Recent HHS/OCR Health IT Enforcement Activity: What’s Driving the Trends?

Released Tuesday, 26th March 2024

Episode Transcript

0:14

Support for A HLA comes from Clearwater.

0:17

As the healthcare industry's largest pure

0:20

play provider of cybersecurity and compliance

0:22

solutions, Clearwater helps

0:24

organizations across the healthcare ecosystem

0:27

move to a more secure, compliant

0:29

and resilient state so they can achieve

0:31

their mission. The company provides

0:34

a deep pool of experts across a broad

0:36

range of cybersecurity, privacy,

0:39

and compliance domains. Purpose-built

0:41

software that enables efficient identification

0:44

and management of cybersecurity and compliance

0:46

risks. And the tech enabled twenty

0:51

four seven three hundred and sixty five security operation center with

0:54

managed threat detection and response

0:57

capabilities . For more information, visit

0:59

clearwater security.com.

1:02

Hello everyone, and welcome to this episode

1:05

of American Health Lawyer Association's

1:08

podcast. Speaking of health law. I'm

1:10

your host, Don Morgan Stern, senior Director

1:13

of Consulting Services and Chief

1:15

Privacy Officer for Clearwater, where

1:18

we advise and support our healthcare

1:20

clients on how to move their organizations

1:23

to a more secure, compliant and

1:25

resilient state. With me today

1:27

is Betsy Hodge, a partner with

1:30

a law firm of Ackerman and Chair of

1:33

ALA's Health IT Practice Group, and

1:36

Gina Bertolini , a partner with k and

1:38

l Gates, and a member of the Health IT

1:41

Practice Group. In this episode of

1:43

speaking of Health Law, we'll be discussing

1:45

what activities are driving the enforcement

1:48

trends and what that means for clients.

1:52

We're seeing a lot going on

1:54

that will, will and are

1:57

driving trends for OCR activity.

2:00

So let's jump right in , uh, to our

2:02

first topic, which

2:04

is enforcement drivers, the focus

2:06

on federal laws and regulations. So

2:09

the question I have for you first

2:11

, uh, Betsy, is , uh,

2:14

we've seen a flurry of activity recently

2:16

that appears to be setting the stage

2:18

for major changes , uh,

2:21

as it relates to privacy and security,

2:23

such as the , uh, reproductive

2:25

healthcare privacy, HITI

2:29

one, information blocking confidentiality

2:32

of substance abuse , uh,

2:34

and disorder , uh, patient records,

2:37

and even OCR bulletin and guidance

2:39

on the use of ai. Um, and

2:42

now that the HIPAA Audit Review

2:44

survey notice has been , uh, also

2:46

published, what are your

2:48

impressions of this activity and

2:51

how clients can prepare for

2:53

what appears to be big changes coming?

2:58

So , thank

2:58

You, Don , and I'm glad that you were

3:00

able to make it through that laundry list of

3:03

activities .

3:03

I know , and that's only part of it. That's only part

3:05

of it.

3:06

E exactly. And I can't

3:08

tell you how many things have come out since we first

3:11

started planning this podcast. Um,

3:13

so I think first

3:15

I would say , um, to entities

3:18

in the healthcare space , um, get

3:21

your reading glasses out and start

3:23

reviewing all of this material because

3:26

I think it does signal that, as

3:28

you said, Dawn , there are big changes coming

3:30

, um, down the pike.

3:33

Um, and so now is a

3:36

good time to, for organizations

3:38

to assess where they are , um,

3:41

and start

3:43

looking at some of these materials

3:46

that have come out. For example, the

3:48

, um, um, uh,

3:52

practice , uh, I'm sorry, the cybersecurity

3:54

performance goals , um, you

3:58

know, is a nice little checklist, easy

4:01

checklist to see where your organization

4:03

is. As far as best practices , uh,

4:06

for cybersecurity , um, I

4:08

would suggest continuing to read , um,

4:12

the resolution agreements that OCR

4:14

puts out , um, because those

4:17

are always a good checklist to

4:19

make sure that you are keeping up

4:21

with OCR R'S expectations,

4:24

especially in the cybersecurity space,

4:26

but also , um, with privacy generally.

4:31

You know, I would also suggest if you

4:33

haven't already take a look at your

4:36

organization's use of tracking technology

4:39

, um, there is some

4:41

litigation pending in Texas about

4:43

, um, ocr um,

4:47

bulletin or guidance

4:49

or proposed rule , depending on

4:52

your perspective regarding tracking technology.

4:54

But I think that issue will be around

4:56

, um, for a while and we're

4:59

seeing, you know, private litigation , um,

5:02

over that. So , um, again,

5:04

really get your reading glasses out and, you

5:07

know , um, start

5:10

reviewing , um, what the

5:13

agencies have been publishing because I think

5:18

they don't publish this material , um,

5:21

without a purpose. Um, and

5:23

so , and I think it's now harder for organizations to

5:26

say we did not know what to do if

5:28

something happens.

5:29

And I think we're also seeing a lot of these all

5:32

commingle too, with what we're reading,

5:34

at least in some of the final rules and the notice

5:37

of proposed rulemaking. So that's

5:40

another reason. Back to your point

5:42

of get out your reading glasses, <laugh> . Yeah ,

5:46

And I think this is Gina Bertini

5:48

. Um, I think we're going to see, you

5:50

know, to your point, Betsy, and I know we were discussing

5:52

this offline, you know, boy, we're

5:55

gonna need OCR to take a vacation so

5:57

we can catch up <laugh> . You know, and,

6:00

and really it feels that way. Um, the

6:02

concept paper that HHS

6:05

released, you know, you mentioned the CPGs,

6:07

which came outta that concept paper that

6:09

was released in Decem or the , uh, concept paper itself

6:11

was released in December. Also mentioned

6:14

updates to the security rule potentially

6:17

in this spring, which we know , um,

6:19

you know , we haven't seen in years. And I would just say

6:22

in tr to tack onto what you said in terms of

6:24

sort of all this content that

6:26

we're seeing, you know, both sort

6:28

of two major trends emerge. And Dawn , I know you'll

6:30

get into this in in a question, but sort of

6:33

the cyber cybersecurity trend , you know, focus

6:35

on cybersecurity, right ? As well as a

6:37

focus on sensitive records. And

6:40

you mentioned, you know, the substance use

6:42

disorder , um, update to part

6:44

two to align it with hipaa. We've

6:46

also got the reproductive healthcare proposed

6:49

rule pending, and it does seem that in

6:51

particular as we head into an election, you

6:53

know, the Biden administration's incredibly focused

6:56

on protecting sensitive records as

6:58

well as focusing on on security.

7:01

Yeah , I would agree. Betsy,

7:06

any other thoughts around

7:09

that? Oh, I know one. Um, so the

7:11

other thing we haven't touched on yet is the

7:14

fact that they just announced , uh, or

7:16

they just published , um, HHS just

7:18

published their annual report to Congress on

7:20

breaches. Um, so that's another

7:23

interesting thing to focus on.

7:26

Um, not directly related to , uh,

7:29

the regulations as far as changes,

7:32

but I think there's some good insights

7:34

in that in their direction and what

7:37

they're seeing. What are your thoughts on that?

7:39

I thank

7:41

you for pointing that out, Dawn , be because I

7:44

think , um, those reports are helpful

7:47

in addition to the points you raised . They're

7:50

helpful for educating people about

7:52

the process that OOCR

7:55

goes through when it investigates , um,

7:58

either a report of a large breach or

8:00

a complaint , um, or , um,

8:04

it's compliance reviews. So I think

8:07

it , it's helpful background information

8:09

for those who are not that

8:11

familiar , um, with the OCR process.

8:14

And I think it , um, ties

8:18

into something I think that we may get to a little bit

8:20

later about , um, preparing to tell

8:22

your story, <laugh> , right? Um , so

8:24

sorry for that , uh, um, foreshadowing

8:27

, um, you know, but

8:29

I think that's helpful

8:31

information , um, in

8:34

there. Um, and again, it's also

8:36

helpful to see, you know, in

8:39

a relatively condensed view where OCR

8:41

is seeing the most activity, the types of breaches

8:43

, um, and also shortcomings

8:46

they may be seeing in certain

8:49

organizations. Um, and again,

8:51

that's a roadmap for organizations

8:54

, um, to , um, use

8:56

to make sure they're implementing

8:59

best practices. Yeah.

9:00

Especially since we see such a huge

9:02

focus on the resolution

9:05

agreements and the corrective action

9:07

plans. And I think what people lose sight

9:09

of is all the other stuff

9:12

that OCR is investigating

9:14

that may not rise to, to that

9:17

, uh, level and keep

9:19

being able to keep that in mind. Um,

9:22

when you're looking at your privacy or

9:24

your security program is , I always

9:27

say, you know, you can learn from others unfortunate

9:30

circumstances , uh, when it

9:32

comes to look , uh, improving

9:36

on and maturing your own program as

9:38

a , uh, covered entity or a business associate

9:40

for that matter.

9:43

Absolutely. So,

9:46

and then one other , um, development

9:50

, um, or

9:53

resource folks might wanna consider is

9:55

, um, the A HLA Health

9:57

Information and Technology Practice group is

10:00

going to be publishing an

10:02

update to our , um,

10:05

online enforcement tracker. Mm-Hmm. <affirmative>

10:07

, um, should be coming

10:09

out soon, <laugh> through , um, the end

10:11

of 2023. And then we'll be updating it again

10:14

this year , um, thanks to Gina

10:16

and her folks. Um, and

10:19

it's a great, that's

10:20

Kind of a perfect segue into our next topic,

10:23

actually, which is the enforcement trends

10:25

and the work that the , uh,

10:28

the HIT practice group has

10:30

done. So , um, you know,

10:32

as a privacy officer, I always found

10:34

it valuable to monitor the enforcement

10:37

and regulatory trends, as I said,

10:39

to learn from others. And

10:41

that's not just their

10:44

unfortunate circumstances, but it's also,

10:46

you can, you can glean best practices

10:49

from that to understand where

10:51

to focus time and resources,

10:53

which are usually very valuable. Um,

10:56

you both have been very engaged with

10:58

the A HLA Health and Information

11:00

Technology practice group and the development

11:02

of the tracker , um, for the enforcement

11:05

trends. Can you give us a quick preview of

11:07

that and the work that you've done and

11:09

are continuing to do and how

11:11

that can benefit clients, especially

11:14

based on some of the recent enforcement actions?

11:18

Sure. Yeah, this is Gina. I'll go into that. Thank

11:20

you, Dawn . Um, well, and I have the

11:22

privilege of being a member of this committee and

11:24

just am really loving working with

11:27

Betsy and Adam Green and others on the

11:29

committee. So I just wanna , you know, honestly, I

11:31

wanna thank the HLA for the opportunity because it's

11:33

really enhanced. Um, I

11:35

think it's enhanced my connection to other practitioners

11:38

in this area. Um, it's a fascinating,

11:40

and as , as we've been talking about, really evolving area,

11:43

the trackers, just so folks know if they're

11:45

not familiar with them, are really useful

11:48

tools that the H-L-A-A-H-L-A

11:50

produces. Um, we

11:52

release them, you know, multiple

11:55

times a year , um, three to four times

11:57

a year, just depending on the year and the level of

11:59

activity. But it's, it's more than an annual

12:02

update. And the trackers, there

12:04

are four of them. So there's the criminal tracker,

12:06

which focuses on any , um, data

12:08

privacy and in particular in the HIPAA space

12:10

activities , um, that are criminal

12:12

enforcement actions. And then of course, OCR

12:15

resolution agreements is another tracker. There's

12:18

an FTC tracker, so tracking FTC

12:20

, um, agree settlements or

12:22

enforcement activity. And of course, we

12:24

saw quite a, a few in 2023 relative

12:27

to previous years under FTCs

12:29

Health Breach Enforcement , um, noti

12:32

or Health Breach Notification Rule, as

12:34

well as , um, consumer fraud protection

12:37

laws. And , um, that FTC

12:39

enforces. And then the last tracker

12:42

is the state AG settlements, and we're

12:44

also seeing just a tremendous amount of activity there. So

12:47

those trackers, that's a hard

12:48

One to track. That's a hard one to track, I

12:50

imagine , you know,

12:51

Experie Yeah . Tell me about it . My experience ,

12:52

My own experience. Yeah . Trying to make

12:55

, trying to track all that, because

12:57

there are so many different sources there.

13:00

That's right. And that is one I almost feel like

13:02

it, the , the , it takes a village sort of comment

13:05

applies because, you know , I'll, I'll

13:07

get emails from Betsy or Adam or others

13:09

saying, oh, there's this ag activity, and of course we

13:11

have some formal search processes

13:14

in place and some great associate

13:16

attorneys who are working on that. But you're right, it takes

13:19

quite a, a bit to really make sure

13:21

that you're, you're , um, getting the full landscape

13:23

nationally, and we've

13:26

seen, you know, increased activity

13:28

by state ags , um, in

13:30

data in general, you know, data privacy,

13:33

including in the healthcare space. Yeah

13:36

. Um, in terms of what we're seeing, Dawn

13:38

, you know, I think I'll focus a bit on the

13:40

OCR resolution agreements because

13:42

, um, we are seeing some

13:45

of the , um, continuing trend

13:47

that we had seen in particular with the

13:49

right of access cases. Um, there

13:51

was a right of access case that I believe was

13:53

about the 46th HIPA

13:56

right, of access case, and that was the end

13:58

of 2023. And just

14:00

for our listeners, in case they're not

14:03

tuned in , um, the right of

14:05

access initiative was , um,

14:07

really sort of formally implemented by OCRA

14:09

few years ago. Obviously, there's always been the

14:12

right of access under hipaa , um,

14:14

that allows , uh, patients to designate

14:16

third parties to receive their, their

14:19

protected health information. And

14:21

of course, they can make complaints. But

14:24

a couple of years ago, OCR really

14:27

began a , uh, a concentrated

14:29

effort in enforcing right

14:32

of access complaints, and we saw

14:34

a flurry of activity in, you know, 2021,

14:37

I believe it was 2022, and

14:39

then that sort of tapered off in 2023.

14:42

We did see the 46th one at

14:44

the end of the year. Um, but what we've

14:46

also seen , um, is a

14:48

couple of, I think, you know, fairly momentous

14:52

resolution agreements. Oh, yeah, yeah

14:54

. Including, you know, OCR, even acknowledging

14:56

the first and the second ransomware

15:00

related , um, resolution agreement . So

15:02

one involved doctors' management

15:04

services and , uh, that was late

15:06

last year, which involved

15:09

ransomware, that encrypted files, there

15:11

were about 200,000 affected individuals

15:14

that resulted in a $100,000

15:16

settlement and a three year corrective

15:18

action plan. And then the

15:21

other one , um, the

15:23

second ever ransomware attack we

15:25

just saw just in

15:27

this, this month in February, involving

15:29

greenridge Behavioral Health, that's another

15:32

ransomware attack. That one

15:34

affected 14,000 individuals , um,

15:37

and , uh, involved a network

15:39

server that had been infected and then patient

15:42

sensitive patient records , um, that had

15:44

been locked down encrypted through malware,

15:47

and that involved a $40,000

15:49

settlement. Also, a three year corrective action

15:52

plan. And what I'll comment there, you

15:54

know, 'cause folks can go in and read, read the

15:56

details, right? A couple of , of

15:58

, uh, what what I'm seeing , um,

16:02

in terms of trending, you know, and what

16:04

OCR is really focusing on are

16:06

the, the failures that

16:09

occurred leading up to those

16:11

ransomware attacks. So the lack of

16:13

a risk analysis, right? The lack

16:15

of a , you know, implementing a risk management

16:17

plan, the lack of policies and

16:20

procedures, lack of audits going

16:22

in and looking at your activity and

16:25

lack of workforce training are sort of the, the

16:27

four or five things off the top of my head

16:29

that we're seeing repeatedly, I

16:31

think in, in both comments by OCR

16:33

as well as in their, their settlements, and then in

16:36

where they're focusing in terms of the corrective action

16:38

plan. You know, Betsy, you mentioned

16:40

something I think really important that

16:43

our listeners and , and our, their , our

16:45

clients really need to pay attention to, which is, boy,

16:47

those corrective action plans are helpful,

16:49

right? If you go in and you read them and

16:52

you read what OCR is telling these entities

16:54

to do in the wake of a ransomware

16:56

attack step by step , that gives

16:58

you a sense of what you ought to be focusing on

17:01

now. So, and, and I always tell my

17:03

clients, you know, it's not whether you'll have

17:05

a breach, it's, it's when, and

17:08

I hope the same isn't true of ransomware, but

17:10

sure , it sure seems like it could be. Right. We've seen

17:13

a, the OCR says about a 260%

17:16

increase in ransomware in the last

17:18

five years. So it is a,

17:21

a very important focus for OCR

17:23

and, you know, I think our clients are well served

17:26

to, to understand , um,

17:28

what they need to be doing now to mid , not

17:30

only to mitigate the risk , right, and detect if and when

17:32

it happens, but mitigate then the

17:34

, uh, enforcement, right? The

17:36

,

17:37

Because I think I see, I see that a lot sometimes

17:39

too. You mentioned the risk analysis being

17:41

a big component of that, and, you

17:44

know, oftentimes organizations

17:47

think that it's a one and done and they don't

17:49

realize, and OCR has spoken on

17:51

this many times about, you

17:53

know, an accurate and thorough enterprise

17:56

wide risk analysis of all of your

17:58

EPHI. And so it's

18:01

an ongoing process, and that's, you know,

18:03

one of the things we advise our clients on

18:06

is it's not a one and done . We're

18:08

here to help and keep that as

18:10

an ongoing process. So as you bring

18:12

on new systems, applications, you

18:15

know, you're doing a thorough risk analysis

18:17

of those. Yeah . And with sun setting

18:19

those too. So,

18:20

Yeah. And Dawn , in fact, one of the, it

18:23

was either LaForce or doctors management,

18:26

those are the two ransomware, and I believe one

18:28

of them referenced the importance of

18:30

consistently monitoring and managing.

18:33

And so, to your point, you may do

18:35

a risk assessment or risk analysis,

18:38

but as your systems grow and change,

18:40

you need to go back in and do it again.

18:43

Right, right.

18:44

Yeah . And I think it's

18:49

probably not a coincidence that recently

18:51

NIST released guidance on

18:54

, um, implementing the HIPAA

18:56

security role . It's , um, NIST

18:58

special publication 800 dash

19:01

66 for those. Um , another

19:03

Good catch, you know ,

19:04

<laugh> , we wanna look it up for our

19:06

List,

19:07

And it was with , um, I believe OCR

19:09

partnered with NIST on that guidance

19:12

document. So again, that's another

19:14

resource that's available to help those organizations

19:16

that perhaps have not fully , um,

19:19

developed , um, they're

19:22

, um, their , um, security compliance program

19:24

or just want to do

19:26

a gut check to make sure

19:28

they're implementing , um, right . All

19:31

of the security requirements appropriately.

19:33

It's a great list of, it's a great list of questions if

19:36

you read through that Yeah . With each of the requirements.

19:38

So it does, as you said, Betsy,

19:41

it , it, it really helps focus.

19:44

And I, one other point, I know

19:47

historically the

19:50

, um, resolution OCR

19:52

has looked at , um, compliance

19:55

with privacy and the security rule as a

19:58

data privacy , um,

20:02

or from the lens of the

20:04

data and whether it's remaining

20:07

confidential, the integrity there, and

20:10

it's also available, I think we're

20:12

seeing a

20:15

greater understanding that, you

20:18

know, if there's a ransomware attack or

20:20

some other cyber event, it's

20:22

not just a data issue or

20:25

a patient privacy issue, it's a patient

20:27

safety issue, potentially it's

20:30

a , uh, revenue issue

20:32

for the organization. Um, and

20:35

I think, you know, there's , um,

20:38

a rather large incident occurring

20:41

now that's been in the news a lot , um,

20:44

you know, with change Healthcare. And I

20:46

think it showing that, you

20:48

know, that this is,

20:51

if you have a large cyber incident,

20:54

you know, it's a multifaceted incident

20:56

and you need a whole of organization

20:58

response. And I think OCR now seems

21:03

to be looking at , um,

21:05

these incidents more holistically too.

21:08

And that brings up, oh , sorry,

21:10

Gina, did you No, I was just gonna say, Betsy, I

21:12

think that's a great point there. There's a

21:14

, the Hospital Cyber Resiliency

21:16

Initiative, which was a sort of a joint,

21:18

you know, study and report issued by

21:21

HHS and CMS and others,

21:23

and they really focused on that

21:25

point that , um, these,

21:27

these cyber attacks are,

21:30

are patient safety issues. And

21:33

there's a , a tagline, and it was, you

21:35

know, something like data safety is patient safety.

21:37

It's not exactly that. But I think that's a really

21:39

great point as well, that as we, we

21:42

continue to evolve into this era of

21:44

really very , um, uh,

21:47

significant cybersecurity events

21:50

that we will see a greater

21:53

risk to patient safety. Yeah

21:55

. Um, so that's a great point. I, and

21:57

I wanted to clarify, sorry if I could, because

21:59

I misspoke earlier, the , the two ransomware

22:02

, um, settlement agreements, just

22:04

in case folks are tracking it's doctor's management

22:07

in Greenridge, and then , then

22:09

laforge actually is the first phishing

22:12

phishing , right? Yeah. Phishing, which, you know, Betsy, Don

22:14

we've talked about previously, which is , um,

22:16

was a settlement , um, that OCR

22:19

entered into with laforge Medical Group,

22:22

where there was actually, you

22:24

know, the threat actor entered through the phishing

22:26

scheme through email, which of course is

22:28

another concern of ocr.

22:30

So , and I think , oh , I'm sorry, Dawn . I

22:32

was just going mention briefly a

22:34

couple other , um, themes

22:37

that we've seen this year in the

22:39

resolution agreements are, I

22:42

would say what's old is

22:44

new again , um, <laugh> , for example

22:46

, um, the St . Joseph's

22:48

Medical Center case where there

22:51

was the impermissible disclosure of PHI

22:53

to the media. Oh, right,

22:55

yeah . During the , um,

22:58

early days of Covid when, you

23:00

know, film crews were coming in to

23:03

show, you know, the tremendous

23:06

strain on hospitals and the heroic

23:08

work that healthcare workers

23:10

were doing. Um, and , um,

23:13

you know, proper authorizations

23:16

may not have been obtained, you know, so we've

23:18

seen those types of , um, situations

23:22

occur every so often over the years.

23:25

Um, and , um, then

23:28

also , um, healthcare providers

23:30

responding to online reviews , um,

23:33

and , um, not

23:37

realizing perhaps that by responding

23:40

they are inappropriately disclosing

23:42

PHI. And so , um, you

23:45

know, I, it seems every couple

23:47

years OCR has a

23:50

settlement, you know, involving

23:52

one or more <laugh> of those , um, topics.

23:55

So I think, you know, those are not

23:57

, um, you

23:59

know, cyber incidents, but still things

24:01

to keep in mind. Um,

24:04

And Betsy, as, as the, our health

24:06

system continues to evolve and we

24:08

see more sort of, you know, non-traditional

24:11

healthcare providers in the telemedicine

24:13

space, which then moves,

24:16

affects our more traditional healthcare providers who need

24:18

to keep up and compete. You know, we

24:21

are seeing these kinds of issues

24:23

like responses to comments and the

24:25

desire to post patient reviews

24:28

is a pretty significant issue,

24:30

and I think will continue to be, you know, in terms

24:32

of, of it being needed for

24:35

competitive purposes. But then this

24:37

question of, well, how do we handle it in

24:39

terms of, you know, compliance, right ? So it's

24:41

a great, great one to bring up.

24:44

And Betsy, you brought up a good comment that

24:46

takes us into another question, which is as

24:49

far as, you know, trends related

24:51

to business associates. And what

24:54

would you recommend to those organizations

24:57

to be more rigorous and thorough

24:59

in their programs that they've implemented,

25:02

especially when it comes to business

25:04

associates or third parties, vendors?

25:08

And you brought up a perfect example

25:11

of what we're seeing with the , uh, change healthcare

25:13

, uh, situation right now. Um,

25:17

what are your thoughts on, on

25:19

that topic?

25:21

Well, I would say what you just said,

25:23

Dawn , to be more rigorous and thorough. Um,

25:27

but as we know, you know, there

25:29

are only so many hours in a day and

25:32

so many resources to do that. So I think

25:34

it's important for

25:36

organizations to prioritize

25:39

, um, their

25:42

business , business associates , um,

25:44

which means first you have to understand and

25:47

know all of your business

25:49

associates, you know, and who is handling

25:51

your PHI. Um,

25:54

so once you get your arms around that, then

25:56

, um, triaging

26:00

who, which of those

26:03

entities pose the greatest risk to

26:05

your organization, and then devote

26:09

more resources to those organizations

26:12

doing a deeper dive , um,

26:14

when you're vetting those , um, business

26:17

associates, making sure you

26:19

get , um, security questionnaires

26:22

completed , um, exactly . Um,

26:25

and , um, you

26:27

know, vetting them more carefully

26:30

and then periodically revisiting

26:33

them , um, to make sure that

26:36

what they told you when you first contracted

26:38

with them is still the case. Um, you

26:41

know, are they still , um, you

26:43

know, if they have their SOC

26:46

two or if they're high trusts certified,

26:48

you know, is that still the case? You know, have

26:50

they evolved , um, over the

26:52

years? So I think , um, that's

26:55

important to do, but I think it's also important to

26:57

understand that , um, some

27:00

of these large cyber

27:02

incidents that we're seeing are not even

27:05

at the business associate level. They're

27:07

lower down the chain. Um,

27:10

you know, earlier this, no

27:12

, last year <laugh> , it was last year , um,

27:14

with the MoveIt , um, software

27:18

incident that affected , um, a

27:21

number of organizations. Um,

27:24

and it, what we found in

27:26

our experience was it was not , um,

27:29

the covered entity that was necessarily

27:31

using , um, that software,

27:33

but it was, you know, a

27:35

couple subcontractors down the

27:38

chain, you know , and that's

27:40

hard to monitor because you're not obligated

27:43

to go that , uh, far down the

27:45

chain. But I think maybe with those high priority

27:48

business associates there, you may want

27:51

to , um, see

27:54

if they are in what processes

27:58

and procedures they're implementing to

28:00

monitor their subcontractors.

28:02

I would say it goes, it goes beyond the

28:04

days of all you need is a business associate

28:07

agreement, and it really supports

28:09

what we're, what we've been talking about, which

28:12

is having a good vendor or a third party risk

28:14

management program that goes,

28:17

you may not go to that, that, in

28:19

that, that ninth degree subcontractor

28:22

level, but it's about

28:24

informing yourself of what

28:26

those, what those downstream vendors,

28:29

contractors , subcontractors are doing too.

28:33

And we have seen multiple instances

28:35

where, you know, the entry into

28:38

the health system is through the

28:40

vendor account. Mm-Hmm . <affirmative> . And in some instances,

28:43

an outdated vendor account, you

28:45

know , of a vendor, an individual who's

28:47

no longer there, or, you

28:49

know, vendor access rights that should have been , um,

28:52

terminated. And that goes back

28:54

to your right . I think that's a , a great point,

28:56

which is your third party management

28:58

risk management system, or your

29:00

vendor management system. And, and what

29:03

we see OCR talking about as

29:05

it's describing the importance of a risk

29:07

analysis, of course the security rule requires, you

29:10

know, the, the , um, physical

29:12

and the admin , the administrative and

29:15

the security, you know, analysis , um, yeah,

29:17

the technical piece , right. But , um,

29:20

we're also, you know, we're also seeing them focusing

29:22

on looking at your , um,

29:24

relationships with your third parties, your business

29:27

associates, as Betsy just said, and, and assessing

29:29

those and inventorying them and

29:31

understanding the risk , uh, there

29:34

and managing that risk.

29:35

So let me ask this, you know, many of

29:37

the recent enforcement actions, you

29:40

know, some of those, when you start reading through the resolution

29:42

agreements, they date back to like 2015,

29:45

2017, 2019,

29:47

and they're just now being , uh, resolved

29:50

now in 2020, late 2023,

29:52

early 2024. Um, is

29:54

there a perception that organizations are maybe

29:56

penalized based on today's

29:58

cybersecurity landscape versus

30:01

at the actual time of

30:03

the security incident?

30:06

Yeah, that's a really good question, and I'll

30:08

be interested, Betsy, in your thoughts on this. I'm,

30:10

I'm not sure. So I think there

30:13

are a number of threads here that we could pull.

30:15

When we look at, you know, the dates of

30:17

the activity versus OCR's

30:19

enforcement, um, action, which

30:22

in many instances have just occurred in the last

30:24

handful of months. I think one

30:27

contributing factor is OCR's resources.

30:30

And, you know, when you report a breach, how

30:32

long does it take until you get

30:34

an RFI, if you get one from OCR,

30:37

how long does it take to sort of get through that? One

30:39

of the settlements was from May

30:42

of the activity was May

30:44

of 2015, and that's a recent one

30:46

involving Montefiore Medical Center.

30:49

And, um, that one, you

30:51

know, I think involved, um, a

30:54

, a bad actor within the organization

30:57

who is selling PHI. And so

31:00

that I think is somewhat unique. That's,

31:02

you know, called that malicious activity sort

31:04

of resolution.

31:05

Insider threat, yeah.

31:06

Yeah. And insider threat. And I, I just think, you

31:09

know, that's a unique, that's,

31:11

that's fairly egregious behavior

31:13

by, you know, an employee of the health system.

31:16

And it, it went on for some time, you

31:18

know, without being, um, identified.

31:20

And, and it's unfortunate, right, for that health

31:23

system. But I think that that to

31:25

me feels unique. Um, some of the other ones

31:27

that are recent as well involving ransomware,

31:30

you know, certainly, um, there

31:33

is a, a, a

31:35

focus on cybersecurity

31:38

incidents, as we talked about at the beginning of our session,

31:40

you know, that that is , um, peaked

31:42

because of the increase in these

31:45

incidents that are, that are happening, you know, in almost 300%

31:47

increase in five years. Um, we

31:49

just didn't see them before. But

31:52

I, I think that, um, that,

31:55

that it is in part due to

31:58

OCR's lack of resources and,

32:00

and just the timeline there, protracted

32:02

timelines. I think it's also in

32:04

, like I said, you know, the one case is sort of

32:06

an outlier. Betsy, I'm curious your

32:09

thoughts. I, I think that OCR is,

32:12

is focusing on ransomware and cybersecurity,

32:14

and they're going to look carefully at

32:17

what organizations did leading

32:19

up to the attack, and, and

32:21

if they were in a good situation

32:23

to protect themselves, you know, if

32:25

they were taking measures, taking steps to protect themselves

32:28

and where they weren't, they're gonna get hit. I

32:30

think that's the reality.

32:34

I, I agree with what you say, Gina,

32:36

about the focus on ransomware

32:38

and other, other cyber threats leading

32:41

to, um, data breaches.

32:43

Um, and OCR focusing on that. I

32:47

think there may

32:49

be some, um,

32:54

I, I don't know that it, there

33:00

may be some, um, justification

33:04

for thinking that

33:07

if I had an event in

33:09

2015 and, and say

33:12

it was a ransomware event because

33:14

they were occurring back then, they just weren't as

33:16

prevalent. We, um, right. They

33:19

were not as well, um, publicized

33:21

, um, depending

33:24

on how long it takes for the investigation

33:26

to occur. Right? If, if someone's

33:29

investigating it in

33:32

2019,

33:34

2020, 2021, the landscape has shifted

33:38

significantly, say, in that five

33:40

or six year span. So it may

33:42

be a case of, um,

33:45

you know, hindsight is always 20/20. And

33:48

so without intending

33:51

to impose say, 2021

33:53

standards, you know, on what happened

33:56

in 2015, that

33:58

may unconsciously, you

34:01

know, happen, um, y

34:04

you know, but again, it's hard to remember. I

34:06

, yeah, 2015 seems to, I know

34:09

<laugh>,

34:09

But I think what you're saying, in fact, I think what

34:11

you're saying is we're looking at what happened

34:14

several years ago through the lens of what we

34:16

know today, right? And we've seen

34:18

how much these attacks have

34:20

increased in terms of affected individuals

34:23

and, you know, the percentage of them being reported.

34:26

Um, so that's a, and I don't know how

34:28

you can, though I don't, you know, I'm not

34:30

sure how you can't look at these

34:32

attacks through the lens of today. What I do know

34:34

is not every ransomware attack results

34:37

in a resolution agreement.

34:39

Right. That's a good point. 'cause that was my next question

34:42

I was gonna ask is, you know, how

34:44

does that correlate to the breaches that were

34:46

resolved through technical assistance? You know, could

34:49

enforcement be based on how the ransomware

34:51

occurred, meaning how the bad actor was let

34:53

in and, or how the organization

34:56

responded? Thoughts

34:58

on that?

34:59

I think how the organization responded

35:03

makes a big difference

35:05

, um, in the investigation

35:07

process. Um, I think OCR

35:10

has always said they do

35:12

not expect perfection, um,

35:15

in complying with, um, the

35:18

privacy rule or, um,

35:20

the security rule. They understand that things

35:22

are going to happen, but it's

35:24

really, I think, how the organization responds.

35:28

Well, one, can the organization

35:30

detect that something has

35:33

happened, and then once it detects what happened,

35:36

how are they responding? So I think

35:38

those organizations that have in place

35:40

, um, you

35:43

know, policies and procedures around reporting

35:45

, um, if you see

35:47

something that's wrong, and then understanding

35:51

the chain of command to implement

35:53

your incident response plan, um,

35:56

your business continuity plan if needed,

35:59

and then documenting everything

36:01

that you're doing, because when

36:04

it comes time

36:06

, uh, you know, to respond

36:08

to a request for information from OCR

36:10

, um, they

36:14

want to see the documents that you, it's

36:16

not enough for you to tell OCR what

36:18

you have done. Um, but

36:21

also to be able to show OCR

36:23

what you've done, to have the policies, the

36:26

procedures, um, and to be able, um,

36:29

as we've talked about before, to tell your story,

36:32

you know, in a way, um, you

36:35

know, that makes sense and is supported

36:37

, um, by, um,

36:40

your policies, procedures, and the

36:42

steps you took to address

36:44

the situation when it arose. So,

36:47

Gina, do you have some thought? Yeah,

36:48

Thank you. I was just gonna say, Dawn, if I

36:51

could add to that, 'cause I know <crosstalk> Oh, definitely. Go

36:53

ahead. Time and content. But one

36:55

thing I will say, and I, Betsy, I,

36:57

I agree wholeheartedly with everything you said, and,

36:59

and this is a message really to,

37:01

I think, you know, healthcare entities that may

37:04

be dealing with an attack or will in the future. And

37:06

in particular to executive leadership, the

37:08

, the role of, you

37:11

know, the , the approach of transparency is

37:13

really a key here. Um,

37:15

so really approaching how

37:18

you report, um,

37:21

and message, tell your story. As you just

37:23

said, Betsy, um, a ransomware

37:25

attack to federal and state regulators

37:29

is really different than

37:31

an approach you take in defending

37:34

a lawsuit, for example. Right? And

37:36

I appreciate that many of these are turning

37:38

into class action lawsuits, and that

37:41

might be a topic for another day, because that's,

37:43

you know, that's a whole nother a whole different subject, but

37:47

they're not different subject, it's related, but it's, it

37:49

really is a can of worms. But what

37:51

I will say is, I've, I've had to work

37:53

with executives in dealing with breaches

37:56

and how to handle with federal and state regulators quite

37:58

a bit to help them understand that we

38:00

really wanna be able to tell our story

38:03

and, you know, and put our organization the best possible

38:05

light. That means taking steps

38:07

to mitigate immediately, even before

38:10

we hear from those regulators, even before we've

38:12

reported, so that once we report and

38:14

we answer all the questions that you have to answer

38:17

in the OCR portal, and then we get

38:19

the RFI, if we do, which we're

38:21

likely to, you know , we can answer those

38:23

questions in the best possible way

38:25

to say, these are the steps we've taken to

38:28

address, you know, to initially mitigate

38:30

the, the risk and the breach, and then

38:32

address the, the source of the risk

38:35

or the breach, and then, you

38:37

know, take steps to prevent this from occurring

38:39

again in the future. And when we can tell

38:41

that story in a way that demonstrates

38:44

that we recognize the importance

38:46

of compliance, the risk to patient safety,

38:48

as you said, Betsy, not just to data

38:51

that really is meaningful to the, to

38:53

the state regulators and the federal regulators, and to

38:55

your point, they, they don't expect,

38:58

you know, that you'll be perfect or

39:00

that you won't have a breach. The question is when,

39:02

and so this idea of transparency,

39:05

and I know it's a fine line, but

39:07

it really takes, I think, working

39:09

with the team that has,

39:11

has been through the trenches with, with, in

39:14

particular with OCR before, to, to

39:16

help you understand that some

39:18

level, this level of transparency that may feel

39:20

uncomfortable, for example, in a litigation environment,

39:23

is really important to, to demonstrate

39:26

to OCR that you know what you're doing and

39:28

to avoid potential, you know, significant

39:31

penalties. Um, so that's one takeaway

39:34

I would say, or one message I would give to

39:36

our healthcare clients is, is really

39:38

, um, thinking about that, that

39:40

story that you're telling and how to put yourself in the best

39:42

possible light.

39:43

And Gina, you brought up a good point about, uh,

39:46

involving leadership. So, you

39:48

know, with the organization's competing

39:51

challenges for resources and funding and

39:53

trying to either implement or update

39:55

those existing programs, um,

39:58

how would you recommend privacy and

40:00

security officers educate

40:02

leadership and the workforce to that

40:05

extent on the importance of, or

40:07

the impact that these types of

40:09

things have on the organization, such as

40:11

patient safety, interoperability, and

40:14

information blocking, you know, and

40:16

how, how do they balance all of those?

40:18

Oh, that is a, a great question lot.

40:20

It's a loaded question. Yeah, it's

40:21

A lot. It's a loaded question. Yeah. Because, and as you throw

40:23

in, and I'm so glad you brought up interoperability

40:26

and information blocking, because one

40:29

of the things we're talking a lot about within,

40:31

you know, those of us who practice in this area is

40:33

this balance of, you know, the , the government

40:36

really wanting health systems to

40:38

implement the systems that will facilitate

40:41

, um, complete interoperability,

40:44

and in fact, mandating that, right? Mandating

40:46

that through CMS's promoting interoperability

40:48

program and through ONC certified

40:51

, you know, health IT and requiring

40:53

the use of that and all of that, and then the information blocking

40:55

rule, right? So there's all these things where the government's

40:57

saying, you need to make your data open

41:00

and available where it's otherwise permissible

41:02

under HIPAA or other federal state laws.

41:04

That's great, but it also increases

41:07

the vulnerability of the organization. So

41:09

to your question of how do you educate

41:12

leadership, I think it's,

41:14

it's really important, you know, one, I

41:16

I, I think sometimes the fear tactics

41:18

work. And so pulling

41:21

out these OCR resolution agreements,

41:23

you know, the, the one, um, I'm

41:26

trying to remember which one was just

41:28

4.75

41:30

million, um, one of the recent settlement

41:33

OCR resolution agreements and, you

41:35

know, and then, and any number of hundreds

41:37

of thousands of dollars that they range from,

41:40

I think pulling those out and showing your leadership

41:42

the impact, but there's also this

41:44

, um, element of trust, right? That

41:47

it, it, so the, the PR, you

41:49

know, and, and what, what you don't wanna

41:51

see on the headlines of the morning news is that your,

41:54

your health system has suffered a major breach.

41:56

That's all really important, but what does that really

41:59

mean for trust, patient trust? And

42:01

so some of these pretty egregious

42:03

cases that have settled recently, you know, involved

42:05

very sensitive records and entire medical

42:08

records that were shut down. So I think

42:10

helping leadership understand

42:12

the monetary risks, the,

42:15

the reputational and trust

42:17

risks, and then the really

42:19

concrete steps that you can take to

42:22

mitigate those risks. It doesn't mean you will, you

42:24

will rid them forever, but

42:26

you can mitigate them. And then as

42:28

we've been talking this whole time, demonstrating

42:31

that you took those steps before

42:33

the breach happens, which will then mitigate

42:36

any penalties with, with the Office for Civil Rights.

42:40

Betsy, how about, I, I know, what do you think? I

42:42

know we're short on time, but I think it's a great question of,

42:45

you know, how do we, how do our

42:47

clients educate leadership to

42:50

make sure that organizations are in a

42:52

good position when these things occur or

42:54

in the best position they can be anyway?

42:56

Well, and I think you

42:59

bring up a good point, Gina.

43:02

Um, and this also ties back to what we were talking

43:04

about before the, um, the

43:07

reports that OCR recently

43:09

released, um, about their activities

43:11

in 2022. Um,

43:14

and one of the comments in there, um,

43:17

that OCR made

43:19

was about the length of time it

43:22

takes to, um, conduct

43:24

an investigation and how that timeframe

43:27

has gotten longer now because of

43:29

a change in the HITECH Act in

43:31

2021, where now OCR

43:34

is, um, required

43:38

to consider whether an organization

43:40

has implemented recognized security practices

43:43

in the 12 months before

43:46

the incident. Um, that's

43:48

being reported to OCR. And

43:50

so I think this

43:54

ties in with your point about educating

43:56

leadership about , um, the

43:58

importance of, you know , having

44:01

in place policies and procedures.

44:04

And to your point about transparency,

44:08

you get rewarded with OCR if

44:10

you can demonstrate, you know, that you

44:13

invested in these recognized security practices,

44:15

had them in place, um, and

44:18

, um, you know, can document

44:21

that you had these security

44:23

practices in place. Um, you

44:27

know, and it benefits you, um,

44:30

in the OCR investigation. And, um,

44:32

obviously you would be encouraged to disclose

44:35

that information, um, to

44:37

OCR. Um, so I

44:39

, um, but again,

44:41

that also means that you would

44:43

have conducted a risk analysis and implemented

44:46

a risk management plan to address

44:49

the threats that you've identified. So

44:51

it all really sort of comes full

44:53

circle, I think. Um,

44:57

And also I think another, um, key

44:59

, uh, thing that you can leverage, and it, this

45:01

doesn't apply to all entities, but

45:03

to certain entities is the, um,

45:06

the cyber, uh, the reporting

45:08

, um, uh, to the SEC

45:11

in your filings. Uh, so

45:13

if you know you're an organization that falls

45:16

into that category for compliance, that

45:18

can be another driver too that, that can

45:20

really push that message up to leadership

45:22

, um, where they may directly

45:25

be impacted.

45:27

That's an excellent point. And we just saw

45:29

that with Change Healthcare, you know, that breach occurred

45:32

within less than a week, I think, before

45:34

the recording of this podcast. And within

45:36

days they reported to the SEC

45:38

, right? Yeah. Just a high-level report of what they

45:40

know, and they don't, it sounds like they don't know a lot yet,

45:42

but that's a great point. And that ought

45:45

to get, you know, in an organization that's

45:47

required to report to file those 10-Ks,

45:50

you know, that ought to get leadership's attention, right? Yeah.

45:53

All right. So I really wanna thank you both, uh,

45:56

for your, your excellent insights

45:58

and you know, we've had many conversations

46:00

not just today, so I've really enjoyed our conversations,

46:03

but before we end the podcast, do

46:06

, uh, I'm gonna give you each an opportunity

46:08

for some final thoughts or takeaways that

46:10

you have for our listeners. So we'll go Betsy

46:12

first with you, uh, for some final

46:14

thoughts,

46:19

Document the good work that you are doing

46:21

within your organization, um,

46:24

so to protect

46:27

not just patient data, but patient safety.

46:29

So you are ready to tell your story,

46:33

not if, but when you need to do

46:35

so.

46:36

Okay, Gina, how about you?

46:38

Yeah, I'll say, um, and I'm actually

46:40

gonna steal from, uh,

46:43

some comments that our OCR director

46:45

made, uh, in relation to a recent

46:47

, uh, resolution agreement that

46:49

, um, organizations should regularly

46:52

review risks, regularly,

46:54

review policies, and update them and

46:57

do that enterprise-wide. And as

46:59

your systems change and

47:01

, uh, grow, re-review

47:04

those risks. So, redo your risk assessment, look

47:06

at your risk management plan, look at your policies,

47:08

and train your workforce.

47:10

Big one. Yeah. All right. Thank

47:13

you both very much. And I also wanna thank our

47:15

audience for listening today, and we hope that you have

47:17

a great day.

47:25

Thank you for listening. If you enjoyed

47:27

this episode, be sure to subscribe

47:29

to AHLA Speaking of Health Law wherever

47:32

you get your podcasts. To

47:34

learn more about AHLA and the educational

47:37

resources available to the health law community,

47:39

visit americanhealthlaw.org.
