HIPAA and False Claims Act Liability: Requirements for Cybersecurity Providers
Cybersecurity product and service providers, as business associates of HIPAA covered entities, are required by that law to observe specific administrative, physical, and technical safeguards when creating, maintaining, transmitting, or receiving electronic protected health information (ePHI). These requirements are found in the HIPAA Security Rule. Another HIPAA rule, the Breach Notification Rule, requires that covered entities and business associates not keep knowledge of breaches of unsecured PHI to themselves. Rather, under the Breach Notification Rule, covered entities and business associates have breach reporting obligations. Generally, if a business associate incurs a data breach, it must notify its covered entity of the breach details. In turn, the covered entity must then inform affected patients and, in the case of larger breaches, media outlets and HHS.
HIPAA and False Claims Act compliance cannot be viewed in isolation under the new initiative. HIPAA and the False Claims Act may now work together to prevent cybersecurity providers from taking the federal government for a ride. Picture this scenario: You are a revenue cycle management (“RCM”) company – a HIPAA business associate. You submit claims to Medicare and Medicaid on behalf of your covered entity partner. You experience a security incident, conduct a HIPAA risk assessment, and knowingly (and falsely) conclude that your cybersecurity practices were “just fine,” when in fact they were not “just fine,” and indeed, caused the incident.
You announce your “findings”