Episode Transcript

CJ: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity. And today's guest is compliance consultant and author Susan Walberg. Welcome to the podcast, Susan!  

Susan: Thank you so much CJ, I'm happy to be here.  

CJ: We are excited to talk to you today but before we get into our topic, we always love to have our guests tell us a little bit about how they got where they are. You know, we all come into compliance from different paths, right? Like who grows up thinking; "I'm going to be a compliance officer!" And so, it's always interesting to hear from people like what brought them into compliance and what they're doing today. And a little bit about their journey. So, if you want to share a little bit about that, we'd love to hear.  

Susan: Sure! I'd be happy to. Yeah, I didn't grow up wanting to be a compliance officer. Actually, I wanted to be a writer as a kid. So, I've kind of come full circle, but my first real job was at Blue Shield and I worked my way up to be a medical underwriter and then a fraud investigator. This was in Seattle. And I went to school at night to get a law degree. First, I got a master's and then a law degree at night, because the fraud investigations were fascinating to me and I became really familiar with the legal process and it just became kind of something that I wanted to do.  

So, I went to law school at night and then ended up working for a large health system, and they recruited me, they didn't recruit me, they hired me from an informational interview to be jointly owned by the legal and Compliance department. And I had never even heard of a compliance department at that point, it was pretty new. This was like back in the late '90s, so I've been at it for a while.  

But I ended up moving over 100% to the compliance shop that was, I was there for probably eight or nine years before moving to the East Coast. And then I got my first actual compliance officer job. So, I've done healthcare investigations and in-house counsel. I did about a year working as a subcontractor under Medicare doing part C & D fraud and abuse, which was a really interesting experience too. So, I've been around for a while and I've written a couple of compliance books. One is for compliance officers, like for newbies or someone who's building a program for the first time. That's Insider's Guide to Compliance. 

CJ: Okay!  

Susan: My second one is; for Physician Practices, but that one is really, any small healthcare organization that can't afford a compliance officer. It's kind of the how-to guide if you're not a compliance person. So, those are kind of my side gig and I've written a couple of novels. But the second one is a medical legal thriller so that one also, people might be interested in if they like fiction. It's a compliance thriller.  

CJ: Hey, that's cool.  

Susan: Yeah! So, I'm living in Florida now. I work with a lot of clients that are under CIAs. I've worked with some startups. Still, I'm, in fact, I got interested in this topic just by happenstance when I read an FTC article and it got me thinking and doing a little research. So, I started my next book, which is a health tech and compliance, which is what we're going to talk about today, I guess.  

CJ: Yeah, that's absolutely right. And for those listening in the show notes, we'll include some links to information about Susan as well as links to her books if you want to check those out. The one that you know, because I'm an MD by schooling, even though I've been doing compliance full time and left kind of the clinical route that one about the physician practices kind of caught my attention and we have a lot of listeners who are kind of in that space where you know they may be in a small practice, they know compliance is important, but they don't have the resources, you know to hire a Susan Wahlberg full time.  

Susan: Right!  

CJ: And so, they are looking for those kinds of tools and you know, Healthicity has some tools as well to help those individuals. So, that one looks like a really interesting one to me.  

Susan: Great! Thank you! 

CJ: And you are right, we are talking today about health tech, right? And that's such a big topic. So, well we probably won't be able to cover every little thing under the sun, right? But a lot of us hear about it, right? Our lives in general are becoming more technology-driven, right? And you know, I'm like you, I started compliance back in the '90s and was using, you know, paper and pencil and maybe an e-mail or two and then it went to spreadsheets and now we've got software that helps you run compliance programs and that's you know and then in our personal lives and so all sorts of interesting things under this large topic, so let's jump right in and kind of maybe at least in your opinion level set a little bit and share what you think we're referring to when we all talk about, quote—unquote, “Healthcare technology.”  

Susan: Sure! And you know, I'll just claim from the get-go that this isn't everything, but these are the sorts of technologies that I've been kind of digging into from the regulatory perspective. I will also just claim that I am not a techie person, I'm a regulatory person, I tell people that I can barely spell IT, which is kind of an exaggeration, but I just want to just claim that this is, you know, me being on the regulatory side.  

So, with that being said, one of the big ones is apps just in general because apps are something that are used by everyday people. They put their own information into it. There's just a lot of activity. There are thousands of new startups and new apps every year. There's also apps that are being used within the provider or insurance community; those are treated differently from a regulatory perspective. There's connected devices, wearables, implantables, and software. There's obviously a big growing movement in the telehealth space. There's whole practices being developed with nothing but telehealth, and they use these other tools as well. So, technology is the entire practice. And lastly, artificial intelligence is the big thing on everybody's mind as well, and that is a moving target from a regulatory perspective. And that's one that I'm finding fascinating from a variety of standpoints.  

CJ: Absolutely! You know, you mentioned some topics there that we've done a couple of past podcasts on. So, if people are interested in a deeper dive, check out some episodes and maybe we can put some of these episodes in the show notes. There was one you talked to a gentleman who's an expert in software as a medical device, he talked about wearables and some of those things. And then just recently, I think our most recent podcast that we released was with a doctor who has expertise in AI, in a specific part of healthcare which was kind of assessing medical records with AI to help clinicians improve care and improve documentation. And so, you know, check out some of those episodes if that is of interest to you.  

Susan: Excellent! 

CJ: Yeah! So that's, a really good kind of definition, or at least something we can use to talk about. And because we're talking, you know, we're compliance nerds. Let's talk a little bit about what you think some of those compliance risks might be related to health tech. If you've kind of come across some of those already.  

Susan: Sure! I mean the big one and the one that I hear as soon as I talk to a startup is obviously; Privacy and Security. And that's, I mean that's a big one from the standpoint of AI from the standpoint of apps, wearables, all of these things pose a vulnerability if they might be hacked. If there are issues with access, there's just I mean, I don't have to go into the HIPAA risks with the health tech space in general. I mean, privacy and security is number one on everybody's mind. What I think is interesting is some of the other risks that we're seeing more and more of, and especially on the enforcement side.  

So, one of them is patient safety is a big risk, so if you have things that are being run by a software program or wearables and those things, software as a medical device or medical devices in general that are diagnosing or facilitating some sort of an impact on a patient, those things can be a safety risk. That goes along with privacy and security, obviously, but it's a different way of kind of looking at it. Another thing is hacking and the malware, access I already mentioned.  

Another note on the privacy side when it comes to AI and this is something that kind of concerns me, it's an open question as far as I'm concerned is how are the AI tools being trained? Where is that information coming from? In other words, is patient information being fed to inform AI systems and to teach them patients consented to that. Are they aware of that? Then there's the consent aspect of that. So, I'm kind of, I'm sorry, I'm kind of going down a little rabbit hole and going a little bit sideways here, but I think some of those are the big concerns.  

On the other side; is Fraud and Abuse, so we're seeing cases and this is my sweet spot; I love these cases because they're fascinating, but we're seeing cases where cyber security is being prosecuted under the False Claims Act or settled out under False Claims Act. So, you have Fraud and Abuse cases that involve, for instance, pre EHR being given to physicians or provider groups for referral arrangements and I'll get into some of those cases but the Fraud and Abuse piece is real.  

CJ: Yes! 

Susan: And another risk area is Marketing. So, the FTC has been very interested in categorizing cyber-related shortcomings as unfair, deceptive practice when certain conditions are met. So, it's really a lot broader than just privacy and security that we typically think of. There's just a lot of other issues that are coming into play and they're being prosecuted or settled out with the federal government under a lot of interesting legal theories.  

CJ: Yeah! So interesting, and one that you know, I recently read the OIG's General Program Compliance Guidance, right? And they talk about information blocking as well, I know that might not affect a lot of providers as much, but this technology brings these new things into healthcare.  

The other thing that you know, since you're kind of this medical thriller author, you may be familiar, when you're talking about medical devices, you may be familiar with the Showtime series Homeland, and this is a spoiler alert if no one's watched it. But it's been out there for years, so you better watch it if you haven't watched it yet!  

You may remember that there was an episode there I think it was the vice president who had a pacemaker or some heart device and, you know, terrorists and bad guys were hacking into that device, I don't know how realistic that is, I'm not a techie person either, but it made for good storytelling. And so, you know, those types of things you do have to worry, especially with remote monitoring, that's becoming a lot more common, right? With clinically monitoring people, because it can be a cost-saving and a quality improvement when you can monitor things in real-time from home or you know from outside the office.  

Susan: Exactly! And think about implantable devices. What if a controversial senator had an implantable, you know, I don't know pacemaker. I don't know how pacemakers are handled, but what if someone hacked into it and did a number on it for political reasons? I mean, I can think of all sorts of interesting points for another book, but yeah, it is interesting.  

CJ: Exactly, yeah! And that's exactly what happened in that Showtime episode that I was watching it. They were hacking into kind of doing bad things to him.  

Susan: I'll have to watch that. I confess I have not.  

CJ: It's super good. Anyway, we're going to take a quick break and then we're going to come right back with talking to Susan some more.  

Welcome back everyone from the break, we are talking with Susan Walberg, who is a compliance consultant and an author, and we're talking about health tech and we're going to move on a little bit and now talk about how health tech might be regulated. Like what is what's currently, you know, in place for it to be regulated. And then what might be some of those gaps? So, Susan, do you have any thoughts kind of on that?  

Susan: Sure! And what I've found in researching this has been so fascinating because it seems like everybody wants a piece of this. So, I'll kind of go down the list of players here. Obviously, Health and Human Services, they have HIPAA and all the related HIPAA privacy and security rigs. So, I mean, we know that piece.  

One, that's a big player these days is the Federal Trade Commission; FTC. So, the FTC has a breach notification rule as well. And what's interesting about that is that a couple of things. First of all, it specifically excludes, per their own statement, covered entities under HIPAA, so this is health providers who by definition include a variety of vendors that provide health tech. So, that's interesting in terms of the applicability with, for instance, app developers. So, an app developer under this FTC rule is now a healthcare provider, fascinating!  

CJ: Wow! 

Susan: Yeah! And that has had enforcement activity. They issued a memo clarifying in 2021 that they are going to be enforcing this and that they do mean all these people are included.  

The other thing that's interesting is what is a breach. A breach is basically any disclosure that has not been authorized. So, it's not just getting hacked or, you know, whatever. It's anytime, so if you, for instance, log into an app and you put your blood sugar readings in there or whatever that you're using to track your diabetes, those things are not necessarily protected. So, they were selling information to Google, to Facebook. I mean, there was a pretty much a super highway from a lot of these apps going right to big Tech and that's a big deal. I mean, in my mind when you talk about gaps, they're starting to fill that gap. But I think it's a pretty big one still.  

CJ: Yeah, because that data is king, right? Like you know, these big, I mean, that's how they make algorithms for advertising for decision making for, you know. So, I hear that loud and clear.  

Susan: Yeah, it's a huge one. It's definitely a huge one. The other one... Oh! On the FTC note, the deceptive practices, too. So, they've been applying that, the Federal Trade Commission Act and that's the one that gets out the unfair practices, and they've been using, and I have a case I'll talk about that one in a little bit, but they do use that to go after cyber security failures. So, it's interesting how the FTC is getting into this.  

The other big one is the FDA. When you think about these devices that are classified as medical devices and software as medical device. That's all coming under FDA purview, so the food, drug and Cosmetics Act now applies to a lot of medical devices, but not all. So, there's a lot of steps to go through that analysis in terms of, what function they perform, how they perform it, but if they're impacting a human being basically directly, you can consider it as a medical device. So that's another one there. The FDA is very interested in cybersecurity. So, if you go on their website, you're going to see all kinds of stuff about cybersecurity as well.  

In addition to those you've got the Department of Justice and the US Attorney's Office, Homeland Security, I mean, these are all folks that are getting really involved and are worrying about this. The Department of Justice has a civil cyber fraud initiative, and that's where we're going to get a couple of these cases where it doesn't look like it's a False Claims Act or a kickback case. It looks like it's a cyber issue, but no, they're going after it as a False Claims. So, those are the players on some of the key laws that are in play right now.  

CJ: Interesting! And, you know, you mentioned you're in Florida, you can correct me if I'm wrong. This is kind of in the HIPAA space. It's really more of the privacy space. Didn't Florida have a law that went into place where data like patient data could not go offshore other than North America? I think they allowed Canada and the US, are you familiar with that one?  

Susan: It sounds familiar, but I haven't read it closely to speak with any kind of expertise on it.  

CJ: So, you know, I shouldn't, I'm not an expert in any of either, but I just remember hearing about that and that some people ask me questions about it, so state laws might come into some of this, especially some of...  

Susan: Lots of state laws, especially around breaches.  

CJ: Yeah! Some of the more active states like California and some of these others that are a little bit more regulatory, in there...  

Susan: Oh, yeah! Believe me, when I worked on the West Coast, California was always. Yeah, I was on the West Coast when HIPPA became a law. So, trust and believe we had a breach that we had to look up breach notification laws in like 15 different States and California was right up at the top with, you know, all the steps we had to go through.  

CJ: So, let's kind of transition a little bit and talk about some of those cases and how this, you know, this patchwork of these laws, how they're currently being applied, you know, what might be some of the enforcement activities relating to health tech products and companies that you're aware of?  

Susan: Sure! And I've got a couple that are probably familiar names, so I'll start off with the biggie, which is GoodRx. So, GoodRx is an app and it's used by consumers and pharmacy benefit managers to provide discounts. In fact, I use it. I don't use the app, but I use the tool, the discount tool. But that case was, it was the FTC that went after them under the breach notification rule and the purpose was because they didn't notify the consumers of how they were using the data and this is a classic case where it went to Google, it went to Facebook. It's getting sold out, 55 million consumers were, you know, using GoodRx. So, they had a $1.5 million fine. But it was FTC, and that was breach notification and again it wasn't a hack, it was just unauthorized disclosure, then GoodRx is a huge company though, and that definitely made the news.  

Let's see what's another interesting one. Modernizing Medicine, that's an EHR tech vendor, and they're a Florida company and this one had a $45 million fine and they had a little, quote—unquote, "business partner," who got fined $ 63 million. So, in this case, they were found to have violated the False Claims Act. They were accepting and providing, quote—unquote, "Unlawful remuneration in exchange for referrals." And causing inaccurate reporting under meaningful use. So, by virtue of that little gem that put them into the ability to call it a False Claims Act.  

CJ: Ah, interesting!  

Susan: But they also went after it for Deceptive Trade Practices, I believe they went after him for a whole bunch of stuff, but False Claims Act is key because when they use that as, I'm sure you know, they can do trouble damages.  

CJ: Exactly! 

Susan: So, they love that tool. So Modernizing Medicine that was in 2022, and that was a tech vendor. I'm finding it fascinating, I guess in general that some of these tech vendors are being prosecuted under traditional healthcare laws, it's fascinating to me. Some of them are business associates, but they're not even being chased down because of HIPAA, they're using the big tools. They're using the False Claims Act.  

CJ: What will be interesting, oh, sorry! Go ahead.  

Susan: Oh, there's a quote out of this case from the Department of Justice saying; "Vendors of EHRs will be held to the same standards of compliance as providers," there you go!  

CJ: Yeah, exactly! And what I was going to say, sorry to interrupt you before it will be interesting as those theories become more as individuals and employees become more aware of those theories as you mentioned with the False Claims Act, they'll be whistleblowers too. And so yes, the DOJ comes from it from one angle, but you also have those incentives for whistleblowers to bring these sort of things forward, and as they become more aware of those kinds of theories, that will probably be interesting to see how that kind of progresses over the years.  

Susan: Absolutely! And another aspect of this for people to just be aware of is, you know, the marketing programs were at the root of this. So, whether you're working in a tech company or maybe you're the person trying to decide what vendor to go with, be very wary of freebies and referral arrangements where they're like; "We'll give you X if you send people to our product or our website or our services or whatever." You know, in the past growing up with this like you did too, kickbacks were between like physicians and labs or something like that, not an EHR vendor, so it's different. It's a different world.  

CJ: The OIG in there, again in this general compliance program guidance document, they have a section on what they call; "new entrance into the healthcare industry," and they referenced that where you know people who are coming into healthcare and are used to marketing and other things that are okay in other industries, right? Like if I go open a bank account or get a new visa card, they can give me $300 on my next statement or something, or give me a toaster, that's just not allowed in healthcare. And so, the OIG brought that up as; "Look, these new entrants that are coming in, you got to get used to this environment."  

Susan: Exactly! You know, when I work with startups and they say; "Well, we need a compliance program." And so, I asked them; "OK, well, what are your concerns?" And it's privacy and security. Which, it should be. I mean I'm not saying that's wrong, but they don't.  

CJ: Right! 

Susan: I mean this kind of stuff is not on their radar at all. So, you know, a lot of people unwittingly can just like the physician practices, right, that don't have compliance backgrounds, people just unwittingly do what looks like good business, you know, to get referrals or to get started or whatever, and then they find themselves in the crosshairs, especially as you say if we start having more whistleblowers as people get more informed.  

One other case I want to mention for sure and I don't know how we are on time, but the Jelly Bean case was a fascinating case. Also, now if you're familiar with that one...  

CJ: No, I'm not.  

Susan: Okay! Well, Jelly Bean Communications Design; they did websites design and they did a website for let me get the name right; Florida Healthy Kids Corporation, which was a federally funded kids insurance program and they had an online app and so people could put their information in and apply online. You already know where this is going, right? I'm surprised it didn't go under the Online Children's Online Privacy Act, but it did not. They had supposedly HIPAA-compliant hosting, which is what they claimed. But they did not, and they were hacked. And half a million applicants were compromised in that one. So, this is another one where they went after a web developer under the False Claims Act for a HIPAA violation.  

CJ: It's so interesting.  

Susan: That would just fix my brain twitch like, wow! 

CJ: Wow! And all these cases I'm assuming, were settlements they didn't go to trial.  

Susan: Right! 

CJ: Interesting!  

Susan: Yeah, some of them they, some of them, they pay fines, some of them they just put them under a really onerous kind of like a corrective action plan, similar to the corporate integrity agreements that we see now.  

CJ: Are those corrective action plans public? like the OIG-CIAs.  

Susan: You know, that's a great question. I didn't go and look it up. So, I'm going to have to go look it up now. I would imagine it is.  

CJ: Yeah, because I know sometimes the FTC and you're probably more well versed than I, but they sometimes will post like press releases and stuff at least like the DOJ does so, it gives us ideas of what's going on. 

Susan: And a lot of times there's a link that's on their website to look at the cases develop.  

CJ: Yeah, I'm always curious and digging deeper I often go to PACER, which you probably know, and what our listeners; Public Access to Court Electronic Records, because I want to see complaints. I want to see what did the complainant bring, and what are the details. Because some of those DOJ press releases kind of start to read the same over and over again.  

Susan: Yeah, they do! They have their canned language, and then they stick in the other stuff. So, I don't know if you want any more cases, there's...  

CJ: We have a couple more minutes. Maybe if you can share one more and any of the other concluding thoughts. And while you were talking, I did look up that Florida law Google's good for me. It amended, it was a law that Governor De Santis signed in May of 2023, bill CS/CS/SB 264, amending the Florida Electronic Health Records Exchange Act, which effective July 1st of 2023 the law required that the offsite storage of certain personal medical information be physically maintained in the continental US territories or Canada, so I you know, I think that means again, I'm not a lawyer, but I think that means you can't have, you know, servers in India or Asia or something with this personal information according to this Florida law.  

Susan: Interesting! So, what if you're what if your corporate headquarters is in Delaware and you have a subsidiary in Florida, or I mean I can just see all sorts of angles on this where this could turn into a much bigger thing than just Florida.  

CJ: Yeah, and it's new, so we'll see. Where it goes but I just wanted to throw that in there. Yeah! So, if you have one more case or any other concluding thoughts that you think might be interesting?  

Susan: OK, I have one. Let's see, SkyMed is another FTC case. They did emergency medical evaluations; I think insurance evaluations. They used a HIPAA logo on their website, as if to suggest that they were, you know, HIPAA compliant.  

CJ: Right!  

Susan: They also did not secure records, so they made a lot of implied claims, didn't secure records. They were prosecuted as unfair practice under the FTC for a failure to secure and also for the use of the HIPAA logo. And this one is one of the companies that was made to enact compliance program and have monitoring by the government or maybe an IRO-type situation. So, that one was another big one that was, I just feel like it's interesting because I look at how they prosecute them and it's, there are like several different ways and I like to see who is it that grabs this case, you know, because it's not HHS. It's some of these other guys. And that's what I find so interesting.  

CJ: Right! 

Susan: I mean, there's a ton of, I put them a lot of them in my I'm trying to every section in my book. I'm trying to put a case in each section to show it because there are so many out there and to me it's that's what makes this real and interesting is seeing how it plays out and seeing the emphasis now from so many agencies.  

CJ: Yeah, I love reading those cases because that's like how this theoretical, you know, as compliance officers, we're always saying; "This is what could go wrong." And then well, here's where it actually did go wrong. Here's the storyline. And so, I'm excited.  

When do you anticipate the book to kind of come out? I know those deadlines are always moving, but...  

Susan: Yeah, it's been through one round of editing and I'm doing my updates after the editor, so I'm going to get a couple of beta readers. Probably more than a couple and certainly if someone's in this space and is interested in reading over some of it, you know, reach out to me. You know, I'm on LinkedIn because I'll be looking for that just as quality control and input so I'd like to say within six months, but I'm working on two books right now and I'm doing my day job as well, so I was going to have it done this year and then I moved and it took about three or four months out of my life. And so, everything kind of got shuffled around this year. I'm back in the saddle and I'm going to try and crank that thing out soon.  

CJ: That's good.  

Susan: But the thing is with this book and with this topic, it changes every day! So, like every day you go and look on the FTC website, for instance, and you'll see some new thing that they're doing, some new initiative or a new case, something, it's truly a hot topic.  

CJ: I know, right? Yeah! And it and it's moving so fast, that you're going to have to make new additions of that book every year.  

Susan: Yeah, exactly! Oh God, yeah, exactly! So, I guess for a couple of closing thoughts, I mean for people who are not in a tech startup thinking it might not apply to you, I would just recommend that you know, be aware of those marketing practices because, like the Kickback statute it applies to both sides of the transaction, so just be aware of that.  

CJ: Right!  

Susan: It's a risk, obviously. Check any vendors very carefully. Don't just sign contracts. You know, find out about their privacy and security practices, their compliance programs. Make sure that they're up to par, do your due diligence, in other words. And don't take any freebies without at least talking to, you know, compliance or legal or whoever you talk to, just to validate, even if it seems like a good deal, that would really help the practice, sometimes those come with strings you don't want.  

CJ: Yeah, they're often good intention, but you know, in our marketing folks and I love them. They're trying to do what they've been trained to do, which is, you know, generate business. And so, they're very creative, and again, I don't think anyone's doing it on purpose, but you just need to be used to the environment and healthcare. It's different than other industries. 

Susan: It truly is and you know, it's just a lot of it just comes down to education, you know, making sure that people really do understand, especially if you've got smaller practice, and I mean, you know, I've had clients that are basically barely making payroll. They might like the idea of a free EHR system in exchange for X or whatever. And I've heard that my whole career, even in mega health systems, it's like; "Yeah, but we'd get a great savings, blah, blah blah!" It's like, "Oh, at what cost there, honey?" I mean, come on! 

CJ: Exactly! Oh, so true. Susan, we could talk all day about this. Maybe we'll have to have you come back another time.  

Susan: I would love to. I'd love to. I'm a geek. I love talking about this stuff. 

CJ: Yeah, me too. Thank you so much, Susan, for sharing your expertise, and your knowledge. And we look forward to the book. And as I mentioned at the beginning, we'll include some links that Susan's sharing with us in the show notes so that you can either reach out to her or look at some of her other books. Thank you again, Susan, we really appreciate it! 

Susan: Thank you so much. And we'll hopefully talk again soon.  

CJ: Thank you! And thanks to all of our listeners. The parting message that I always give is, you know, if you like these podcasts, please share them with friends, hit the like and subscribe, and all those good things. And we really like to know what other topics you want to hear about. If you have a guest or somebody that you think would be a good guest. Please share that with us at Healthicity. So, until our next episode, Happy Compliance, everybody! Take care!