Joelle Duval comments on the implications of the reopening of the Health Information Technology for Economic and Clinical Health (HITECH) audit program and a new round of audits of HIPAA-regulated entities.

Healthcare Risk Management | July 2024

The Health and Human Services Office for Civil Rights (HHS OCR) has reopened the Health Information Technology for Economic and Clinical Health (HITECH) audit program and will begin audits of HIPAA-regulated entities later in 2024, according to public statements by OCR Director Melanie Fontes Rainer. The audits will focus on the Security Rule, particularly the requirements for security risk analyses and risk management.

The audits will be accompanied by other enhancements intended to promote better compliance with HIPAA. These changes will put more pressure on covered entities and require work ahead of time to avoid penalties.

The impending audits may be more of a threat to smaller institutions, says John W. Leardi, JD, attorney with the Buttaci Leardi & Werner law firm in Princeton, NJ.

“I think most institutional or large providers probably, because of how resource-intensive they are compared to others, are probably fine, right? Or at least if they’re not, there’s no excuse for it,” he says. “My concern here in terms of vulnerability is going to be medium to small practices and independent practices, not part of a health system, not part of a larger institutional system.”

Leardi notes that the HIPAA Security Rule is about 20 years old now, and OCR probably is looking to update it. The audits may provide some guidance, he says.

“Some of it has become dated. The landscape of how we maintain health information is dramatically different now than it was 20 years ago,” Leardi says. “A substantial portion of the industry now has adopted electronically based storage as opposed to maintaining manila folders in the office. There has been some chatter that it needs to be revisited and, perhaps, updated to closely align with where we are in the industry. It’s not surprising that maybe these audits are designed as much about enforcement as they may be gathering data to determine the touch points in industry that are most in need of focus in any proposed rulemaking or adjustments.”

Many covered entities will not be ready for the audits, says Jeffery P. Drummond, JD, partner with the Jackson Walker law firm in Dallas.

“I think it’s going to catch people by surprise because nobody knows what we’re being tested on. There’s no study guide,” he says. “A more explicit message from OCR saying there are 10 things here that are listed, a list of possible bad things that can happen to you, would be helpful. They haven’t really done something that explicitly. It would be better for them to say we’re going to re-audit in two years and here are the things we’re going to be looking for, here is a list of things you need to do.”

No More Checking the Box

With the announcement of the return of the OCR HIPAA audit program the days of the “check the box” risk assessments and HIPAA compliance program evaluations may be gone for good, or at least until OCR pauses the program again, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. It has long been understood that HIPAA requires covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), he says.

“But, notwithstanding entities that have fallen victim to some form of cybersecurity incident, most entities have taken this requirement as merely a quick review and response to a privacy and security questionnaire to ensure that all the requirements of the security and privacy rules are attested to for documentation purposes,” he says. “Often, this means that there is no validation of the required controls to ensure that they are operating as they should and do not need attention.”

Howard says he often has seen entities that have allowed the value of the risk assessment process to take a back seat while they focus on more seemingly pressing business matters. This is understandable to a point, he says, but clearly is not what was intended by the Rule when it was made. The announcement of the return of the federal audit should change this, he says. Howard suggests that covered entities and business associates should, at least, do the following to prepare for a potential audit by OCR:

• Review past risk assessment results and ensure any findings were addressed or plans have been put in place to do so.
• Conduct new risk assessments that look for validation of compliance measures being in place through pen testing, vulnerability scans, employee interviews, configuration validations, and access and control sweeps.
• Clearly document any findings, remedial measures, and plans for moving forward based on criticality if issues are found.
• Clearly identify any cybersecurity framework being relied on and how it has been implemented.
• Make sure appropriate leadership is kept aware of the state of the entity’s HIPAA compliance activities.

“These are necessary basic steps that I see missed over and over again that apply to risk assessment and risk management requirements under HIPAA. It is important that these also apply equally to the security and privacy side of the house,” Howard says. “Don’t forget to review the processes and procedures for responding to patient rights requests and making sure an entity’s privacy practices are clearly communicated. This applies to privacy practices between an entity and its patients, business partners, affiliates, and vendors.”

Structured relationships are necessary to ensure compliance along the entire service chain where
(e)PHI is involved, he says. It also will be important for covered entities and business associates to remember that HIPAA requires technical and nontechnical evaluations of an entity’s policies and procedures to make sure they are compliant with HIPAA’s various requirements, he says. This is completely separate from the risk assessment requirements and can be more closely equated to a HIPAA compliance program review, Howard notes. The output of this evaluation can be used to create an audit book that can be a great resource when the auditors come knocking.

“Overall, the return of the OCR audit program returning is a good signal that it is time for regulated entities to start putting processes in place now to identify any compliance gaps they may have and develop plans for resolving the more pressing issues found through risk assessments and program evaluations,” Howard says.

OCR Sending Survey

OCR indicated in a notice published in the Federal Register that it will send an online survey consisting of 39 questions to the 207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA audits, explains Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. OCR specifically asks for information regarding subsequent HIPAA compliance actions taken by the survey recipients as a result of the previous audits to evaluate the effectiveness of the audits and the counseling the organizations obtained from OCR in response to the audits, she says. Presumably the information gathered will be used to develop an updated audit program for future use, she says, adding that OCR has not expressly stated that the audit program will return or provide information on when audits will resume or what will be different. Because the requirements for covered entities and business associates have not substantially changed since the 2016-2017 OCR HIPAA audits, if there is a next phase of audits, OCR likely will focus on the same requirements, she says.

However, there may be an increased scrutiny on cyber performance, given the proliferation of cybersecurity incidents in the healthcare industry and OCR’s focus on technological security preparedness and resiliency, she says.

While OCR has not provided details on a new audit program, it is likely that the selection process will mimic the audits in 2016 and 2017, she says. OCR identified organizations that represented a wide range of covered entities; its sampling criteria included size, affiliations, location, and whether an entity was public or private.

The audited covered entities submitted lists of all their business associates, which OCR combined to create a pool of business associates, she says. OCR randomly selected business associates from the pool to audit.

“OCR has stated that the audit program is used to identify best practices gleaned through the audit process and to inform guidance targeted to identified compliance challenges,” Rush says. “Since the last audits, OCR has routinely published sub-regulatory guidance to covered entities on different aspects of the HIPAA privacy and security rules.”

In conjunction with the previous audits, OCR also published a comprehensive audit tool that covered entities and business associates could use to gauge compliance with HIPAA, Rush notes. The prospect of an audit and the availability of the tool resulted in many organizations reviewing their compliance posture and making positive changes, she says, and the same industry response is likely if the audit program is re-instituted.

The HITECH Act requires OCR to periodically audit covered entities and business associates for HIPAA compliance, so OCR’s failure to continue the audit program is in derogation to the requirements of the HITECH Act, Rush notes. OCR may be gearing up for another phase of audits to ensure it is complying with legal directives, she says.

“Another potential driver is the increase in security-related breaches that result from cybercrime. The audits may be a piece of the overall goal of seeing covered entities and business associates strengthen their protection of PHI,” she says. Rush notes that HHS also has recently launched new Healthcare and Public Health Cybersecurity Performance Goals to provide healthcare delivery organizations with practices that will “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”

“It is likely that only a few organizations will be selected for audit if the program is reconstituted, but organizations that have not utilized the OCR audit protocol should consider such a review in anticipation of OCR resuming the program,” Rush says. “Covered entities should review the OCR audit protocol in anticipation of the return of the audit program. Further, covered entities should ensure that they have conducted a recent security risk assessment, instituted a risk mitigation plan in response to the assessment, and developed policies and procedures for compliance with the HIPAA Rules.”

OCR Sending Survey

The audits should not strike too much fear in the hearts of covered entities that are making a good faith effort to comply with HIPAA, says Joelle Duval, JD, an attorney with the Coffey Modica law firm in White Plains, NY. “While it goes without saying that nobody likes to be audited, least of all by the United States government through HHS or the IRS (Internal Revenue Service), covered entities that have complied, or made a valiant and demonstrable attempt to comply with the myriad of regulations and protections mandated by HIPAA, should take comfort that their efforts will shield them from violations, or substantially reduce the crushing fines that HHS is known to give for violations of protected health information,” she says.

Duval suggests that these covered entities should even be proud to be among those selected for audit by HHS to demonstrate to other comparable covered entities that compliance is possible and slip-ups forgivable to a large degree — “even if, just like the one student that always sat in the front row of the class and raised his/her hand for every question, they are ‘hated’ for passing the course and always knowing the answer.”

For those entities that have not made the effort, the audits will be problematic. “Those covered entities who have ignored the regulations, by choice or necessity, such as perhaps lacking resources to keep up with the privacy and security rule regulations, sadly there is little advice to give them other than to say that the dice they have been rolling have just hit snake eyes,” Duval says. “Quite simply, there are few excuses covered entities can have that HHS would likely accept as mitigation to identifying violations and breaches during an audit. In fact, I cannot think of one viable excuse to suggest. Even a comet crashing to earth and knocking out the power grid would have HHS asking the covered entity about what safeguards were in place should there be a complete loss of power.”

HIPAA and its privacy and security rules have been in effect too long, and reports of data breaches, identity theft, and data ransoms are too widespread to the general population for a covered entity to be unprepared to stand up to HHS scrutiny, Duval says.

Whistleblowers Encouraged?

An unexpected effect from the reemergence of random HIPAA audits may be the encouragement of whistleblowers, she says. Covered entities often maintain a smiling public face touting their lack of any tolerance for HIPAA violations, Duval says, proclaiming “if you see something, say something” or “report and you will be supported” or “HIPAA violations will not be tolerated here.” But the actual internal practice is really one of punitive retaliation against employees reporting violations, she says. It is surprisingly common but seldom recognized, Duval says, that some of the largest private and public covered entities are the most punitive to those internal personnel voicing legitimate concerns regarding negligent data practices and the routine practice of turning a blind eye.

“HIPAA violations happen, most often inadvertently, but at times negligently. HHS recognizes this reality, and covered entities facing violations or breaches can mitigate their damages,” she says. “But, regardless of how an adverse event happens, covered entities who have made it a regular practice to bury their heads in the sand or sweep violations and reporters under the rug rather than acknowledge — by reporting when obligated to do so — and attempt to rectify the situation will find themselves in a much deeper hole than underneath the sand.”

Therefore, covered entities should be prepared for HHS to come knocking at their door by not only examining its compliance practices under HIPAA, but also looking at its actual internal practices of compliance, including how employees are received when they voice legitimate concerns to protect HIPAA, and the covered entity, Duval says.

“It should not be surprising, therefore, for a random audit by HHS to stir up unrecognized and illegal state and federal employment practices,” she says. “And those covered entities [that] have taken a punitive approach or turned a deliberate blind eye to employees reporting actual or suspected HIPAA violations may find themselves under the dual scrutiny from both HHS; state and federal Departments of Labor; and, most frightening, plaintiff attorneys.”

Weak Risk Analysis?

A crucial element of the HIPAA Security Rule is conducting risk analysis, something that historically has been a weakness for many organizations, notes Michael Parisi, head of client acquisition with Schellman, an information technology compliance and cybersecurity firm in Tampa, FL.

“Poor risk analysis practices are major contributors to the increase in breaches we’ve seen in past years,” he says. “In fact, more than 90% of the OCR HIPAA settlement actions regarding ePHI breaches involved an insufficient risk analysis or risk management program.”

With the news that OCR is reinvigorating its HIPAA audits, it is important for organizations to take a look at when their last risk assessment was — if ever — and what actions they have taken since then, Parisi says. From there, they need to identify if they acted on making the appropriate security updates to address identified vulnerabilities and whether they have maintained those practices.

Parisi highlights these pitfalls many organizations face when it comes to HIPAA risk analysis and risk management:

• Skipping the step of threat analysis, which should happen even before the risk assessment. Organizations need to look through all potential existing threats, identify which are relevant to them, and have those threats reflected in the risk assessment.
• Not including all systems that touch ePHI in the risk analysis/management program and what threats are relevant to the organization. Overlooking these places leaves them vulnerable to attack and vulnerable to penalties.
• Inadequate risk analysis. Organizations should look to existing resources like the OCR Guidance on Risk Analysis Requirement or NIST SP 800-30 Guide for Conducting Risk Assessments for help when conducting analysis.
• Neglecting to reassess on a specified basis and not performing updated analyses when a change in the environment introduces new risks.

Being caught out of compliance can mean significant financial penalties, as well as reputational damage, Parisi says. Prioritizing these risk requirements not only preserves HIPAA compliance, but also mitigates risk for a breach or cyberattack.

One suggestion is for organizations to package up their “‘HIPAA story,” he says. Instead of having a risk assessment in one place and policies and procedures in another, it behooves the company to pull everything together with a cover page that tells the story of their HIPAA compliance journey and gives OCR everything they need in an easy to access bundle, he says.

“This movement of bringing back HIPAA audits is a step in the right direction from OCR in the efforts for a more secure healthcare system,” Parisi says. “It is, however, just a first step, and I think we can anticipate seeing continued movement from the OCR and HHS to implement additional standards and requirements beyond HIPAA, especially in light of recent breaches.”

Coffey Modica’s Joelle Duval shares valuable insights in the May issue of Healthcare Risk Management about the U.S. Supreme Court’s June 2023 decision in United States ex rel. Schutte v. SuperValu Inc., which affected healthcare compliance.

May 2024, Vol. 46, No. 5; p. 49-60

A Supreme Court ruling is changing how a defendant’s knowledge of wrongdoing and intent to commit fraud is viewed in civil cases. The ruling has significant implications for healthcare cases in which the False Claims Act (FCA) is involved.

The decision in U.S. ex rel. Schutte v. SuperValu Inc. unanimously held that liability under the FCA depends on a defendant’s subjective belief regarding whether a claim was false. Before this landmark ruling, it was unclear whether the standard for determining knowledge in an FCA claim was objective or subjective.1

The Supreme Court held a defendant can be held liable for “knowingly” submitting a false claim by demonstrating that the defendant knew or suspected the submission was false, even if an objectively reasonable person would not have known the claim was false. The decision means the healthcare industry is now grappling with the FCA’s “scienter” test, says George B. Breen, JD, an attorney with Epstein Becker Green in Washington, DC. “Scienter” is a legal term involving a culpable state of mind or a defendant’s knowledge that an act or conduct is wrongful and commits the act, anyway.

In Schutte, private parties sued retail pharmacies, claiming violations of the FCA through alleged fraud on Medicare and Medicaid, Breen says. Those government programs provide prescription drug coverage to their beneficiaries and usually limit the reimbursement to the pharmacy’s “usual and customary” charge to the public. However, the respondent pharmacies reported their higher retail prices to Medicare and Medicaid — as opposed to the lower discounted prices they offered customers through programs such as price matching, Breen explains.

The U.S. District Court for the Central District of Illinois held that the pharmacies’ “usual and customary” prices were its discounted prices, as opposed to the higher retail prices, and concluded that the pharmacies submitted false claims on that basis, Breen says. The district court held pharmacies could not have acted “knowingly” under the statute.

Breen notes that the two essential elements of an FCA violation are the falsity of the claim and the defendant’s knowledge of the falsity or scienter. The U.S. Court of Appeals for the Seventh Circuit affirmed in August 2021, finding that “there is no statutory indication that Congress meant its usage of ‘knowingly,’ or the scienter definitions it encompasses, to bear a different meaning than its common law definition,” Breen explains. “The Supreme Court, however, held in Schutte that the FCA’s scienter element refers to the defendant’s knowledge and subjective beliefs — not to what an objectively reasonable person may have known or believed. While the FCA clearly imposes liability on those who purposely intend to defraud the government, other cases might involve, by way of example, doctors who honestly mistake what ‘customary’ means — or who might correctly understand ‘customary’ but submit inaccurate claims, anyway.”

Justice Clarence Thomas wrote for the Supreme Court as it vacated and remanded the case to the Seventh Circuit that, “What matters for an FCA case is whether the defendant knew the claim was false. Thus, if respondents correctly interpreted the relevant phrase and believed their claims were false, then they could have known their claims were false.”1

In Schutte, the qui tam petitioners presented evidence that the companies believed that their “usual and customary” prices were their discounted prices — and took steps to prevent regulators and contractors from finding out about those discounted prices, Breen explains. For example, a pharmacy might charge $10 for a drug under a pricematch program but report $108 to the government for reimbursement. This kind of evidence could eventually help establish the scienter requirement for an FCA violation on remand.

“Schutte is a disappointing decision for the defense bar, and one likely to impact the ability to secure dismissal at the early stages of litigation. Healthcare providers must understand that the obligation of a relator or the government to show scienter is not dead as a result of Schutte,” he explains. “Recklessness means defendants being ‘conscious of a substantial and unjustifiable risk that their claims are false but submit[ing] the claims anyway.’ The focus will be on how providers can demonstrate their understanding at the time of claims submission and show that they were not acting with reckless disregard.”

This also might mean more scrutiny of attorney guidance on those complex, significant regulatory issues upon which FCA claims are based and the real-time documentation of a defendant’s understanding at the time of claims submission, Breen says.

Smoking Gun Is Rare

In the context of litigation, it is somewhat unusual that a healthcare provider or healthcare organization that knowingly, ignorantly, or recklessly submits false claims will all face the same liability and consequences, says Joelle Duval, JD, an attorney with Coffey Modica in White Plains, NY.

The practitioner or organization that knowingly submits false and excessive claims for monetary gain, the practitioner/organization that deliberately ignores or turns a blind eye to illegal practices occurring within its billing practices, and the practitioner/organization that with reckless disregard continues using an accounting service that is known to file false and misleading bills to insurance companies will all be charged with having the requisite scienter, Duval says.

“In the law, the state of mind of the defendant is generally important in considering not only liability or culpability but also the appropriate level of punishment or damages,” she says. “But with scienter, this appears not to be the case.”

While a healthcare practitioner or organization will be held liable regardless of the intent, Duval contrasts that with three individuals charged with murder. One defendant killed with deliberate premeditation, garnering the highest available punishment. The second defendant remained a bystander, neither participating in nor taking steps to stop a killing by members of his group, perhaps out of fear, which may mitigate the level of punishment. A third defendant who took a life after running a red light due to reckless but wholly unintentional and out of character conduct may be further mitigated to a minimum or alternative punishment.

“The bottom line is that healthcare providers and healthcare organizations should strive to always bill patients, private insurance companies, and government insurance programs fairly and honestly and in a way that a provider can justify the amount being billed if asked to do so,” Duval says. “Period. End of story.”

The Department of Justice’s (DOJ’s) recent announcement of the latest FCA settlements suggests that healthcare organizations were waiting to see how the Supreme Court ruled, says Brett W. Johnson, JD, partner with Snell & Wilmer in Los Angeles.

“One of the reasons why the settlements were so high was that a lot of companies were waiting for that opinion to come down to determine which way they were going to go — settlement, or do we have grounds to argue it,” Johnson says. “They realized when the Supreme Court issued its opinion that it was going to be changing the standard that had been more recently applied.”

Discovery costs related to the FCA cases are so extreme that it is often cheaper and more expedient to resolve them with a settlement, Johnson notes. “These cases sometimes take two to four years to process, and then all of a sudden you saw this pretty big spike in settlements. The ruling is a significant win for the whistleblower community because it allows for them to have more discovery, and that forced folks into settlement for the healthcare industry,” he says. “They also always have to worry about their licensure, and with that kind of threat hanging out over their heads, there is always more willingness in the healthcare world to settle.”

Knowing Right and Wrong

The Schutte decision hinged on whether the defendant knew it was wrong. That can be a complex question for healthcare organizations, says Jonathan A. Porter, JD, partner with Husch Blackwell in Washington, DC.

“When it comes to companies, there is all sorts of evidence that you can find that suggests someone should have known something. It gets really, really complicated, and then the problem with knowledge is it’s very rarely going to be one of those issues where there is a clear answer,” Porter says. “There are always going to be shades of gray when it comes to knowledge, especially when you live in what someone should have known, which by definition is part of the knowledge inquiry under the False Claims Act. It’s reckless disregard as well as actual knowledge.”

That type of fact inquiry can be difficult for a court to figure out on summary judgment, so these cases can end up going to trial. “That’s where healthcare providers are in pretty bad spot,” Porter says. “Even if they are confident they did no wrong, they can end up settling because the False Claims Act has some astronomical penalties for going to trial.”

The FCA implications of Schutte are important, but Patric Hooper, JD, partner with Hooper, Lundy & Bookman in Los Angeles, points out that the underlying case also holds compliance lessons. The moral of the story is that if you are a compliance officer or risk manager and find out that the company is submitting claims that it knows are false — in this case, because the price charged to the government was higher than the usual and customary charge — the submissions must be stopped immediately, Hooper says. If false claims have been submitted, the company must immediately disclose that fact to the government to head off an FCA investigation prompted by a whistleblower.

“That would be a rare smoking gun in one of these cases where someone finds some internal document or some employee says, ‘Yeah, we looked at this issue and realized we were charging higher than the usual and customary charge, but we did it anyway,” Hooper says. “Not only could that be potential liability under the False Claims Act, but that could be a criminal act.”

The Schutte decision can be seen as a good result for healthcare organizations, says Sean B. O’Connell, JD, an attorney with Baker Donelson in Washington, DC.

“The big takeaway of the case is that willfulness and knowledge matter. What you intended matters when it comes to violating the False Claims Act — and that’s a win,” O’Connell says. “That’s absolutely a win for people in the industry, because it requires you to know that you’re doing something that was wrong or have a reckless disregard for whether it was wrong in order to violate the statute.”

That is a pretty big hurdle, O’Connell notes. It means that the FCA is no longer a negligence statute or a strict liability statute.

“This is a statute that requires some level of knowledge to violate it, and the burden of proof is going to be either the government or a relator that has to prove that,” O’Connell says. “It can’t just rely on, ‘Well, other people are doing it this way,’ or ‘They should have known that they were doing something wrong.’”

REFERENCE

1. U.S. ex rel. Schutte v. SuperValu Inc. Decided June 1, 2023. https://www.supremecourt.gov/ opinions/22pdf/21-1326_6jfl.pdf