AHLA's Speaking of Health Law

Navigating the AI, Security, and Compliance Challenges Facing Medical Practices

AHLA Podcasts

Jeff Bushong, Consulting Principal, PYA, speaks with Amy Leopard, Partner, Bradley Arant Boult Cummings LLP, about the current legal and regulatory aspects of artificial intelligence (AI), security, and compliance as it relates to medical practices. They discuss the importance of AI and cybersecurity in medical practices, HIPAA and cybersecurity challenges, enforcement activities, and risk management strategies for medical practices. Sponsored by PYA

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from PYA. For nearly 40 years, PYA has helped clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations, fair market value assessments, and tax and assurance. PYA is recognized by Modern Healthcare as one of the nation's top 20 healthcare consulting firms, and by Inside Public Accounting as a top 100 accounting firm. Learn more at pyapc.com.

Speaker 2:

Hello, my name is Jeff Bushong. I am a consulting principal with PYA and am really happy to be part of this AHLA podcast, Navigating the AI, Security, and Compliance Challenges Facing Medical Practices. I have been in consulting and healthcare for 35 plus years, with a variety of experience in both hospital and medical group practice operations, strategy, and revenue cycle. And I'm joined today by my co-host, Amy Leopard from the Bradley law firm.

Speaker 3:

Hi everyone, and good morning or good afternoon. I'm Amy Leopard. I'm a healthcare information and technology lawyer at Bradley in our Nashville office, and a board member of <inaudible>. I work with both providers and technology companies on technology and health information type projects. So I'm looking forward to having a conversation with you, Jeff, about some of the risk and compliance issues in that area.

Speaker 2:

It's certainly a topic at the top of mind for many of our physicians and administrators within the medical groups and the hospital industry, so we're anxious to talk about this important subject today.

Speaker 3:

Well, I know you do a lot of work in that area. What do you think keeps physicians up at night?

Speaker 2:

I think there are several key issues, but uncertainty is one of those. And I think there's a tremendous amount of uncertainty in the realm of the evolution of artificial intelligence, always ongoing concerns with cybersecurity, compliance, and fraud, and, equally important, uncertainty in the workforce, which has many implications, as we're going to discuss later today.

Speaker 3:

One of the things that I think physician practices need to consider as they're working through some of those concerns is the enforcement activities. There have been a couple of notable recent enforcement actions and guidances that should be considered. One is that OCR, the HHS Office for Civil Rights, recently announced its first-ever settlement concerning a ransomware attack, with a physician practice management company that served as a business associate to healthcare providers. In this case, the hackers had gained access to the business associate's network and used malicious software to encrypt their PHI, affecting over 200,000 patients. Once they reported the breach and OCR conducted an investigation, they found that the intruders had been in the network for a year and a half before it was detected. And, as is often typical with these kinds of cases, they had not conducted regular network monitoring or conducted a security risk analysis. So we saw a hundred thousand dollar payment to resolve that action and a three-year corrective action plan with monitoring by OCR. And, you know, no good deed goes unpunished. Sometimes the best laid plans of providers are just such that they don't get to document all of the different compliance activities they've done. So I think that's a good example of the importance of putting together your compliance documentation with respect to cybersecurity risk management.

Speaker 2:

Amy, do you find with some of your clients that come to you after the fact that one of the mistakes they make is the lack of pre-planning and being proactive in this area? I know with reimbursement concerns and the rising cost of staff, practices struggle with the whole issue of where do we spend our money. To me, this is not an optional activity. This is a required activity that you have to do, and it's one of diligence, because it's not a static environment that we're operating in, and we're helping to advise our clients on how to minimize, and in some cases mitigate, as much of the risk as possible.

Speaker 3:

Absolutely. We do a lot of M&A type work and see a lot of diligence in terms of acquisition of physician practices and surgery centers, and even hospitals today, where you get in and look at their HIPAA program and they have nothing or very little in terms of documentation. It doesn't mean that they're not concerned about privacy and security, but they can't prove it. And if they can't do that in diligence, they can't do that when the government investigation begins. But I tell people, just get started, and HIPAA provides a great framework for you to do that. One of the foundational things under HIPAA is to conduct a regular security risk assessment. That process of identifying potential threats and vulnerabilities and prioritizing the criticality of those and the impact on your organization is a helpful framework to begin to manage those risks. And I think that's true, for example, in the case of ransomware: the HIPAA Security Rule provides you with almost a checklist of what you should be doing to prevent a ransomware attack in terms of logging and alerts, detecting and patching malware vulnerabilities, and vulnerability scanning. And of course, if the event occurs, that you have backup and disaster recovery plans so that you can be nimble in responding to attacks and reduce the recovery time. So if practices will embrace that security risk assessment process, it provides them a tool both for compliance and for security risk management.

Speaker 2:

And Amy, I think you pointed out something really important to our potential listeners, and that is there's a lot of information available from the government, because obviously these are federal rules, regulations, and laws, and sometimes it's just a matter of knowing where to go to get started. The other thing that you mentioned was the actual EHR software itself. We still have clients, unfortunately, that have non-compliant EHRs. Part of it is an expense issue that they wrestle with, and the conversion from their current platform to a potentially compliant one, but unfortunately, that's another area where I don't think they have options, and they need to figure out options for funding. One of the other things you mentioned that I think is really important for our listeners to understand is that you don't have to provide all these services in-house. There are many resources, particularly in the sophisticated technology, where you can have a vendor partner, whether it's the HIPAA education and training, very similar to what OSHA training requires. We see a lot of outsourced arrangements, but the sophisticated remote monitoring that your IT vendors, your IT security vendors and partners, can provide is a very good investment. Because as you pointed out, in just one limited case study, there's risk, and sometimes you don't even know if you've had a breach until many, many months or even years down the line.

Speaker 3:

Well, that's right. And as practices sit down and think about where are my risks, you have to inventory where is my electronic PHI, and the obvious answer to that is in my EHR and in my patient accounting system, right? So that's where you start; that's where the money is. So beginning there, and then, like you mentioned, the partnership that you could have with your EHR vendor to help lift up the security profile, and documentation that a security risk assessment has occurred with respect to your EHR that's hosted by a third party, can help a physician practice really leverage the type of documentation they need to prevent a breach, and in the event of an investigation.

Speaker 2:

I think you made another great point, and that is the potential access and breaches extend to the vendor partners. You mentioned one real obvious one, and that is many of our medical group practices, whether they're hospital or health system affiliated, use outside vendors for billing and revenue cycle management. That is another access point into that PHI information that, in many cases, you have to have access to because you want to be compliant in your billing and your collections practices. But at the same time, we need to make sure that as you do that security risk analysis, it extends to all vendor partners, anyone that potentially would need access to PHI or have access to PHI, so that those same high-level security standards are spread across your entire portfolio of vendor partner relationships.

Speaker 3:

That's a great point with your vendors. Another area of recent focus is that OCR and the Federal Trade Commission have focused on tracking technologies and issued guidance last year that has some controversy and is now subject to litigation. But the issue is where these tracking technologies collect information from consumers who log on to your websites and your mobile apps. So the concern is that there would be an impermissible disclosure to a vendor who may be a business associate but refuses to sign a BAA, a business associate agreement, or does not conduct themselves as a business associate. So covered entities should begin, as part of their risk assessment, to inventory the PHI on their website and in their apps which have user authentication procedures, which is what OCR maintains is PHI, and the extent of third-party data sharing with that. You'll need to get BAAs in place with your vendors who store that PHI, or get a consumer authorization to share that information. So it again points to understanding your environment, inventorying where your PHI is, and reaching out to your vendors and making sure you're working in partnership with them toward the security of health information.

Speaker 2:

That's a great tip, to make sure that, as vast as your network is of other partners who you may not see on a daily basis, information security is a key point. And I think many of us can relate: when you go to a website and someone says, we use cookies, that's how I always remember that a lot of your data is being tracked. This time of the year, when you're doing holiday shopping and you go to a particular website, it's funny, you're going to get pop-up ads for those kinds of products from many, many people, which is certainly not necessarily a HIPAA or PHI standard, but we know that that technology is out and in use across the worldwide web.

Speaker 3:

What are you seeing among your clients in terms of preparation for that and the training and support that they need to conduct their responsibilities?

Speaker 2:

One of the things that we're seeing is a lot of questions, just because it's an ever-moving target to some degree, because the regulations and some of the rules have changed. But I think most of our clients want to make sure that they have reasonable, ready access to the information, training tools, and interpretation of policies. I encourage our clients to go to the frequently asked questions section; the question you may be thinking of may have already been addressed. I think the other things that are important are making sure that if it exceeds your knowledge and you don't have a resource in-house, you avail yourself of other trusted advisors to ask, what are your other clients doing on these kinds of matters? Sometimes through IPAs, sometimes through clinically integrated networks, we see information sharing. So if you're not part of one of those kinds of entities, that's another source. The hospitals and health systems, for their independent practices in particular, have really tried to extend and make sure that those practices are within compliance for those kinds of issues. And I think there's the ongoing need for training and retraining. So if you're not in the position where you can afford to have that kind of in-house expertise, make sure you're asking the right questions: who can I go to that has a reputable training and retraining program, because of the constancy of the turnover and the staffing? Labor drives several different issues, one of them being the need to have constant training and retraining, but also the turnover and the fact that you could be in a continuous cycle.

Speaker 3:

Yeah. And I saw a study recently stating that no matter how often you do security awareness training on phishing attacks, 4% of your employees will click on anything. So keeping up is really difficult. It's really hard, especially in a small setting, for providers to keep trained, staffed personnel who understand what some of these compliance risks are.

Speaker 2:

Well, those are where you have to put reminders on every monitor or any device that you have. And Amy, really, that applies to our professional services firms, whether they be accounting, advisory, or legal, because we are targets for phishing attacks all the time because of the amount and the vastness of the data that we analyze and receive from our clients. So we, even as a professional services firm, are acutely aware. And so if you get a strange text or an email from the CEO or the managing partner, be cautious before you click on it.

Speaker 3:

Right. Right. That's great. I think at the end of the day, the risk comes from not knowing what you're doing. And I think a lot of times physician practices in particular are so anxious about all of the regulatory unknowns and risk out there that it's easy to bury your head in the sand. But I think just sticking to the fundamentals: start at the beginning, inventory your PHI, set priorities on the risks that you think are critical, and start managing them. When it comes to a breach or a complaint investigation by OCR, I have to say that most of the time the agency is fairly forgiving if you have done that, if you have identified your vulnerabilities and if you have a plan, even if you're not perfect. Right? So just identifying the issues and working the problem, I think, goes a long way. It gives us something to talk about, at least, when the untoward event occurs and you've got to defend the practice.

Speaker 2:

Amy, your practical advice is: doing nothing is not an option. Be proactive about it. Make reasonable attempts, avail yourself of publicly available information, and, as you said, consult your colleagues. Whether you're an administrator or in a clinical role, it's great to get opinions from people that you trust and that may have that experience. We always get this: well, I can't afford to do A, B, and C. My advice is, you can't afford not to do A, B, and C. And as you said, it's that good faith effort to make sure you're trying to be in compliance with the rules and the standards, and they're very complex. As a non-attorney, even when I read some of these things, I have to pick up the phone and talk to one of our in-house attorneys to say, am I interpreting this information correctly? And maybe you could just advise our listeners that sometimes it's okay just to ask a simple question of someone that might have expertise and knowledge in these particular areas.

Speaker 3:

Absolutely. What kind of concerns do your provider clients have about artificial intelligence, the challenges there, and the risk to be managed?

Speaker 2:

I think when it comes to artificial intelligence, there's tremendous fear and trepidation about what it could mean to our practices and to our hospital clients, because there's still a lot of information that's not really available. For instance, AI and how it can learn from experience, I think, scares the daylights out of a lot of people. It's really those unknown consequences and potential impacts, because we are so connected; it enters into many, many points of potential risk. And I think that's why it's the ongoing diligence. I think it's also important to understand that in our medical groups in particular, it's how AI can potentially impact just day-to-day operations. There may be some really positive things about what it can learn when it gets in and looks at your system, but also potentially there are all kinds of threats. And I think as it relates to breaches, it's something that should be part of any practice or department meeting on a regular basis, to say, I just want to remind you, if you get a suspicious email, even a suspicious text... Even in our personal lives, I don't think there's a day where I don't get a spam phone call on my cell phone <laugh>. Even our phones have gotten smart enough to say, alert, this might be potential spam. My rule of thumb: if I don't recognize it, I do not answer the call, because we know what's happened if you say the word yes or "this is" whoever; you know how that stuff can be recorded and captured and used for things that are pretty suspect in nature. What about your clients? What are they telling you about their concerns for AI?

Speaker 3:

Well, I think there's a lot out there right now on potential regulation, and the government, the federal government in particular, is trying to discern how best to approach regulation. As you know, the Biden administration issued an executive order recently, and it includes a number of provisions on AI and the regulation of AI, basically addressing the governmental agencies at the federal level and requiring that they develop regulatory action plans for AI using their existing legal authority. So HHS has been instructed, by April of 2024, to address bias and compliance with federal non-discrimination laws for the use of AI. We know a little bit about how HHS is going to regulate AI in that we have two proposed rules. One regulates the technology and one would regulate the healthcare providers. On the healthcare provider side, we have proposed regulations covering clinical algorithm bias. So HHS will use the civil rights laws governing federally funded healthcare programs to ensure that AI systems don't discriminate against patients based on race, age, sex, disability, et cetera. So providers are going to be responsible for the bias stemming from the use of biased algorithms. The devil will be in the details, but we know that April is the deadline that the president has set for HHS. One of the things that, from a physician point of view, we see is they kind of understand that one of the most important safeguards in these AI systems is for human oversight to be present. And the human in the loop is the informed physician that is involved in assessing the AI information and then making independent decisions. But how are they going to know? How are they going to know if the algorithm is biased, or what's in the algorithm?
There's a separate proposed rule by the Office of the National Coordinator for Health Information Technology to regulate EHR vendors where their software enables or interfaces with what's called predictive decision support interventions. So those types of tools must meet the HHS criteria to make sure that the algorithm doesn't contribute to health disparities. And then those vendors have to enable the technology to permit users to review the health equity data elements within the EHR and provide feedback on how the algorithm is working, and to publish their risk management practices that show how they've thought about managing the health information and technology risk of predictive decision support. So it should be a busy year.

Speaker 2:

That's a lot to take in, but Amy, just to take that a step further, if you are a hospital, health system, or medical group and you participate in any of the government payer programs through CMS, you would be subject to all these rules. And we find there are very few practices, other than maybe a concierge medicine practice, that are not participating in those government programs. You can see the far-reaching impacts to everything from direct providers to home health to DME to pharmacy, et cetera. This gets really large, really fast, but we know what a huge impact our healthcare industry has on the national economy as well.

Speaker 3:

That's great. Totally agree. It's overwhelming. And I guess, kind of wrapping up here, I think that makes our job as advisors even more important: that we take all of that complexity and density and streamline it and help them focus on getting the most bang for their buck and setting priorities on the risks that have the highest chance of materializing and would have the most tremendous impacts. So if I had to leave with one thought, it would be to stick to the fundamentals, try to set priorities, stay informed given all of these changes, and be proactive.

Speaker 2:

I would echo that. And I think the one thing you said is take practical steps. Don't be the ostrich with your head down in the sand. Just make sure that you're up on this, and rely on your trusted advisors, and hopefully, whether it's a department administrator or a practice manager or even just someone within your delivery mechanism that has awareness, read everything you can get your hands on regarding these issues, because when they make it onto the nightly news, you know that it's an important issue to pay attention to.

Speaker 3:

Yep. We live in exciting times, and it's great to connect with you and talk through some of these things. I always enjoy chatting with you and hearing what you're seeing in your practice.

Speaker 2:

Thank you, Amy, for sharing all of this with our listeners today. And likewise, I appreciate the opportunity to present with you today.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.