Breaking Compliance News Blog

The Opioid Reckoning Has Just Begun

Posted by Margaret Scavotto, JD, CHC on 11/12/20 10:30 AM


Every few days, we see criminal charges brought against physicians and other individuals who provided controlled substances without a medical need; without a proper medical visit or exam; or in exchange for kickbacks or bribes.

On October 21, we had big news from the Department of Justice: settlements with Purdue Pharmacy and the Sackler family. Purdue Pharma, a pharmaceutical company primarily owned by the Sackler family, is most well-known for its opioid product OxyContin.

State, private, and federal lawsuits have increasingly been filed against opioid manufacturers, and many in the healthcare industry expected to see enforcement involving Purdue and the Sacklers. Here’s what happened in October:

Read More

Topics: Penalties and Enforcement, Opioids, compliance


Posted by Margaret Scavotto, JD, CHC on 10/13/20 10:15 AM

On September 15, 2020, the Office for Civil Rights (OCR) announced five settlements with providers who were accused of failing to comply with HIPAA’s right of access requirements. On October 7th, the OCR announced another patient rights settlement, which is the eighth HIPAA Right of Access Initiatives settlement to date. And on October 9th, the ninth settlement was announced (two Right of Access settlements were announced early in 2019 and 2020).

The Privacy Rule requires covered entities to respond to patients’ requests to inspect or obtain a copy of their medical records within 30 days. In some circumstances, the provider may extend this timeframe by 30 days – but it must let the patient know of the delay within the original 30-day period.

The new settlements involved:

Read More

Topics: Penalties and Enforcement, HIPAA, compliance

Be a compliance expert in 2020.

Posted by Margaret Scavotto, JD, CHC on 1/28/20 8:30 AM

MPA scours OIG and OCR enforcement updates and news so that you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code StayInformed to save 25% off the price when you sign up.  

You can read a sample report here.

Read More

Topics: Compliance Basics, Penalties and Enforcement, OIG compliance resources

DOJ cracking down on nursing homes

Posted by Margaret Scavotto, JD, CHC on 11/5/19 8:15 AM

The Department of Justice (DOJ) aims to use its Elder Justice Initiative to  pursue more criminal charges in nursing home investigations. Typically, the DOJ uses civil lawsuits to pursue False Claims Act violations against nursing homes. Toni Bacon, a DOJ associate deputy general, explains the shift: "We need to go after cases civilly because they [are] providing grossly substandard care and, in the appropriate case, refer it for a parallel criminal prosecution."

Read More

Topics: Penalties and Enforcement, compliance

OIG Launches Compliance Resources Portal

Posted by Margaret Scavotto, JD, CHC on 5/1/18 6:58 AM

At the HCCA Compliance Institute held in Las Vegas April 15-18, Keynote Speaker and HHS Inspector General Dan Levinson announced the OIG's new Compliance Resources Portal.

Now, compliance officers can find all of the OIG’s compliance resources on one page.

The resources include:

  1. Toolkits
  2. Provider Compliance Resources and Training*
  3. Advisory Opinions
  4. Voluntary Compliance and Exclusions Resources
  5. Special Fraud Alerts, Other Guidance, and Safe Harbor Regulations
  6. Resources for Health Care Boards
  7. Resources for Physicians
  8. Accountable Care Organizations

 * Compliance Program Guidance is housed here.

 Soon, the OIG will be posting a new resource: the OIG Toolkit to Identify Patients at Risk of Opioid misuse.

 If you are looking for criminal, civil or state enforcement actions, civil monetary penalties, exclusions or corporate integrity agreement enforcement, those update are still located under the Fraud tab.


Read More

Topics: Compliance Basics, Penalties and Enforcement, OIG compliance resources

The government is monitoring your claims data. Are you?

Posted by Margaret Scavotto, JD, CHC on 1/9/18 7:05 AM

Chemed Corporation, Vitas Hospice Services LLC, and Vitas Healthcare Corporation entered a $75 million settlement with the government to resolve false claims allegations. Vitas, the biggest for-profit provider of hospice services in the nation, allegedly “knowingly submitted or caused to be submitted false claims to Medicare for services to hospice patients who were not terminally ill” between 2002 and 2013. The DOJ also accused Vitas of awarding bonuses to employees based on the number of patients on hospice, regardless of need.

In addition, Vitas was accused of billing Medicare for continuous home care services that were not necessary, not provided, or did not meet Medicare requirements. Like with hospice services, Vitas allegedly set corporate goals for billing continuous home care services, regardless of patient need.

According to the Complaint, “Vitas regularly ignored concerns expressed by its own physicians and nurses regarding whether its hospice patients were receiving appropriate care.” Complaint, page 3. The Complaint also says the company’s own auditors knew of the problem – but changes were not made.


Let’s look at the data

Read More

Topics: Penalties and Enforcement, PEPPER, Auditing and Monitoring, Billing and Claims Submission

Misdirected Fax Leads to $387,200 HIPAA Settlement

Posted by Scott Gima on 5/31/17 7:00 AM

On September 12, 2014, the OCR received a complaint alleging that the Spencer Cox Center disclosed sensitive PHI information including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse. St. Luke’s-Roosevelt Hospital Center Inc., which operates the Spencer Cox Center, entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations and has paid a $387,200 fine.

A Simple Mistake?

The OCR investigation found that St. Luke’s disclosed PHI of two patients by faxing PHI to the employer of one patient and faxing PHI to an office where the second patient volunteered. The OCR stated that St. Luke’s failed to reasonably safeguard the patients’ PHI from “intentional or unintentional disclosure.”

The OCR’s resolution agreement requires St. Luke’s to:

  • Review and if necessary, revise, its policies and procedures concerning the uses and disclosures of PHI including mailing, faxing or other electronic PHI transmission.
  • Distribute the policies and procedures to new hires and current employees, and obtain a signed compliance certification from each workforce member.
  • Assess, update and revise the policies and procedures at least annually.
  • Review and revise training programs pertaining to the safeguarding of PHI.
  • Train new and existing employees on PHI safeguards.
  • Review training at least annually and when there are updates needed to address changes in Federal law or HHS guidance, or any issues discovered during internal audits or reviews.
  • Block PHI access to any employees that has not certified receipt of safeguarding PHI policies and procedures.

This Has Happened Before

In 2010, a St. Louis man filed a lawsuit alleging that Quest wrongfully disclosed his HIV status when it faxed his lab results to his employer. The patient’s doctor wrote the patient’s work fax number on a lab order, so that office staff could fax the order to the patient at work. The patient took the order to Quest, who ran the labs, and faxed the results to the patient at work. Quest mistakenly believed the fax number was written on the order so that Quest would fax the results to the patient’s employer. Six months after the fax was received, the patient was terminated.

The doctor argued that the lab results did not reveal the patient’s HIV status. And, the employer claimed it already knew the patient was HIV positive, and terminated his employment for financial reasons.

Still, Quest had to pay to defend this lawsuit. It is easy to imagine the dire consequences when a fax is misdirected, especially when that fax contains sensitive information.

Could This Happen To You?

The OCR resolution agreement provides a roadmap for all providers to address similar issues. This settlement is one example of how a mistake can lead to a hefty HIPAA fine. Use your HIPAA Security Risk Analysis process, plus HIPAA Walk-Through audits, to identify areas where your employees could be making inadvertent or sloppy mistakes that could jeopardize patient confidentiality.


Read More

Topics: Penalties and Enforcement, HIPAA

DOJ Announces Biggest Health Care Fraud Case Against Individuals

Posted by Margaret Scavotto, JD, CHC on 8/8/16 6:00 AM

The DOJ recently announced the biggest criminal health care fraud case ever to be brought against individuals. The DOJ filed conspiracy, obstruction, money laundering, and health care fraud charges against an owner of 30+ nursing homes, a hospital administrator, and a physician's assistant.

These three individuals are accused of defrauding the Medicare and Medicaid programs of $1 billion.

Yes, you read that right: 3 people. $1 billion.

The DOJ alleges that these three individuals billed Medicare and Medicaid for medically unnecessary skilled nursing services. They are also accused of taking illegal kickbacks from other providers, who in turn rendered medically unnecessary services to these patients.

This example hopefully seems egregious, but should have even the most ethically-minded compliance officers asking: 

Do we know the claims we submit to Medicare and Medicaid are medically necessary?

How do we know?

Can we prove it?

Your compliance auditing program can help you verify your claims are reasonable and appropriate:

  • Conduct medical necessity audits of your claims and medical records. If this task seems burdensome, start with a small sample size and a quarterly audit, and work up to monthly audits with a larger sample size.
  • Use the results of the medical necessity audits to provide documentation education to your staff.
  • Monitor your PEPPER data at least quarterly, conducting chart reviews where warranted.

compliance risk assessment annual review

Read More

Topics: Penalties and Enforcement

Breaking Compliance News: False Claims Act penalties double

Posted by Margaret Scavotto, JD, CHC on 7/8/16 3:53 PM

On June 30, the Department of Justice passed an interim final rule that gave False Claims Act penalties a big raise. Here's what you need to know:

Read More

Topics: Compliance Basics, Penalties and Enforcement

HIPAA Hazard: The $750,000 Business Associate Agreement

Posted by Margaret Scavotto, JD, CHC on 4/21/16 10:42 AM

Yesterday, the Office of Civil Rights (OCR) announced a $750,000 HIPAA Privacy Rule settlement with an orthopedic practice that failed to enter a business associate agreement (BAA) with a business associate.

The Hazard.

A breach report revealed that the orthopedic practice gave x-ray information for more than 17,000 patients to a company that transfers x-ray images to electronic media, and then harvests the silver on the x-ray films. The problem with this arrangement is that the electronic media company had access to the practice's PHI - and yet there was not a business associate agreement in place.

Silos are for farmers - not health care organizations.

While we don't know how this particular problem happened, often these types of HIPAA violations occur when officers and managers work in "silos:" without talking to each other. For example, a new employee in the medical records department releases records without a proper authorization, because they didn't think to ask the Privacy Officer what to do. Or, IT and the Administrator decide to buy CNA kiosks, without discussing encryption and other security measures with the Security Officer. Or, a department head sends PHI out for storage or processing without asking the Privacy Officer for a BAA.

What You Can Do.


  • Remove silos. Structure your contracting and purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, recognize that individuals making changes to technology or processes need to communicate changes to your HIPAA and compliance officers, so risk can be assessed and management programs can be implemented.
  • Use your compliance committee meetings wisely. Does your compliance committee meet quarterly, and listen while the compliance officer reads the meeting agenda? If there's no discussion, you have a missed opportunity. Use these meetings to share information about emerging risks and upcoming contracts and deals. By getting committee members in the habit of including each other in big decisions, you can avoid costly communication breakdowns. 
  • Implement a BAA management system. Are you confident that all business associates have an up-to-date BAA in place? There should be a spreadsheet inventory of every business associate, and the date the BAA was in place. Also use a business associate due diligence process to monitor business associates' HIPAA practices and ensure your PHI is safe.

For more information on how to break down silos and improve compliance processes, click here.

Free  HIPAA Checklist

Read More

Topics: Penalties and Enforcement, HIPAA

    Privacy Policy           Terms of Use