Encryption – Govt. double standard – or not


The medical community is subject to unprecedented governmental requirements to protect the privacy of patient data. The government’s interest in, and incentives for, digital storage and transmission of ePHI are clear, and the encryption safe harbor has pushed the medical community, and thereby its Business Associates, to adopt the strongest encryption available.

On the other hand, the United States government stands firm in its opposition to “strong” encryption.

I believe that there are two competing interests, privacy and security. HIPAA and its associated rules and regulations are firmly grounded in a patient’s right to privacy, so the balance is tipped firmly in favor of privacy. Moreover, the encryption safe harbor is somewhat illusory if encrypted data can be accessed. While the covered entity or business associate may escape fines, it will still have to notify those affected and suffer the reputational loss associated with a breach.

On the other hand, the government must prevent crime, terrorism and other misdeeds, and to that end it opposes “strong” encryption. In the final analysis, however, I do not think the government can push the medical community, and the business community at large, toward impregnable encryption and functionally zero tolerance for breaches of information while at the same time insisting on “back doors” that make encrypted data accessible.

I believe that in the final analysis this is a zero-sum game. If encryption is “strong” enough that governments cannot access it through the service providers, and end-to-end encryption leaves service providers unable to read the information, we will be protecting information like ePHI, sensitive personal financial information, and information that should be private. Conversely, if we give governments the ability to access information, the privacy of law-abiding citizens and the protection of ePHI may be compromised.

The basic arguments are:

Government – we need the ability to monitor information passing through US computer networks. This is the position of Admiral Mike Rogers, director of the NSA.

Counterargument – if the United States has the right to have back doors for the US government (as a governmental right), other governments should have that right as well, e.g. China, Russia, etc. This position was articulated by Alex Stamos, then security engineer at Yahoo. As an aside, Yahoo and Google are currently working on an end-to-end email encryption system that may be ready by the end of the year.

Government – the rise in encryption has rendered a significant part of the Internet “dark,” making it harder to track terrorists and other criminals.

Counterpoint – Skype appears to offer end-to-end encryption for its video service (as opposed to phone calls made through it), so as far as the criminal element is concerned, all it takes is one service through which criminal communications are inaccessible.

Furthermore, the companies that handle the transmission of email and other digital information say that providing any backdoor weakens encryption. Whitfield Diffie, a 71-year-old pioneer and co-inventor of the basic approach used in most modern encryption systems, appears to believe that it is counterproductive to try to build the special access governments are seeking.
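
To make concrete what “end-to-end encryption, with service providers rendered unable to access the information” means in the argument above, here is an added example (it is not code from the original post, nor from Yahoo, Google or Skype). Two endpoints agree on a key using the Diffie-Hellman approach the post credits to Diffie; the service provider that relays their messages sees only the two public values that cross the wire and never learns the key. The group parameters are the 1536-bit MODP group from RFC 3526; the endpoint names “alice” and “bob”, the relay log, and the use of SHA-256 as a stand-in key-derivation step are this example’s own simplifications. The `validate_group` check is the kind of parameter sanity test a practitioner runs before trusting any DH group.

```python
"""Added example: Diffie-Hellman key agreement as seen by the two endpoints
and by a relaying service provider. Not part of the original post."""
import hashlib
import secrets

# RFC 3526, 1536-bit MODP group (group 5): p is a safe prime, generator g = 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G in a safe-prime group


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (sufficient for a parameter check)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group():
    """Sanity check before use: p and (p-1)/2 prime, and g generates the order-q subgroup."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


class Endpoint:
    """One end of the conversation. The private exponent never leaves this object."""

    def __init__(self):
        self.private = secrets.randbelow(Q - 2) + 2
        self.public = pow(G, self.private, P)  # the only value sent through the provider

    def shared_key(self, peer_public):
        # Reject degenerate or out-of-subgroup public values before using them.
        if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, P)
        # Simplification for the example: hash the raw shared secret into a 32-byte key.
        return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """Return (alice_key, bob_key, relay_log); relay_log is everything the provider saw."""
    alice, bob = Endpoint(), Endpoint()
    relay_log = {"alice_public": alice.public, "bob_public": bob.public}
    return alice.shared_key(bob.public), bob.shared_key(alice.public), relay_log


def keys_match():
    """True when both endpoints derived the same key from what crossed the wire."""
    alice_key, bob_key, _ = run_exchange()
    return alice_key == bob_key


if __name__ == "__main__":
    print("group parameters valid:", validate_group())
    print("endpoints agree on key:", keys_match())
```

The relay log holds only `g^a mod p` and `g^b mod p`; recovering `g^ab mod p` from those is the computational Diffie-Hellman problem, which is exactly why a provider that merely forwards traffic cannot hand the plaintext to anyone, including a government that asks for it. A “back door” in this setting means changing this design so that the provider does hold, or can reconstruct, the key.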

It is interesting to note that the French intelligence services have benefited from a bill passed in May legalizing phone tapping and email interception. In England, David Cameron has proposed a ban on “strong” encryption to ensure that terrorists do not have a safe space in which to communicate.

There are over a billion email users around the world; the use of email and digital transmission of private information is rising, as is the incidence of cyber crime, hacking by rogue nations and the need for secure digital information and transmission.

In the final analysis it is difficult to find the exact intersection, or equilibrium, between crime prevention (with respect to criminals and terrorists) and the privacy rights of law-abiding citizens. The issue is only made more complex when the government is encouraging digital storage and transmission of the very information it rightfully demands be held private.

What do you think?

The Falling Star of Nursing Homes – or Maybe Not


How accurate is the Five Star rating system in assisting the general public to determine which nursing home to select?

The Government Accounting Office (GAO) has accepted a request to investigate the rating system used on the Nursing Home compare website.

This request stems from a request by Senators Bob Casey (D-PA) and Ron Wyden (D-OR) after CMS (this past February) added quality measures on antipsychotic medication use and staffing levels to the ratings displayed on the website. Apparently, the estimate was that 4,777 out of 15,500 nursing homes would see a drop of at least one star. Obviously, in a five-star rating system, a drop of one star is very significant.

Similarly, Rep. Elijah E. Cummings (D-MD) has asked for a briefing with the Centers for Medicare & Medicaid services on the website’s rating system.

As I understand it, the American Health Care Association (AHCA) has taken issue with the rating system, as it does not give proper weight to residents seeking nursing home care on a short-term basis for rehabilitation or therapy, and is heavily weighted toward long-term care.

Furthermore, there are concerns that the February changes do not really affect how well the residents will fare during their nursing home stay.

It is interesting that while the five-star system will come under review, there is no current roadmap with respect to the metrics (and relative weight) that should be employed to give an accurate five-star rating.

Obviously, HIPAA, or people’s interest in maintaining their privacy, would preclude (or at least severely limit) reviews by residents or their families in which they could give details regarding their ratings.

To the extent that we have become accustomed to relying on five-star rating systems, e.g. Amazon or eBay, which are becoming more widely accepted and which, in my experience, are highly accurate and predictive with a little due diligence, it is important that five-star rating systems which DO NOT have detailed, descriptive ratings by residents or their families have accurate metrics and weights, as they will be relied on for very important decisions – clearly more important than the average purchase on Amazon or eBay.

New Pay Model for Nursing Homes

CMS is currently testing a new payment model seeking to avoid hospitalizations by funding nursing homes and practitioners for more extensive intervention.

On August 27, 2015, CMS reported that seven organizations will test the efficacy of the new payment model for nursing home operators and practitioners by funding higher-intensity interventions in nursing facilities for residents who might otherwise be hospitalized. The goal reflects the fact that treatment in a nursing home is less expensive than hospitalization.

The Centers for Medicare & Medicaid Services has been working with seven “Enhanced Care and Coordination Providers” (ECCPs) for the past three years to gather information. These organizations may apply to test the new payment model.

While this should come as no news to anyone involved in revenue cycle management for nursing homes or hospitals, the agency said that “improving the capacity of nursing facilities to treat common medical conditions as effectively as possible within the facility has the potential to improve the residents’ experience at lower cost than a hospital admission.”

Significantly, the model also includes payments to physicians, NPs and PAs – which makes me wonder if part of this initiative will also include increased responsibilities for nurse practitioners and physician assistants.

This model is currently scheduled to run from October 2016 to October 2020.


Brilliant poem by an 11th grader seeking anonymity. Must be read in its entirety to be appreciated

Good Day


Today was the absolute worst day ever

And don’t try to convince me that

There’s something good in every day

Because, when you take a closer look,

This world is a pretty evil place.

Even if

Some goodness does shine through once in a while

Satisfaction and happiness don’t last.

And it’s not true that

It’s all in the mind and heart


True happiness can be obtained

Only if one’s surrounding are good

It’s not true that good exists

I’m sure you can agree that

The reality


My attitude

It’s all beyond my control

And you’ll never in a million years hear me say that

Today was a good day


Please, now read from bottom to top.


HIPAA – Critical Hypocrisy or Critical to the Operation of Government

In reviewing the various reports of HIPAA breaches, as a subset of the almost daily occurrence of significant data breaches, and the recent reports of significant breaches of information that is either entrusted to the government (e.g. medical and/or credit information) or that the government is both logically and legally responsible for safekeeping, there seems to be a significant disconnect. With respect to HIPAA, the current regulatory environment demands a very high level of compliance, with significant fines and governmental intervention in the case of a breach, but when the government drops the ball, the most we can expect is OOPS, and maybe not even that.

Without going through the litany of recent governmental breaches, I will highlight the White House’s recent confirmation that the Office of Personnel Management suffered a SECOND cyber attack in which the data of 4.2 million Federal employees was stolen. In addition, the April 2015 report of the Office of Inspector General (OIG) reported the results of its audit of the security controls of the Department of Health and Human Services (HHS) which identified numerous deficiencies.

Imagine a father heartily puffing on a cigar, and a mother vigorously inhaling the smoke from her cigarette lecturing their teen about the dangers of smoking, while at the same time (in the name of proper parenting skills) advising their child of the consequences they would administer if their child began smoking. I imagine that at least to some, this scene would seem somewhat hypocritical.

I fully understand that there must be limitations on the ability for private citizens to sue the government and/or its employees carrying out governmental functions (sovereign immunity), but the real question is the propriety of placing standards on private industry before one cleans up one’s own house.

You may find this to be HIPAA-Critical (hypocritical), or you may feel that there is a critical need for the protections that HIPAA mandates and that, therefore, immunity and consequence-free breaches are appropriate.

Irrespective of the answer, to the extent we can trust the government with private medical information (PHI) for its healthcare exchange, and to the extent that, at some level, the government may be competing with medical providers (e.g. various forms of Medicaid), is it appropriate to have two standards?

What do you think?

HIPAA and the Law of Unintended Consequences

Identity theft is so prevalent that we are almost desensitized to its effects – unless of course we’re speaking about its victims, who are left with the unenviable task of sifting through the rubble and trying to re-create their medical and/or credit identities. What is surprising is that the very laws that were enacted (HIPAA etc.) to protect patient privacy hinder the victims of medical/identity theft from accessing THEIR OWN medical records. The Wall Street Journal had an illuminating article regarding the rise of medical/identity theft (“How Identity Theft Sticks You With Hospital Bills”). There is no way to offer absolute protection under all circumstances. I am reminded of the tragedy that occurred when the captain and flight attendants could not gain access to the cabin of a Germanwings flight, because the cabin was virtually impregnable as a safety measure against terrorists. The very measures that were put into effect to protect the passengers were the ones that ultimately cost them their lives. We cannot totally escape the Law of Unintended Consequences, but in making rules or drafting laws it is helpful to be aware of the potential for looming risks.

Ashley Madison Writes Rx for Doctors About Safe Sex(curity) and HIPAA

There are many lessons that the Medical Community – Covered Entities, Business Associates and their subcontractors – can learn from the Ashley Madison hack. Please forgive me if I omit the prurient details and/or any “holier than thou” statements about the AM business, except to say that it was a site that needed security, dealt with highly sensitive and personal matters, and the very people who sought a “full delete” of their personal information are the ones who apparently were caught “flapping in the wind” – please forgive the pun.

  1. How could a subscriber/patient/doctor or medical provider (CE, BA or Sub) have known that the information they retained made them a prime target? In the case of Ashley Madison, assuming it did not possess the native intelligence to realize that we live in an age of website breaches, WSJ.com actually warned/predicted it: Friend Finder Networks (a website with similar appeal to individuals seeking extracurricular activities) was hacked, and Avid Life Media (owner of AM), which was seeking to raise $200 million in an IPO, warned that “investors will have to think of hack attacks as a risk factor.” In the case of CEs, BAs and their subcontractors, in addition to HIPAA, HITECH and the Omnibus Rule, the internet is replete with stories of both medical and nonmedical private information being hacked.
  2. How could the information have been safeguarded? In the case of AM, prepaid credit cards, anonymous browsing and encryption would or could have mitigated or eliminated the risk. On the medical side, awareness of and compliance with the regulatory requirements (which, incidentally, include encryption as a safe harbor) would similarly substantially mitigate the risk and the amount of damage a breach may cause. Starting with a risk analysis, proper security and privacy protocols, management oversight, and adequate resources devoted to regulatory compliance would go a long way.

The basic problem is that the NIMBY (not in my back yard) way of denying reality has a way of catching up with you and exposing vulnerabilities. The new reality is that with every passing day, more private information is being entrusted to others. Cyber security is playing a cat-and-mouse game with hackers, and ignoring the realities of the digital age can lead to embarrassment, financial loss (or ruin), and governmental scrutiny and fines.

What do you think?

Will Your Recruitment Initiatives Invite and Welcome Computer Hackers?

It is very clear that the current landscape is replete with stories of improper intrusion and hacking of computer systems leading to improper dissemination of proprietary or other types of protected information.

Most organizations try to block the unwanted intruder (hacker) from ever gaining access to their computer systems. A common method used by hackers is known as phishing, an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to get the unsuspecting victim to click on a particular link, oftentimes seeking private information. Clicking on that link may also allow malware/viruses to enter the victim’s computer system. So far, nothing new.

I recently read about a variant on the phishing scheme which comes into play when a company advertises that it is seeking to fill a position. In essence, it is inviting applicants to send resumes, which normally, and in fact expectedly, arrive as email attachments. The person tasked with hiring, oftentimes HR or, in smaller organizations, someone with admin responsibilities, receives a series of e-mails from would-be applicants. The attachment, however, can contain malware which would not necessarily be detected.

Frankly, I found this situation to be alarming because the general rule of “don’t open e-mails or attachments from people you don’t know” realistically falls by the wayside. In fact, the refrain “you really should have known better” also falls by the wayside.

How many people has your organization hired by placing ads on websites and then sifting through the e-mail responses?

Antivirus software and keeping current on software patches are the obvious first step.

Internal firewalls with dual factor authentication may be the next step.
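
The steps above address the endpoint; an added control, sitting between the mailbox and the reviewer, is to triage every resume attachment before a human opens it. The following is an added example and not code from the original post or from any antivirus product: it flags files whose content does not match the claimed extension, executables hidden behind a double extension, and Office documents that carry a VBA macro project. The `Attachment` type, the extension allowlist and the sample files are constructed for this example; a real deployment would feed it the attachments pulled from the hiring inbox.

```python
"""Added example: pre-review triage of resume attachments in a hiring inbox.
Not part of the original post; the samples below are constructed."""
import io
import zipfile
from dataclasses import dataclass

# Constructed allowlist: what applicants are actually told to send.
ALLOWED_EXTENSIONS = {"pdf", "docx", "txt"}


@dataclass
class Attachment:
    filename: str
    content: bytes


def _extensions(filename):
    """All extensions of a name, so 'resume.pdf.exe' yields ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def _sniff(content):
    """Identify a file type from its leading bytes rather than from its name."""
    if content.startswith(b"%PDF-"):
        return "pdf"
    if content.startswith(b"MZ"):
        return "exe"
    if content.startswith(b"PK\x03\x04"):
        return "zip"  # OOXML (.docx/.xlsx) is a zip container
    return "unknown"


def _office_macro_present(content):
    """OOXML documents store a VBA project as vbaProject.bin inside the container."""
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(att):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = _extensions(att.filename)
    claimed = exts[-1] if exts else ""
    kind = _sniff(att.content)
    if claimed not in ALLOWED_EXTENSIONS:
        findings.append(f"extension .{claimed or '(none)'} not on allowlist")
    if len(exts) > 1:
        findings.append("double extension: " + ".".join(exts))
    if kind == "exe":
        findings.append("content is a Windows executable (MZ header)")
    if claimed == "pdf" and kind != "pdf":
        findings.append("claims .pdf but content is not PDF")
    if claimed == "docx" and kind != "zip":
        findings.append("claims .docx but content is not an OOXML container")
    if kind == "zip" and _office_macro_present(att.content):
        findings.append("Office document contains a VBA macro project")
    return findings


def build_docx_with_macro():
    """Constructed sample: a minimal OOXML container carrying a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed inbox contents: two clean files and three that should never reach HR.
SAMPLES = [
    Attachment("resume_jane.pdf", b"%PDF-1.4\n%constructed sample\n"),
    Attachment("cover_letter.txt", b"Dear hiring manager,\n"),
    Attachment("resume.pdf.exe", b"MZ\x90\x00" + b"\x00" * 28),
    Attachment("cv_final.docx", build_docx_with_macro()),
    Attachment("portfolio.pdf", b"MZ\x90\x00" + b"\x00" * 28),
]


def quarantine_decisions(samples=None):
    """Map filename -> findings for every attachment that should be held for review."""
    decisions = {}
    for att in SAMPLES if samples is None else samples:
        findings = triage(att)
        if findings:
            decisions[att.filename] = findings
    return decisions


if __name__ == "__main__":
    for name, findings in quarantine_decisions().items():
        print(name, "->", "; ".join(findings))
```

Two design points: the checks are applied to the bytes, never to the name alone, because the name is the one thing the sender fully controls; and an attachment that trips any check is held rather than deleted, so the hiring manager can still reach a legitimate candidate whose file was simply unusual.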


How Much Does a Data Breach Cost in Dollars and Cents?

In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement (“The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See”, “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions”, “The Seven Most Likely Causes of Major HIPAA Breaches”, “The Five Most Likely Types of Major HIPAA Breaches”). A basic question, though, is how much a data breach costs in dollars and cents.

I am reasonably certain that, as with all statistical matters, depending on how you skew the numbers there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015 which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) and which I believe is both timely and highly informative.

Among the key findings of this report is a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report covers 2014).

The study covered 350 companies that had dealt with data breaches. The average cost of a breach increased from $3.52 million to $3.79 million during a one-year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive-level involvement is necessary to achieve an effective incident response to a data breach, and 70% believe that board-level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach, ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 18 identifiers relating to HIPAA.)

Malicious or criminal attacks accounted for 47% of root causes, as opposed to 42% a year earlier, and the report similarly shows an increased cost, from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach, the greater its likelihood and, apparently, the higher the cost per record.

Costs relating to detection increased as well, from $0.76 million to $0.99 million. These costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and the board of directors.

The cost of a data breach varies by industry: while the overall average is $154 per record, the average cost for a healthcare organization is $363 per record.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (not in my backyard) – this only happens to the other guy – seems to be a common mindset among small to medium Covered Entities (CEs) and/or Business Associates (BAs). The threat of a data breach is real.

In communications I had with FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset is misguided, even absent the significant regulatory issues.


The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See

Corporate integrity agreements, or the consent agreements reached between the government (HHS) and Covered Entities and Business Associates, can be extremely detailed, comprehensive and costly.

In my last post (http://bit.ly/1RsCwLP) I went so far as to say that these agreements and their implementation are often more expensive than the actual fines, and that I would discuss one of the most far-reaching consent agreements I had ever seen, namely the corporate integrity agreement between OIG-HHS and Nason Medical Center.

While I cannot incorporate the totality of an agreement that is over 50 pages long into a few paragraphs, I think that I can convey the spirit of this agreement.

  1. The length of the agreement is five years.
  2. The people covered by the agreement include all owners, officers, directors, managers (which include members of the mandated “Management Committee”) and all employees, contractors, subcontractors, agents and other persons who provide patient care items or services or who perform billing or coding functions on behalf of Nason, as well as all physicians or other non-physician practitioners who work within one or more of Nason’s facilities.
  3. Establishment of a Compliance Officer and Compliance Committee. The Compliance Officer must be a member of senior management, must report directly to the CEO, cannot be subordinate to the General Counsel or CFO, and must visit each location where Nason provides patient services at least every two weeks.

Responsibilities include developing and implementing policies, procedures and practices designed to ensure compliance, making periodic (at least quarterly) reports regarding compliance matters directly to the “Management Committee” with written reports to the “Management Committee” made available to OIG on request, as well as monitoring the day-to-day compliance activities engaged in by Nason.

Not surprisingly, Nason must report to OIG in writing any changes in the identity or description of the compliance officer.

  4. Compliance Committee, which at a minimum must include the Compliance Officer and other members of senior management, including senior executives of relevant departments such as billing, clinical, human resources, audit, and operations, as well as at least one employee who works at least 20 hours per week at each building where Nason sees patients. The Compliance Officer chairs the Compliance Committee. The Compliance Committee must support the Compliance Officer in fulfilling his/her responsibilities.
  5. Management Committee’s compliance obligations include meeting at least quarterly to review and oversee Nason’s compliance program and the performance of the Compliance Officer and the Compliance Committee, and submitting to OIG a description of the documents and other materials reviewed as well as any additional steps taken in its oversight of the compliance program. In addition, each reporting period the committee must adopt a resolution, signed by each “manager” of the “Management Committee,” summarizing its review and oversight of Nason’s compliance with Federal Health Care program requirements and the obligations of the agreement.

This resolution at a minimum must certify that the “Management Committee” has made reasonable inquiry into the operations of Nason’s compliance program, including the performance of the Compliance Officer and the Compliance Committee. Based on its inquiry and review, the Management Committee must be able to conclude that, to the best of its knowledge, Nason has implemented an effective compliance program to meet Federal Health Care program requirements and the obligations of the agreement. Conversely, if it is unable to reach the required conclusion, it must provide OIG with an explanation of why.

  6. In addition, managers (people with management responsibilities) are specifically expected to monitor and oversee activities within their areas of authority and annually certify that the applicable Nason department is in compliance with applicable Federal Health Care requirements and with the obligations of this agreement. These employees include but are not limited to the billing manager; director of Human Resources; medical director; Nason medical center manager and CEO; laboratory director; radiology director; business administration manager; accounting director; director of business analysis; and parent company CEO.

The certification must include language that “I have been trained on and understand the compliance requirements and responsibilities as they relate to my department, and/or facility, an area under my supervision” ensuring that the department complies with all applicable Federal Health Care program requirements, obligations of the agreement, and Nason policies, and that they have taken steps to promote such compliance. To the best of their knowledge, except as specifically stated in the certification, they must attest that Nason is in compliance with all applicable Federal Health Care program requirements and the obligations of this agreement.

The list goes on and on, and in fact I have only just turned to page six of the agreement. At this point, you can probably imagine that the cost of compliance, and the responsibility placed on the majority of the organizational chart (including new positions created on the basis of this agreement), will have a heavy impact on the operations of the organization.

  7. An independent monitor selected by OIG must be retained. The monitor may retain additional personnel, including independent consultants, to help meet the monitor’s obligations under the agreement. The monitor may confer and correspond with Nason, OIG, or both. The monitor is not an agent of OIG; the monitor, however, may be removed by OIG at its sole discretion. If the monitor resigns or is removed, Nason must retain another monitor selected by OIG within 60 days. The monitor is granted virtually unlimited access to all of Nason’s records and documents. The length and breadth of the reports that the monitor must prepare is extensive. Nason is responsible for all reasonable costs incurred by the monitor in connection with the engagement, including labor costs, indirect labor costs, consultant and subcontractor costs, material costs and other direct costs such as travel, etc.

Nason must pay the monitor’s bills within 30 days of receipt. Failure to pay the bills on time constitutes a default under the agreement with OIG, unless the bills are contested and taken up with OIG.

In case you thought that this was not oppressive enough, the agreement also requires engaging an independent review organization.

  8. An independent review organization, such as an accounting, auditing or consulting firm, must perform various reviews of Nason. This organization is charged with reviewing Nason’s coding, billing and claims submissions to Medicare and state Medicaid programs and the reimbursement received. Of course, OIG reserves the right to do its own independent reviews. The independent review organization must certify its independence and objectivity.

I could go on and “get into the weeds” regarding the highly detailed requirements (both in terms of staff compliance, report generation, and resulting certifications) but I am concerned that I will lose the readers’ attention and distract them from the point I am trying to make.

Noncompliance with HHS-OIG requirements may result in a corporate integrity agreement or consent agreement, which is then announced in news releases. The amount of the actual fine, however, does not begin to give the reader the picture of the burdens, costs, and potential liability that these agreements create.

HIPAA, HITECH and the Omnibus Rule place specific requirements on covered entities and their business associates. Audits can be triggered randomly (as HHS is ramping up audits) or can be triggered by a reported breach by the entity or by an individual whose privacy was violated. In addition, audits have been triggered by media reports and/or reports brought by members of the public at large.

The bottom line is that an ounce of prevention is worth a pound of cure. What do you think?