Breaking Compliance News Blog

CMS' New Affiliate Screening Requirements Are Coming

Posted by Margaret Scavotto, JD, CHC on 10/23/19 7:58 AM

On November 4, CMS' Program Integrity Enhancements to the Provider Enrollment Process final rule goes into effect. 

The "Affiliates" provision of this rule requires Medicare, Medicaid and CHIP providers to disclose to CMS any affiliations with organizations that have had a "disclosable event." Providers who fail to make these disclosures can be denied enrollment - or have their enrollment revoked. The purpose of this new process is to stop fraud and help CMS find parties that have committed fraud.

What's an "affiliation"?

There are five ways a provider can have an "affiliation" with an organization:

  • a 5% or more direct or indirect ownership interest in another organization
  • a general or limited partnership interest (of any percentage) in another organization
  • an interest in which an individual or entity exercises "operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization," by contract or another arrangement. This includes sole proprietorships.
  • when an individual is acting as officer or director of a corporation
  • a reassignment or payment assignment relationship

 

What's a "disclosable event"?

Providers must disclose "affiliations" within the past five years to CMS if the affiliated organization has a "disclosable event":

  • current uncollected debt owed to Medicare, Medicaid or CHIP
  • current or prior payment suspension
  • current or prior OIG exclusions
  • Medicare, Medicaid or CHIP enrollment denial, revocation or termination

When does this go into effect?


Topics: Excluded Providers, compliance, vendor screening

Smartphones: The biggest HIPAA and abuse offenders

Posted by Margaret Scavotto, JD, CHC on 10/16/19 6:27 AM

When nursing home staff take pictures of residents with their smartphones, it can be both a HIPAA problem and an abuse problem. Here’s an example.

CNA took photo of deceased resident and shared it to Snapchat

Five CNAs at a New York nursing home took photos and videos of residents—including one deceased resident—on their cell phones and shared them on Snapchat.

The nursing home was notified of the incident when a member of the public called the administrator and reported that a CNA sent her a photograph of a deceased resident. This CNA admitted taking and sharing photos and videos of eight residents. Her reason for photographing the man who died was “because she was upset that the resident had passed away.” She also took five videos of another resident “mostly yelling and swearing” and sent them to another CNA.

Another CNA admitted that “everyone on the unit on the evening shift was using their cell phones.”


Topics: HIPAA, abuse, skilled nursing

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM

 

Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, the OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas, Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people, the largest health data breach in history. So what is the big deal? Or more importantly, what are the lessons to be learned from this breach? There are several.


Topics: HIPAA, Social Media

Have you tested your compliance hotline lately?

Posted by Margaret Scavotto, JD, CHC on 10/2/19 7:28 AM

The Kansas Medicaid fraud and abuse complaint email inbox went unchecked for 17 months.

According to a report issued by the Kansas Office of the Medicaid Inspector General, 209 emails were unread. 95 of these emails "alleged fraud, waste, abuse, or illegal acts related to Medicaid, MediKan, or SCHIP, or were seeking information on how to report suspected fraud." 42 of these emails contained "partially or wholly substantiated allegations of Medicaid or SCHIP fraud, waste, abuse or illegal acts...."

How did it happen?

The complaint inbox went unchecked from August 2, 2017 to January 9, 2019.


Topics: Hotline, annual review, compliance

HIPAA question of the day: Do your employees snoop?

Posted by Margaret Scavotto, JD, CHC on 9/24/19 8:07 AM

Nurse snooped records of 1,309 patients

A medical center employee snooped medical records of 1,309 patients over 15 months. The nurse looked up records for patients assigned to herself, or to another nurse - but did not have a treatment reason to view the records. The patients were notified.

Car accident leads to firing of 12 employees for snooping

A health system suspended approximately 12 employees while it investigated a potential HIPAA breach. The investigation likely involves a fatal motor vehicle accident involving a health system employee. The driver and another passenger from the car accident were treated at local hospitals for injuries.

Receptionist fired for looking up co-worker contact info in EHR


Topics: HIPAA

Email HIPAA Breaches On the Rise

Posted by Margaret Scavotto, JD, CHC on 9/18/19 7:29 AM

According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), email breaches are on the rise.

The OCR maintains a database of breaches of unsecured protected health information affecting at least 500 individuals. MPA crunched some numbers, looking at OCR breach reports still under investigation for each six-month period for the past 24 months. The number of email breaches reported to the OCR between the second half of 2017 and the first half of 2019 more than quintupled.

Let’s look at some real-world examples to see how email use can breach HIPAA.


Topics: HIPAA, data breach, security

CMS Changes SNF Compliance Program Requirements – Again

Posted by Margaret Scavotto & Scott Gima on 9/10/19 7:13 AM

Ladies and gentlemen, long-anticipated compliance program requirements are changing, one more time. Let’s take a look at what has changed – and what hasn’t.

The proposed rule

On July 16, 2019, CMS published a proposed rule that would modify multiple aspects of Phase III of the Long-Term Care Facilities Requirements for Participation (the “Proposed Rule”). The goal of the Proposed Rule is to reduce regulatory burdens and costs, allowing nursing homes to focus resources on providing quality resident care. Some of the most discussed proposed amendments are those to the Compliance and Ethics Program requirements (42 CFR 483.85), which, if finalized, will become effective one year later. With comments from the public due September 16, 2019, our best guess is that enforcement will begin October or November 2020.

Good news: fewer compliance-related F-tags ahead

Nursing homes: LeadingAge (and other associations) successfully lobbied on your behalf. 


Topics: Affordable Care Act, OIG compliance resources, skilled nursing, compliance

Breaking News: OCR enters first HIPAA settlement in Right of Access Initiative

Posted by Margaret Scavotto, JD, CHC on 9/9/19 12:36 PM

* Breaking News *

The Office for Civil Rights (OCR) just announced its first settlement in the HIPAA Right of Access Initiative. 

Bayfront Health St. Petersburg paid an $85,000 settlement and entered a corrective action plan with the OCR to resolve allegations that it violated the HIPAA Privacy Rule by denying a patient the right to timely access to the medical records of her unborn child.


Topics: HIPAA

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 

 

The first attack shut down computers for three weeks while the center rebuilt its systems from backups; the center did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.


Topics: HIPAA, data breach, security

Nursing home sued after aides taunt resident on Snapchat

Posted by Margaret Scavotto, JD, CHC on 8/22/19 7:37 AM

Two nursing home certified nurse aides were fired and charged with disorderly conduct after filming a 91-year-old resident in distress and posting the video to Snapchat.

The two aides allegedly took a video recording of the resident in distress, while they waved a gown in her face - and the resident tried to push it away. The video caption read: "[Resident name] hates gowns," and was accompanied by laughing/crying emojis. Staff at the nursing home were aware that this resident did not care for hospital gowns.


Topics: HIPAA, abuse, skilled nursing
