Contract Enforcements Tie Cybersecurity to Financial Fraud and Liability

The receptionist you yelled at for shopping online could turn you in and get a $900,000 reward.

When it comes to compliance, ignoring the contracts you sign – including with Medicare and your insurance policies – can hit you really hard and really fast. How long will your organization, and your career, survive if you lose your primary funding contracts, are blacklisted by Medicare, or have your cyber insurance carrier deny a multi-million dollar claim?

All it takes is one disgruntled employee.

The U.S. Department of Justice (DOJ) settled a $930,000 federal False Claims Act (FCA) case against Comprehensive Health Services, LLC for not adequately securing data, a fundamental HIPAA requirement. Many healthcare organizations are getting hit with cybersecurity questionnaires from their funding sources. Cyber insurance applications have gone from a few questions to multiple pages of complex gotcha questions, with lots of policy exclusions. Get it wrong and your policy may not pay off. The Federal Trade Commission penalized a company for 20 years after a data breach because it displayed a HIPAA compliance shield on its website.

When you think of government contractors you might picture companies making submarines and fighter jets. But, if you are a healthcare provider that accepts Medicare and Medicaid, you are a government contractor and subject to the federal False Claims Act.

The False Claims Act goes back to the Civil War when suppliers were defrauding the Union Army. It is still around and, in 2021, the Department of Justice announced a new cyber fraud initiative to penalize organizations that defraud the government by failing to “follow required cybersecurity standards.” This covers a wide range of businesses including healthcare providers, defense contractors, and cloud services.

False Claims Act penalties include TRIPLE the amount of money paid by the government, plus penalties for each claim. That means that if you received $1 million in Medicare funding you may have to pay back $3 million plus additional penalties.

The DOJ incentivizes whistleblowers to turn in their current or former employers by paying 15% – 30% of each settlement. Your $3 million penalty can mean a $900,000 reward to a whistleblower.

  • Think of how many times your IT department has asked for an increased cybersecurity budget only to be denied.
  • Think of the additional security services offered by your outsourced IT Managed Services Provider (MSP) and how much financial protection you can get with a relatively small cybersecurity investment.
  • Think of each time you prioritized convenience over cybersecurity because extra login time is annoying and inconvenient.
  • Think of how many people know what you have done.

Now contrast the cost of cybersecurity with the risks of losing your primary funding sources.

Contracts with health plans, funding sources, third-party partners, health information exchanges, supervisory agencies, and others can include general requirements like “Parties agree to comply with all applicable laws and regulations…” or specific references – sometimes spanning multiple pages – detailing a wide range of cybersecurity and compliance requirements.

These contracts may have been signed and filed away without sharing the requirements with your IT or compliance teams.

How do you protect yourself from the death sentence of losing your funding sources and insurance coverage?

  1. Know ALL your compliance requirements, including all applicable federal and state laws, industry requirements, contracts, and insurance policies.
  2. Pull out and review your contracts and insurance policies. Medicare and Medicaid require HIPAA compliance. Other funding sources may have different requirements. Note all specific language related to cybersecurity, compliance, and breach notifications.
  3. Connect the dots between your requirements and what you are actually doing. This may take special tools and an independent consultant to validate what your people are telling you.
  4. Remember that contracts and insurance policies are legal documents that, if audited or enforced, will require documented evidence of compliance. Even if you are doing the right things, if you don’t have monthly reports to show consistency over time, you may still fail an audit. This level of documentation requires special tools and additional effort beyond basic IT services.
  5. Don’t fall for gimmicks like questionnaire-based risk assessments and phony website shields of compliance. Have someone get under the skin of your network to see what is really going on.

More than anything, look at cybersecurity costs as an investment in protecting your main revenue streams, the people you serve, the people who work for your organization, and your career. So, if $50,000 in additional cybersecurity seems expensive, just compare it to the $3 million in False Claims Act penalties you could pay by not doing the right things, and the $900,000 reward your online-shopping receptionist could earn for turning you in between purchases.

About Mike Semel

Mike Semel is the President and Chief Compliance Officer at Semel Consulting. He is the best-selling author of How to Avoid HIPAA Headaches and knows his job is to keep you out of the headlines and embarrassing board meetings.