I just reviewed two articles that talked about fines against providers for allegedly illegal behavior related to HIPAA and to the False Claims Act. I also just read an exchange of opinions and information on my state psychological association listserv about a Microsoft cloud service product and whether it is HIPAA compliant. As we deal with our customers on a day-to-day basis, I am amazed at the variation in responses to a possible breach of the law. Some state things like, “Oh HIPAA. I’m not worried about that stuff.” Others indicate opinions such as, “I would never use a Cloud backup program. It cannot possibly be secure!”
The HIPAA article was in an Open Minds newsletter and focused on the money-making potential of HIPAA. The gist of the article is that 2015 is expected to be a very big year for fines for breach of HIPAA requirements. The cases in OCR’s pipeline, as well as the plan for HIPAA audits of providers, insurers and clearinghouses, are likely to produce record fines. The advice in the article was similar to the advice given by one of the participants in the listserv discussion mentioned above: complete a comprehensive risk assessment for your organization. There are many tools and much guidance available on the CMS web site; the Indian Health Service also has a checklist for what should be in that risk assessment.
The second article I read this morning was about the False Claims Act and how it relates to certain aspects of the Affordable Care Act. The article discusses a Department of Justice and New York Attorney General’s lawsuit against a healthcare organization accused of failing to return Medicaid overpayments the organization allegedly had knowledge of. Apparently, ACA requires return of overpayments by government payers within 60 days of the provider’s awareness that such an overpayment was received. Additionally, the lawsuit is seeking to apply the False Claims Act to this failure to refund. If it is successful, the organization in question could owe treble damages along with the overpayments! That could be lots of money. Large provider organizations are carefully watching this lawsuit as the outcome could have profound and expensive effects on the industry. It could also save us taxpayers lots of money.
Given the wide range of opinions on laws and what they really require of us that we hear every day, I wonder what motivates your organization to get things right. Is it the threat of a fine that could put you out of business? Is it a threat to your license that could keep you from practicing your profession? Is it simply that we owe it to our patients to protect their information? Do you really not worry about such things? What motivates you to meet the requirements of the law? How does that relate to how you provide care?
Please share your comments below.
Seth says:
Although a bit off the main topic, I want to react to the comment about “the cloud” not being secure. I hear remarks like this one frequently. While no computing platform, including “the cloud”, can be 100% guaranteed secure, the real question is, “How secure are these cloud systems by comparison to YOUR OWN system?”
The fact is that data on the servers of the major cloud platforms (Amazon, Microsoft, and Google, for example) is way, way, way, WAY more secure than the same data sitting on a server in your office, if that server is connected to the internet. Just think about it for a moment. Do you have a team of brainiac security engineers configuring, managing, and constantly tuning your router settings, firewall configuration, perimeter anti-virus, anti-malware, and intrusion detection systems? Well, all of those cloud providers do! In fact, I would guess that there are very few small businesses that even have commercial-grade perimeter security gateways between their internal computers and the wild, wild web, much less have them expertly configured.
It is likely that your network is already compromised and you don’t even know it. In addition, it is exceedingly unlikely that you, or most of your consultants, would be able to detect much suspicious behavior by examining your system logs (if you even have them). These top-tier cloud providers have specialized tools that monitor network activity and comb through those logs constantly to detect anomalous behavior. If something looks unusual, these monitoring systems automatically notify the cloud provider’s army of security experts, 24 x 7. Those people can read those logs as easily as you can read psych test results. It’s their job and they do it every day.
In my opinion, the only real reasons to avoid using cloud services for mission-critical purposes are if:
– Your internet service is so slow or so unreliable that use of such services would impair your current workflow, or if…
– The service you want to use will not sign a HIPAA Business Associate Agreement, or if the cost does not make sense for you right now.
Oh, I feel so much better now!