Breaking Compliance News Blog

HIPAA threat: Are you protected from insiders?

Posted by Margaret Scavotto, JD, CHC on 12/13/17 7:03 AM

Jean Baptiste Alvarez was found guilty of federal charges of conspiracy to defraud the United States with respect to false claims, misuse of a Social Security number, aggravated identity theft, and aiding or assisting in the preparation of false federal income tax returns. Alvarez was accused of stealing census sheets containing patient names, SSNs and DOBs from his employer, the Kirkbride Center, a behavioral health facility where Alvarez worked as a mental health tech. Alvarez sold the census sheets for $1,000 per sheet. The stolen information was then used to file fraudulent tax returns and obtain refunds, yielding, on average, $1,500 per refund. Due to the vulnerable nature of the victims, who struggled with mental health issues and drug addiction, Alvarez was sentenced to 5 years in prison and ordered to pay $266,985 restitution.

It is challenging, and sometimes impossible, for providers to prevent HIPAA breaches caused by determined criminals. However, providers should keep in mind that 29.7% of data breaches in the healthcare industry are caused by insiders. Almost 1/3 of data breaches come from within our own walls.

What can you do?


Topics: HIPAA

Guest Blog: 10 Reasons Why Pre-transactional OIG Exclusion Checking is Essential

Posted by Margaret Scavotto, JD, CHC on 12/7/17 7:03 AM

Today's guest blog comes from Michael Rosen, Esq., Co-Founder of ProviderTrust. Michael is one of the nation's leading experts on excluded provider screens.

10 Reasons Why Pre-transactional OIG Exclusion Checking is Essential

“The early bird catches the worm.”

“If you want to see the sunrise, get up early.”

“An ounce of prevention is worth a pound of cure.”

All of these sayings signify that it is never too early to do the right thing, and when it comes to avoiding fines and penalties, that means pre-transactional OIG exclusion due diligence.

Lawyers know that the devil is in the detail. That is why careful consideration and time are taken to conduct thorough and complete due diligence as part of a transaction. If done properly, it will include an audit of many areas of compliance. An article in the Nashville Post discusses this point. According to the article, evaluating deals requires a larger compliance push that is driving up the overall cost of deals. “Compliance is actually the reason most deals don’t get done,” said Todd Rudsenske, Cain Brothers managing director. “If proper compliance checks haven’t been made, then what happens when the value goes out the door?”


Topics: Excluded Providers

Compliance is the new normal.

Posted by Michael Scavotto on 12/5/17 7:03 AM

Just a few years ago, if you had asked me to name the primary functions of the governing body, I would have said there are four:

  1. Quality of Services
  2. Strategy
  3. Finance
  4. Policy

I see these primary functions as equally important. The leadership challenge for the CEO and Board is to keep the organization balanced by not focusing on one function to the detriment of another. To be sure, there is a lot of room regarding what could be included under each function; that, too, presents a leadership challenge and requires balance. We all have a natural tendency to reinforce existing strengths and not develop things that we know will require a lot of work but will ultimately make the organization stronger.

Some people would argue for Oversight as a fifth primary function, but I would counter that no managerial endeavor is really any good without oversight. In other words, you can’t say you are responsible for something and then not confirm that you did it. Whether we review something monthly, quarterly, semi-annually or annually, we need some basis for proving that we did indeed carry out our mission. Better yet, we made changes to become more effective.

The Fifth Function

Today, I would add a fifth primary function: Compliance.


Topics: Board Involvement

Physical HIPAA security matters: Burglars target paper medical records

Posted by Margaret Scavotto, JD, CHC on 11/30/17 7:05 AM

A medical practice in New Jersey reports that burglars took 13 boxes of paper medical records from an off-site storage facility. Approximately 1,000 patient records were stolen.

Fortunately, when the burglar attempted to sell the patient records, he was apprehended by police. He now faces charges of second-degree trafficking in personally identifiable information, second-degree identity theft, and third-degree burglary, with a minimum 5-year jail sentence.

This is not the only recent example of paper PHI being pilfered. This May, a Colorado medical practice was hit by a burglary – and later discovered that paper medical records were missing. The swiped records included patient names, DOBs, SSNs, medical information, health conditions/diagnoses, financial information, and insurance information.

Individuals are actively seeking paper records in order to turn a profit on the black market. Why?


Topics: HIPAA

When PR Becomes a HIPAA Problem

Posted by Margaret Scavotto, JD, CHC on 11/21/17 7:05 AM

Compliance officers and HIPAA privacy and security officers typically worry about HIPAA violations all day long. But does your public relations department?

An arrest and a press release

In May 2017, a not-for-profit health system in Texas entered a $2.4 million settlement with the OCR to resolve allegations that it violated the HIPAA Privacy Rule.

A patient presented a fake ID at a health system OB/GYN clinic. The clinic called the police – which complied with the Privacy Rule’s provisions for reporting a crime on the premises. But, then the health system issued a press release about the arrest. The press release title included the patient’s name.

Why the press release?


Topics: HIPAA

U.S. vs Epic Software – Lessons for EMR Users

Posted by Scott Gima on 11/14/17 7:00 AM

A whistleblower False Claims case against Epic Software Corp. (ESC or Epic) was made public on November 2, 2017. The complaint was originally filed in January of 2015, and states that Epic was overbilling Medicare for anesthesia services.

As of January 1, 2012, base units should not be billed to Medicare – only the physician’s time is submitted by the provider. The lawsuit alleges that Epic’s billing software has a default setting that charges both 1) base units for anesthesia provided for a procedure; and 2) the time of the procedure. As a result, payors are overbilled.

The whistleblower filed a lawsuit after attempts to get Epic to change the software were met with resistance.

Why Are the Hospitals Being Sued?

The breadth of this False Claims complaint is immense. In addition to Epic Systems, the defendants in this case include customers of Epic Systems, which number more than 280. The complaint states: “it is probable that most of ESC’s software customers (ie, the other listed Defendants) are using ESC’s Epic billing software as written.” These customers may have been submitting false claims by not recognizing and correcting billing errors caused by flawed billing software. The DOJ is sending a clear message that providers are accountable and liable for overbilling errors that are caused by billing software.


Topics: HIPAA

Prevent “Worthless Services” With a QAPI Checklist

Posted by Scott Gima on 11/7/17 7:02 AM

In October, Health Services Management, Inc., the parent company for Huntsville Health Care Center, agreed to pay the U.S. government $5 million to resolve a whistleblower lawsuit that included allegations that the company billed Medicare and Medicaid for “worthless services” and services that were not provided. The settlement includes an agreement to enter a Corporate Integrity Agreement with the OIG. The whistleblower was an employee of the facility who claimed she witnessed patient physical and verbal abuse and neglect, inadequate care, and the absence of basic services including food and water.

The common response to this settlement is “This can’t happen in our building!!!” But how is it prevented? With a strong QAPI program.


Topics: Quality Assurance

Outdoor Engine Power Equipment Company Reports HIPAA Breach – Could this happen to you?

Posted by Scott Gima on 11/1/17 7:03 AM

Briggs and Stratton is not a healthcare provider – they make gasoline engines for lawn and outdoor power equipment. Yet, on September 29, 2017, the company notified OCR of a breach of unsecured protected health information (PHI). According to the OCR Breach Portal, the breach affected 12,789 individuals as a result of a hacking/IT incident affecting desktop computers, laptops, and network server(s).

Briggs and Stratton is not a health care provider or a business associate under HIPAA. But, it offers an employer-sponsored health plan – which makes it a HIPAA covered entity. This is a reminder that any employer that provides health insurance may need to be HIPAA compliant if PHI is shared with the employer. This includes employers who are self-insured or provide health insurance through a group health plan. Simply put, an employer that handles PHI could be a covered entity that needs to be in 100% compliance with HIPAA’s privacy, security and breach notification requirements.


Topics: HIPAA

What’s In Your Envelope? HIPAA Wants to Know.

Posted by Margaret Scavotto, JD, CHC on 10/25/17 7:05 AM

This summer, Aetna made headlines when it used a contractor to send a mailing to 12,000 members. The mailing involved letters sent in windowed envelopes typical of mass business mailings. For some patients, the following language, revealing the members’ HIV status, was visible through the envelope window: “The purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…members can use a retail pharmacy or a mail order pharma….”

This breach of sensitive patient information had health care providers scratching their heads: We didn’t think about this as a risk. How can we possibly anticipate every possible HIPAA breach?

Four months later, we see another HIPAA gaffe involving – yes – a mass mailing. This time, the breach involved a not-for-profit community health plan that provides care and coverage to Medicaid patients with chronic health conditions – like HIV.

The health plan mailed flyers to HIV patients, promoting an HIV research project. The mailroom was careful to assemble the mailing so that no PHI was visible through the envelope window. But, the language “Your HIV detecta” could potentially be seen through the paper envelope.

What’s a provider to do?

Providers are already scrambling to keep up with skyrocketing cyber threats to their ePHI. These two envelope breaches are reminders that HIPAA risks are everywhere, and a HIPAA Privacy Officer’s job never ends. How do we prevent breaches that seem so hard to anticipate?

  • Remember that paper still counts. Yes, healthcare is the #1 target of cyber-attacks. But paper breaches are still very common, and need our attention, too.
  • Use your security risk analysis. Make an ePHI inventory. Then, expand it to include paper and verbal PHI. Include all ways PHI is stored, used, disclosed, and accessed. This should cast a wide net, and capture paper mailings.
  • Use a team approach. When it comes to identifying risks in a diverse and evolving field, more heads are better than one. Talk to your Compliance Committee regularly about HIPAA. Constantly ask people what they are working on, so you can identify HIPAA risks where others may have overlooked them.
  • Keep an eye on your neighbors. These two envelope examples are a cautionary tale for other providers. Watch the headlines and OCR settlements and guidance. Find out how other providers experienced breaches, and do everything you can to prevent them in your own organization.



Topics: HIPAA, data breach

Nurse Unsuccessfully Sues Hospital over HIPAA Firing

Posted by Margaret Scavotto, JD, CHC on 10/17/17 7:03 AM

A nurse was fired from a Kentucky hospital after she told a physician and an EKG technician to wear gloves for a procedure – because the patient had Hepatitis C. The patient was behind a privacy curtain, with other patients and staff nearby.

The patient complained to the hospital that the nurse revealed his diagnosis to nearby patients and staff who overheard her. The nurse was fired for violating HIPAA, and sued the hospital for wrongful termination. The nurse argued that she did not violate HIPAA, because her disclosure was “incidental” and permitted under HIPAA.

The nurse lost at trial, and, later, on appeal. The appellate court stated: “…even if [the hospital] were objectively wrong that [the nurse] violated HIPAA’s patient confidentiality provisions, [the nurse] cannot rely on HIPAA as a basis for a wrongful discharge claim, since HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

The nurse also sued the hospital for defamation. The nurse said a hospital employee defamed her when she reported the nurse’s HIPAA-based termination to the Metropolitan Louisville Healthcare Consortium. The Court upheld the trial court’s finding that no defamation occurred, because the hospital told the truth: the nurse was in fact terminated for violating HIPAA after she disclosed more information than the minimum necessary.

This is just one Kentucky court’s opinion – and keep in mind that the OCR has not released any enforcement regarding this instance. But, this lawsuit is an example of two things:

  • A provider successfully firing someone for violating HIPAA; and
  • An ongoing need to train staff on common HIPAA risks



Topics: Training and Education, HIPAA
