cybersecurity – Duane Morris Health Law

Neville M. Bilimoria

With all the regulatory changes facing nursing homes these days, it is no wonder most are behind in the world of compliance. It seems nursing homes are constantly berated with new regulations and more issues to deal with on a daily basis. The recent article in the May 22, 2017 edition of Modern Healthcare was, therefore, not a surprise: “Regulation: Nursing homes and hospice providers face looming emergency preparedness deadline.”

The article discusses the real November 15, 2017 deadline for nursing homes to comply with the emergency preparedness regulations promulgated by the Centers for Medicare & Medicaid Services (“CMS”) in September 2016. The article further discusses how most facilities are not close to complying by the November 15, 2017 deadline. The problem is that while nursing homes have historically had some emergency preparedness policies and procedures, the new CMS rules impose more robust policies, procedures, and mechanisms to be in place prior to November 15, 2017. That would require nursing homes to partner with local hospitals, police and fire departments to make sure their preparedness plans are up to date, robust, and systematically applied. The rules mandate, among other things, back-up generator contingencies, cybersecurity attack back up plans, and widespread training on a myriad of emergency preparedness policies and procedures that need to be developed by nursing homes. The rules even require disaster drills to be conducted by the nursing home in conjunction with local emergency response agencies.

Continue reading “Nursing Homes Ready For Emergency Preparedness Rules?”

On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.

Whether State surveyors will actually enforce lack of cybersecurity plans for emergency preparedness as violations remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to record heights of $23.51 million from OCR enforcers against health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.

Continue reading “Cybersecurity and Emergency Preparedness for Long-Term Care”