Cybersecurity is more critical than ever before. Personal health information is incredibly sensitive data, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates strict regulations to protect it.
Covered entities, including healthcare providers, are responsible for ensuring that their vendors comply with HIPAA regulations. However, simply claiming to be HIPAA compliant and secure is not enough. Vendors, including web developers, of covered entities who falsely claim to be HIPAA compliant and secure but fail to take appropriate security measures can be held liable under the False Claims Act.
What is the False Claims Act:
The False Claims Act is a federal law that prohibits anyone from knowingly submitting false claims or statements to the government to receive payment. This law applies to anyone who submits a false claim or statement, including vendors of covered entities who falsely claim to be HIPAA compliant and secure.
Why it matters:
Failure to take appropriate security measures can leave personal health information vulnerable to attack. If a vendor falsely claims to be HIPAA compliant and secure, and their negligence leads to a security breach or other violation of HIPAA regulations, they can be held liable under the False Claims Act. This can result in significant financial penalties and damage to the vendor's reputation.
In the know:
To avoid False Claims Act liability, vendors must understand their obligations under HIPAA regulations. This includes taking appropriate security measures to protect personal health information, like implementing HIPAA-compliant email or two-factor authentication. Vendors should also be honest and transparent about their security practices and back up their HIPAA compliance and security claims with evidence.
In the News:
In a recent case, Jelly Bean Communications Design LLC and its manager settled False Claims Act liability for cybersecurity failures on a Florida Medicaid enrollment website. Jelly Bean Communications Design created, hosted, and maintained the website HealthyKids.org for the Florida Healthy Kids Corporation.
However, from January 1, 2014, through December 14, 2020, Jelly Bean did not provide secure hosting of applicants' personal information and knowingly failed to properly maintain, patch, and update the software systems underlying the website. This resulted in a breach of personal health information and liability under the False Claims Act.
Go Deeper:
To avoid such cybersecurity failures, companies should ensure that they have proper security measures to protect personal information. Here are some steps that could have been taken to prevent the incident:
- Implementing HIPAA compliant email and two-factor authentication
- Conducting regular security assessments
- Ensuring compliance with HIPAA regulations
- Properly maintaining, patching, and updating software systems
The bottom line:
Healthcare organizations must always vet vendors carefully and ensure compliance with HIPAA regulations to protect sensitive data and avoid liability. Companies need to prioritize cybersecurity and take proactive steps to prevent data breaches and other security incidents.
Dean Levitt
