Top 5 Regulatory and Cybersecurity Concerns for Healthcare Providers
Executive Summary
In today’s increasingly complex regulatory and technological landscape, healthcare providers must stay sharp and informed about cyber threats, fraudulent activities and regulatory violations. The top five regulatory and cyber issues that healthcare providers should focus on — from hacking and breach notification to financial and cybersecurity fraud — call for proactive strategies, ongoing staff training and adherence to best practices to safeguard both physicians and patients while avoiding significant penalties.
Recommended Actions
- Educate your teams to spot social engineering tactics and establish cybersecurity protocols to protect against them.
- Ensure that third parties you work with on breach notifications comply with HHS guidelines.
- Review all relationships with designated health services providers to ensure compliance with the Stark Law.
- Review your cybersecurity protocols to ensure that they meet federal standards, including those established by the False Claims Act.
- Make sure that medical billing and coding is accurate, even if it’s performed by an electronic health system or third party.
With cybercriminals lurking and compliance requirements tightening, it’s crucial for healthcare providers to stay sharp and informed. As the industry leans more into digital solutions, the stakes concerning information breaches, fraudulent activities and regulatory violations have never been higher.
Each of the top five regulatory and cyber issues healthcare providers are facing calls for proactive strategies, ongoing staff training and adherence to best practices to safeguard both physicians and patients while avoiding hefty penalties.
1. Social Engineering Attacks Are on the Rise
While ransomware continues to be a significant threat, sophisticated social engineering scams and phishing campaigns are on the rise. Overall, phishing attacks increased by 58.2% in 2023 compared to the previous year. Unlike ransomware, which typically requires more direct interaction with malicious software, social engineering exploits the human element, making it harder to identify.
For instance, a hacker may call a medical practice posing as a new patient who claims they can’t access the patient portal and requests that forms be emailed instead. When unsuspecting staff opens the forms, hidden malware can activate, compromising the practice's network. To combat this, healthcare providers should educate their teams on spotting social engineering tactics and put robust cybersecurity protocols in place.
2. Change Healthcare: Delegating Breach Notification Responsibilities
Recent developments have underscored the importance of understanding breach notification requirements. The Department of Health and Human Services (HHS) has authorized healthcare providers to delegate breach notification responsibilities to third parties, such as Change Healthcare. However, this delegation does not absolve providers of their ultimate responsibility for ensuring that notifications are made promptly and accurately.
To help providers navigate these requirements, the HHS website offers FAQs on the recent Change Healthcare cybersecurity incident, along with helpful tips and resources on best practices for cybersecurity. It’s essential that providers familiarize themselves with those resources and ensure that third parties they work with also comply with HHS guidelines.
3. Stark Law Compliance
The Stark Law, which prohibits physician self-referrals, continues to be a significant regulatory concern, particularly as related to "designated health services" such as laboratory services, radiology/imaging, durable medical equipment (DME) and other vendors. Even without a direct financial connection, such as ownership interest, certain relationships can raise red flags.
For example, if a physician's office also houses a third-party lab service, that arrangement might attract Stark Law scrutiny. Providers should carefully review all relationships with entities involved in designated health services to ensure compliance with the Stark Law's complex regulations. Regular audits and legal consultations can help mitigate this risk.
4. False Claims Act and Cybersecurity
In 2021, the Department of Justice (DOJ) launched its Civil Cyber-Fraud Initiative, which seeks to use the False Claims Act (FCA) to prosecute cybersecurity-related fraud committed by government contractors and grant recipients. Since its launch, the DOJ has announced multiple settlements under the FCA. Recently, government contractors were required to pay more than $11 million in penalties under the FCA for cybersecurity lapses, signaling a potential shift towards stricter enforcement in the healthcare sector.
While it’s still unclear how this trend might impact healthcare providers, it’s likely that certain cybersecurity measures and assurances may soon be incorporated into Medicare and Medicaid contracts. Providers should proactively review their cybersecurity protocols, ensure that they meet federal standards and be prepared for potential FCA enforcement actions related to cybersecurity shortcomings.
5. Overpayments: Continued Focus on Compliance
The Centers for Medicare & Medicaid Services (CMS) continues to target providers for overpayments, with increasing focus on billing for durable medical equipment (DME) and specific medical products such as amniotic fluid injections and skin substitutes. Overpayments stemming from incorrect billing and coding practices remain a prime target for CMS audits and enforcement actions.
Providers must be diligent in ensuring accurate billing and coding. Even when electronic health systems automatically code bills using AI, the provider is responsible for the accuracy of the codes submitted.
Special attention should be given to billing modifiers. For example, a single patient visit may involve multiple health issues requiring different codes, or a telehealth visit may require modifiers that are often overlooked. Regular training and audits are essential to prevent errors that could lead to overpayment demands or penalties.
As we look ahead, the emphasis on data privacy and security and regulatory compliance in healthcare will only grow. Providers can expect stricter compliance standards, additional regulation and more extensive use of technologies like AI for spotting and preventing cyberattacks. With cyber threats constantly evolving and regulations like HIPAA — and potentially new healthcare-specific cybersecurity laws — in place, healthcare organizations will need to focus on proactively identifying and responding to risks to stay ahead of cyberattacks and compliance challenges of all types.
Lessons Learned
- Cyberattacks on healthcare organizations are on the rise and only expected to grow. In particular, phishing attacks are increasing and can be difficult to identify. It’s crucial that providers stay informed about attacks and educate themselves and their teams about them.
- Even if providers use third parties and automated systems for breach notification and billing and coding, healthcare organizations are ultimately responsible for those activities and need to manage them accordingly.
- Healthcare providers can expect greater scrutiny under such federal regulations as the Stark Law and False Claims Act for their regulatory, financial and billing practices. Recently, the FCA has been used to penalize contractors for cybersecurity lapses, signaling a potential shift towards stricter enforcement in the healthcare sector.
- Overpayments stemming from incorrect billing and coding practices remain a prime target for CMS audits and enforcement actions. Providers must be diligent in ensuring accurate billing and coding.
Potential Damages
Failure to safeguard protected health information from cyberattacks and data breaches, inaccurate medical billing and coding, and questionable financial relationships with third-party health service providers all can trigger scrutiny under a variety of federal laws and can result in financial penalties and fines to a healthcare organization. The landscape of threats may be multifaceted and ever shifting, but with the proper defenses, training and protection, healthcare practices can reduce their risk and avoid fines.
Safeguard your practice with comprehensive coverage from MagMutual. Our industry-leading Cyber Plus Policy helps secure your organization and financial assets in the event of a data breach or other cyber threat, while our Regulatory Defender Policy provides robust protection from regulatory and compliance risks. For more details, contact your agent.
10/24
Disclaimer
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.