Speaker 1:
You're listening to the Pharmacy Podcast Network. Since 2009, the Pharmacy Podcast has been leading podcast publications as the insider voice of the pharmacy industry. To explore the profession and business of pharmacy through audio, join us at pharmacypodcast.com or subscribe on Apple Podcasts, Spotify, Google, or any of your favorite podcast directories.
Compliance is hard, but finding the answers doesn't need to be. Join Jeff Hedges and his staff on the Pharmacy Compliance Guide, as they help you and your pharmacy staff navigate through some of the complexities to help you stay stress-free and in compliance. The Pharmacy Compliance Guide is a proud member of the Pharmacy Podcast Network.
Becky Templeton:
Hello, hello, and welcome back to another episode of the Pharmacy Compliance Guide. I'm Becky Templeton with R.J. Hedges & Associates, and I'm joined today by Mr. Jeff Hedges, our in-house compliance guru, an expert of all things relating to compliance within the pharmacy industry. And today, we're doing ransomware with HIPAA breaches. This is going to be part two. In our first podcast, we talked about ransomware and touched a little bit on HIPAA breaches. As we've seen on a lot of the news channels, ransomware is a major threat to any and all computer networks. So all companies, large, small, healthcare, non-healthcare can be impacted by it. Ransomware is a cyber attack where the user cannot obtain access to their system, and cyber attacks are criminal acts that must be treated as one. Swift action is required to protect your systems and your patients' personal health information known as PHI.
Jeff and I are going to be spending a little bit of time talking today about ransomware. If you missed the first podcast, I would encourage you to go back through the Pharmacy Compliance Guide archives, listen to the first podcast on ransomware and breaches. It was really good. We had a guest that was in here as an information technology expert who helped outline what ransomware was and how you as a business owner or as a member of management within a business can prepare yourself, and what types of things you can do to help prevent ransomware attacks from your business. Jeff, are ransomware attacks technically a HIPAA breach?
Mr. Jeff Hedges:
Yes. In almost every case, the answer is yes. PHI has been compromised and you really don't know who has your data, if it's been downloaded or if it's been sold.
Becky Templeton:
So I'm a victim of ransomware in my business, what should I do?
Mr. Jeff Hedges:
The first thing is unplug your internet connections from your computer, from your server, and shut everything down. That is the most important thing to do. Contact your information technology department immediately, whether they're in-house or external. They need to be able to determine what the attack is, shut it down for their networks, and then also check the active backups and/or multiple backups. You may be able to restore your system, so backups are important.
Becky Templeton:
Now, if I have the cyber attack, do I have to report it anywhere? Do I report it within my company? Do I report it with the police? Do I report it to some type of business entity? Who all do I potentially need to report a cyber attack to?
Mr. Jeff Hedges:
Well, technically, you're not required by law to notify law enforcement. However, yes, you need to. It might be part of your cybersecurity insurance. Contact your local law enforcement and the local FBI field office. Cyber attacks are usually coming from overseas. That's why the FBI is needed.
Becky Templeton:
Now, you stated that cyber attack and ransomware probably are HIPAA breaches. What do I need to do from that aspect with compliance in regards to HIPAA?
Mr. Jeff Hedges:
First off, you have to realize that a ransomware breach is going to be a reportable breach to the Secretary of Health and Human Services. The pharmacy or healthcare provider must begin their breach protocol. Breach protocol is part of your HIPAA compliance program. You have 60 days to gather the data and make the initial report to the U.S. Health and Human Services Office for Civil Rights, or OCR. In the initial report, the following items are needed. Identify the source of the breach, how the PHI was secured, begin documenting what has occurred and is occurring. Date and time of the breach, the type of breach, how many patients are involved, which will normally be all the patients within your server. Has law enforcement been notified? Local, state, and FBI.
Becky Templeton:
So that's a pretty big list of things that I need to get done. But I know there's probably some extra steps that I need to have some of my staff working on. What else do I need to do?
Mr. Jeff Hedges:
Well, one of the things you have to prepare for is to notify all affected patients in writing, with the description of the breach and what measures need to be taken on their end, such as notifying their banks and/or their credit bureaus. Notify local news media of the breach and what actions the patients must take. Contact LifeLock or another reputable company to secure the patients' data, and to have a reportable notice if an attempt is made on their personal accounts.
Becky Templeton:
If I'm having a cyber attack and I have ransomware ongoing, will my cyber insurance cover everything?
Mr. Jeff Hedges:
The devil is in the details. Insurance is like everything else. They carve things out, they add things in. Cyber insurance will assist with the notifications, repairs of hardware and software, and LifeLock protection. The policies are normally written for 500,000, a million, or a million and a half dollars. But really it needs to be $2 million or more, depending on the size of your server capacity. This is one time you don't go cheap. If your insurance agency gives you a quote on cyber insurance, always look at the coverage. You always want to go higher with the coverage because the more you have, the better shape you are in during a cyber attack. Cyber insurance does not cover the cost of the OCR investigations and fines or any other agency that may fine you.
Becky Templeton:
Jeff, you mentioned fines just a minute ago, and you mentioned OCR in the beginning. So I'm assuming that if I have one of these breaches, obviously OCR could be assessing me a fine, but how exactly am I going to get fined if I was the one who's attacked? It wasn't necessarily me who leaked the information, someone breached my system.
Mr. Jeff Hedges:
The breach is not just you, it's all your patients. The fastest way to get fined is by hiding a cyber attack or a breach, not following the recovery processes, failure to act, failure to report to the OCR, and failure to your state. Each state has its own individual privacy requirements and different agencies.
Becky Templeton:
Okay. So I've now had the cyber attack of some kind, I've notified my local authorities because I felt like it was necessary. I've contacted the FBI, I'm getting ready with the OCR. How exactly do I go about this? What exactly does reporting look like? How much time do I have to work with? Is it something like, "I noticed over the weekend, we had something happen. Now it's Monday morning at 10:00 AM we've realized we've had an issue." What's the timeframe that we're also dealing with on how fast we need to be moving on this?
Mr. Jeff Hedges:
As I stated earlier, you have 60 days. That's not work days, that's calendar days. The 60-day notice to OCR is only the initial notification. It demonstrates what corrective actions have been taken, what your plan is to continue with the investigation and collecting data. The final OCR breach report includes, and this is just the initial list: show what corrective actions have been taken to prevent future cyber attacks; change passwords every 90 days with a minimum of eight characters: upper-case and lower-case letters, a number, and a symbol. Passwords should never be family members' information, birth dates, anniversaries, addresses. Nothing like that. I personally use a passphrase, two unrelated words with numbers and symbols mixed in between. My current passphrase is 17 characters. This type of password is a bit excessive, but it is a very effective way to protect my systems. The passphrase permits the user to remember a complex password. Commit this to memory, do not write it on a sticky note and fix it to the monitor of your computer or under the keyboard.
Becky Templeton:
I guess that's like putting the key under my mat or under the pot of plants that's outside my front door?
Mr. Jeff Hedges:
That is absolutely correct. What harm has occurred because of this breach? How many patients were not notified? And that means you have to notify all your patients in writing, by mail. And the most important thing is how many letters were returned. That number has to be tracked, and how these patients were notified.
Becky Templeton:
Okay, Jeff, so let me make sure I've got this all down pat, in case someone on the other end of our podcast is taking copious notes here. A side note, as you're listening to our podcast, we always have a transcription, because Jeff gets into very detailed items, which is great. So if you're listening to this on your drive to the pharmacy, to the work, you're at the gym and you go, "Gosh, I need a pen and a piece of paper." Don't worry. You can go back in the show notes and you can actually get a full transcript of this. For those of you who are pedaling away or driving away, I'm going to recap a couple things.
So a final OCR breach report, we're talking about all the different things that we need to do or that we have done. We're going to show it to OCR, that these are the things that we're doing right now. Everything from, "We notified our patients. Here's how we notified them. Here's how many came back in the mail. We've changed our passwords. We've got a whole bunch of different processes that we're putting in place to make sure this never happens again." Maybe we're referencing back to that first podcast we did with some of the suggestions from Nick, on items that we could have in place to make our systems more secured. So now we've got this report put together, outlining all of that information. What harm has actually happened to our patients' data that has been compromised. And then I hate that, but that's where we're going. And then, that's just really the start of it, right?
Mr. Jeff Hedges:
That's the beginning of it. But also you have training. You have to train your staff what happened and how to prevent it from happening in the future. Once you get all this done, you submit your OCR, a HIPAA breach report. This is done electronically. Yes, every bit of information, documentation needs to be kept.
Becky Templeton:
And how long do I need to keep it?
Mr. Jeff Hedges:
Well, HIPAA's rules are six years for your retention. However, the way OCR is working and there are so many breaches they're investigating. Don't expect to hear from anybody from one to three years after a report is submitted. Think about it. OCR is going to contact you three years afterwards to talk in details.
Becky Templeton:
Three years and two months, because I've got 60 days to report my breach.
Mr. Jeff Hedges:
Ah, always the technical.
Becky Templeton:
Well, I mean that's a long time. Three years and two months. We were just talking about high school not that long ago. Freshman year, sophomore year, junior year, two months into my senior year. That's how long I'm going to have to remember what happened. So I guess that's really why documentation is even more important now. It's not just, this is what I'm required to send in. I want to document everything because they go to ask me a question three years down the road. I'm going to be able to remember, what did you have for breakfast three days ago?
Mr. Jeff Hedges:
Toast.
Becky Templeton:
Do you have toast every morning for breakfast?
Mr. Jeff Hedges:
No.
Becky Templeton:
Oh, okay. You just remember three days ago it was toast. I thought I'd catch you on that one. I was hoping, you'd say you didn't know. I have no idea what I had for breakfast three days ago, but I guess that's why we need to take so many copious notes and do so much reporting, is just that we have a good reference point for ourselves, whenever these reports actually get on OCR's desk and they're starting to look at them and review them. And now they're notifying me to say, "All right, we've opened the investigation."
Mr. Jeff Hedges:
That's correct. The investigation starts when they open a case file. Now, when we're looking at this, OCR is going to send you a letter and then they're going to call you. That's okay. Don't freak out, as long as your documentation is fine. They're going to set up an interview, and you're going to go over the case with all the details. If you've done everything right, they're going to ask you to send all the documents to them. If you have everything done in accordance with the statute, when it goes into the OCR, they review it, they see what happened, they see what you've done, they may call back and they may just say, "I only have one more question." And then they write up a case note and it closes the case and you get that letter. When you get that letter, that's a party day.
Becky Templeton:
Wait a minute. I'm going to get fined though, aren't I?
Mr. Jeff Hedges:
No.
Becky Templeton:
Oh, okay. So then it is a party. I got through it. My paperwork was right. Slap hands with all of my admin people. We survived. We get to have cupcakes and pizza.
Mr. Jeff Hedges:
Yes. However, if they ask you, "I need this report. What training did you do? I want to know what papers you notified." And you don't document all that, if they are not satisfied with your answers, they're not going to say anything to you. But sometime in the near future, you're going to have a knock on the door and it'll be an investigator from the Office for Civil Rights. And then it's bad. Everything's bad at that point. You never lie, you never hide anything, you always give them everything they ask for. But the problem is, if it happened three years ago and you were supposed to do it, and you did it, but it's not documented, or you didn't do it at all, now that's where you run into the peril of fines.
Becky Templeton:
So fines are really then assessed based on negligence and inability to report things adequately. Or if they find that you have lied or there's misconception that was documented or just gross negligence that happens. Is that a fair assessment?
Mr. Jeff Hedges:
Pretty much.
Becky Templeton:
So if I'm trying to gauge how much trouble I'm actually in and how much work I have ahead of me. Basically, once they open up that case file, I get that initial phone call, the fewer the questions the better?
Mr. Jeff Hedges:
Absolutely.
Becky Templeton:
So the fewer the questions from that OCR, I'll call them inspectors. Is that what we're officially calling them? Investigators?
Mr. Jeff Hedges:
Investigators.
Becky Templeton:
Investigators. So the fewer questions from the OCR investigator, the better I can be. But that still leaves a whole bunch of perils out there that I'm not sure what's going to happen until I get my final notice.
Mr. Jeff Hedges:
That is correct. They're going to ask; they are normal people. They are not out to fine or harm anybody. So they're going to ask questions, and if you don't understand the question you ask them, "What do you mean?" And they will come back and they'll explain it to you. The biggest thing they're looking for is cooperation and compliance. As far as the fines are concerned, if you're doing everything right and you missed a small step or one thing was not done, you may get a small fine. Hey, if you did something more, it might be a $10,000 fine. However, if you didn't do anything or you hid it or you told a lie, your fine is at least $1.5 million. And if you decide, "Well, I can't afford that. I'm going to declare bankruptcy and close my business." That fine follows you into your personal life because the owners cannot get away from these fines.
Becky Templeton:
Oh Wow. Now, my cyber insurance is going to cover that, right?
Mr. Jeff Hedges:
No.
Becky Templeton:
Ah, nuts. Okay. So even though, let's say I have like a $2 million limit on my cyber insurance. That's really only going to cover the hardware, software, the man hours to get my system back up and running again and secure. Getting my staff paid, loss of wages, loss of work, that type of stuff. So it's not covering fines at all.
Mr. Jeff Hedges:
That's correct. They're also covering all the notices to your patients.
Becky Templeton:
Oh sure. And I imagine probably those cyber insurance policies will cover my attorney costs that I have to get involved. If I'm working with a consultant such as yourself, some of those billable hours might be able to get tucked in there?
Mr. Jeff Hedges:
Normally, yes. But again, it goes back to the policy. Are you covered? Did you go in a little bit extra and make sure you have all these items taken care of, because you don't want to be sitting there and find out, "Oh, I have to notify the news and they're going to come in and interview me. And I don't have anybody for counsel. I don't have anybody to talk to beforehand. And I'm just left out there for the rules." No, the insurance doesn't cover it unless it's in the policy.
Becky Templeton:
So for this, we really need the three Cs. We need cooperation, we need correctness, and we need compliance.
Mr. Jeff Hedges:
Absolutely.
Becky Templeton:
And we want to avoid the biggest C, which is complacency.
Mr. Jeff Hedges:
Complacency. They throw the key away.
Becky Templeton:
Okay. And that's why you're starting to see these big fines that are over a million dollars.
Mr. Jeff Hedges:
Right. Small and midsize companies in the healthcare sector are getting fined. You don't hear about it a lot because they may just quietly go away. And you may see the notice in the newspaper, then you may see a notice that so-and-so went out of business. It all depends on the sensationalism, because the OCR does like sensational fines. Right now, they are on a countdown of how many major issues they're doing. They're up to 14, I believe, is the one that came out the other day.
Becky Templeton:
This year?
Mr. Jeff Hedges:
Yes.
Becky Templeton:
Okay.
Mr. Jeff Hedges:
Everyone, I read down through these, whether it's large, small, or medium, someone always messed up because normally they hide it. No one wants to admit that their server's been hacked, that their patient information has been disseminated to parts unknown in the world. And you don't know what's going to happen to your business.
Becky Templeton:
So we've talked about quite a few different things here today as far what... We're going to work backwards here. We've talked about what you need to do if you end up having something happen where your files are breached. It doesn't matter if you pay the fine or not. In the end, your files are breached. So you've got these things that you have to take care of. Now, obviously, you've got what we talked about in our first podcast, where the system requirements that you have to go through and update your system so you can prevent breaches from happening. I know when Nick was here, he was sharing that we already had four this year that we didn't even know about. That the infrastructure that was in place on our network stopped it. So we didn't even know about it. They knew about it because they monitor it for us. But whenever it comes to a healthcare facility, if somebody gets into their system, it's a reportable breach no matter what.
Mr. Jeff Hedges:
That is correct.
Becky Templeton:
We've gone through the steps of, what you have to do immediately, how you have to report it, what kind of things you can expect later on. We've talked about some of these fines. For me, that was just amazing to think about how much money someone can actually have invested in reworking their network, all the notifications, all the attorneys. You mentioned LifeLock, having one of those monitoring systems in place, and then to add an extra fine into it. I mean, that is catastrophic for a lot of businesses. Do you think when these types of things happen, a lot of businesses have no choice but to close?
Mr. Jeff Hedges:
If you are a major health system or insurance company, you just pay the fine. It's going to be here today and tomorrow everybody will forget about it. Not a small or midsize business. Your reputation is the most important. And you breached your reputation by giving out your patients' information. You didn't do it intentionally, but that's the impression the public has. And because you're local, everybody will remember that.
Becky Templeton:
Do you really think that a small to midsize healthcare practice can actually do all of these things? I know there's probably people listening to this going, "Gosh, my pharmacy only has two or three people working in it. How in the world can I," based on your first podcast, "have all of those security measures in place, have all of this security information done." And now if something does happen, "How in the world am I going to go through all of this all on my own?"
Mr. Jeff Hedges:
By yourself, you can't. First thing you need is a good information technology specialist. Actually a company. Not someone working out of their garage, but someone who actually has an established business with a good reputation. Then you're going to need help. You can either go hire an attorney, which will be covered by your cyber insurance, or you can work with a company like us, R.J. Hedges & Associates, and let them guide you through it. Now, for our clients, if you have HIPAA compliance, when these breaches come up, the first call is to your IT company. The second call is to me. And at that point, I become your to-do best friend for at least the next 90 days and possibly longer. We actually do the process, we do the writing, we do the reporting, and we become the contact when OCR calls. So when OCR calls in three years, we have everything recorded, whether it's voice or documented, and we can answer everything. And the first thing we do, we shoot them a stack of relevant documents that they're about to ask for. And if they have a problem, they call back and they come to me. We let you know about it, but we're handling it on our end.
Becky Templeton:
So we've gone over a lot of information today. Hopefully, we haven't scared too many people. I think sometimes when we have these conversations, they can be a little bit scary and intimidating to think, "Oh my gosh, worst case scenario $1.5 million plus for a fine." That's kind of scary for a lot of people. But if we're doing things every day, every week, every month, and we have good safe practices in place, we have a good strong security network, we've got a good IT group that we're working with, am I okay? Can I sleep at night?
Mr. Jeff Hedges:
Absolutely. It sounds scary. And the big item is, is constant awareness. You've trained your staff. They understand what's going on. Same thing applies here. It works as soon as something happens, you address it. Don't wait until a year after this is all happening, and call me, expect me to save your bacon because it's not going to happen.
Becky Templeton:
I got you. Now, I do have one thing as we were talking that kind of popped into my mind, just because I had someone reach out earlier today on one of our blog posts, asking about business associate agreements. So I've got one parting thought. So, get your thinking cap on. In regards to cyber security, I've got a really great system in place. I feel safe, secure, I'm good, but I transmit information all the time to different entities, whether it's something through my pharmacy software, it's the billing company. It's somebody else. And they're not as good as what I am on my security. And now they've had the breach, but it's still my data. Can you talk to me about how that kind of breach might be a little bit different or what type of things that I might need to consider in that specific scenario?
Mr. Jeff Hedges:
Good question. The way the HIPAA statutes are written as of today, and they're going to release a new set of rules probably in 2022. And we're going to go from 1990s technology to 2020 technology. So if you remember back then, there were no iPhones, there was none of the other things we have today.
Becky Templeton:
Hot technology is the new fax machine.
Mr. Jeff Hedges:
Right? Yeah. Fax machine with a memory.
Becky Templeton:
Oh, right. Okay.
Mr. Jeff Hedges:
Whoever's responsible for the breach, they are ultimately the person who's responsible. Not necessarily to the business, but to the individual that the person knowingly and willingly did that. Knowing and willingly means you have received training. But it goes down to the business associate. They're required, depending on the days in your business associate agreement, to notify you of the breach. But then they're the ones that are going to be reporting the breach to the OCR.
Becky Templeton:
Okay. So even though it's my patients and my data, but it was on their watch. They're really in charge. Can I get in trouble for it though, as the small business, as the healthcare facility? If they're completely complacent, like clearly they did something that wasn't correct, that's why the breach happened in the first place. And they said, "We're not even going to worry about this."
Mr. Jeff Hedges:
You'll be staying in business. You may have a headache here into answering questions because you got an OCR investigator in your office or in your pharmacy or your healthcare practice. However, the poor guy who blew it off, remember we talked about the fines at 1.5 million? Well, that's where they're at. This applies to anybody that has a business associate agreement or an actual covered entity. Again, the business associates all must have the same type of HIPAA policies and procedures that the healthcare provider does.
Becky Templeton:
What happens if I don't have a business associate agreement in place with somebody that should, just because I haven't gotten around to it yet?
Mr. Jeff Hedges:
You need to fix that immediately, because if you don't do it, the business associate agreement, then you're culpable.
Becky Templeton:
And you mentioned that there's a new draft going on right now with HIPAA. And I know with this draft that it's got a lot to do with information technologies and data transmission and the technology space that we're working with here in the year 2020 plus. I'm going to say 2020 plus, because I think it actually was set to hit last year, and then during the great pause with COVID and all the regulations just got froze in the government, that it's going to eventually get thought out and then we're going to have all these regulations going all over the place. But when we're looking at these business associates for the people who are listening to us right now, that are maybe going, "Gosh, do I have a business associate? When was the last time I touched it?" Now the last time there was a change was, with the high tech requirements that happened in 2013.
Mr. Jeff Hedges:
And all the business associate agreements had to be done by September 14th, 2014.
Becky Templeton:
Oh, I was wrong. All right. So people, if you heard I was wrong, he was right. This is why he's on the call. So 2014. Basically, if you have business associate agreements that are older than 2013, they're really moot.
Mr. Jeff Hedges:
They're null and void.
Becky Templeton:
They're null void. So if someone wants to do a little bit of homework, just on that last topic that we were talking about, make sure business associate agreements have been updated at least since 2013. Really, it would be 2014 date because that's whenever it had to be implemented by, right?
Mr. Jeff Hedges:
Yeah. You could have done it when the law came out. Like our clients, we were done in 2013.
Becky Templeton:
Okay. Good deal. All right. We're going to rewind here real quick. We talked about business associate agreements. That's a great homework assignment for people to check on. We've now, in the last podcast, we spent a lot of time talking about the systems. Now, we've got people kind of caught up on what they actually need to do is ransomware and a cyber attack actually HIPAA breach, what to be on the lookout for, how they need to report it, what the ramifications could potentially be if they choose to do nothing. We've also gone over what they should do for reporting initial reporting, and all those other items that we've gone through, including, things in their corrective action plans, passwords, we've talked about getting those letters out to patients. Is there anything else that we've missed?
Mr. Jeff Hedges:
No. We pretty much covered everything. But looking ahead for this new rule, everybody will be doing new notices of privacy practices. Everybody will be doing new business associate agreements. So that's what we're looking forward to, plus the technology. Everybody's sending information now electronically, even through your own personal phone. What's PHI, what's not? All of that is being addressed in this new regulation. When it comes out, stay tuned. We'll have another podcast on this.
Becky Templeton:
Sounds good, folks. Well, thanks for tuning in to another episode of the Pharmacy Compliance Guide here with R.J. Hedges & Associates. We're so glad that you tuned in. And as Jeff alluded, we've got a couple more podcasts that will be coming out here in the near future. So we hope that you'll tune back in.
Speaker 1:
Thanks for listening to another episode of the Pharmacy Compliance Guide, sponsored by R.J. Hedges & Associates. Be sure to search the entire library of podcasts, helping you stay informed on the latest pharmacy compliance issues, by visiting pharmacycomplianceguide.com.
Speaker 5:
This podcast is a part of the C-Suite Radio network. For more top business podcasts, visit c-suiteradio.com.