The Latest NSA News: Updating the Anesthesia Community

Summary

The long and winding history of federal regulations and court rulings connected with the No Surprises Act continues to grow with every passing month it seems. The latest NSA rules are discussed in today’s alert.

There are some things that we’ve just come to expect: a paycheck at regular intervals, power outages that seemingly occur with every storm and the daily (if not hourly) mess made by a busy toddler. Expectations serve a purpose. They psychologically prepare us for what is sure to come—whether good or bad.

For those trying to get a handle on the rules connected with federal No Surprises Act (NSA), it sure seems as if there is something new every month or so—whether that involves a federal court ruling, a process pause or a revised regulation. It’s something we’ve come to expect. So, what is the latest and greatest when it comes to rules and rulings surrounding the NSA? The following will provide a brief overview.

Opening the Portal

No, we’re not talking about opening a portal to the fifth dimension or stepping through a doorway in time. Such sci-fi vortices seem rather tame in comparison to the back-and-forth jolts to which the healthcare community has been recently subjected relative to the independent dispute resolution (IDR) portal and overall process.

This past December 15, those federal departments empowered to promulgate regulations with respect to the NSA—specifically Health and Human Services (HHS), Treasury and Labor (hereinafter jointly referred to as “the Departments”)—reopened the Federal IDR portal for all dispute types. You will recall that it is through this electronic portal that providers may initiate a request for a federally certified IDR mediator when there is a dispute over the reimbursement amount involving a medical service where the provider does not participate with the patient’s insurance plan.

Over the last several months, there has been a series of announcements by the Departments relative to the IDR portal being opened, then paused, then open again, then closed, etc. The December 15 action by the Departments that reopens the portal includes the addressing of previously initiated batched disputes, new batched disputes, and new single disputes involving air ambulance services.

According to the December 15^th announcement:

The Federal IDR process protects consumers against out-of-network balance billing by providing a process whereby providers (including air ambulance providers), facilities, and health plans can resolve payment disputes for certain out-of-network charges. Since August 2023, parts of the portal to submit Federal IDR disputes were closed due to recent court orders and opinions. The portal is now fully operational.

So, unless something has transpired between December 15 and the writing of this article, anesthesia providers can fully avail themselves of the IDR portal. “But,” you interject, “isn’t there a cost to accessing this process?” Funny you should ask.

Paying the Piper

On December 18, 2023, the Departments issued a final rule on IDR administrative fee and certified IDR entity fee ranges. A fact sheet was published by the Centers for Medicare and Medicaid Services (CMS) summarizing the major elements of the final rule.

The rule specifically finalizes an administrative fee of $115 per party for disputes initiated on or after the effective date of the rule. The CMS fact sheet goes on to state the following:

For disputes initiated on or after the effective date of this rule, the Departments are finalizing a certified IDR entity fee range of $200-$840 for single determinations and $268-$1,173 for batched determinations. Further, for batched determinations exceeding 25 dispute line items, the Departments are finalizing the proposal that certified IDR entities may set a fixed fee within the range of $75-$250 for each increment of 25 dispute line items included in the batched dispute, beginning with the 26th line item. The Departments are finalizing the proposal that the certified IDR entity fee ranges will remain in effect until the Departments propose and finalize different certified IDR entity fee ranges in subsequent notice and comment rulemaking.

The final rule provides that the administrative fee amount will be established no more frequently than once per calendar year. This is in response to comments requesting more stability in the administrative fee amount.

So, it remains up to each provider to determine if the cost of disputing an insurance payment is worth the fee, effort and potential frustration. The American Society of Anesthesiologists has recently stated that it is generally pleased that the Departments are allowing the batching of disputed claims as part of the IDR process. The question is, will this be enough to convince anesthesia providers to brave the portal?

Should you have any questions, please reach out to your account executive.

from
https://www.coronishealth.com/blog/the-latest-nsa-newsupdating-the-anesthesia-community/

An Ounce of Prevention: The Increasing Priority of Compliance Programs

Among the maxims we Americans have heard and repeated over the decades is one that lauds a common-sense approach to preparedness and self-preservation: “An ounce of prevention is worth a pound of cure.” The old chestnut is actually profound for those who opt to ponder its ultimate meaning. “If only I had let the faucet drip during last night’s hard freeze, I wouldn’t have woken up to a busted water pipe.” That’s the kind of rue and regret that gets expressed when the adage above is not observed. It’s always cheaper to prevent a disaster than the cost of the disaster itself.

Fending Off Disaster

Are there disasters waiting to happen for those in hospital administration? You bet there are. But these can be significantly limited in size and scope where those facilities have a comprehensive and well-functioning corporate compliance program. Just like the compliance plan guidance that the Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) has issued for medical groups, there are certain elements that should be a part of a hospital’s or health system’s compliance program. Indeed, the OIG has published at least two sets of compliance plan guidelines related to hospitals—one in 1998 and a supplemental document in 2005.

Part of a sound compliance program is identifying risk areas—especially those areas that could lead to fraud, waste and abuse in connection with a federal healthcare program, such as Medicare or Medicaid. Each facility should have a compliance officer who is tasked with identifying issues at their location that have a real potential for violating various federal regulations, such as coding, documentation of services, documentation retention, billing, etc. These risk areas should be identified, documented and disseminated in the form of training for appropriate personnel. Policies should be put in place to minimize these identified risks.

Ratcheting up the Pressure

In the fall of 2022, the U.S. Department of Justice (DOJ) promulgated new crime guidelines applicable to U.S. corporations. Known as the Monaco guidelines (named for Deputy Attorney General Lisa Monaco who formulated the guidelines), the DOJ document is primarily seen as an attempt by the federal government to put more teeth into prosecuting non-compliant behavior by American companies, including individuals within such companies. In fact, this may be the big takeaway from the Monaco guidelines.

Specifically, the guidelines provide for “individual accountability” as the primary emphasis of its new enforcement policy. In other words, it won’t be just the corporation’s board held responsible for improper acts, but the individuals who directly perpetrated them, whether that be the CEO, CFO or lower-level staffer. The guidelines provide for expedited powers to go after such individuals once identified.

Timeliness of cooperation in the DOJ’s investigations will also be taken into account when assigning penalties. It therefore will behoove the institution to move quickly to fully provide whatever information the government requests during its investigation into potential wrongdoing within the facility. Monaco stated that corporate leadership will be “on the clock,” indicating an expectation that there should be no stonewalling the investigative activity.

History of misconduct will also be a component in the assessment of penalties by the DOJ. Prior wrongdoing by the same individuals will be deemed of special concern. The agency will also take into consideration the corporation’s track record of response to inappropriate behavior among its personnel. Thus, it will be important for the hospital to ensure that its compliance plan contains real teeth when it comes to responding to bad behavior. That is, there should be documented consequences meted out to employees who engage in non-compliant behavior—up to and including termination.

So much unpleasantness can be avoided by simply having a compliance plan that actually works. It must target real areas of risk; it must have sufficient consequences for non-compliance; and it must be effectively communicated to staff members. After all, an ounce of prevention . . . well, you know.

from
https://www.coronishealth.com/blog/an-ounce-of-prevention/

The Strategic Impact of Medicare on Anesthesia Practices

Summary

For anesthesia groups wishing to remain independent, strategic planning is a must. As part of these planning sessions, practices must take into account the impact of an increasingly depressed Medicare reimbursement landscape. Today’s article looks at the relevant trends and strategies groups will want to consider. 

Declining Medicare payment rates for anesthesia are probably more significant than most anesthesia providers realize. Most providers understand that these governmental rates are significantly discounted and that the percentage of Medicare cases greatly impacts the potential overall yield per billed unit. What most do not stop to think about is the strategic impact of American demographic trends and that the migration of cases from traditional inpatient venues to outpatient facilities has dramatically changed the economics of call coverage. The dramatic increase in endoscopic anesthesia cases has created a whole new set of challenges and opportunities. As Medicare coverage options evolve, it becomes increasingly difficult to optimize practice revenue potential.

Medicare Rates Continue to Erode

The sad but unfortunate reality is that current Medicare payment rates for anesthesia do not begin to cover the cost of providing the care. A review of data for six Coronis clients (two from the East, two from the Midwest and two from the west) reveals an average anesthesia rate for 2023 of $21.88, and the projection is for this rate to drop further in 2024. This represents a decrease of 5.5 percent from the 2019 rate of $23.14. As a point of reference, if an anesthesia provider generates 10.000 billable units per year and the only source of payment is Medicare, this would only yield total revenue potential of $218,800, and this assumes that all potential revenue could be collected. The reality is that Medicare intermediaries only pay 80 percent of the allowable, leaving a remaining 20 percent to be collected from secondary coverage or the patient. If the patient is covered by Medicare and MediCal, and lives in California, there is no additional 20 percent payment.

If one wanted to benchmark these rates against the Consumer Price Index for Medical services, which has been tracking at about five percent per year, the problem is obvious. The deficit must be covered by payments from non-Medicare plans and hospital support. This is why the greatest challenge facing virtually every practice these days is to generate enough revenue to recruit and retain an appropriate number of qualified providers.

The Challenge is Compounded by the Size of the Medicare Population

CMS data and projections indicate that currently about 18 percent of all Americans are covered by Medicare. Given an aging population, the projection is that the Medicare population will increase dramatically as baby boomers continue to age. The fastest growing segment of the American population is people over 80. The good news is that, as the tables below indicate, the Medicare surgical population has not increased over the past five years, although this may be partially explained by the impact of the pandemic in 2021 and 2022. The overall average Medicare percentage for the six practices stayed at about 35 percent, which is obviously not representative of all practices across the country. Not included in this percentage is the Medicaid population, which can be as much as an additional 10 percent of severely discounted units.

The data for the six practices indicates that the percentage of outpatient cases continues to increase. While about 52 percent of total billed units were generated in outpatient venues in 2019, the percentage has now increased to 60 percent.

The percentage of patients who have opted for HMO plans is significant. While many of these HMO plans minimize the patient’s responsibility, many also make it more difficult for anesthesia providers to get paid.

The Impact of Colonoscopy

The dramatic increase in anesthetics for endoscopy and especially colonoscopy has created an additional set of challenges. While these cases are typically short in duration, productivity is the key to profitability. Recent coding changes also had the effect of reducing the base value for most cases and thereby diminishing the revenue potential. At an average rate of $21.88, the typical Medicare colonoscopy only generates $131.28 when paid in full. 

While it is true that, for many anesthesia practices, endoscopy has been the fastest growing and most profitable line of business, this trend may well have run its course.

Coverage Implications

As practices expand their scope to include a more diverse collection of venues, coverage requirements become more difficult to meet. Typically, for a large multi-site practice, 60 percent of all units are generated in outpatient venues. It used to be that only hospitals would provide financial support, but many practices are now having to request subsidies from outpatient facilities. This is simply a function of the fact that, as the number of anesthetizing locations increases, too often the utilization decreases.

Since 75 percent of the revenue generated per location is typically produced between 7 AM and 3 PM, this means that night coverage is usually a financial loss leader. There is a concept that has started to gain currency: the misery index. It reflects the percentage of cases that must be done after 5 PM and on the weekends.

The tables below indicate changes in the acuity of Medicare patient care over the five-year period. Note that the acuity of inpatient care has increased, as compared to the acuity of outpatient care that has remained fairly constant. These percentages represent aggregated data for the six practices included here. In other words, traditional inpatient venues are covering increasingly older and sicker patients.

Managing the Medicare Challenge

An ongoing decline in Medicare rates is inevitable. This is just one of the many challenges with which today’s anesthesia practices must contend. As is so often the case in business, one practice’s challenge is another practice’s opportunity. Inevitably, this means thinking outside the box. Most practices have three options. This is where strategy is critical. They can (a) try to replace the falling Medicare revenue with other revenue, such as higher rates from commercial payers; (b) attempt to increase their subsidy from the facilities they serve, which seems to be the most common option most are exercising; or (c) explore ways to reduce the cost of anesthesia care through improved operating room efficiency and more creative scheduling. Status quo is never a viable option. If independent practice is the goal, then exploring strategic options is the only solution.

Should you have any questions, please reach out to your account executive.

from
https://www.coronishealth.com/blog/the-strategic-impact-of-medicare-on-anesthesia-practices/

Something’s Brewing: New Challenge to Web Tracking Rule

There’s trouble in Paradise . . . again. The federal government has created a rule that has upset many in the hospital community, resulting in legal action taken by the American Hospital Association (AHA), among other entities. The rule at issue involves the prevention of hospitals from utilizing third-party technologies in connection with hospitals’ webpages. To put it another way, “the rule imposes limitations on the application of common third-party web technologies responsible for capturing IP addresses on sections of publicly accessible web pages for hospitals,” according to a January 8 report in Becker’s Health IT.

Stirring the Pot

According to Becker’s, HHS’ Office for Civil Rights (OCR), along with the Federal Trade Commission (FTC), began sending letters this past July to 66 hospitals and health systems across the country, warning them that their websites may be using disallowed tracking tools. This, no doubt, created quite a stir in the hospital sector, ultimately leading to a decision by the AHA to file suit in November.

The AHA’s position is that the federal agencies have incorrectly held that the collection of online data for advertising and backend operations might constitute a breach of federal health privacy laws.  According to Becker’s, the HHS rule comes at a time when “many hospitals and health systems in the U.S. are facing lawsuits that allege third-party tracking tools on their websites and patient portals have been sending patient information to tech giants like Meta and Google.” As of last May, some 18 hospitals or health systems were facing such lawsuits.

Boiling Over

On Jan 5, the AHA filed a brief challenging the December 2022 rule issued by the Department of Health and Human Services’ Office for Civil Rights. Again, that rule acts to restrict the use of standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages.

In the “Introduction and Summary” section of its brief in support of a motion for summary judgment in a case before the U.S. District Court for the Northern District of Texas, the AMA asserted the following:

The U.S. Department of Health and Human Services (HHS) has issued a new rule that is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy. The rule prohibits the use of certain technologies that make healthcare providers’ public webpages more effective in sharing vital information with their communities. In doing so, it exceeds the government’s statutory and constitutional authority, violates the substantive and procedural requirements for agency rulemaking, and injures the very people it purports to protect.

The brief went on to state:

The rule is contrary to law because it restricts the use of information that is not protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Count 1), and it also is final agency action that violates the Administrative Procedure Act (APA) because it provided an arbitrary-and-capricious rationale (Count 2) and failed to go through the notice-and comment process (Count 3). On each of these purely legal claims, Plaintiffs are entitled to summary judgment because there are no genuine disputes of material fact.

This issue is far from being resolved. We have the above-referenced action currently in play, and there are the other lawsuits against hospitals that will have to be adjudicated, as well. As to the case in which the AHA is a party, it might be worth noting that it is before a Texas judicial panel. Interestingly, it has been a Texas federal court that has recently handed the federal government a series of defeats relative to a different legal issue—the No Surprises Act regulations. Though those cases were before the Eastern District of Texas, it would not be surprising to see the Northern District court take a similar pro-provider position. Stay tuned.

from
https://www.coronishealth.com/blog/somethings-brewing-new-challenge-to-web-tracking-rule/

2024 PFS Final Rule: A Deeper Dive on Drugs

Summary

The Medicare Physician Fee Schedule for 2024 contains several provisions concerning drugs and biologicals that will have an impact on pain practices. This alert provides a summary of those provisions.   

We have provided three alerts in the past few weeks devoted to provisions within the 2024 Medicare Physician Fee Schedule (PFS) final rule applicable to the anesthesia and pain community. This alert seeks to summarize what the final rule has to say about drugs and biologicals, which we believe will be of interest to many of our readers—especially those in a chronic pain practice. Based on a review of a fact sheet published by the Centers for Medicare and Medicaid Services (CMS), we have highlighted the following areas of focus.

Opioid Treatment Programs

The final rule extends current flexibilities for periodic assessments that are furnished via audio-only telecommunications through the end of CY 2024. CMS will allow Opioid Treatment Programs (OTPs) to “bill Medicare under the Part B OTP benefit for furnishing periodic assessments via audio-only telecommunications when video is not available to the beneficiary, to the extent that use of audio-only communications technology is permitted under the applicable SAMHSA and DEA requirements at the time the service is furnished, and all other applicable requirements are met.”

The intent of this extension, according to CMS, is to promote continued beneficiary access to these services by minimizing potential disruptions to services following the end of the COVID-19 PHE. The extension is also intended to better align telehealth flexibilities for OTPs with telehealth flexibilities authorized for certain other settings.

Drugs and Inflation

The Inflation Reduction Act (2022) contains several provisions that affect payment limits for beneficiary out-of-pocket costs for certain drugs payable under Part B. The final rule contains the following actions:

• Section 11402 amends the payment limit for new biosimilars furnished on or after July 1, 2024, during the initial period when ASP data is not available. The final rule codifies this provision.
• Section 11403 makes changes to the payment limit for certain biosimilars with an ASP that is not more than the ASP of the reference biological for a period of five years. CMS implemented Section 11403 of the IRA under program instruction, as permitted under Section 1847A(c)(5)(C) of the Act. The final rule contains changes to regulatory text to reflect these provisions.
• Section 11101 requires that beneficiary coinsurance for a Part B rebatable drug is to be based on the inflation-adjusted payment amount if the Medicare payment amount for a calendar quarter exceeds the inflation-adjusted payment amount, beginning on April 1, 2023. CMS issued initial guidance implementing this provision, as permitted under Section 1847A(c)(5)(C) of the Act, on February 9, 2023, and is finalizing “conforming changes” to regulatory text.

Discarded Drug Amounts

In the 2023 PFS final rule, CMS adopted policies to implement Section 90004 of the Infrastructure Investment and Jobs Act. Among them, were (a) reporting requirements for use of the JW modifier to report discarded amounts of drugs from single-dose containers and the use of the JZ modifier for such drugs with no discarded amounts; (b) an increased applicable percentage of 35 percent for a category of drugs with unique circumstances; and (c) a dispute resolution process.

In the 2024 PFS final rule, these additional policies were added, including:

• Timelines for the initial and subsequent discarded drug refund reports to manufacturers.
• The method of calculating refunds for discarded amounts from lagged claims data.
• The method of calculating refunds when there are multiple manufacturers for a refundable drug.
• Increased applicable percentages for certain drugs with unique circumstances (e.g., drugs with small volume doses and rarely utilized orphan drugs).
• An application process by which manufacturers may request an increased applicable percentage for a drug with unique circumstances.
• Modification to the JW and JZ modifier policy for drugs payable under Part B from single-dose containers that are furnished by a supplier who does not administer the drug.

Electronic Prescribing for Controlled Substances

The final rule provides for the issuing of a prescriber notice of non-compliance as the non-compliance action for subsequent measurement years. CMS may consider a prescriber’s non-compliance under the CMS EPCS program in its processes for assessing potential fraud, waste, and abuse. In some instances, this could result in a referral to law enforcement or revocation of billing privileges in the event that evidence of fraud, waste, or abuse is present.

CMS is also finalizing the following provisions:

• Remove the same entity exception.
• Determine compliance by counting unique prescriptions in the measurement year by prescription number assigned by the pharmacy and included in the Part D claims data. This would exclude refills (which are not separately transmitted) from the compliance calculations and include renewals, which are assigned a new prescription number by the pharmacy.
• Update the exception for emergencies to allow CMS to identify which emergencies qualify for the exception and establishing that, as a default, prescribers impacted by the recognized emergency exception would be excepted for the entire measurement year.
• Updates to extraordinary circumstances waivers to further clarify the process for applying for a waiver, the circumstances in which CMS can grant a waiver and establishing that approved waivers would apply to the entire measurement year.

The final rule also clarifies that the CMS EPCS Program will continue to align with Part D e-prescribing standards.

For more information on this or other parts of the 2024 PFS final rule, you can visit the following website: Calendar Year (CY) 2024 Medicare Physician Fee Schedule Final Rule | CMS.

from
https://www.coronishealth.com/blog/2024-pfs-final-rulea-deeper-dive-on-drugs/

Endoscopy Edits and Waiver Form Now Available

SPECIAL ANNOUNCEMENT for Massachusetts Providers

Blue Cross/Blue Shield of Massachusetts (BCBSMA) has announced that, effective January 1, 2024, it is implementing a set of diagnosis-driven claim edits to reinforce its existing medical policy (MP 154) that sets forth the conditions for payment of monitored anesthesia care (MAC) in an endoscopy case in the outpatient setting. Essentially, the BCBSMA announcement is giving anesthesia providers a heads-up that where a patient’s diagnosis or physical status does not meet the MP 154 threshold for billing MAC, the provider will not receive reimbursement from the payer. Where a provider believes that payment may be an issue, he/she should have the patient sign the attached waiver form prior to the service.

Conditions that would meet the medical necessity threshold of MP 154 include, for example, the following:

• ASA status III – V
• Severe obesity
• History of adverse reaction to sedation
• History of inadequate response to sedation
• Findings consistent with sleep apnea

The use of MAC is considered NOT medically necessary for endoscopy procedures “in patients at low to average risk of complications related to the use of moderate sedation.” Furthermore, MAC for routine screening and diagnostic colonoscopy in ASA Class I patients is deemed to be NOT medically necessary.

Providers are encouraged to review MP 154 prior to the provision of MAC services to BCBSMA patients in endoscopy cases. The policy can be found here: 154 Monitored Anesthesia Care (MAC) (bluecrossma.org).

You can access the form here:  For the Member (bluecrossma.com)  If you have questions about this topic, please contact your account executive or you can reach out to us at info@coronishealth.com.

from
https://www.coronishealth.com/blog/endoscopy-edits-and-waiver-form-now-available/

Gone Phishing: Medical Group Penalized in Wake of Cyberattack

You’ve seen the old signs: “Out to lunch” or “Gone fishing.” Such messages placed conspicuously in front of small businesses may have been commonplace in the low-tech days of the last century, but these phrases now serve as a descriptor of either laziness or craziness. At the very least, careless disregard may be the modern-day messaging implicit in these memes. The problem is that running a 21^st-century business in a carefree manner can invite predators to engage in a fishing expedition at your own expense.

In late December, the Office for Civil Rights (OCR), an agency under the aegis of the U.S. Department of Health and Human Services (HHS), announced a financial settlement with a private medical group following a phishing attack that affected the electronic protected health information (ePHI) of 34,862 patients. The term “phishing” describes a particular kind of cyberattack that employs clever methods to entice individuals to disclose sensitive information via electronic communication, such as email. Typically, the method involves the impersonation of a trustworthy source, such as a co-worker or supervisor. Such an attack scored a major hit on Lafourche (pronounced “Lah-foosh”) Medical Group (LMG), a Louisiana-based clinical practice specializing in emergency medicine, occupational medicine and laboratory testing.

Baiting the Hook

On May 28, 2021, LMG filed a breach report with HHS stating that a phishing attack, which occurred the previous March, enabled a hacker to successfully gain access to ePHI. This exposed sensitive patient information, including diagnoses, frequency of visits and treatment locations. Phishing attacks, generally, often involve identity theft, monetary exploitation and harm to one’s reputation. And all this, in turn, can lead to mental anguish and financial loss on the part of the patient. Phishing is considered a very serious danger by cyber security experts because of its potential to cause large-scale harm.

In response to the breach report, the OCR investigated the case and found that the medical group was in violation of multiple regulations that arise from the Health Insurance Portability and Accountability Act (HIPAA). It was determined that, prior to the 2021 reported breach, LMG failed to conduct a risk analysis to identify potential threats or vulnerabilities to ePHI across the organization as required by HIPAA. The OCR also discovered that the group had no policies or procedures in place to regularly review information system activity to safeguard PHI against cyberattacks. This, dear readers, is what we call being “out to lunch” from a vigilance standpoint. Such reckless disregard is not only illegal, it’s actually harmful to your own financial interests.

Resolution and Restitution

As a result of the federal investigation, LMG agreed to pay OCR a fine of $480,000 and to implement a corrective action plan that is to be monitored by the agency for two years. Specifically, the group has agreed to take the following actions:

• Establish and implement security measures to reduce security risks and vulnerabilities to ePHI in order to keep patients’ protected health information secure;
• Develop, maintain and revise written policies and procedures as necessary to comply with the HIPAA rules; and
• Provide training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.

Tales and Takeaways

The LMG case serves as a cautionary tale for medical entities, generally—including hospitals. This marks the first settlement imposed by the OCR that involved a phishing attack. According to the agency’s director, Melanie Fontes Rainer:

Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information. It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our healthcare system safe and taking preventive steps against phishing attacks.

It should be reiterated that healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file reports with HHS in the event of large breaches of ePHI. Based on the breach reports received in 2023, nearly 90 million individuals were affected by large breaches last year. This is up from 55 million individuals affected from breaches in 2022. So, these attacks are not going way; they are only increasing. Hospitals must have measures in place that comply with HIPAA requirements and that are sufficient to defend against the dangling hook that is already in the water.

For more information on a hospital’s responsibility relative to cybersecurity and breaches, check out the OCR’s website at OCR Home | HHS.gov.

from
https://www.coronishealth.com/blog/gone-phishing/