Compliance. TODAY September Fighting fraud, waste, and abuse. Ted Doolittle. See page 16. How to avoid the CIA: The high price of non-compliance

Transcription

1 Compliance TODAY September 2013 a publication of the health care compliance association Fighting fraud, waste, and abuse Ted Doolittle Deputy Director of the Center for Program Integrity, Centers for Medicare and Medicaid Services See page How to avoid the CIA: The high price of non-compliance Gerry Goodman 26 The not-so-usual suspects: Four laws that may impact your compliance focus Lisa J. Acevedo and Brett B. Heger 31 After the investigation: What do you do when you are done? Meric Craig Bloch 35 Government targets healthcare for disability violations Karen R. Glickstein This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at with reprint requests.

2 by Lisa J. Acevedo and Brett B. Heger The not-so-usual suspects: Four laws that may impact your compliance focus Many electronic and wire communications are subject to access by law enforcement under the Electronic Communications Privacy Act. Pending legislation under the proposed Cyber Intelligence Sharing Protection Act could permit companies to more easily share information with the government. The unauthorized access to computerized medical records could be punishable under the Computer Fraud and Abuse Act, including imprisonment, fines, or both. The Trans-Pacific Partnership Agreement may impact the intellectual property rights of, and trade-related requirements that impact, healthcare organizations. Compliance professionals should remain aware of current and proposed non-traditional healthcare laws, regulations, and government actions and their possible impact. Lisa J. Acevedo is a Shareholder in the Chicago office of Polsinelli PC. Brett B. Heger (bheger@polsinelli.com) is an Associate in the Phoenix office of Polsinelli PC. As healthcare compliance professionals who regularly negotiate the everincreasing web of federal and state statutes and regulations, we are all familiar with the usual suspects: the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and its recently issued final implementing regulations, and of course, the Patient Protection and Affordable Care Act (PPACA). However, looming out there in this tangled web are laws, as well as proposed laws and trade agreements, that may also impact healthcare-related compliance issues, but which rarely get the same attention as HIPAA, HITECH and PPACA. Following is a summary of the Electronic Communications Privacy Act (ECPA), the proposed Cyber Intelligence Sharing Protection Act (CISPA), the Computer Fraud and Abuse Act (CFAA), and the proposed Trans-Pacific Partnership Agreement (TPP) and how they can impact the healthcare industry. Electronic Communications Acevedo Privacy Act ECPA regulates the privacy of electronic communications. 1 Among other things, EPCA addresses government access to stored wire and electronic communications. Under EPCA, providers of electronic communications services (e.g., service providers) and remote computing services Heger providers, (e.g., providers to the public of computer storage or processing systems) must disclose the contents of electronic communications that they store under certain circumstances. In the past, EPCA was not the

3 focus of healthcare compliance efforts because organizations typically stored their electronic documents, including s, on their own network servers. However, with the advent of Storage of electronic communications in the cloud means that the stored data may be subject to government access the cloud, organizations are increasingly contracting with cloud providers to store data in the cloud providers network servers. Storage of electronic communications in the cloud, or otherwise with electronic communication providers or remote computing service providers, means that the stored data may be subject to government access, even without a warrant under certain circumstances. Under ECPA, law enforcement may require electronic communication or remote computing service providers to disclose the contents of an electronic communication that is: (1) in remote storage; or (2) stored by an electronic communication provider for more than 180 days. However, law enforcement officials will need a warrant to access any electronic communication that is: (1) in transit, (2) in storage on a personal computer, or (3) stored by an electronic communication provider for 180 days or less. Although there have been recent attempts to update the ECPA, particularly given the changes in technology since 1986, such attempts have not been successful. In 2013, the Senate Judiciary Committee passed an ECPA amendment that would eliminate the 180 day rule and would require law enforcement to obtain a warrant based on probable cause in order to obtain any stored information. However, that amendment failed to pass in the Senate. In May 2013, two similar bills were introduced in the House of Representatives. House subcommittees were debating and deliberating such bills at the time this article went to press. ECPA could potentially impact privacy protections for medical documents, protected health information (PHI), and other sensitive or confidential information contained in electronic communications that are stored with cloud or other providers covered under EPCA. Healthcare organizations should review their electronic communication document storage practices and their document retention/destruction policies to determine the impact of ECPA on their practices and policies. Cyber Intelligence Sharing Protection Act The Cyber Intelligence Sharing and Protection Act (CISPA) 2 was introduced in the House of Representatives in November 2011 and approved in April After failing to pass in the Senate during the same session, the bill was reintroduced 3 in the House on February 12, 2013 and passed on April 18, The Senate has refused to vote on the bill as passed by the House. CISPA, as proposed, provides for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cyber security entities, and for other purposes. 4 If signed into law, CISPA will amend the National Security Act of 1947 with an additional section on cyber intelligence threats and will encourage information sharing between private sector entities and the government as is consistent with the protection of the national security of the United States. CISPA will provide for protection of personal documents including medical records

4 However, the bill raises privacy concerns due to its broad language permitting companies to share information with the government for cyber security purposes. Additionally, CISPA states that private companies may share information with the government notwithstanding any other provisions of law. Opponents of CISPA argue that CISPA s drafters intended to make it trump all existing federal and state laws, including laws dealing with medical privacy. Compliance professionals should monitor the progress of CISPA. Computer Fraud and Abuse Act The Computer Fraud and Abuse Act (CFAA) 5 is a criminal statute which prohibits anyone from accessing a computer without authorization, or from exceeding the scope of authorized access in order to: obtain protected information held by the US government; obtain financial records of financial institutions, information from any department or agency of the United States, or information from any protected computer; access or affect the use of a non-public computer used by or for the US government; knowingly and with intent to defraud, access a protected computer in an effort to further the intended fraud; knowingly transmit information that causes damage or loss to a protected computer; knowingly and with intent to defraud, traffic computer passwords or similar information, if such trafficking affects interstate or foreign commerce or a government computer 6 ; and intentionally participate in computer extortion. A protected computer is a computer that is (1) exclusively used by or for a financial institution or the United States government, (2) used by or for a financial institution or the United States government and affecting that entity, or (3) used in or affecting interstate or foreign commerce or communication. Courts have interpreted this to mean any computer connected to the Internet. Traffic means: (1) transfer, (2) otherwise dispose, or (3) obtain control of data with intent to transfer or dispose of that data. Violations of the CFAA could result in a fine, imprisonment, or both. With respect to the healthcare industry, CFAA specifically states that if a person modifies or potentially modifies a medical examination, diagnosis, treatment, or care of one or more individuals, this can result in a fine and imprisonment for five years. Healthcare organizations should consider including the CFAA in their employee training programs and should evaluate the impact of the CFAA if there is a breach involving their computers. Trans-Pacific Partnership Agreement The TPP is a proposed free-trade deal currently being negotiated between Australia, Brunei Darussalam, Canada, Chile, Malaysia, Mexico, New Zealand, Peru, Singapore, Vietnam, and the United States. 7 It is aimed at fostering a closer relationship between these countries regarding economic policies and regulatory issues. The seventeenth round of negotiations of the TPP took place in Lima, Peru, May 15 17, Although the Office of the United States Trade Representative has and continues to solicit input from various stakeholders, the countries negotiating the TPP have entered into a confidentiality agreement regarding the TPP negotiations. The confidentiality of the TPP negotiations has caused criticism over the lack of transparency and accountability regarding such negotiations

5 Other countries involved in TPP negotiations have different levels of intellectual property protections, and in the course of negotiations between the United States and these countries, the United States intellectual property protections could be subject to change. Healthcare organizations routinely deal with intellectual property on their websites, webinars, and licensing agreements, as well as using intellectual property to protect their medical products, and thus, should be aware of these concerns and any changes in intellectual property protections that may arise from the TPP. Further, the eighth round of TPP negotiations that concluded in September 2011 produced a white paper outlining the Trade Enhancing Access to Medicines (TEAM) initiative. 8 The TPP TEAM initiative aims to achieve the following goals: Expedite access to innovative and generic medicines through a TPP access window Enhance legal certainty for manufacturers of generic medicines Eliminate tariffs on medicines Reduce customs obstacles to medicines Curb trade in counterfeit medicines Reduce internal barriers to distribution of medicines Promote transparency and procedural fairness Minimize unnecessary regulatory barriers Reaffirm TPP parties commitment to the Doha Declaration on Trade-Related Aspects of Intellectual Property Rights (TRIPS) and Public Health 9 Although many of these goals may be welcomed within the US healthcare industry, some fear that such protections will result in longer patent terms, data exclusivity, and increased prices. Compliance professionals who focus on intellectual property and traderelated issues should monitor the progress of the TPP. In short, the laws and the proposed statutes and trade agreement described above should be on every compliance officer s radar. While it s easy to get bogged down with HIPAA, HITECH and PPACA, time should be devoted to exploring whether your organization could be impacted by the ECPA, CISPA, CFAA, and the TPP. 1. Public Law No , 100 Stat (1986) (codified as amended at 18 U.S.C , , 3117, ). Available at 2. Cyber Intelligence Sharing and Protection Act, H.R. 3523, 112 th Cong. (2011). 3. Cyber Intelligence Sharing and Protection Act, H.R. 624, 113 th Cong. (2013). 4. H.R. 624, 113 th Cong. (2013) U.S.C U.S.C. 1029(e)(5). 7. Office of the United States Trade Representative: The United States in the Trans-Pacific Partnership. Nov Available at 8. Office of the United States Trade Representative: Trade Enhancing Access to Medicine Available at 9. World Health Organization: The Doha Declaration on the TRIPS Agreement and Public Health Available at Upcoming HCCA Web Conferences 9/19 9/25 9/26 Behavioral Health Documentation & Billing: Compliance Pitfalls, Challenges, and Solutions Vonda K. Moon and Georgia D. Rackley to Motivate the Physician: Why, Who, How, and When James S. Dunnick Understanding the Attorney Client Privilege and its Role in Compliance Amy Fehn learn more and register at