The possibility of business associates potentially being audited, investigated, and ultimately fined is now a reality. On June 24, 2016, the United States Department of Health and Human Services’ Office of Civil Rights (“OCR”) entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.
This is the first settlement of this kind with a business associate. If there was ever a question as to how diligent business associates must be in implementing a HIPAA compliant program that includes the management of mobile devices used to transmit protected health information, this settlement makes it clear that business associates should be very vigilant.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
The Medicare and Medicaid Electronic Health Care Record (“EHR”) Incentive Program (commonly referred to as “Meaningful Use”) provides incentive payments to eligible physicians and hospitals for adopting, implementing, upgrading, or demonstrating meaningful use of certified EHR technology. Medicare incentive payments are authorized over a 5-year period (2011 through 2016). As of February 2015, total EHR incentive payments exceeded $29.5 billion.
Last month, the U.S. Food and Drug Administration issued its final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Those guidelines make non-binding recommendations on the cybersecurity issues medical device manufacturers should consider in developing new devices. The guidelines also address the processes medical device manufacturers should follow in evaluating and seeking to mitigate cybersecurity risks and the documentation they should submit to the FDA in seeking approval of new devices.
The FDA’s guidance is in response to the growing recognition that the connectivity medical devices have through the internet, networks and USB ports makes them vulnerable. While that connectivity improves patient care, it also creates cybersecurity risks, including the risk of patient harm.
The FDA’s guidance is relevant not only to the manufacturers of new medical devices, but also to hospitals and others which currently use medical devices that have internet, network or other connectivity. The guidelines expressly state that they do not create “legally enforceable responsibilities.” However, they may well contribute to the establishment of a standard of care for such users in evaluating the security of current devices and whether software updates and other risk mitigation measures are recommended for such devices.
A copy of the Cyber Security Guidance issued by the FDA can be found here.