Healthcare Compliance Resource Center
By Susan Walberg, JD MPA CHC
Healthcare apps have become increasingly prevalent, with people using them for counting steps, monitoring their calories, or linking to various medical devices, to name just a few examples. Since the COVID outbreak, however, and the explosion of telehealth as a healthcare option, these apps have proliferated at an insane rate. As of 2020, there were 325,000 healthcare apps on the market, with more coming all the time.
Whether you are a consumer who uses such apps, or a provider who wants to develop an app for patients to use, it’s important to understand some of the privacy and security risks that may accompany the use of such tools, and what to watch out for.
Although HIPAA (The Health Insurance Portability and Accountability Act of 1996) has been around for a long time, the COVID epidemic has spawned a slew of misunderstandings, disinformation, and erroneous claims about the law’s reach and impact.
Telehealth or ‘virtual’ visits increased by over 11,000% when the pandemic-related changes by CMS were implemented, according to Medicare data for March/April of 2020. Previous reviews of telehealth services by the OIG revealed a 31% error rate, and this was well before such services became easier to provide. Given those high numbers, it isn’t surprising this is a high-risk issue.
Unfortunately, loosening the regulatory requirements opened the door to fraud by dishonest providers, telemedicine companies, and others.
As Private Equity companies and healthcare organizations move to grow or consolidate practices and organizations, one area of due diligence that is often overlooked is the evaluation of the compliance program and the compliance risks that are the natural result of a deficient program.
For those of us who are responsible for compliance, there are many new challenges, issues, and questions that arise as this situation rapidly unfolds. In addition, the federal government has been providing daily briefings which often announce new changes. Just this week they announced a willingness for providers to work across state lines. The Centers for Medicare and Medicaid Services (CMS) has been issuing various waivers to states, which can be found on the CMS page under the Medicaid section.
As I think about this as a compliance person, and listen to the briefings, I see a few key topics that will generate questions and that people need to understand.
There is a lot of activity in the healthcare space these days. Venture capital companies getting involved with various lines of healthcare, smaller practices merging or growing, adding lines of business or services…it is easy to overlook certain compliance issues, especially those that aren’t usually top of mind anyhow.
We have all known them: that boss who walks around at 4:55 on a Friday afternoon looking for that ‘slacker’ who left a few minutes early, or who criticizes any ‘out of the box’ ideas in order to maintain control. The manager who micro-manages employees and stifles creativity, who finds ways to intimidate independent thinkers and who actually punishes those who dare to offer unsolicited suggestions, even if it’s to benefit the organization. You know who I’m talking about; you’ve probably worked with some version of this person at least once.
Retaliation is one of my favorite topics, not because I like the act of retaliation (of course!), but because it is so often misunderstood and I think it’s critical to provide education on this issue. No matter where I go, retaliation is relevant, and usually if I give a talk on this subject I will get pulled aside afterwards by someone with a story or question.
As I have worked with a variety of physician practice groups and other smaller healthcare organizations, I have seen repeatedly that there are compliance gaps that can become expensive if left unattended.
The opioid epidemic is in the news every day. State and federal regulators and law enforcement regularly investigate cases of drug diversion, ‘pill mills’, opioid over-prescribing, and even deaths from overdoses. Although most of those cases involve deliberate and knowing actions by providers, patients, drug companies, and other bad actors, the enforcement landscape has created a worrisome reality for physicians and other prescribers who are trying to take care of patients with chronic pain.
Compliance has become part of the landscape, especially in highly regulated industries like healthcare. If you ask any leader in the field of healthcare why you must have a compliance program, they will likely reference government laws, such as the Affordable Care Act, or will state that it is important for keeping the organization out of trouble.
Retaliation is one of those things that everyone knows is prohibited. If you are a leader, you know it’s not acceptable to punish an employee for reporting a concern. If you are an employee, you may fear losing your job if you speak up or ‘cause trouble’. The problem, however, is that many people don’t really understand all of the things that can constitute retaliation or which activities by employees are actually protected.
There are a number of occasions when an organization has the need to work on their compliance program; in many instances the first reaction is to start trying to hire someone to fill the role. Although ultimately the organization should have a full-time person, there may be occasions where it makes sense to take a step back and bring in an interim Compliance Officer.
If you have ever been in a leadership role, or worked in the corporate office of a large organization, you have undoubtedly encountered resistance from various departments, divisions, or individuals, whether passive or overt.
The word ‘whistleblower’ conjures up images of Enron or other headline-grabbing stories where an employee is awarded millions of dollars for reporting some egregious action by their employer, who callously ignores the reports of wrongdoing in the search for profits.
As a compliance professional, conducting investigations is an essential part of the job. We are tasked with preventing and detecting wrongdoing, whether it’s violations of laws, regulations, or internal policies and procedures. Sometimes, however, we come to the end of our investigation and find that there was no actual “violation” committed, but there is a discernible culture problem in the organization.
According to the Statement, the Health Breach Notification Rule ‘Helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) nevertheless face accountability when consumers’ sensitive health information is compromised.’ The Breach Notification Rule is not new, but this clarification is, and signals likely enforcement of a rule that has largely gone unenforced to date. The push to regulate apps came from Congress, and further legislation is likely.