal bill? Will Senators agree to repeal all protections for people with pre-existing conditions, and take away the right of adult children to stay on their parents’ insurance until they are 26, and terminate accountable care organizations, and rollback all Medicaid expansion and marketplace health plans, and stop all subsidies to people, and on and on? Yes, repeal would attract the more conservative Senators, like Paul and Cruz, who want Obamacare and its regulations repealed, but would be opposed by many moderate Senators, like Collins, Capito, and Heller, who remain concerned about the negative impact on their states if Obamacare is drastically changed.
Statements by the President and GOP Senators and House members about the death of Obamacare, its imminent collapse and implosion, are the lies that have fueled the rush to repeal and replace. These lies have been debunked by the CBO. The challenges faced by Obamacare are largely because the GOP has refused to help fix the problems because it and its members’ supporters (i.e., the insurance companies and the pharmaceutical industry) would rather go back to the ways things were by repealing Obamacare.
It is lie is that Obamacare is bad and must be repealed because of the collapsing insurance markets and the increasing premium costs. Despite its flaws, Obamacare extended coverage, made sure that the sickest segments of our population would still be able to get affordable insurance, forced the insurance companies to actually spend their premium dollars on the health of their insureds, and required that all policies provide certaIn basic benefits so that the insureds actually had coverage after paying premiums. If Obamacare had been allowed to work the way it was supposed, the individual and employer mandates would have made the pool of insureds bigger and reduced the rate of increase of premium costs.
It is a lie that the insurance markets are collapsing. Insurers are dropping out of the markets because of their losses (i.e., reduced profits). For years insurers have enjoyed artificially inflated profits by unilaterally reducing payments to physicians, hospitals, and other healthcare providers, by shifting the risk of insurance to the providers, and by denying benefits to insureds. Obamacare required these insurers for the first time in a long to actually provide insurance, pay claims, and accept the risk of covering their sick insureds whose money they took for so long. Insurers should never have been allowed to withdraw from the markets or a public option should have been provided — in any event, the struggle of the markets was orchestrated by insurance companies themselves, aided and abetted by the a GOP who refused to make necessary changes to Obamacare to address these problems.
A related lie is that things will be fine once we allow capitalism and the free market to work. Who believes this? Obamacare was the result of an out of control insurance industry abusing its customers in the manner described above.
The Wall Street Journal supports the Senate bill. In an editorial last week, the WSJ said “Repairing the failing individual insurance market, putting Medicaid on budget for the first time in the entitlement’s history, and passing an enormous pro-growth tax cut are historic opportunities.” Do not ignore the fact that “putting Medicaid on a budget” means less or no care for people getting healthcare now or who will need it in the future. If rationing healthcare is the goal, then state it plainly and let Americans decide if they ate prepared to have someone decide whose child goes without vaccines, whose grandmother is thrown out of the nursing home, and whose spouse with breast cancer goes untreated. And this is the underpinning of another lie — the GOP has been telling us that its repeal and replace bills will improve healthcare for Americans. However, the bills have nothing to do with healthcare other than to reduce its availability and affordability.
The biggest lie of the President and the GOP is that their proposals are what the people want and what they promised when they ran for election. The great unpopularity of the GOP’s bills demonstrates that those bills are not what people who need health insurance want. More important, the disconnect between the popular election rhetoric of repeal and replace and the dissatisfaction that voters express when presented with the effects of the GOP’s efforts at repealing and replacing shows that most Americans’ knowledge of Obamacare is still based on the 8 years of lies that the GOP has been telling about it — and continues to tell.
So, even though all of us know that healthcare is complicated, the President appears convinced that lying will make it simpler and make it easier to tell the Trump core that another promise has been kept. Making healthcare better should be about more than checking boxes on a list.
The Continued Scamming of Healthcare
Here are just a few healthcare fraud cases of note during July 2016:
Three Miami men — $40 million in fines and restitution and 188 months of prison for billing for phantom home healthcare, money laundering, and kickback schemes.
New York surgeon — $25 million in false claims for billing for services not performed.
Maryland X-Ray company owner — 10 years prison for fraudulently billing bogus medical interpretations for diagnostic tests that resulted in two patients’ deaths.
New York physician — jail time for kickback with hospitals in exchange for referring patients to nursing homes.
South Carolina hospital — $17 million in fines for improper financial arrangements with referring physicians.
Illinois woman — $15.6 million and six years prison for fraudulent billing in home health services.
Texas physician — 63 months prison and $1 million in fines and restitution for falsely certifying patients for home health services.
Florida physician — 46 months prison and $2.1 million in fines and restitution for intentionally falsifying diagnoses to get higher Medicare advantage plan capitation payments.
FSA Qui Tam Suit Against “Company Model” Providers
In October 2013, the Florida Society of Anesthesiologists filed a qui tam action under seal as required, which named as defendants a large number of Florida GI physicians, surgery centers, and “company model” anesthesia providers. The action was unsealed and made public during the last week of March.
Chief among the FSA’s allegations is that the defendants violated the federal False Claims Act by billing and collecting for anesthesia services performed by captive “company model” anesthesia providers.
At its simplest, the term “company model” refers to an anesthesia company jointly owned by referring physicians and anesthesiologists that is formed to provide anesthesia services at the ambulatory surgery center that the referring physicians own. The jointly owned anesthesia company takes the place of anesthesiologists (or an entity owned 100% by them) which previously performed the anesthesia services for the ASC. By using the company model arrangement, the referring physicians are then able to share in the revenues generated by the anesthesia services that previously would go solely to the anesthesiologists who performed the services.
The OIG made it clear in its Advisory Opinion 12-06 posted on June 1, 2012 that the company model and similar arrangements “could potentially generate prohibited remuneration under the anti-kickback statute and that the OIG could potentially impose administrative sanctions.” The American and Florida Societies of Anesthesiologists had been urging the OIG to take action like this for a long time, and it is not surprising that the FSA would take the lead in filing a qui tam action on company model arrangements that continued after the OIG posted its opinion.
This is a very significant case. The U.S. Attorney’s Office has presently declined to intervene, but its investigation is ongoing.
The Doctors Company – Ransomware Attacks
The Doctors Company, a physician-owned malpractice insurer, recently posted an article on so-called “ransomware” attacks on healthcare providers. Ransomware is a software virus that infects your computer network by encrypting all of your data so that it cannot be accessed without typing in the encryption key which the ransomware attacker will provide for a price.
I have a lawyer colleague whose law firm was the victim of a ransomware attack. Fortunately, the firm did frequent backups and all the data could be restored without having to pay the ransom. However, there was great disruption to the office, work essentially stopped, and everything has not quite been the same since the data was restored.
The Doctors Company’s article says that ransomware victims only have three options – restore the data (but that requires frequent backups), pay the ransom, or lose the data. For most organizations, especially those in healthcare, choosing to lose the data is not a viable option.
Victims face the loss of business, inconvenience to patients/clients/customers, damage to reputation, and potential liability if needed data is not available and a patient or client or customer is adversely affected.
Prevention, vigilance, and employee education are all critical to responding effectively to a ransomware attack.
Health Rankings — Pinellas County and Hillsborough County
The following infographic from the Suncoast Health Council compares various health factors between Pinellas and Hillsborough Counties, Florida:
Saving the Medical Profession
The following email string from earlier today from physician leaders is very telling and tragic. The email discussion starts with this:
Many of you will recognize some of the themes in this piece written by a frustrated young physician who has made the tough decision to leave her practice. Some of you might have struggled with the same issues discussed in this essay.
Here are two quotes from her thoughtful essay:
“The phenomenon of patients as customers, the cultural rise of entitled incivility, and trusting Dr. Google more than their doctor has eroded some of the pleasure of patient care.”
“In the past decade, physician groups have been purchased by hospitals and conglomerations. Rather than being recognized for individual excellence by patients voting with their feet, this has resulted in doctors being interchangeable cogs in a system where patients/hour and shifts/month dictate value.”
Two physicians responded with the following:
As physicians, WE make the wheel go around. Yet we have allowed our knowledge, our expertise, and our unmatched dedication to be devalued by hospitals, insurance companies, politicians, etc.
I think that the more we are called providers and we do not educate the public about the time commitment and education that physicians put in to become the master of the profession then we lose. … medical students are very talented. We need to make this news because we are the only ones who can provide quality care and provide the impetus to decrease costs We are the only ones equipped to do so. The MD degree has tons of value and it is not an interchangeable cog in the wheel.
I responded:
So true. My law practice focuses on representing physicians, which includes helping them evaluate and participate in opportunities as they deal with the onslaught of onerous laws, rules, and regulations. I constantly must remind my clients that physicians are and remain the sole source of value in healthcare. Notwithstanding that, many physicians, young and old, constantly ignore good opportunities for their practices because they are intimidated into choosing the wrong ones.
As the public member on the Board of Governors of the Florida Medical Association, I am pleased at the FMA’s focus (1) on lobbying legislators who are notoriously ignorant about physicians and the practice of medicine, and (2) on educating its members so that they can better understand and evaluate what is going on in the business of medicine.
I worry whether we can make a big enough impact quickly enough.
No other profession is faced with less respect or more demands or higher expectations than allopathic and osteopathic physicians.
This is not about “socialized” medicine, Obamacare, or anything other than economics. It has always been about the money. We are happy to make physicians work harder for less, and that has been happening for years. People don’t care because they have drunk the Kool-Aid from the insurance companies and the government that the medical profession is the problem with healthcare, and a misinformed public accepts the view that somehow physicians are the enemy.
There’s an App for That: Benefits and Risks of Using Mobile Apps for Healthcare | The Doctors Company
[The Doctors Company is a physician-owned professional liability insurer that, in my experience with my clients, does a very good job.]
With over 100,000 mobile health apps now available, physicians now have to handle an increasing amount of constant data and patient information that they did not have in the past. Mobile apps offer many benefits, but the use of these apps does not come without liability risks for doctors.
The Healthcare Marketplace — There is No Invisible Hand (until when consumers start paying)
The Tampa Bay Times included on its front page this morning an article entitled: “Big swings in medical prices make for a wild market, but savvy patients can benefit”
“It is a chaotic landscape, which is why it is so difficult for consumers and employers to navigate,” said Castlight vice president Kristin Torres Mowat.
So what gives?
For one, the market for health care doesn’t behave like most other markets. Consumers usually don’t know how much a procedure costs until after they’ve had it, and it can be challenging to compare prices beforehand. That means providers can set their rates somewhat independently of normal market forces — the forces that keep prices consistent at neighboring gas stations.
Bruce Vogel, an associate professor of health policy at the University of Florida (and a dorm mate at UF many years ago) was quoted in the Tampa Bay Times article — “It’s hard to find a market that deviates more from the perfectly competitive structure.”
Even Florida Gov. Rick Scott, a staunch conservative who opposes most government regulation, has expressed concern over the healthcare marketplace, focusing on the transparency of hospital pricing. In the September 29 online edition of Florida Politics, Gov. Scott was quoted:
“This is all about patients and empowering patients,” he told reporters after a Florida Cabinet meeting. “They should know what (a procedure) costs and be able to get as much information as they can.”
You can read the Governor’s official statement regarding hospital price transparency and supportive comments from members of the Commission on Healthcare and Hospital Funding here.
Gov. Scott is a smart guy – an M&A attorney, who founded Columbia Hospital Corporation which merged into the Hospital Corporation of America to become Columbia/HCA, of which he was CEO for a number of years (during which time Medicare fraud issues arose). It is not like he does not know how healthcare providers in general, and hospitals in particular, price their services.
Since the advent of third-party payers, healthcare has always been an artificial market. Vendors of healthcare and consumers of healthcare (those with health insurance) have rarely negotiated prices. The insurance companies negotiated with providers over what they would pay and with the insureds (or their employers) what their premiums would be. Add Medicare to the mix which set an artificial payment standard of some negotiated percentage of the Medicare rate, and pricing for healthcare services became almost completely independent of typical economic forces like supply and demand. Don’t even try to analyze pricing in rural or underserved markets.
So what is happening nowadays, when everyone is supposed to be insured, that makes healthcare pricing and bargaining with hospitals and other healthcare providers such a hot topic? I think it is because of high deductible plans. Health insurance has basically become insurance only for catastrophic claims. When the family deductible may be $5,000 or more, the cost for “unreimbursed” services becomes a matter of personal economics — even if the provider is charging the rate previously negotiated with the healthcare insurer.
Unfortunately, the negotiating for healthcare services is far more complicated than the negotiating over the price of a car. Transparency in healthcare pricing is important, but transparency in healthcare quality is critical. Quality of care will soon be the dominant factor as we move away from procedure based payment for healthcare services to preventive care services (paid 100%) and bundled/global payments focused on the episode of care.
Adam Smith never had a chance in healthcare.
Health News Florida
- An error has occurred; the feed is probably down. Try again later.
Physicians Practice
- An error has occurred; the feed is probably down. Try again later.
Joseph Rugg's Health Law Blog 