AHLA's Speaking of Health Law

Recent HHS/OCR Health IT Enforcement Activity: What’s Driving the Trends?

March 26, 2024 AHLA Podcasts

Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer, Clearwater, speaks with Betsy Hodge, Partner, Akerman, and Gina Bertolini, Partner, K&L Gates, about the activities that are driving HHS/OCR health IT enforcement trends and what that means for the health care industry. They discuss the flurry of recent activity that appears to be setting the stage for major changes related to privacy and security, AHLA’s recently updated HIT Enforcement Summary Tables, trends related to business associates, and how privacy officers can educate their organizations on these issues. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 2:

Hello everyone, and welcome to this episode of American Health Law Association's podcast, Speaking of Health Law. I'm your host, Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer for Clearwater, where we advise and support our healthcare clients on how to move their organizations to a more secure, compliant and resilient state. With me today is Betsy Hodge, a partner with the law firm of Akerman and Chair of AHLA's Health IT Practice Group, and Gina Bertolini, a partner with K&L Gates and a member of the Health IT Practice Group. In this episode of Speaking of Health Law, we'll be discussing what activities are driving the enforcement trends and what that means for clients. We're seeing a lot going on that will drive, and is driving, trends for OCR activity. So let's jump right in to our first topic, which is enforcement drivers: the focus on federal laws and regulations. So the question I have for you first, Betsy, is this: we've seen a flurry of activity recently that appears to be setting the stage for major changes as it relates to privacy and security, such as reproductive healthcare privacy, HTI-1, information blocking, confidentiality of substance use disorder patient records, and even the OCR bulletin and guidance on the use of AI. And now that the HIPAA Audit Review survey notice has also been published, what are your impressions of this activity and how clients can prepare for what appears to be big changes coming?

Speaker 3:

Thank you, Dawn, and I'm glad that you were able to make it through that laundry list of activities.

Speaker 2:

I know, and that's only part of it. That's only part of it.

Speaker 3:

Exactly. And I can't tell you how many things have come out since we first started planning this podcast. So I think first I would say to entities in the healthcare space, get your reading glasses out and start reviewing all of this material, because I think it does signal that, as you said, Dawn, there are big changes coming down the pike. And so now is a good time for organizations to assess where they are and start looking at some of these materials that have come out. For example, the cybersecurity performance goals are a nice little checklist, an easy checklist, to see where your organization is as far as best practices for cybersecurity. I would suggest continuing to read the resolution agreements that OCR puts out, because those are always a good checklist to make sure that you are keeping up with OCR's expectations, especially in the cybersecurity space, but also with privacy generally. I would also suggest, if you haven't already, take a look at your organization's use of tracking technology. There is some litigation pending in Texas about OCR's bulletin or guidance or proposed rule, depending on your perspective, regarding tracking technology. But I think that issue will be around for a while, and we're seeing private litigation over that. So, again, really get your reading glasses out and start reviewing what the agencies have been publishing, because I think they don't publish this material without a purpose. And I think it's now harder for organizations to say we did not know what to do if something happens.

Speaker 2:

And I think we're also seeing a lot of these all commingle too, with what we're reading, at least in some of the final rules and the notices of proposed rulemaking. So that's another reason, back to your point, to get out your reading glasses. <laugh> Yeah,

Speaker 4:

And, this is Gina Bertolini, I think we're going to see, to your point, Betsy, and I know we were discussing this offline, boy, we're gonna need OCR to take a vacation so we can catch up. <laugh> And really it feels that way. The concept paper that HHS released, you mentioned the CPGs, which came out of that concept paper, which itself was released in December, also mentioned updates to the Security Rule potentially this spring, which we know we haven't seen in years. And I would just say, to tack onto what you said in terms of all this content that we're seeing, two major trends emerge. And Dawn, I know you'll get into this in a question, but there's the cybersecurity trend, a focus on cybersecurity, right? As well as a focus on sensitive records. And you mentioned the substance use disorder update to Part 2 to align it with HIPAA. We've also got the reproductive healthcare proposed rule pending, and it does seem that, in particular as we head into an election, the Biden administration is incredibly focused on protecting sensitive records as well as focusing on security.

Speaker 2:

Yeah, I would agree. Betsy, any other thoughts around that? Oh, I know one. So the other thing we haven't touched on yet is the fact that HHS just published their annual report to Congress on breaches. So that's another interesting thing to focus on. Not directly related to the regulations as far as changes, but I think there are some good insights in that, in their direction and what they're seeing. What are your thoughts on that?

Speaker 3:

Thank you for pointing that out, Dawn, because I think those reports are helpful, in addition to the points you raised. They're helpful for educating people about the process that OCR goes through when it investigates either a report of a large breach or a complaint, or its compliance reviews. So I think it's helpful background information for those who are not that familiar with the OCR process. And I think it ties into something that we may get to a little bit later about preparing to tell your story, <laugh> right? So sorry for that foreshadowing. But I think that's helpful information in there. And again, it's also helpful to see, in a relatively condensed view, where OCR is seeing the most activity, the types of breaches, and also shortcomings they may be seeing in certain organizations. And again, that's a roadmap for organizations to use to make sure they're implementing best practices. Yeah.

Speaker 2:

Especially since we see such a huge focus on the resolution agreements and the corrective action plans. And I think what people lose sight of is all the other stuff that OCR is investigating that may not rise to that level, and being able to keep that in mind when you're looking at your privacy or your security program. I always say you can learn from others' unfortunate circumstances when it comes to improving on and maturing your own program as a covered entity, or a business associate for that matter.

Speaker 3:

Absolutely. And then one other development, or resource, folks might wanna consider is that the AHLA Health Information and Technology Practice Group is going to be publishing an update to our online enforcement tracker. Mm-Hmm. <affirmative> It should be coming out soon, <laugh> through the end of 2023. And then we'll be updating it again this year, thanks to Gina and her folks. And it's a great,

Speaker 2:

That's kind of a perfect segue into our next topic, actually, which is the enforcement trends and the work that the HIT Practice Group has done. So, as a privacy officer, I always found it valuable to monitor the enforcement and regulatory trends, as I said, to learn from others. And that's not just their unfortunate circumstances; you can also glean best practices from that to understand where to focus time and resources, which are usually very valuable. You both have been very engaged with the AHLA Health Information and Technology Practice Group and the development of the tracker for the enforcement trends. Can you give us a quick preview of that, and the work that you've done and are continuing to do, and how that can benefit clients, especially based on some of the recent enforcement actions?

Speaker 4:

Sure. Yeah, this is Gina. I'll go into that. Thank you, Dawn. Well, I have the privilege of being a member of this committee and am really loving working with Betsy and Adam Greene and others on the committee. So, honestly, I wanna thank AHLA for the opportunity, because it's really enhanced my connection to other practitioners in this area. It's a fascinating and, as we've been talking about, really evolving area. The trackers, just so folks know if they're not familiar with them, are really useful tools that AHLA produces. We release them multiple times a year, three to four times a year, just depending on the year and the level of activity. But it's more than an annual update. And the trackers, there are four of them. So there's the criminal tracker, which focuses on any data privacy, and in particular HIPAA-space, activities that are criminal enforcement actions. And then of course OCR resolution agreements is another tracker. There's an FTC tracker, tracking FTC settlements or enforcement activity. And of course we saw quite a few in 2023 relative to previous years under the FTC's Health Breach Notification Rule, as well as consumer fraud protection laws that the FTC enforces. And then the last tracker is the state AG settlements, and we're also seeing just a tremendous amount of activity there. So those trackers,

Speaker 2:

That's a hard one to track. That's a hard one to track, I imagine, you know,

Speaker 4:

Yeah. Tell me about it. My experience,

Speaker 2:

My own experience, yeah, trying to track all that, because there are so many different sources there.

Speaker 4:

That's right. And that is one where I almost feel like the "it takes a village" sort of comment applies, because I'll get emails from Betsy or Adam or others saying, oh, there's this AG activity, and of course we have some formal search processes in place and some great associate attorneys who are working on that. But you're right, it takes quite a bit to really make sure that you're getting the full landscape nationally, and we've seen increased activity by state AGs in data in general, data privacy, including in the healthcare space. Yeah. In terms of what we're seeing, Dawn, I think I'll focus a bit on the OCR resolution agreements, because we are seeing some of the continuing trend that we had seen, in particular with the right of access cases. There was a right of access case that I believe was about the 46th HIPAA right of access case, and that was the end of 2023. And just for our listeners, in case they're not tuned in, the right of access initiative was really sort of formally implemented by OCR a few years ago. Obviously, there's always been the right of access under HIPAA that allows patients to designate third parties to receive their protected health information. And of course, they can make complaints. But a couple of years ago, OCR really began a concentrated effort in enforcing right of access complaints, and we saw a flurry of activity in 2021, I believe it was 2022, and then that sort of tapered off in 2023. We did see the 46th one at the end of the year. But what we've also seen is a couple of, I think, fairly momentous resolution agreements. Oh, yeah, yeah. Including OCR even acknowledging the first and the second ransomware-related resolution agreements.
So one involved Doctors' Management Services, and that was late last year, which involved ransomware that encrypted files; there were about 200,000 affected individuals, and that resulted in a $100,000 settlement and a three-year corrective action plan. And then the other one, the second ever ransomware attack, we just saw this month in February, involving Green Ridge Behavioral Health. That's another ransomware attack. That one affected 14,000 individuals and involved a network server that had been infected, and then sensitive patient records that had been locked down, encrypted through malware, and that involved a $40,000 settlement, also a three-year corrective action plan. And what I'll comment there, 'cause folks can go in and read the details, right? A couple of things I'm seeing in terms of trending, and what OCR is really focusing on, are the failures that occurred leading up to those ransomware attacks. So the lack of a risk analysis, right? The lack of implementing a risk management plan, the lack of policies and procedures, lack of audits going in and looking at your activity, and lack of workforce training are sort of the four or five things off the top of my head that we're seeing repeatedly, I think, both in comments by OCR as well as in their settlements, and then in where they're focusing in terms of the corrective action plan. Betsy, you mentioned something I think really important that our listeners and our clients really need to pay attention to, which is, boy, those corrective action plans are helpful, right? If you go in and you read them and you read what OCR is telling these entities to do in the wake of a ransomware attack, step by step, that gives you a sense of what you ought to be focusing on now.
So, and I always tell my clients, it's not whether you'll have a breach, it's when, and I hope the same isn't true of ransomware, but it sure seems like it could be. Right. We've seen, OCR says, about a 260% increase in ransomware in the last five years. So it is a very important focus for OCR, and I think our clients are well served to understand what they need to be doing now, not only to mitigate the risk, right, and detect if and when it happens, but to mitigate then the enforcement, right? The,

Speaker 2:

Because I see that a lot sometimes too. You mentioned the risk analysis being a big component of that, and oftentimes organizations think that it's a one-and-done and they don't realize, and OCR has spoken on this many times, about an accurate and thorough enterprise-wide risk analysis of all of your ePHI. And so it's an ongoing process, and that's one of the things we advise our clients on: it's not a one-and-done. We're here to help and keep that as an ongoing process. So as you bring on new systems, applications, you're doing a thorough risk analysis of those. Yeah. And with sunsetting those too. So,

Speaker 4:

Yeah. And Dawn, in fact, one of them, it was either Lafourche or Doctors' Management, those are the two ransomware, and I believe one of them referenced the importance of consistently monitoring and managing. And so, to your point, you may do a risk assessment or risk analysis, but as your systems grow and change, you need to go back in and do it again.

Speaker 2:

Right, right.

Speaker 3:

Yeah. And I think it's probably not a coincidence that recently NIST released guidance on implementing the HIPAA Security Rule. It's NIST Special Publication 800-66, for those... Another

Speaker 2:

Good catch, you know,

Speaker 3:

<laugh> we wanna look it up for our

Speaker 2:

list,

Speaker 3:

And I believe OCR partnered with NIST on that guidance document. So again, that's another resource that's available to help those organizations that perhaps have not fully developed their security compliance program, or just want to do a gut check to make sure they're implementing all of the security requirements appropriately.

Speaker 2:

It's a great list of questions, if you read through that. Yeah. With each of the requirements. So it does, as you said, Betsy, it really helps focus.

Speaker 3:

And one other point: I know historically OCR has looked at compliance with the Privacy and the Security Rule from the lens of the data and whether it's remaining confidential, the integrity there, and whether it's also available. I think we're seeing a greater understanding that if there's a ransomware attack or some other cyber event, it's not just a data issue or a patient privacy issue, it's a patient safety issue, potentially it's a revenue issue for the organization. And I think there's a rather large incident occurring now that's been in the news a lot, with Change Healthcare. And I think it's showing that if you have a large cyber incident, it's a multifaceted incident and you need a whole-of-organization response. And I think OCR now seems to be looking at these incidents more holistically too. And that brings up, oh, sorry,

Speaker 4:

Gina, did you... No, I was just gonna say, Betsy, I think that's a great point. There's the Hospital Cyber Resiliency Initiative, which was sort of a joint study and report issued by HHS and CMS and others, and they really focused on that point that these cyber attacks are patient safety issues. And there's a tagline, and it was something like "data safety is patient safety." It's not exactly that. But I think that's a really great point as well, that as we continue to evolve into this era of really very significant cybersecurity events, we will see a greater risk to patient safety. Yeah. So that's a great point. And I wanted to clarify, sorry if I could, because I misspoke earlier: the two ransomware settlement agreements, just in case folks are tracking, are Doctors' Management and Green Ridge, and then Lafourche actually is the first phishing one, right? Yeah. Phishing, which, Betsy, Dawn, we've talked about previously, which was a settlement that OCR entered into with Lafourche Medical Group, where the threat actor actually entered through the phishing scheme, through email, which of course is another concern of OCR.

Speaker 3:

And I think, oh, I'm sorry, Dawn, I was just going to mention briefly a couple of other themes that we've seen this year in the resolution agreements. I would say what's old is new again, <laugh> for example the St. Joseph's Medical Center case, where there was the impermissible disclosure of PHI to the media. Oh, right, yeah. During the early days of COVID, when film crews were coming in to show the tremendous strain on hospitals and the heroic work that healthcare workers were doing. And proper authorizations may not have been obtained. So we've seen those types of situations occur every so often over the years. And then also healthcare providers responding to online reviews and not realizing perhaps that by responding they are inappropriately disclosing PHI. And so it seems every couple of years OCR has a settlement involving one or more <laugh> of those topics. So I think those are not cyber incidents, but still things to keep in mind.

Speaker 4:

And Betsy, as our health system continues to evolve and we see more sort of non-traditional healthcare providers in the telemedicine space, which then affects our more traditional healthcare providers, who need to keep up and compete, we are seeing these kinds of issues. Responses to comments and the desire to post patient reviews is a pretty significant issue, and I think will continue to be, in terms of it being needed for competitive purposes. But then there's this question of, well, how do we handle it in terms of compliance, right? So it's a great one to bring up.

Speaker 2:

And Betsy, you brought up a good comment that takes us into another question, which is trends related to business associates. What would you recommend to those organizations to be more rigorous and thorough in the programs that they've implemented, especially when it comes to business associates or third parties, vendors? And you brought up a perfect example of what we're seeing with the Change Healthcare situation right now. What are your thoughts on that topic?

Speaker 3:

Well, I would say what you just said, Dawn: to be more rigorous and thorough. But as we know, there are only so many hours in a day and so many resources to do that. So I think it's important for organizations to prioritize their business associates, which means first you have to understand and know all of your business associates, and who is handling your PHI. So once you get your arms around that, then triage which of those entities pose the greatest risk to your organization, and then devote more resources to those organizations, doing a deeper dive when you're vetting those business associates, making sure you get security questionnaires completed, exactly, and vetting them more carefully, and then periodically revisiting them to make sure that what they told you when you first contracted with them is still the case. Are they still, if they have their SOC 2 or if they're HITRUST certified, is that still the case? Have they evolved over the years? So I think that's important to do, but I think it's also important to understand that some of these large cyber incidents that we're seeing are not even at the business associate level. They're lower down the chain. Earlier this, no, last year <laugh> it was last year, with the MOVEit software incident that affected a number of organizations. And what we found in our experience was it was not the covered entity that was necessarily using that software, but it was a couple of subcontractors down the chain, and that's hard to monitor because you're not obligated to go that far down the chain.
But I think maybe with those high-priority business associates, you may want to see what processes and procedures they are implementing to monitor their subcontractors.

Speaker 2:

I would say it goes beyond the days of "all you need is a business associate agreement," and it really supports what we've been talking about, which is having a good vendor or third-party risk management program. You may not go to that ninth-degree subcontractor level, but it's about informing yourself of what those downstream vendors, contractors, subcontractors are doing too.

Speaker 4:

And we have seen multiple instances where the entry into the health system is through the vendor account. Mm-Hmm. <affirmative> And in some instances, an outdated vendor account, of a vendor, an individual who's no longer there, or vendor access rights that should have been terminated. And that goes back to, right, I think that's a great point, which is your third-party risk management system, or your vendor management system. And what we see OCR talking about as it's describing the importance of a risk analysis, of course the Security Rule requires the physical and the administrative and the technical analysis, right. But we're also seeing them focusing on looking at your relationships with your third parties, your business associates, as Betsy just said, and assessing those and inventorying them and understanding the risk there and managing that risk.

Speaker 2:

So let me ask this: many of the recent enforcement actions, when you start reading through the resolution agreements, date back to like 2015, 2017, 2019, and they're just now being resolved in late 2023, early 2024. Is there a perception that organizations are maybe penalized based on today's cybersecurity landscape versus at the actual time of the security incident?

Speaker 4:

Yeah, that's a really good question, and I'll be interested, Betsy, in your thoughts on this. I'm not sure. So I think there are a number of threads here that we could pull. When we look at the dates of the activity versus OCR's enforcement action, which in many instances have just occurred in the last handful of months, I think one contributing factor is OCR's resources. And when you report a breach, how long does it take until you get an RFI, if you get one from OCR? How long does it take to sort of get through that? One of the settlements, the activity was from May of 2015, and that's a recent one involving Montefiore Medical Center. And that one, I think, involved a bad actor within the organization who was selling PHI. And so that I think is somewhat unique. That's, you know, call that a malicious activity sort of resolution.

Speaker 2:

Insider threat, yeah.

Speaker 4:

Yeah. An insider threat. And I just think that's unique; that's fairly egregious behavior by an employee of the health system. And it went on for some time without being identified. And it's unfortunate, right, for that health system. But I think that one, to me, feels unique. Some of the other ones that are recent as well, involving ransomware, certainly there is a focus on cybersecurity incidents, as we talked about at the beginning of our session. That has peaked because of the increase in these incidents that are happening, an almost 300% increase in five years. We just didn't see them before. But I think that it is in part due to OCR's lack of resources, and just the timeline there, protracted timelines. I think it's also, like I said, the one case is sort of an outlier. Betsy, I'm curious about your thoughts. I think that OCR is focusing on ransomware and cybersecurity, and they're going to look carefully at what organizations did leading up to the attack, and if they were in a good situation to protect themselves, if they were taking measures, taking steps to protect themselves; and where they weren't, they're gonna get hit. I think that's the reality.

Speaker 3:

I agree with what you say, Gina, about the focus on ransomware and other cyber threats leading to data breaches, and OCR focusing on that. I think there may be some justification for thinking that if I had an event in 2015, and say it was a ransomware event, because they were occurring back then, they just weren't as prevalent. Right. They were not as well publicized. Depending on how long it takes for the investigation to occur, right? If someone's investigating it in 2019, 2020, 2021, the landscape has shifted significantly, say, in that five- or six-year span. So it may be a case of, you know, hindsight is always 20/20. And so, without intending to impose, say, 2021 standards on what happened in 2015, that may unconsciously happen. But again, it's hard to remember. Yeah, 2015 seems to... I know <laugh>,

Speaker 4:

But I think what you're saying is we're looking at what happened several years ago through the lens of what we know today, right? And we've seen how much these attacks have increased in terms of affected individuals and the percentage of them being reported. So that's a... and I don't know how you can, though; I'm not sure how you can't look at these attacks through the lens of today. What I do know is not every ransomware attack results in a resolution agreement.

Speaker 2:

Right. That's a good point, 'cause that was my next question I was gonna ask: how does that correlate to the breaches that were resolved through technical assistance? Could enforcement be based on how the ransomware occurred, meaning how the bad actor was let in, and/or how the organization responded? Thoughts on that?

Speaker 3:

I think how the organization responded makes a big difference in the investigation process. I think OCR has always said they do not expect perfection in complying with the Privacy Rule or the Security Rule. They understand that things are going to happen, but it's really, I think, how the organization responds. Well, one, can the organization detect that something has happened, and then once it detects what happened, how are they responding? So I think those organizations that have in place policies and procedures around reporting if you see something that's wrong, and then understanding the chain of command to implement your incident response plan, your business continuity plan if needed, and then documenting everything that you're doing, because when it comes time to respond to a request for information from OCR, they want to see the documents. It's not enough for you to tell OCR what you have done, but also to be able to show OCR what you've done: to have the policies, the procedures, and to be able, as we've talked about before, to tell your story in a way that makes sense and is supported by your policies, procedures, and the steps you took to address the situation when it arose. So, Gina, do you have some thoughts? Yeah,

Speaker 4:

Thank you. I was just gonna say, Dawn, if I could add to that, 'cause I know <crosstalk> Oh, definitely. Go ahead. Time and content. But one thing I will say, and Betsy, I agree wholeheartedly with everything you said, and this is a message really to, I think, you know, healthcare entities that may be dealing with an attack or will in the future, and in particular to executive leadership: the approach of transparency is really a key here. So really approaching how you report and message, tell your story, as you just said, Betsy, a ransomware attack to federal and state regulators is really different than an approach you take in defending a lawsuit, for example. Right? And I appreciate that many of these are turning into class action lawsuits, and that might be a topic for another day, because that's, you know, a whole different subject. It's related, but it really is a can of worms. But what I will say is, I've had to work with executives in dealing with breaches and how to handle federal and state regulators quite a bit, to help them understand that we really wanna be able to tell our story and, you know, put our organization in the best possible light. That means taking steps to mitigate immediately, even before we hear from those regulators, even before we've reported, so that once we report and we answer all the questions that you have to answer in the OCR portal, and then we get the RFI, if we do, which we're likely to, you know, we can answer those questions in the best possible way to say, these are the steps we've taken to initially mitigate the risk and the breach, and then address the source of the risk or the breach, and then, you know, take steps to prevent this from occurring again in the future.

And when we can tell that story in a way that demonstrates that we recognize the importance of compliance, the risk to patient safety, as you said, Betsy, not just to data, that really is meaningful to the state regulators and the federal regulators, and to your point, they don't expect, you know, that you'll be perfect or that you won't have a breach. The question is when. And so this idea of transparency, and I know it's a fine line, but it really takes, I think, working with a team that has been through the trenches, in particular with OCR, before, to help you understand that this level of transparency that may feel uncomfortable, for example, in a litigation environment, is really important to demonstrate to OCR that you know what you're doing and to avoid potential, you know, significant penalties. So that's one takeaway I would say, or one message I would give to our healthcare clients, is really thinking about that story that you're telling and how to put yourself in the best possible light.

Speaker 2:

And Gina, you brought up a good point about involving leadership. So, you know, with the organization's competing challenges for resources and funding and trying to either implement or update those existing programs, how would you recommend privacy and security officers educate leadership and the workforce, to that extent, on the importance of, or the impact that these types of things have on the organization, such as patient safety, interoperability, and information blocking, you know, and how do they balance all of those?

Speaker 4:

Oh, that is a great question. A lot.

Speaker 2:

It's a loaded question. Yeah, it's

Speaker 4:

A lot. It's a loaded question. Yeah. Because, and as you throw in, and I'm so glad you brought up interoperability and information blocking, because one of the things we're talking a lot about within, you know, those of us who practice in this area, is this balance of, you know, the government really wanting health systems to implement the systems that will facilitate complete interoperability, and in fact mandating that, right? Mandating that through CMS's Promoting Interoperability program and through ONC-certified, you know, health IT and requiring the use of that, and all of that, and then the information blocking rule, right? So there's all these things where the government's saying, you need to make your data open and available where it's otherwise permissible under HIPAA or other federal or state laws. That's great, but it also increases the vulnerability of the organization. So to your question of how do you educate leadership, I think it's really important, you know, one, I think sometimes the fear tactics work. And so pulling out these OCR resolution agreements, you know, the one, I'm trying to remember which one, was just 4.75 million, one of the recent OCR resolution agreements, and then any number of hundreds of thousands of dollars that they range from, I think pulling those out and showing your leadership the impact. But there's also this element of trust, right? So, the PR, you know, what you don't wanna see on the headlines of the morning news is that your health system has suffered a major breach. That's all really important, but what does that really mean for trust, patient trust? And so some of these pretty egregious cases that have settled recently, you know, involved very sensitive records and entire medical records that were shut down.

So I think helping leadership understand the monetary risks, the reputational and trust risks, and then the really concrete steps that you can take to mitigate those risks. It doesn't mean you will rid them forever, but you can mitigate them. And then, as we've been talking this whole time, demonstrating that you took those steps before the breach happens, which will then mitigate any penalties with the Office for Civil Rights. Betsy, what do you think? I know we're short on time, but I think it's a great question of, you know, how do our clients educate leadership to make sure that organizations are in a good position when these things occur, or in the best position they can be, anyway?

Speaker 3:

Well, and I think you bring up a good point, Gina. And this also ties back to what we were talking about before, the reports that OCR recently released about their activities in 2022. And one of the comments in there that OCR made was about the length of time it takes to conduct an investigation and how that timeframe has gotten longer now because of a change in the HITECH Act in 2021, where now OCR is required to consider whether an organization has implemented recognized security practices in the 12 months before the incident that's being reported to OCR. And so I think this ties in with your point about educating leadership about the importance of, you know, having in place policies and procedures. And to your point about transparency, you get rewarded with OCR if you can demonstrate, you know, that you invested in these recognized security practices, had them in place, and can document that you had these security practices in place. You know, it benefits you in the OCR investigation, and obviously you would be encouraged to disclose that information to OCR. But again, that also means that you would have conducted a risk analysis and implemented a risk management plan to address the threats that you've identified. So it all really sort of comes full circle, I think.

Speaker 2:

And also I think another key thing that you can leverage, and this doesn't apply to all entities, but to certain entities, is the cyber reporting to the SEC in your filings. So if you know you're an organization that falls into that category for compliance, that can be another driver too that can really push that message up to leadership, where they may directly be impacted.

Speaker 4:

That's an excellent point. And we just saw that with Change Healthcare, you know, that breach occurred within less than a week, I think, before the recording of this podcast. And within days they reported to the SEC, right? Yeah. Just a high-level report of what they know, and it sounds like they don't know a lot yet, but that's a great point. And that ought to get, you know, in an organization that's required to file those 10-Ks, that ought to get leadership's attention, right? Yeah.

Speaker 2:

All right. So I really wanna thank you both for your excellent insights, and you know, we've had many conversations, not just today, so I've really enjoyed our conversations. But before we end the podcast, I'm gonna give you each an opportunity for some final thoughts or takeaways that you have for our listeners. So we'll go with you first, Betsy, for some final thoughts.

Speaker 3:

Document the good work that you are doing within your organization to protect not just patient data, but patient safety, so you are ready to tell your story, not if, but when you need to do so.

Speaker 2:

Okay, Gina, how about you?

Speaker 4:

Yeah, I'll say, and I'm actually gonna steal from some comments that our OCR director made in relation to a recent resolution agreement, that organizations should regularly review risks, regularly review policies and update them, and do that enterprise-wide. And as your systems change and grow, re-review those risks. So, redo your risk assessment, look at your risk management plan, look at your policies, and train your workforce.

Speaker 2:

Big one. Yeah. All right. Thank you both very much. And I also wanna thank our audience for listening today, and we hope that you have a great day.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
