1st Talk Compliance

Podcast by First Healthcare Compliance

More about 1st Talk Compliance

Tune in to 1st Talk Compliance with your host, Kevin Chmura. On this 30-minute, informative program, Kevin, and his guests will discuss the hottest topics, pain points and learning opportunities related to healthcare compliance management in America. Whether you’re wondering about federal fraud and abuse laws, OSHA, or human resources compliance, tune in to gain insight. Here you can also enjoy our archived library of audio webinars and partner interviews! We help healthcare compliance officers achieve peace of mind and we’re excited to bring some of the brightest minds together to 1st Talk Compliance!

All episodes

515 episodes
Update to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance

https://1sthcc.com/hipaa-reproductive-update/

In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss recent changes to the HIPAA Privacy Rule to Support Reproductive Health Care and Privacy in relation to recent court rulings. This rule, which went into effect in April of 2024, still has certain components which practices need to know about and adhere to heading into 2026. Learn about how these rulings are impacting, and will impact, this important rule, and what HIPAA regulated organizations need to know concerning these updates. In addition, hear about what might be coming in the future of not only reproductive health regulations, but also various other areas of healthcare with regards to privacy.

Kevin Chmura: Hello and welcome to today’s episode of First Talk Compliance. I’m your host, Kevin Chmura, CEO of First Healthcare Compliance and Panacea Healthcare Solutions. And I’m excited to bring you an important discussion about a major legal development that impacts all HIPAA regulated entities. By way of background, on June 18th, 2025, the U.S. District Court for the Northern District of Texas issued a nationwide order striking down the HIPAA Privacy Rule Amendments designed to strengthen reproductive health care privacy. The amendments had been mandatory since December 2024, and this court decision has created a new compliance challenge for covered entities and business associates. To help us understand what happened, why it matters, and what organizations should do now, we’re joined by our expert guest, Rachel V. Rose, J.D., MBA, who’s a leading authority on HIPAA healthcare privacy law. If you listen to our podcast, you’ve heard Rachel many times. In fact, we’ve discussed this particular topic, or issues around it, pretty recently. So it’s great to have her back. So, Rachel, welcome back. Thank you for coming to share your expertise with us today.

Rachel V. Rose: Kevin, it’s always my pleasure, and thank you for having me back.

Kevin Chmura: Yeah, your content is always heavily consumed because it’s very important. So we thank you for being here. So, maybe probably the best way to just start off is if I can ask you to just briefly explain what the U.S. District Court’s order did, why it’s significant, and who it applies to?

Rachel V. Rose: Absolutely. So on June 18th of this year, the United States District Court for the Northern District of Texas, and specifically the Amarillo Division, in the case captioned Carmen Purl et al. v. the United States Department of Health and Human Services et al. And for those who are interested, that case number is 2:24-CV-228-Z. The Z correlates to the judge; any time you see initials or an initial after a case number, it’s the judge. And I’ll just simply refer to this case as the Purl case. Purl. Basically, what the court did was to issue an order vacating the April 16th, 2024 HIPAA Privacy Rule to Support Reproductive Health Care and Privacy. And for simplicity’s sake, I’ll just call that the HIPAA reproductive privacy rule. And basically what it did was to leave intact the requirements regarding the updates to the notice of privacy practices, which are due in early 2026. And to focus on that, there really hasn’t been any guidance yet from HHS. But every covered entity and business associate and subcontractor needs to be aware that the notice of privacy practices updates, which really incorporate the HIPAA provisions along with the 42 CFR Part 2 regulations, are still in play, and the Part 2 regulations specifically relate to the substance use disorder regulation. So that’s something that, again, covered entities, business associates and subcontractors should put on their calendar and look for updates from First Healthcare Compliance whenever HHS releases some more guidance related to what should be included. As many know who have been in healthcare a long time, oftentimes HHS and SAMHSA, the Substance Abuse and Mental Health Services Administration, which oversees 42 CFR Part 2, will issue guidance or form types of agreements or other relevant compliance items. One great example is the Business Associate Agreement. So that’s the part that should be calendared and people should make sure that they are staying abreast of. Now that brings us to what was vacated. And so basically, procedurally, the court granted the plaintiff’s motion for summary judgment. And for those non-lawyers, summary judgment is available when there is no issue of a material fact. In essence, it is judgment as a matter of law, and in doing so, denied the defendant’s, which in this case is the United States Department of Health and Human Services, motion to dismiss for lack of jurisdiction. And the specific section that was vacated pursuant to 5 U.S.C. Section 706(2), except for the modifications that I mentioned to 45 C.F.R. Section 164.520 with the notice of privacy practices, are the provisions associated with what were 45 C.F.R. Section 164.520(b), 1, 2, F, G, and H. And so for those who were familiar with what was required under those particular items, that had to do with the reporting requirements and the attestation requirements under law, and that’s distinct from the law enforcement exception. A couple of items that are also notable, Kevin, and other healthcare attorneys in the space have also honed in on this, is that the plaintiff indicated, and the court honed in on this, saying that under the Administrative Procedures Act the government exceeded its rulemaking authority. However, a lot of lawyers are of the opinion that Congress merely barred rules that supersede state statutes, not those that add reasonable conditions. And so that’s something that I want to emphasize too, as I normally do in our discussions, that state laws cannot be overlooked.

Kevin Chmura: So that’s significant, given that you and I not that long ago discussed some of the updates to the HIPAA 2024 rules. So it’s interesting that we’re talking about it this soon thereafter; I kind of thought that we were a little bit settled there. So maybe just do a quick check. Are there any other reproductive rights related lawsuits that are significant that we should know about and be paying attention to?

Rachel V. Rose: I would say the one that is very prominent is the recent Supreme Court opinion in United States versus Skrmetti, the Attorney General and Reporter for the State of Tennessee. And what’s notable about that case is that it was a 6-3 opinion which upheld Tennessee’s ban on puberty blockers and hormone therapy for transgender teenagers. Texas also actually had a similar law. And last year, in 2024, the Texas Supreme Court upheld a state law banning doctors from prescribing gender affirming care to transgender minors, and a state policy expanding the definition of child abuse to include gender affirming care remains blocked following a state court of appeals decision last year. So notably, the court actually has agreed to hear a couple of other transgender related cases, including transgender participation in female sports. And so this is an area that should be read in conjunction with any HIPAA privacy, any law enforcement exception, which is found under the HIPAA regulations at 164.512(f). And just really be conscientious and cautious about what the individual states are requiring, as well as following the United States Supreme Court’s ruling. Because in this particular case, the court held that Tennessee’s law prohibiting certain medical treatments for transgender minors is not subject to heightened scrutiny under the equal protection clause of the 14th Amendment and satisfies rational basis review. So whenever one looks at civil rights issues under a constitutional analysis, we have what’s known as strict scrutiny. We have intermediate scrutiny, and then the lowest level of review is rational basis. Strict scrutiny we typically see applied to those items that are expressly mentioned in the 1964 Civil Rights Act: race, gender, religion. And for those who read any employment agreement with the nondiscrimination provisions, those same items are included there as well. Intermediate scrutiny is a level below, and then we have rational basis, which is the lowest level of review. I would also add that in relation to some of the 14th Amendment issues and strict scrutiny, one cannot overlook any executive order that is being issued right now. And as it relates to discrimination and the DEI initiatives, the executive orders that were published in January of 2025 that relate to this expressly upheld the Civil Rights Act of 1964. So you still cannot run afoul of that.

Kevin Chmura: Wow. So just to clarify, a question for a non-attorney, because that’s amazing. So with respect to scrutiny, or really any recent Supreme Court cases, would any of those have, or could they have, an impact on an appeal or the ultimate outcome of the Purl case?

Rachel V. Rose: I think that’s a great question for three main reasons, Kevin. First and foremost, the Purl case. The judge used, as I mentioned earlier, the Administrative Procedures Act, and that’s very relevant because of the recent Supreme Court case Trump versus CASA, Inc. And what’s relevant about CASA, even though that’s a completely different area of law, is that the Supreme Court case, CASA, basically held that nationwide injunctions are invalid and they cannot be issued. They’re only specific to the individual parties to that case, right, that was brought, which typically makes sense. Whenever I’ve used injunctive relief at the state court level, it’s to either get a temporary hold, so to speak, or to have conduct stop, but it only pertains to the parties. It doesn’t go beyond that. I can’t say every oil company, right, or every healthcare company is involved in this. And so basically what CASA did, and there’s been a lot of debate over nationwide injunctions by federal courts and their nationwide applicability for a very long time, so this issue really isn’t new, but CASA affirmatively stated that nationwide injunctions can no longer be issued, and they’re only specific to the parties. What is relevant to the Purl case is that the court also discussed the Administrative Procedures Act and said this does not relate to the Administrative Procedures Act, and I believe it’s footnote ten in the CASA opinion that highlights that. And what’s notable is that even some of the entities who were involved in some of the nationwide injunctions honed in on that fact. So will we see an appeal by the United States government? According to the HHS website, they’re evaluating their options. That’s the first item. The second item is, since nationwide injunctions are now not permissible, how can a single district court’s ruling invalidate a particular regulation and have that apply to the rest of the country? When, as even non-lawyers know, if you’re in a particular jurisdiction, typically the district court’s opinion is not only binding on the parties, but it then becomes precedential within that particular district. So every other case that were to follow in the Northern District of Texas, for example, would have to cite the Purl case. Now up on appeal, once an appellate court rules on something, that then applies to every district court which is under that particular circuit, and then if the Supreme Court rules, as we saw in the Dobbs case, right, which overturned Roe, or Loper, which is the case, so the Loper Bright versus Raimondo case, which honed in on the Administrative Procedures Act and overturned the Chevron Doctrine, at least in part, the Supreme Court has the ultimate authority to invalidate a law or regulation as it may be applied across the entire country. So I do think that we will see potentially the government appeal the district court’s opinion, although there’s a potential policy issue there. And then the other item is we could see other cases arise under this that challenge this district court out of a different circuit or district within the United States.

Kevin Chmura: It’s interesting, and nationwide bans are a hot topic of late, I’m sure in your world especially, and so it is not necessarily always black and white, as you point out, which is interesting. That’s all super helpful. Perhaps we switch gears just a little bit and think through: okay, we know where we are right now. What should we be thinking about doing? So I guess maybe to frame it as a question: with this order in place now, what should HIPAA regulated entities, covered entities and business associates alike, what are they still required to do with respect to reproductive health information as it stands now?

Rachel V. Rose: Well, one item that stood out to me about the Purl case was the definition of a child. And I really do think there’s a lot of interplay there with a variety of different state laws, because even if you look at the United States Census Bureau, they do not include unborn individuals in the definition of a child. So a fetus is not included there. Yet Purl reached the opposite conclusion. Right. And the plaintiffs in the Purl case kind of raised that in the reporting of child abuse obligations. So to answer your question, what remains first and foremost, and for those individuals who are clients of First Healthcare Compliance, I created a revised FAQ regarding the privacy rule, and basically, in light of the opinion as it stands now, because we have no other cases, we don’t have a Fifth Circuit opinion, we don’t have a United States Supreme Court opinion on the APA being able to be utilized at a district court level to overturn an entire statute and make it invalid, I would recommend that individuals put a placeholder on what was previously only required to be implemented by December of 2024, with the exception of those notice of privacy practices, Kevin. And I would also make sure that people are very aware of the obligations under the law enforcement exception, which have been in place for over 20 years. So that’s not new, and in compliance with the law enforcement exception, I specifically would initially go to 164.512(f)(1)(ii), which relates to a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process under law, provided that first, the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable, in light of the purpose for which the information is sought; and de-identified information could not be reasonably used. A couple of examples related to that have actually come out of state supreme courts, and one case that is very much an example of not adhering to the law enforcement exception that got a practice in hot water is the civil case, and it’s the Byrne case, Byrne versus Avery Center for Obstetrics and Gynecology. It’s case number 18904. It was a Connecticut Supreme Court case and it was decided on November 11th of 2014. And basically, as everyone in healthcare should know through their training, before you send any HIPAA information out, you should look at that patient’s, or the legal representative’s, HIPAA authorization for the patient and see if any individual or entity is excluded. So what happened in the Connecticut case was that a woman learned she was pregnant and expressly stated on her HIPAA authorization that no provider was to release her protected health information to the child’s father, with whom she was no longer in a relationship. So the practice gets served with a subpoena from the child’s father, and instead of going to a lawyer, the practice simply released the medical records. And so the Connecticut Supreme Court said, hey, from our review of the record in the present case, it appears that the defendant did not even comply with the face of the subpoena, which required the custodian of records for the defendant to appear in person before the attorney who had issued the subpoena. Instead, the defendant mailed a copy of the plaintiff’s medical records directly to the court. And then secondly, although it was a civil case, the cost to the plaintiff in terms of losing trust in the healthcare system, and to the practice in the form of a lawsuit, is significant. And there is a provision in the law enforcement exception which actually requires a covered entity to contact the patient first. And so not meeting those fundamental requirements of the law enforcement exception is critical, and something that’s related to that. Lastly, Kevin, which dovetails into the compliance, is absolutely making sure that you’re looking at two things: state laws again, and then secondly, is the demand that has been received compliant with due process? So is it official? Is it a response required by law, things of that nature? And I always advise all clients to absolutely reach out to an attorney when you get any sort of request for HIPAA information that’s not directly from the patient.

Kevin Chmura: And Rachel, I take that advice myself from you and reach out to you whenever I have a question. So that’s excellent advice for the listeners. So the Connecticut case is a great example, and I guess maybe it leads to a more obvious question, or something that’s a little more practical for people. Certainly keeping up on state laws and rulings, that’s important; that requires really the expertise of an attorney. I wonder if you can give the listeners any advice on any immediate steps they should be taking to adjust their HIPAA policies, procedures and training in light of this decision and the entire environment? I mean, that’s really where they can have the most immediate impact on their organizations. Any advice for folks?

Rachel V. Rose: Absolutely. So as I mentioned, I would put an update in red in any policy changes that were put into place as required in December of 2024. So just placehold it and, as I did for your clients in our model policies and procedures, just put that this updates the policies and procedures pursuant to this court ruling, and then note that there could be changes, and that appeals and HHS, the landscape, need to be stayed abreast of to know how this may shift. Right. Because it may shift back. We don’t know. So that’s the first thing. The second thing, again, is to reiterate the law enforcement exception, and as you also know, Kevin, under HIPAA there is the ability for any provider to potentially report child abuse, right, or suspected child abuse, or under Tarasoff, which is a California Supreme Court case, Tarasoff One and Tarasoff Two, a provider has the option of notifying law enforcement if a person is a risk to themselves or to another person. So appreciating other items which may come into play, and then reading what’s known as in pari materia, which is the Latin, or in conjunction with the state law for what is a child under state law and what constitutes child abuse? What requirements are in place for reporting that? Because what you want to avoid, and we’ve seen this already, not only on the reporting of child abuse, but there was that case out of Ohio when a medical professional was naturally suffering a miscarriage and actually miscarried at home because the hospital sent her home. And as a result, there was a criminal investigation into abuse of a corpse. Now, that was not upheld. The autopsy revealed that the miscarriage was, in fact, natural. It wasn’t induced by any chemical which would have run afoul of that particular state’s law. And as a result, and rightly so, certain entities are being sued by this individual. So it’s a balance of the potential harm to individuals, and looking at that potential downstream liability as well as child abuse and potential Tarasoff reporting.

Kevin Chmura: Yeah. Wow. So great, great advice as usual. So, Rachel, up to this point, I wanted to make sure we kept everything grounded in what’s happening now, factoring in your expert advice. Now I’m going to ask you to look into your crystal ball maybe, and get to the place of speculation. So, relative to the world, do you expect HHS to appeal the decision? And if they do, what would that process look like?

Rachel V. Rose: So, the process is something that is set forth in the rules of procedure. And because the Northern District of Texas falls under the umbrella of the Fifth Circuit, a notice would be filed in the district court and then the appeal would eventually be filed in the Fifth Circuit Court of Appeals. So whether or not HHS does that, from my perspective and from other perspectives that I’ve read, there’s really a tension here on the public policy because it’s reproductive healthcare related. But the fact that HHS does have some issues to contend with, including the definition of a child, which, as I mentioned, the U.S. Census Bureau defines differently, is something that we could see. Another item that we could see potentially is a case being brought in another district court in another circuit. And so we could see that being an issue, or an appeal specific to the APA. So I think we have a lot of different options that we could see play out. Ultimately, it is at the discretion of the government and then any other cases which may be brought on this topic or the APA topic in general.

Kevin Chmura: Yeah, that was well said. So maybe as we move to our closing, I’ll ask you a few more sort of simple things for practical advice for our listeners. Do you think there are any other potential future legal or regulatory changes they should really be watching out for? And maybe, two-part question, how do they stay informed and prepare for any additional changes in the area?

Rachel V. Rose: That’s a great question. I think first and foremost, your primary sources are your best sources. So I would always look at state websites, typically their own HHS items. I also would look to trusted partners such as Panacea and First Healthcare Compliance. And for example, AHIMA normally has really good reviews and experts. There’s Namaz. I mean, there are a lot of really good, reputable third parties that are conscientious about the content that they put out. So trying to stay abreast of all of the myriad of changes can be daunting. But I will say appreciating where to go in your own state is probably first and foremost what’s important, because as we’ve discussed, some of this is going to come down to the state level as well. And that’s something that is, you know, I tell your clients all of the time, and I’m very cautious whenever I get asked questions, to say state law may differ or alter the outcome. So it’s imperative that any covered entity or business associate consult those state laws and the HHS website.

Kevin Chmura: That’s great advice, and I will add to it for our listeners: follow Rachel as well. She recently authored an article on this exact topic, which was helpful in me preparing for this today. So with that, Rachel, I say thank you very much. As always, your expert advice here is invaluable. This is a shifting topic. So what I would say is for the listeners, pay attention. We’re likely to put out more content on this space. Rachel, I’ll reserve the right to ask you to come back and keep us updated, because it feels like there will be more to talk about relative to Purl and other areas. We have a lot happening right now. So Rachel, thank you very much as always.

Rachel V. Rose: You’re very welcome, Kevin. And one thing just to bear in mind is that the reproductive healthcare definition that was initially issued was broadly defined and actually not only considered maternity care and contraception; it also impacted vasectomies, mammograms, sexually transmitted infection screenings and in vitro fertilization, as well as the gender affirming care, which we also discussed.

Kevin Chmura: Wow, yeah, so the complexity of these issues often goes beyond just the headline, which is why your advice is so helpful for everybody. So thank you again.

Rachel V. Rose: Thank you, and we’ll look forward to next time, Kevin.

Kevin Chmura: Thank you. So to our listeners, we encourage you to review your HIPAA policies, procedures, and training materials in light of these court decisions and stay informed as the legal landscape changes. So please pay attention. We’re here for you at First Healthcare Compliance and Panacea. Rachel is a great resource for you as well. If you’d like to learn more, just visit our website at First Healthcare Compliance, which is 1sthcc.com [https://1sthcc.com/]. Or you can go to Panacea [https://www.panaceainc.com/] and follow the links for compliance, or reach out to our team at any time with questions. Don’t forget to subscribe to 1st Talk Compliance on your favorite platform and never miss another episode. Thanks for tuning in and we’ll see you next time.

14 Jul 2025 - 33 min
The Role of Compliance Programs in Mitigating False Claims Act Liability

[https://1sthcc.com/wp-content/uploads/2025/06/1st-Talk_False-Claims-Podcast.png]https://1sthcc.com/mitigating-false-claims-act-podcast/1st-talk_false-claims-podcast/ In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss the False Claims Act in detail. The FCA, one of five federal laws built to combat fraud, waste, and abuse, is the government’s primary fraud fighting tool, with the healthcare industry paying the largest contributor in recoveries for over a decade. Learn not only about how to avoid running afoul of this law, but also some details of cases in which it was violated, and the repercussions those who did so faced. In addition, find out how a proper compliance program can protect your practice in various ways, including staying up to date on cybersecurity training. Kevin Chmura Rachel, welcome to the podcast. Thanks for joining us.   Rachel V. Rose Thank you, Kevin, for having me back for another round of a very major healthcare compliance topic.   Kevin Chmura It very much is, yeah. This one generates some revenue for the government. So this is one that I think especially in today’s environment, people should be paying a lot of attention to. So as I said in the intro, we’re here to talk about the False Claims Act. It’s one of the most important fraud, waste and abuse laws that applies to physicians and health care practitioners of all kinds. The healthcare industry has consistently been one of the, if not the highest contributor to funds received under the False Claims Act. And it’s essential to be familiar with the law and maintain compliance programs to mitigate that risk. Rachel, I know you spend a fair amount of time in your practice in and around the False Claims Act defending and representing customers and providers. So you’re perfect to cover this topic for us. Wondering, though, if you could give us a brief synopsis of the False Claims Act and why is it unique?   Rachel V. Rose Absolutely. 
So as you mentioned, my practice focuses a lot on the False Claims Act, and I am fortunate to do a lot of compliance work not only around the False Claims Act, but HHS. OIG has identified five important federal fraud, waste and abuse laws. The False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Authorities, and the Civil Monetary Penalties. And Kevin, as you mentioned, the False Claims Act is really the federal government’s primary fraud fighting tool. And in 2024, there were more than $2.9 billion in recoveries and, moreso healthcare represented over two thirds of that amount. That healthcare trend, as you mentioned, being the largest contributor, has gone on for at least the last decade. And what the False Claims Act does that makes it unique are really, I would say, five main things. But first, the False Claims Act goes back to 1863, and it is also known as the Lincoln Law. Its primary purpose, even back during the Civil War, was to root out fraud that was being perpetrated on the government. So how would that be done? Congress thought about it and said, well, the government could do it on its own if they caught wind of something, or they could insert a provision which gave an individual known as a relator, also known as a whistleblower, the potential to bring fraud to the government’s attention and receive a portion of the recovery. It’s very important to note that a relator and I represented several relators successfully, sometimes with co-counsel, sometimes with not, so I get to see the False Claims Act from the whistleblower standpoint as well. But this notion of being able to represent a whistleblower is the first distinguishing factor. And that’s because most other civil cases, a person can represent themselves on a pro say basis, meaning they don’t need a lawyer. There was a provision in the False Claims Act which in fact requires an individual to be represented by a lawyer. 
So unless the relator is a lawyer, then the individual needs to obtain counsel in order to file a False Claims Act case. That’s the first thing. Secondly, only the government can choose to open a criminal investigation. So even though certain laws like the federal Anti-Kickback Statute can have criminal penalties or civil penalties associated with them, only the federal government, or if a state has a similar type of law, the state can actually move and bring a parallel criminal investigation in potential proceeding. So that notion that only the government can bring in a criminal case is not unique to the False Claims Act. But what is unique is that a private party can bring a type of case, and that’s how the government learns of something to then potentially open a parallel criminal action. The process for the relator’s counsel is also very different. Normally, if I want to file a lawsuit in federal district court, I have to make sure that either a federal question is involved under 1331, or I need to meet the amount in controversy and diversity of the party’s requirement under 1332. While first, the False Claims Act is a federal statute, so it falls under 1331. So that’s the same. What is not the same is that before I even file a case under seal in a United States District Court, I have to provide a disclosure in evidence to the local United States attorney where I’m going to file the case, as well as providing that same information to Main Justice in Washington, D.C.. Another area that is relevant that I just mentioned is the seal. So that’s the third item. And initially, the statute itself provides for 60 days that the case is filed under seal, meaning no one knows about it but the relator, the lawyers, the judge, and whatever the court staff are, and that’s the way it has to stay. Now, the government may request what are known as deal extensions in this type of case. And another provision relates to the breaching of the seal. 
In the 2016 Supreme Court case, Rigsby versus State Farm, is the case that outlined different factors, which first stated, A, just because there may be a seal breached doesn’t mean that the case is automatically dismissed. But the court said we get to apply these factors and make that determination. I will say that even if the court says no, this case doesn’t need to be dismissed, and the Government agrees with that, the government on the back end, when we start to get to the fee issue where the relator can recover, they, the government, has the right to drop the recovery, if there has been a breach of the seal, below what the typical statutory threshold is, and I’ll get to that in a moment. The other distinguishing factor in a False Claims Act case is once I file the case, it’s really in the government’s hands until they make a decision. And there are three ways a case can go. The government can intervene in the case, and intervention can occur at different times. I’ve had cases that have settled under seal and then the intervention decision is made and the seal is lifted by the court, so the government has taken the case through settlement, even though there has not been any action in court, so to speak. The second way to intervene is that if the defendant won’t settle while the case is under seal, the government can say, hey, all right, relator, we like the case, we have adequate resources. And I don’t necessarily mean monetary resources. I made the specific mention of adequate human resources, right? Because the government only employs so many people and so many Assistant U.S. Attorneys to work on these cases. So the Georgia Tech case is an excellent example where the government intervened and they’re the ones who are leading trial. So in that instance, the relator’s counsel and the relator just sit back, and if the government needs help with something, then they’ll ask.
Declining to intervene means that the government is not going to intervene, but they say to myself or other relator’s counsel, if you would like to move forward with the case and prosecute it, you’re able to. And so I’ve had that scenario as well. And then lastly, they can dismiss the case under (c)(2)(A), and that’s always the government’s discretion. And the Supreme Court case, the Polansky case, is a case from 2023 that actually addressed that very issue. Now, penalties and damages: damages can be trebled under these circumstances. Penalties up until 2016 ranged from $5,500 to approximately $11,000 per violation. So that was per healthcare claim. Now the absolute minimum is over $11,500, and the upper end of that penalty range per claim is closer to $25,000. Oftentimes we don’t see penalties assessed unless a case goes all the way through to verdict in a trial. But it can still be costly for damages being trebled depending on the type of case. The relator’s recovery, if the government intervenes in the case, is between 15 to 25% of the total recovery. If the government declines, then the relator is entitled to 25 to 30% in the event of a successful recovery. And it’s important to note that the False Claims Act is not an intent based statute.

Kevin Chmura
So. Well, wow, that was great. It’s dense, right. And there’s, yeah, there’s a lot there, and expensive for those that find themselves on the wrong end of this, and so super important. And you touched on, I think, a few of them, but I wonder if you could zero in a little bit on what healthcare laws are often included in False Claims Act cases.

Rachel V. Rose
Several laws that are included, Kevin, include the Stark Law and the Tuomey case, which was brought several years ago and to date is still one of the largest False Claims Act cases involving the Stark Law.
It went up to the Fourth Circuit and that had to do with, in essence, paying kickbacks to physicians where a Stark exception was not met and they were getting remuneration outside of what met fair market value in order to refer patients for designated health services. Now, designated health services is a term of art within the Stark Law. We don’t see that term in the Anti-Kickback Statute, which is another term. One main difference, aside from the designated health services being the only areas that apply to the Stark Law, is that Stark is a civil statute, and more importantly, it’s strict liability. So it’s like speeding. If you go over the speed limit, you can get a ticket, the same as the Stark Law. By way of contrast, the Anti-Kickback Statute, which actually predates the Stark Law by at least 17 years, is a criminal statute. It applies to every single federal healthcare program, with the exception of the Federal Employees Health Benefits Program, and it applies to any type of remuneration, whether in cash or in-kind, for referrals to, or utilization of, goods or services related to the provision of health care to a Medicare beneficiary, Medicaid beneficiary, TRICARE beneficiary, etc. And there are safe harbors.

Kevin Chmura
That’s good stuff. I know from my now a few decades in healthcare and all of the compliance and other training that you are really required to do, I spent a fair amount of time being educated on particularly Anti-Kickback, and I wonder if it would be helpful, maybe, if you could highlight a few recent cases involving AKS violations. I think it is kind of where the rubber meets the road on these. It can be very, very informative for folks.

Rachel V. Rose
Absolutely. And one unique aspect of the False Claims Act that I did not address earlier, because I highlighted more of the procedure associated with the False Claims Act.
But one of the more unique or interesting items, especially as it relates to the Anti-Kickback Statute, is the idea that first there’s a different scienter requirement or knowledge requirement. So knowledge under the False Claims Act is defined as actual knowledge, deliberate disregard for the truth or falsity of the information, or reckless disregard for the truth or falsity of the information. Now, the Anti-Kickback Statute is intent based. Remember, the False Claims Act is not. So intent must be proven and it must meet that statute’s definition of knowing or willful. But a nice thing occurred in 2010 for relator’s counsel, and that was that Congress said, if you can substantiate and clear the hurdle of an AKS violation, then the False Claims Act violation really comes along for the ride, which makes sense because it’s a higher level of scienter. And as I mentioned before, the AKS itself is criminal. So when we think about the types of cases where we see a lot of AKS violations, one great case is from 2021, that is the settlement date on that. And that was United States ex rel. Goodman v. Arriva Medical. And that was a case out of the Middle District of Tennessee. That case settled for $160 million after the relator’s counsel, it was a declined case and the relator’s counsel moved forward, responded to the defendant’s motion to dismiss. The judge denied the motion to dismiss, and the case settled. At issue was a type of kickback, which some people may not be as familiar with, but it has to do with the carte blanche waiver of co-pays and deductibles. And so a co-pay is able to be waived if there’s documentation that an individual had a financial need, but only for that individual. So you can’t just say, I’m going to waive all co-pays or deductibles without having individual documentation substantiating it.
So that case is really telling in terms of that area, and that’s an area too, Kevin, as you can imagine, that a lot of providers could really sidestep and eventually end up in hot water for not appreciating that type of risk. Another case that involved the Anti-Kickback Statute was actually a case that I had that the government intervened in and settled while it was under seal in May of 2024. So just about a year ago, and that was in the Northern District of Texas, and there the medical device company had physician owners, and there is a safe harbor in the Anti-Kickback Statute known as the 40/60 Rule, or the small business safe harbor, where if you, an individual physician or a group of physicians, own a certain amount of a company, then the revenues that they generate cannot be a certain amount, a certain percentage of total revenues. And that’s what happened here. They didn’t meet the framework. And for anyone who looks at compliance with fraud, waste and abuse laws, it’s very important to note that you have to fit within the four corners of the safe harbor in order for it to be applicable. A couple of other really big cases that have been around lately. One is one of my favorite cases. It’s called the Sayid case, and it went up to the Seventh Circuit. And the Seventh Circuit issued an opinion on May 2nd of 2024. And in this instance, a creative entrepreneur, I will say, started coloring outside the lines. And instead of being satisfied with the existing relationship he had with the Healthcare Consortium of Illinois, which really had a primary purpose of coordinating healthcare for lower income seniors in the state, he created a third entity and entered into a managed services agreement to pay this consortium $5,000 a month for allegedly providing management services. But in practice, what he was doing was accessing the patient data, using that patient data to solicit business, and that in turn was billed to Medicare.
And as you hear the term PHI, your HIPAA flare should be going off, too. And that’s exactly what the judges both at the district court level and at the appellate court level said. And one of the things that caught their attention, and this is pretty rich, which is why it always stands out in my mind, but Sayid testified that he had spent over three decades in the healthcare industry and knew that buying protected health information was illegal. And as we know, HIPAA has a criminal provision as well. And so what the appellate court said was, you know, the district court was right. They did not err in finding that the defendant knowingly and willfully violated both the Anti-Kickback Statute and HIPAA, and also that this type of personal service or management contract did not qualify under that particular safe harbor for the AKS. And then very recently, Kevin, we have a few cases. One was against Omnicare, CVS; we had Controlled Substances Act violations which were very significant. And then there was a case that was actually filed in 2012, and that was United States and various states ex rel. Penelow v. Janssen Products. And as I mentioned, that case has been ongoing since 2012. The original firm that filed the lawsuit brought in really good trial counsel, who I’ve been fortunate to co-counsel with, and it went to a jury trial. The jury did not focus on the Anti-Kickback claims, but what they did focus on was the illegal promotion of an HIV drug. And the judge entered a final judgment of $1.6 billion.

Kevin Chmura
Wow, that is a very large number. You know, and so, you know, that is why it’s helpful to look at actual cases, right. Like I said before, where’s the rubber meeting the road in terms of actions being brought and settlements being made. It tells you, you know, there are bad actors out there and some people that are knowingly skirting.
So it’s, I think when you tell the story about the co-pay waiving, it really highlights why it’s so important to understand the False Claims Act, particularly the AKS, you know, that you could really just be in a situation where you think you’re doing something kind or nice for an individual or group of individuals and not even realize that you’re in violation of this. And it just speaks to the criticality of the understanding of what your obligations are. So that was super helpful. I wonder if we could pivot for just a few minutes, because you can’t really talk about healthcare today without also covering cybersecurity. There’s been such a huge push to digitizing everything over the last several decades, and we were digitizing things faster than we could keep up with those people that wanted to get at those digital records. And I wonder if you could highlight a few recent cybersecurity case settlements.

Rachel V. Rose
Yeah, absolutely. So in terms of False Claims Act cases, I was fortunate, along with my co-counsel, to represent the whistleblower who brought the first case that settled under the DOJ’s Civil Cyber-Fraud Initiative, and that announcement was made in March of 2022. At issue, there was a government contract with the State Department and some of our armed services. And in essence, there was a requirement to safeguard the information. There was an additional requirement to ensure that the HIPAA information was being secured in a way that HIPAA information should be secured. So in that instance, the government intervened and that was the first case. So I’ve seen cybersecurity violations from the whistleblower side, I have actually conducted HIPAA audits for well over a decade, and I’ve also represented people post-breach on the enforcement side. Some more recent cybersecurity-related cases are, one of my favorite ones is actually the Jelly Bean case that came out of the Middle District of Florida that was not a whistleblower case.
The government brought that on its own. And it’s unfortunate because there was a breach of over 500,000 minors’ information. And what the government said about this company, Jelly Bean, and their owner was, hey, we contracted with you to provide services to keep this information secure. And it was an item that came about because of the breach, but what they found upon doing due diligence was that the common patches that should be done with software weren’t done for over a decade. They were using non-supported software, data was not encrypted, there were password issues, you name it, and this company had it. So they actually brought a False Claims Act case, because as we learned right out of the gate, the government can bring that too. So that was the Jelly Bean case. We’ve also seen it more recently, again with government contracts. That’s the MORSE case, M-O-R-S-E, that’s an important one. Penn State University settled a case. A colleague of mine brought that case, which was brought in the Eastern District of Pennsylvania. And I will say this, because in my experience, the whistleblowers in cyber cases are very sophisticated. They’re typically Chief Information Officers or highly educated people who understand what regulations are supposed to be met and what’s not being met. So I would say that if I am any type of company, whether it’s a business associate or a covered entity, I would ensure that I have my items in a row in terms of HIPAA compliance, because that’s one of the greatest areas of potential risk. And this area of the law is only going to be a focus of the DOJ, per their January of this year statement, that cybersecurity is going to continue to be an area that they focus on.

Kevin Chmura
Yeah, totally. And really in healthcare today, you should have an orientation towards data security, cybersecurity training, all safeguards, and many of them are just good business practices to begin with, right? Certain things can be more complicated than others.
But, really, to just run a business in healthcare, which we all do, it’s not really that complicated to stay in good stead, but it’s something you were touching on there, and I think it’s maybe a good way to close. And that’s really, you know, how do we mitigate all of these risks, really through, I guess, an effective compliance program? I mean, if you’re up on compliance, if you take it seriously, these things should fall into order. But I wonder if you could give our listeners maybe some advice and guidance in that direction.

Rachel V. Rose
Absolutely. So there are five main areas that I would focus on. The first is make sure, to your point, Kevin, that your HIPAA compliance is where it needs to be in terms of the Security Rule, the Privacy Rule, the Breach Notification Rule, as well as information blocking, which was part of the 21st Century Cures Act. And as you and I talked about in another podcast episode, the HIPAA Reproductive Rules. So that’s one area that’s key. Cybersecurity also dovetails into the AKS and Stark Law, because of the December 2nd, 2020 Final Rules. Those are the, quote, “New Stark and AKS Final Rules,” but they updated their safe harbors related to what types of cybersecurity services or goods could be provided and what needs to be done. So you need to have an agreement in place. You need to make sure it’s not based on volume or value, and it needs to be for fair market value. So those are some areas to look at when you’re considering the intersection of cybersecurity as well as fraud, waste and abuse laws. In terms of fraud, waste and abuse, 42 C.F.R. Section 483.85 requires a mandatory compliance program, and this specific provision was highlighted in the November 2023 HHS OIG guidance. And although guidance is not binding in that sense, it provides a great roadmap. But the laws and the regulations that it references are binding. So it’s a great item to look at right out of the gate.
So the seven elements, I call them the dirty seven, that are required for fraud, waste and abuse laws are: written policies and procedures; compliance leadership and oversight; training; effective lines of communication, with a compliance point person; enforcing the standards, having consequences and incentives. Those should be documented both in an employee handbook as well as your regular policies and procedures. There should also be a non-retaliation provision for concerns that are brought in good faith. And I added that term good faith because I actually represented a client where they had a rogue former employee file, literally, a false claim with the government agency that they were not compliant. And so, it came back after I defended them that, yeah, they were compliant with everything that they had, and the individual did not bring that concern to the company. He didn’t bring it to the company first, but he went externally and just filed a completely invalid and factually false complaint with a government agency. So that’s why if it’s in good faith, then people should listen. And on the flip side of that, a positive situation I had with another client was that they had someone who was in billing bring a coding issue to their attention. And lo and behold, there was a glitch in the EHR system. So it was applying the wrong code. They were able to get the EHR company involved, address that, and then resubmit the claims right away to government and private insurers. And that is a great example of a good faith concern that was brought. It was investigated, and it really ended up helping the organization. And so that’s the benefit of looking at it like that instead of just retaliating against someone. The last two items are a risk assessment and audit, that’s a great way to have a third party come in and do an audit assessment, and then responding to detected offenses as well.
So the last part is just to review your contracts and make sure that if persons are receiving money, there is a contract that is in place and that it’s legal.

Kevin Chmura
Wow. So a lot, but a very important topic, because you can see it intersects with day to day life in healthcare in myriad ways. So that’s great. Maybe a quick summary. I mean, if organizations are proactively investing in a compliance program, living it, taking it seriously, and it’s not just a binder on the shelf, it’s going to mitigate risk from the False Claims Act, potentially reduce penalties, and avoid legal repercussions that can linger for quite some time. So Rachel, this has been great. Appreciate you as always. Your knowledge in this space is unbounded and we’re really glad that you choose to share it with us, and I’ll reserve the right to bring you back for future episodes. Maybe catch up on some other things that are happening relative to this very important topic. So with that, I’ll say thank you, Rachel.

Rachel V. Rose
Thank you, Kevin. And thank you, Panacea and First Healthcare Compliance for having me again as a guest.

Kevin Chmura
We’ll have you back soon. Thanks.

Rachel V. Rose
Thanks.

11 Jun 2025 - 36 min
HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance

[https://1sthcc.com/wp-content/uploads/2025/05/HIPAA-Privacy-Rule-Graphics.png] In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, to discuss the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, passed in 2024. With the reproductive healthcare landscape being very dynamic, this new rule has already passed one compliance date, with a second important date coming in February 2026. Tune in to learn about this new rule, and what it means in terms of reproductive health, patient privacy, and the legality between different states. In addition, learn some best practices for implementing the requirements of this rule into your practice. On June 18, 2025, the U.S. District Court for the Northern District of Texas – Amarillo Division (Carmen Purl, et al v. United States Department of Health and Human Services, et al., Case No. 2:24-cv-228-Z (N.D. Tex.)), issued an order vacating the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, published on April 26, 2024, which amended the HIPAA Privacy Rule (Reproductive Health Rule). The decision left intact amendments to the HIPAA rule regarding certain Notice of Privacy Practices provisions pertaining to substance use disorder regulations, which need to be adhered to by early 2026.

Kevin Chmura
Rachel, thank you for joining us. Appreciate you joining us and looking forward to a timely discussion.

Rachel V. Rose
Thank you, Kevin, for having me, as well as to Panacea and First Healthcare Compliance, it’s always my pleasure to coordinate and converse with you on our favorite healthcare compliance topics.

Kevin Chmura
And it’s always great having you helping us with this, and your expertise is invaluable. And you helped us and were the contributor, really writer, of an e-book on this particular subject that will be released very soon. Really this podcast is somewhat of a companion piece to that.
And so what we’re talking about today is the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, passed in 2024. Reproductive health is a prominent and evolving topic within the healthcare policy landscape. Really, major changes have come down in recent years, and so there’s just a ton. So we thought it would be great to publish a book to get everybody up to speed, but moreover, this podcast is an opportunity for people to hear directly from the person who helped us develop that. And that is Rachel. So, Rachel, I wonder, can you just start off by giving us a synopsis of the 2024 Final Rule, maybe some key terms we should be thinking about?

Rachel V. Rose
Sure. As you mentioned, Kevin, the reproductive healthcare landscape is very dynamic, and the rule itself was issued on April 22nd of 2024 with an effective date of June 25th of 2024. And basically what an effective date does is start the clock running as to when certain requirements need to be implemented. This particular rule, which I will refer to as the HIPAA Reproductive Rule, has two prongs of compliance dates. The first already passed, and that had to be done by December 23rd, 2024. And for your clients who were with First Healthcare Compliance or Panacea at the time, they were able to access FAQs. And the first prong of the requirements really addressed every applicable item that I’ll run through, with the exception of the notice of privacy practices. Now, for anyone who’s been in the healthcare sector for a long time, and for anyone who goes to the doctor, a dentist or even a pharmacy to pick something up, we all know we have to sign the HIPAA authorization form, and then covered entities are required to post their notice of privacy practices. So the updated notice of privacy practices, which needs to include some of the reproductive health requirements among other items, does not need to be done until February 16 of 2026.
So this is similar to the staggering of the compliance dates which we saw with the Final Omnibus Rule, which was published in the Federal Register, it’s hard to believe, going on over 12 years ago, and that was January 25th of 2013. Now specifically, the HIPAA Reproductive Rule really prohibits the disclosure of protected health information related to, and these are the terms I need you to focus on, lawful reproductive health care in certain circumstances. And the reason it’s important is because legal means that whatever service or good is being sought, it has to be legal within the jurisdiction where the individual is receiving that care or that good, so to speak. And so if we want to take certain types of surgeries or certain types of procedures that in a viable fetus’s life, then you need to be in a jurisdiction or a state where that is permissible. So the terms are: the meaning of a person. What is a person? If you read the Final Rule, it means a natural person, meaning a human being that is born alive, a trust or estate, a partnership, corporation, professional association or corporation, or other entity, public or private. And this definition is common. It was adopted by the U.S. Supreme Court several years ago. So when someone says a person, it can mean either an individual human being or one of the other more business-oriented items. Now, public health is also a term. And for this Final Rule, it’s used in terms of public health surveillance, public health investigation and public health intervention, and this means population level activities to prevent disease in, or promote the health of, populations. For those who are familiar with HIPAA, there has always been what’s known as the public health exception, and that has limited applicability. But one of the exceptions is to report a positive test for a communicable disease. We saw this during COVID. It is required for sexually transmitted diseases and other kinds of diseases.
We’re seeing it now with all of the media attention on measles and those types of conditions. What’s important to note about public health is that those activities, which include identifying, monitoring, preventing or mitigating ongoing or prospective threats to health or safety, do not include any of the three following purposes, and that’s: to conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating health care. Secondly, to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating health care. And lastly, to identify any person for the activities that I just described. And I’m often asked, well, Rachel, what do you mean? If I’m seeking and what do you mean about going to a different jurisdiction? And for those who are familiar with the old school drinking age laws, for example, in Louisiana, the age used to be eighteen. So if you were eighteen, even though you were a Texas resident and went over the border to drink in Louisiana, it was legal and there was nothing that Texas could do as you were coming across the border. Now, intoxication while driving is a separate animal. But just because a person went over the border to drink in a jurisdiction or a state where it was legal doesn’t mean that Texas had any recourse against that person so long as they were sober coming back over the border. Right. A similar situation with reproductive health care. And that’s what the focus of this privacy is, if a person goes to a state to seek certain types of care, and the two areas that seem to be at issue particularly are surgical abortions or transgender care, especially as it relates to minors. 
So the other key term that everyone needs to be familiar with, and that should be in policies and procedures as well as training, is the term reproductive healthcare, and that means healthcare that’s been defined in this particular section, that affects the health of an individual and all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth the standard of care or regulate what constitutes clinically appropriate reproductive healthcare. So what HHS OCR said here is we are not looking to step into the shoes of the physician and determine what is appropriate under certain circumstances. We are not involved in the practice of medicine. We are just giving a roadmap of what is particular. And everything I just read really comports with the July 2022 opinion in Dobbs versus Jackson Women’s Health Organization, which overturned Roe v Wade. And what’s important about that opinion is actually Justice Kavanaugh’s concurrence. And it’s important because, just as I mentioned going across state lines to receive care, or use the purchase and consumption of alcohol situation by way of analogy, Justice Kavanaugh expressly stated that nothing in this opinion is meant to contradict or inhibit any other part of the Constitution, and interstate commerce is expressly stated in our Constitution. So really everything is aligned with Dobbs as well as the opinions in the case.

Kevin Chmura
Yeah, it’s a great, great rundown. It’s impossible to talk about reproductive health in any context over the last several years in America without intersecting with Dobbs some way or another, right? That’s the seismic shift, and I’m glad you touched on that. I think that’s a real critical area. And so, you know, the Final Rule is in concert with, or interacts is I guess a better way of saying it, considers Dobbs in the rule itself in all of the areas of Dobbs, correct?

Rachel V. Rose
That’s absolutely correct, Kevin.
And it goes back to that legally attainable reproductive health care, right? So if you’re in a jurisdiction where it’s not permissible or it’s not legal, then this rule is not going to help you on that front, right? It’s meant for individuals who are seeking care in a jurisdiction where it’s legal, and nothing in this final rule tries to interfere with that. But it does make clear that just because someone goes across to seek care in another jurisdiction, when they come back to their home state, the home state really has no recourse against them.

Kevin Chmura
By the way, I’m just old enough to remember my oldest brother driving over the border from New Jersey to New York for the 18-year-old drinking age. I was not so lucky. But, so that’s a great analogy and it’s a great way of looking at it. So are there any other compliance items or dates that are critical that we should be thinking about?

Rachel V. Rose
Well, as we mentioned from the outset, individuals and covered entities, etc. should have had the attestations, which are now under 45 CFR Section 164.509. This is new as part of the reproductive HIPAA rules, and here regulated entities are required to obtain an attestation when they receive a request for PHI potentially related to reproductive health care. So what they need to do is first, create the attestation. Second, obtain the attestation from the requester that the use or disclosure is not for a prohibited purpose, and a prohibited purpose would be for health oversight activities, law enforcement purposes, and disclosures to coroners and medical examiners. So from these three bullet points, I would recommend, A, training the people who actually handle the medical records for your organization and making sure that they understand that if one of these requests is made, and if you’re working in an OBGYN practice, it’s probably pretty easy, right, to make this a normal part of the processes.
For other types of specialties, it might not be as common, but still training needs to occur. There is already a law enforcement exception under HIPAA and that’s found at CFR 164.512. But as we know, even with that law enforcement exception, it safeguards our due process, right? So really, this serves as a further safeguard so that law enforcement is not trying to get around the normal processes such as going to court, getting a warrant, getting a subpoena. I would recommend having an outside legal counsel review the requests, especially for the first few of them, snd also, if something just doesn’t seem appropriate. So that’s what I would recommend doing. And then we have a little bit of time left until February 16th of 2026, and that’s when covered entities are going to be required to update their notice of privacy practices to reflect changes to both the HIPAA Privacy Rule by including this reproductive component, as well as 42 CFR Part Two, which is more relevant to substance abuse and mental health disorders. And that relates more to SAMHSA, the Substance Abuse and Mental Health Services Administration.   Kevin Chmura That’s great. So throughout there you touched on Ithink a number of best practices necessary, but also best practices. Wonder for the listeners, maybe we wrap with as much advice as you’re willing to give to folks on how best to comply, what they should be thinking about immediately.   Rachel V. Rose Sure. So I think one thing to think about, if you haven’t already implemented what should have been implemented in December of 2024, I would jump on that. Secondly, what is your electronic health record doing? Are you working with your organization’s IT and provider to have a tab in the individual’s medical record, which requires a separate audit log and log in for sensitive information related to reproductive healthcare items? 
Psychotherapy note should already be in there if it’s that type of practice or the 42 CFR Part Two, so the substance use disorder item. So that’s one area to focus on there. Another area is the revised notices and there should be a separate provision that documents the Part Two changes. And then lastly, as part of the annual HIPAA risk analysis, I would absolutely recommend having the auditor include these facets of the HIPAA Reproductive Rule into the risk analyses so that you can ensure that it is covered.   Kevin Chmura That’s great and auditors are always looking for one more thing to audit for. So I’m sure that the audit community is happy to hear that. So Rachel, I think this has been great. I, we really appreciate it. This is a timely topic, probably one that’s worth revisiting as we move through February Compliance dates, and then into the future to probably talk about enforcement and other things that are happening all around this, because this is a topic that’s evolving and we’re coming into the middle of. So I would like to thank you for joining us and providing us so much information. Thank you.   Rachel V. Rose Oh, you’re most welcome, Kevin. And as always, thank you for having me as your guest.   Kevin Chmura And we look forward to bringing you back to continue the discussion on this. Thank you.   Rachel V. Rose Thank you.

12 May 2025 - 20 min
RE-RELEASE Employee Snooping & Insider Threats

1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats.

Catherine Short: Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats, on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats. So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on.

Raymond Ribble: Thank you for having me today. It’s great.

Catherine Short: Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they worry often about external risks such as hackers. Would you say that this is the right focus?

Raymond Ribble 2:15: For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, and what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data, knowing that now that they’ve done that, they’re probably going to come back and do it again. Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization more so today in 2022 than say 20 years ago, or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types that come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught, and so therefore, hackers are more prominent because we use that word as a catch-all for everything from phishing, to ransomware, to XYZ. Does that make sense?

Catherine Short: It does. So all the time in the news and media and everything we hear about ransomware, ransomware, there’s a cyber attack. So if you were talking about ransomware and cyber attacks, versus insider snooping, which is one of the topics here, and employees snooping, what would you say then? Could you expand on that just a little bit more?

Raymond Ribble: I’m more worried about the insider threat personally. I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads, and click on them to go see if that shirt from China is really interesting, and I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that. On the other hand, if I have people in my office who are snooping or, worse, in a malicious sense, stealing the credentials and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach, it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective is significant. The reason we have that feeling, Catherine, is because what articles we typically see out there in the press, whether it’s online or in print, are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as, say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization that a lot of people think, well, is really causing the damage?

Catherine Short: So right. Can you give me some examples of what you’re talking about, when you mentioned insider threats or employee snooping?

Raymond Ribble: Yeah, the worst one that we’ve had with our organization, where we work with a client, was an incident where they were brand new to our technology; we implemented the system for them. And maybe a little bit of background. It is a rural hospital. You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping on what’s happening in my community, vis-à-vis their healthcare and what they’re coming in with, what type of ailments they have. This organization went live with SPHER and in the first month of using the system, they had 1,800 snooping alerts. 1,800.

Catherine Short 7:50: Wow, that was from one organization?

Raymond Ribble: That was for one place, it was the hospital, and when we sat down with that team and investigated the 1,800, they were all legitimate. There were no false positives, everything was legitimate. They had a very, very bad problem in this hospital.

Catherine Short: That was in a month?

Raymond Ribble: That was in one month.

Catherine Short: Oh, my gosh, there must be a lot of gossiping going on there.

Raymond Ribble 8:22: Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say, yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now though, this is one that we probably would all agree upon. We sat down with them, and this is where once they understood this was real, then they said, Okay, how are we going to solve this problem? And it really came down to the CIO, in this case the CISO, saying, Okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out, since it was everybody, and saying, Okay, this is going to change immediately. We’ve implemented the system to monitor, so I’m looking at you, just know that from today. Within two months, the snooping dropped from 1,800 to five, five incidents, and those five incidents, she told us, could all be explained. So you know, in essence, she said, Yeah, they did look, but here’s the reason they looked, and she could accept that, so basically, zero. Once people knew that somebody was looking at them looking at other people’s data, they stopped. Maybe they found a new way to do it, but they weren’t using the EHR system or the EMR system as their main source of office gossip. How’s that?

Catherine Short: Wow. So when you have an incident where someone is looking at someone’s medical records, say like an ex-spouse or the ex-spouse’s new wife or something like that, what do you do?

Raymond Ribble: So we have to be very careful. I think I mentioned this to many people. At SPHER, we’re not the HIPAA police. My tool that I make available to my clients, the SPHER dashboard and the alerts that you get, that’s where you start. We do the hard job of identifying areas that might be worthy of an investigation; you’re then looking at that data and determining, is this meaningful information that SPHER is giving me and should I take action on it? Yes or no. If it’s a normal action, you tell the system it’s normal and you won’t see that again. That becomes part of that person’s profile. However, in many instances, when people do identify and do the investigation, they’ve called us to say, hey, look, I just saw something here, I did an investigation, can you look at it with me? We have their permission to do so. And then we’re just looking with them to make sure that they’re interpreting the data correctly. Final decision is theirs, not ours. And as I say whenever I speak, this is where they want to reach out to an organization like yours, Catherine, and have a conversation with somebody who’s like a HIPAA consultant, or like Rachel Rose, somebody who is a HIPAA law attorney, and have a discussion about how should I handle this going forward? We’ve had incidents where physicians have gone into the system and taken data that was so random that it showed up in the alert, and they were giving that data, it turns out, to somebody else that used it, as part of your example, in a divorce proceeding for custody of the children. And the only way that that data could have been gotten on the wife in this instance was through the medical record, because it was very private. How did he get it? Of course, somebody else took it out of the system, gave it to him, and he used it in a court of law. That was a no-no, and they should have thought about that before they did it, but they did it anyways and so they got busted for that. I mean, think about the ramifications of a doctor in that, in court. So we do see real instances of people at very high levels going in and snooping or maliciously exfiltrating data for the purposes of something that might be legal in nature or monetary in nature. And we see that more often than you’d like to believe.

Catherine Short: If you’re just tuning in, you’re listening to 1st Talk Compliance, brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media. I have a question then. How do you recommend to administrators and managers for balancing and creating a culture of compliance, and then balancing this with the feeling for employees, when a new system is implemented, that they might feel like they’re being micromanaged?

Raymond Ribble: They’re very concerned. The administrators and the senior managers, CISOs that we work with, they’re really concerned about that question that you’re asking. I want to do this but I don’t want to send a negative message to my employees. I don’t want to tell them I don’t trust them. I don’t want them to think that. Oh, you know, we’re watching everything they did. We are. How do I do this proactively? And so we’ve had some really creative organizations that have shared with us what they did do. That’s how I’ll answer your question, by sharing with you what I heard people do that I thought was very innovative. So they have a regular lunch, or they have a regular session that’s scheduled every month or every couple of months in the organization. They take some of the analytics that they’ve learned from SPHER and integrate that into the learning process. They talk about, hey, we’ve noticed over the last couple of years in the United States that the threat vector in terms of breaches through phishing, and hackers, and even insider threats, is increasing, and as an organization, we want to do what we can to protect ourselves, protect our patients. So it’s a bit of a manipulation of the words, but they come up with a very creative way of saying, We’re doing this to protect the people who come in here in order to get healthy, and you know, this is a team effort. It’s not a me looking at you effort. It’s us looking at what’s happening effort, in order to make sure that we’re protecting our patients from any external threat. The byproduct is the internal threat gets addressed as well. So they take it from a negative message to a positive message, and they use different vehicles like team training, or the company lunch, or some type of a newsletter that they have in the organization to start making that a regular part of the presentation, and maybe introducing incidents that happened in the past and the corrective action that the organization took. It sends a secondary message of, hey, I am looking and we are aware of these things, and if that happens to you, you might be the person, or at least the incident’s going to be highlighted in the next newsletter or the next company meeting. So let’s watch our P’s and Q’s, let’s be better at how we access data and what we share.

Catherine Short 15:44: I think that’s very helpful for everyone.

Raymond Ribble: You know, we always talk about penalties, we never talk about rewards. So if employees were to come to us with ideas on how we could improve our security posture, maybe there should be a reward for them doing that, versus penalties for somebody who does something wrong.

Catherine Short: Right, everyone likes to be rewarded. No one likes to feel like they’re a bad dog, you know, with a smack with a newspaper or worse, obviously.

Raymond Ribble: I think it gets viewed by the team, the employees, in a much more positive light if this is something we’re doing together. Hey, and if you have an idea on how we can improve it, I’d love to hear it. We sat down with the doctors, and I’m thinking about who we work with, a lot of clinics that are somewhere in the range of say 100 to maybe 1000 employees. So they’re always looking for creative ways to incentivize everybody doing better; it’s performance based. So security becomes a performance metric as well, and providing better security and doing a better job of creating that culture should be something that can be rewarded within the organization.

Catherine Short: True. I have a question again about audit. So what’s the probability that someone would get audited? What are your thoughts on that?

Raymond Ribble: Yeah, broad question. I’m going to attack it based on just what I’ve seen. I live in California, Catherine. So last year, I think it was last year, I lose track now, we passed the California Consumer Privacy Act. My understanding is within the next two years, if not all, almost all of the 50 states and territories will have some type of Consumer Privacy Act in place. In many instances, like in California, some of that law supersedes HIPAA, in terms of reporting, in terms of having to grant access to patient data to the consumer, to the patient, and that could result in punitive actions and/or investigation. So when we think about audit, you and I, we probably focus more on OCR related, Health and Human Services related activities. I think what’s happened is the landscape has changed. It’s gone from a federal HHS issue to include state level privacy and security laws that now, in many instances, again, can supersede what we have in terms of accountability, record keeping, documenting, and being able to prove that somebody did or didn’t do something within an organization. I think the probability of an audit today is much higher than the probability of an audit, say, two years ago or five years ago. It’s not a real number for you. That’s what people are faced with today. So I can’t give you a specific number. I don’t know one. But I know that that threat vector for us as organizations is increasing, not decreasing, because now we have federal and state that impact us. Does that make sense to you in the way that I’m stating that?

Catherine Short 18:45: Absolutely, actually, yes. And I’m glad you mentioned California, because California, I know, I always think of being kind of like Europe with the GDPR and having more stringent laws than federal.

Raymond Ribble: A lot of other states flew into Sacramento and sat down with the state of California to see how they put that consumer privacy act together, and in many instances, the other states, it’s a derivative of the California Privacy Act.

Catherine Short: Right. I have another question concerning security. What are your thoughts on the security of automatic logins on the computer, like if it asks you if you want to save the password, and then you can just log in automatically next time? And then following up on that, isn’t it a problem when it asks you to show your password? I always feel like I’m suspicious that someone out there might be capturing my screen. I might be extra paranoid, but at that, I think maybe not. I don’t think so. I feel like somebody’s watching.

Raymond Ribble: Good question. I hate passwords. I bet you hate passwords too. I’m a big advocate for, at some point, I think we are going to move away from them. I think we’re going to move more towards biometrics, which I think is a better way to secure the data anyways, whether it’s a fingerprint or a voiceprint, or an eyeball, whatever the case may be. I think they’re coming up with some really innovative solutions that we can incorporate. And I think we’re gonna see the MacBooks and the Microsoft workstations out there start to incorporate that technology in the years to come. That will allow us to move away from passwords. So your question is about having those passwords saved? Because I know that in a Microsoft and in an Apple world, you find online they will say, Oh, do you want to save this password? and it gives you the username and the password and boom, it’s sitting there. So if somebody were to break into your PC, they can go find that file, and it’ll tell them every application that you have access to and what the login and password is. So is that dangerous? Yes, it is. I guess if you’re really smart, you know what you’re using? Don’t do it. Your question, you kind of answered your question in the way that you asked it: don’t do it. Is it a risk? Yes, it’s a risk. I would start by saying, make sure your PC is encrypted, make sure you actually have a sophisticated login process to get into your PC itself. Because there’s only a few barriers of deterrent between your PC and all that data that we’re talking about. So please make sure you have a real stringent password in place that you can remember, that’s not written down, by the way, that one doesn’t get saved into that file, and you’re gonna have to remember that, right? Otherwise, you’d have to do a jailbreak to get into your own machine. So you know, you’ve probably had those instances, and they’re like, well, you don’t know the password and we’ve got to break into it, kind of a thing. So that’s a real problem. The first part of my answer is, yeah, I think that is a risk. I know I have some there; I try to think about which ones I want to have saved on there versus the ones that do. So I don’t want my bank information on there. I don’t want access to any sensitive materials on there. I don’t even want my Amazon account on there, because God forbid somebody gets on Amazon and my card’s already loaded into Amazon and they go on a shopping spree, right? It might seem innocuous, but it actually can be very damaging to you. If you can avoid doing it, please do. And your applications, whether you’re using Chrome or whatever, say, hey, do you want to store it? And you’re like, sure, why not? That way, one more I don’t have to remember. The problem is, the bad guys know how to find that file probably faster than you and I could.

Catherine Short: Right. That’s why I’m asking.

Raymond Ribble: But the reality is, no, you don’t want to use it. If you can avoid using it, you want to create sophisticated passwords, which I think is the solution to that. Your username is usually your email; I mean, it’s almost 90% of the bar. And then sophisticated passwords. I always use the example, and it’s just an example, I like the Boston Red Sox, count that out in terms of the number of characters. Anything longer than 12 characters is really sufficient at defeating the algorithms that the hackers or a malicious insider might use in order to run against your machine to break the password code and get in. Most of the algorithms that they use are looking for an eight character based password. Once you move from eight to nine, nine to ten, ten to twelve, twelve to whatever, the time it takes for it to break into your machine grows exponentially. We’ll come back to why it’s taking too long; I don’t want to get into it. Now if they’re really hell bent on breaking into your PC or into your server, they’re going to do it, because they’re happy to sit there hours, days, weeks to break into your PC, well, you’re dead in the water. But most incidents are not that way. Another thing I might throw in here, just as a side note, Catherine: don’t use your PC at Starbucks or the local coffee shop, because there are too many unscrupulous people out there using very simple $20 devices that can hack into your machine while you’re logged in. So, you know, if you’re on your phone, be careful what you’re looking at. Don’t do that kind of work, and don’t access those applications when you’re out in public. Keep that to your house, and again, make sure you encrypt your PC, and to the extent that you can, avoid putting those passwords on your PC. There’s a long answer to an easy question, but sorry.

Catherine Short: Okay, very sound advice. I very much appreciate that. Well, I think that we are just about out of time here. Have you thought of any words of advice that you wanted to leave with our listeners?

Raymond Ribble: No, I don’t think so. I think what I try to do in my presentations, Catherine, is the salient points that I’m trying to get across. I think for me, it’s upgrading your systems and making sure that the patches are properly up to date. It’s talking to your teams about security; I think it’s that simple. If they know that you’re thinking about it, they’ll think about it. If you don’t talk about it, they’re not going to be worried about it. Talk about security, start talking about what can we do to improve security, and work with my IT team to make sure that we have systems in place that allow us to regularly and properly monitor what’s happening within our system. It’s not about trusting or not trusting your employees; we don’t know who’s surrounding them, we don’t know what’s happened in their life in terms of some life changing incident that may move them from being the regular employee to being willing to do something that we might judge as malicious. And it could be, again, for that personal gain, but more importantly, it could be a reason for financial gain. If somebody is in a situation where they need to get money really fast, and the wrong person approaches them and tells them that, hey, some of those medical records would be worth thousands of dollars to me, you go from a very good employee to a very bad employee, and sadly, it happens a lot. I’ve sat down with the FBI, I’ve sat down with OCR investigators, and they’ve heard enough stories about those types of situations to know that it’s very real, that it’s that one incident that’s kind of broke the camel’s back and allowed or encouraged somebody to go do something that for many, many years they’ve never done before. So yeah, we trust our employees. I think we all do. I do, I trust all the employees in my office, but having some type of regular and appropriate system that’s documented, that I can demonstrate to an outside party, defense lawyer, during an audit or during a deposition that, hey, we do these things to protect our office, and therefore, it’s not about not trusting my employees, it’s just making sure that we’ve done everything to protect our patients. I tend to look at it that way, Catherine.

We had an organization who, using our technology, identified a user who had been with them for 17 years, who was going in and modifying records after the fact during lunch. Now, they were new to SPHER, so they caught this with SPHER. They radically looked at it, they started going back in the records, and they found that she’d been doing it for 10 years. Why? For financial gain. She was taking a little bit off the top, and when we sat down with the doctor as part of the investigation, they indicated that, Oh, wow, every year we always seem to be coming up short in different areas and we thought it was really bad. We even changed our organization that did our collections for us a couple of times, thinking that they were the ones doing it wrong. We never once considered there might have been somebody internally that was doing this.

Catherine Short: Oh, wow! That’s actually very sad. You never know.

Raymond Ribble: You never know. I don’t think you should feel bad about monitoring your end users. We’re just protecting our business from some event that could be catastrophic in terms of everybody losing their jobs because of a breach. With SPHER, we look at 100% of all the activity of all the users every day, because you couldn’t possibly do that. Our users can read easily, and intuitively say, oh, yeah, that’s a problem. I can see why SPHER flagged that, and let me investigate that. Bam. Make sense?

Catherine Short 28:22: Yes. Okay. Well, I think we’re about ready to wrap up our presentation then. So I wanted to thank you again, so much, for sharing your time with us and your expertise. So thank you for being with us today.

Raymond Ribble: Thank you for having me today. It’s always a pleasure, and good luck to everybody out there.

Catherine Short: And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.

18 Mar 2025 - 29 min
RE-RELEASE Mastering Defensible Pricing in the Era of Price Transparency

In this episode of 1st Talk Compliance, we dive into an increasingly crucial topic in healthcare: price transparency and its ever-growing impact on the industry. Kevin Chmura, CEO at Panacea Healthcare Solutions, joins us to share expert insights on strategic pricing and compliance, emphasizing the transformative benefits for healthcare providers. Learn how to proactively engage with CMS regulations and set your organization apart as an ethical leader in the realm of price transparency.

19 Feb 2025 - 15 min