Breaking Compliance News Blog

Margaret Scavotto, JD, CHC

Breaking News: OCR announces $1.6 million HIPAA penalty

Posted by Margaret Scavotto, JD, CHC on 11/7/19 3:04 PM

This afternoon, the Office for Civil Rights announced its second HIPAA enforcement this week - this time, with a governmental agency. 

The Texas Health and Human Services Commission (TX HHSC) received a $1.6 million civil monetary penalty from the OCR for HIPAA Privacy and Security violations committed by the Texas Department of Aging and Disability Services (DADS), which is now part of TX HHSC.

In 2015, DADS notified OCR of a breach after it discovered that the ePHI for 6,617 individuals was accessible via the internet. OCR explains:

Topics: HIPAA, data breach, security, breach notification

Stay informed with MPA's Monthly Compliance Newsletter

Posted by Margaret Scavotto, JD, CHC on 11/6/19 7:45 AM

MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.

Coming to October's issue:

  • Nurse criminally charged after using whiteout on patient record
  • Doctor prescribed opioids without seeing patients
  • Personal care aide bribed patients and falsified time sheets
  • Pain practice put productivity over medical necessity
  • Hospital’s “wall of shame” has HIPAA and human rights law consequences
  • Abuse filmed and shared on social media
  • Hospice’s breach notification letters cause second breach
  • Ransomware causes healthcare provider to permanently close
  • ... and much more!

Not yet a subscriber? Click here to sign up.

You can read a sample report here.

Topics: Compliance Basics

Breaking News: $3 million unencrypted mobile device HIPAA settlement

Posted by Margaret Scavotto, JD, CHC on 11/5/19 3:36 PM

This afternoon, the Office for Civil Rights (OCR) announced a $3,000,000 HIPAA settlement with the University of Rochester Medical Center (URMC). This settlement resolves Privacy and Security Rule allegations.

Topics: HIPAA, data breach, security

DOJ cracking down on nursing homes

Posted by Margaret Scavotto, JD, CHC on 11/5/19 8:15 AM

The Department of Justice (DOJ) aims to use its Elder Justice Initiative to pursue more criminal charges in nursing home investigations. Typically, the DOJ uses civil lawsuits to pursue False Claims Act violations against nursing homes. Toni Bacon, a DOJ associate deputy general, explains the shift: "We need to go after cases civilly because they [are] providing grossly substandard care and, in the appropriate case, refer it for a parallel criminal prosecution."

Topics: Penalties and Enforcement, compliance

OCR announces $2.15 million HIPAA settlement

Posted by Margaret Scavotto, JD, CHC on 10/31/19 1:47 PM

 

Jackson Health System (JHS), a not-for-profit medical system in Miami, entered a $2.15 million settlement with the OCR to resolve potential violations of the Security and Breach Notification Rules.

In January 2013, JHS lost paper records for 756 patients. JHS reported this breach to the OCR in August 2013. During its investigation, JHS learned that three additional boxes of records affecting 1,436 patients were lost in December 2012; and JHS reported this breach to the OCR in June 2016.

In February 2016, JHS notified the OCR that an employee inappropriately accessed 24,000 patient records since 2011, and sold some patient PHI.

 

Upon investigating, the OCR found:

Topics: HIPAA, security, breach notification

CMS' New Affiliate Screening Requirements Are Coming

Posted by Margaret Scavotto, JD, CHC on 10/23/19 7:58 AM

On November 4, CMS' Program Integrity Enhancements to the Provider Enrollment Process final rule goes into effect. 

The "Affiliates" provision of this rule requires Medicare, Medicaid and CHIP providers to disclose to CMS any affiliations with organizations that have had a "disclosable event." Providers who fail to make these disclosures can be denied enrollment - or have their enrollment revoked. The purpose of this new process is to stop fraud and help CMS find parties that have committed fraud.

What's an "affiliation"?

There are five ways a provider can have an "affiliation" with an organization:

  • a 5% or more direct or indirect ownership interest in another organization
  • a general or limited partnership interest (of any percentage) in another organization
  • an interest in which an individual or entity exercises "operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization," by contract or another arrangement. This includes sole proprietorships.
  • when an individual is acting as officer or director of a corporation
  • a reassignment or payment assignment relationship

What's a "disclosable event"?

Providers must disclose "affiliations" within the past five years to CMS if the affiliated organization has a "disclosable event:"

  • current uncollected debt owed to Medicare, Medicaid or CHIP
  • current or prior payment suspension
  • current or prior OIG exclusions
  • Medicare, Medicaid or CHIP enrollment denial, revocation or termination

When does this go into effect?

Topics: Excluded Providers, compliance, vendor screening

Smartphones: The biggest HIPAA and abuse offenders

Posted by Margaret Scavotto, JD, CHC on 10/16/19 6:27 AM

It can be a HIPAA problem and an abuse problem: when nursing home staff take pictures of residents with their smartphones. Here’s an example.

CNA took photo of deceased resident and shared it to Snapchat

Five CNAs at a New York nursing home took photos and videos of residents—including one deceased resident—on their cell phones and shared them on Snapchat.

The nursing home was notified of the incident when a member of the public called the administrator and reported that a CNA sent her a photograph of a deceased resident. This CNA admitted taking and sharing photos and videos of eight residents. Her reason for photographing the man who died was “because she was upset that the resident had passed away.” She also took five videos of another resident “mostly yelling and swearing” and sent them to another CNA.

Another CNA admitted that “everyone on the unit on the evening shift was using their cell phones.”

Topics: HIPAA, abuse, skilled nursing

Have you tested your compliance hotline lately?

Posted by Margaret Scavotto, JD, CHC on 10/2/19 7:28 AM

The Kansas Medicaid fraud and abuse complaint email inbox went unchecked for 17 months.

According to a report issued by the Kansas Office of the Medicaid Inspector General, 209 emails were unread. 95 of these emails "alleged fraud, waste, abuse, or illegal acts related to Medicaid, MediKan, or SCHIP, or were seeking information on how to report suspected fraud." 42 of these emails contained "partially or wholly substantiated allegations of Medicaid or SCHIP fraud, waste, abuse or illegal acts...."

How did it happen?

The complaint inbox went unchecked from August 2, 2017 to January 9, 2019.

Topics: Hotline, annual review, compliance

HIPAA question of the day: Do your employees snoop?

Posted by Margaret Scavotto, JD, CHC on 9/24/19 8:07 AM

Nurse snooped records of 1,309 patients

A medical center employee snooped medical records of 1,309 patients over 15 months. The nurse looked up records for patients assigned to herself, or to another nurse - but did not have a treatment reason to view the records. The patients were notified.

Car accident leads to firing of 12 employees for snooping

A health system suspended approximately 12 employees while it investigated a potential HIPAA breach. The investigation likely involves a fatal motor vehicle accident involving a health system employee. The driver and another passenger from the car accident were treated at local hospitals for injuries.

Receptionist fired for looking up co-worker contact info in EHR

Topics: HIPAA

Email HIPAA Breaches On the Rise

Posted by Margaret Scavotto, JD, CHC on 9/18/19 7:29 AM

According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), email breaches are on the rise.

The OCR maintains a database of breaches of unsecured protected health information affecting at least 500 individuals. MPA crunched some numbers, looking at OCR breach reports still under investigation for each six-month period for the past 24 months. The number of email breaches reported to the OCR between the second half of 2017 and the first half of 2019 more than quintupled.

Let’s look at some real-world examples to see how email use can breach HIPAA.

Topics: HIPAA, data breach, security
