Breaking Compliance News Blog

Scott Gima

Recent Posts

Compliance lessons from recent fraud cases

Posted by Scott Gima on 7/20/22 9:15 AM

 

Outlier billing patterns will get you noticed!

A New York ENT physician was convicted of filing false claims with Medicare and Medicaid. The physician submitted claims totaling about $585,000 to Medicare and Medicaid and was paid roughly $191,000.

The fraudulent act was upcoding of ear exams or ear wax removal to an incision procedure of the external ear. An analysis of Medicare and Medicaid data identified this physician’s billing was an outlier and was found to be the highest biller for this procedure in the State of New York. 

Compliance lesson: Enforcement agencies are actively using data analytics to identify, investigate and prosecute providers with unusual billing activity – and so should you. Audit your claims regularly to identify potential false claims, so they can be corrected and/or reported.

 

Mole billing fraud scheme totals $4.1 million in false claims over 7 years

The second case involves a Chicago physician who conducted cancer screenings on moles that were removed from his patients. The US Attorney’s office in the Northern District of Illinois recently filed charges in the US District Court in Chicago. The press release includes the allegation that the physician removed more moles from patients than was medically necessary, totaling $4.1 million in fraudulent payments between 2015 and 2021.

But how does a simple case of removing one mole but billing for removing multiple moles leads to $4.1 million? Well, it turns out that the scheme was, shall we say, creative. Here is what was included in the charge document:

  • More moles were removed that were medically necessary
  • If multiple moles were removed from one area of the body, false documentation would be created to indicate that the moles were removed from different areas of the body
  • When multiple moles were removed from a patient, the specimens would not be submitted immediately to pathology
  • The practice would instead submit one specimen at a time to pathology on different days
  • False documentation was created to show the removal of a single mole on different visits
  • Some of the fraudulent visits were submitted on days when the physician was out of town
  • Fraudulent documentation was submitted in response to Medicare audits

That is how you collect $4.1 million in false claims over a seven-year period.

Compliance Lesson: Examples like this fall into the category of “truth is stranger than fiction.” It is impossible to draft policies and train staff on for every possible compliance risk scenario. The goal of an effective compliance program is to train employees and staff to trust their instincts – if something does not seem right, notify the compliance officer directly or anonymously.

 

How well is your compliance program performing?

Find out with MPA's compliance program assessments.

Learn more.

Read More

Topics: Penalties and Enforcement, Billing and Claims Submission

Cold Hard HIPAA Stats: Where Do You Stand?

Posted by Scott Gima on 5/25/22 1:15 PM

HIPAA risks change constantly – and so must our response to them. The latest HIPAA statistics reveal how HIPAA risk is shifting (and increasing):

Read More

Topics: HIPAA, security

Compliance Lessons from the Phillies: Own Your Mistakes and We’ve Got Your Back

Posted by Scott Gima on 5/17/22 8:45 AM

Alec Bohm, a third overall pick in the 2018 draft, is playing his third season with the Phillies. On April 11, against the Mets, Bohm was playing third base and committed three throwing errors early in the game. In the second inning, the Philadelphia fans mockingly cheered Bohm after a clean fielding play for an out. While walking back to third base, the TV broadcast captures Bohm telling shortstop Didi Gregorius, “I ****ing hate this place.”

Wow. Was he talking about the fans, the city, the situation right then and there? This is one of those “fork in the road” events that could turn a young player with a promising career into an exiled player. Just give social media the chance. The Phillies came back from a 4-run deficit to win the game with five runs in the 8th, which ironically started off with a walk to Bohm. But the comeback was clearly not the story of the game. In the clubhouse after the game, the reporters gathered around Bohm to hear what he had to say. Keep in mind that the video of what Alec Bohm said to his shortstop was not 100% clear. This is what he had to say:

Read More

Topics: compliance

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.

Read More

Topics: HIPAA, security

What the Russia-Ukraine Conflict Means for Your Cybersecurity

Posted by Scott Gima on 3/22/22 8:15 AM

 

I recently had a conversation with Scott Wolff, President and owner of LanServ, a St. Louis IT and managed service provider. Scott was a recent guest expert for a MPA webinar that discussed HIPAA Security Risk Assessment and cybersecurity.

I asked Scott if there has been an increase in cyber threat activity as a result of the Russian invasion of Ukraine. Surprisingly, Scott has so far found a significant decrease in hacker activity with his clients. Maybe all the hackers are focused on Russia and Ukraine, but regardless of the reason, it is very easy for organizations to let their guard down.

Coincidently, the same thing was discussed earlier this week with some members of Congress who received a briefing on the elevated Russia cyber threat to the US. Former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs led the briefing which was closed to the public. The Washington Post was able to speak to Krebs after the briefing. He is worried about complacency. He told the Post “We have been talking with some alarm for weeks, if not months, about the potential Russian threat and fatigue is real and the desensitization to ongoing activities that are happening elsewhere is real.”

Krebs also stated: “the Russian cyberthreat as especially elevated now because Putin has already demonstrated he’s willing to cross Western red lines by invading Ukraine.”

I agree with Krebs. Just because cyberattacks have not yet occurred against the United States, organizational efforts to improve cybersecurity should continue and be responsive to new threats. This is especially true for critical infrastructure entities including health care providers.

I asked Scott Wolff, President/Director of IT Operations for LanServ, Inc., for his take on the situation:

The current reduction in cyber security events started a few weeks ago, and appears to coincide with the Russian invasion of Ukraine.  To many of us this may provide a much needed break from responding to the high volume increase in cyber security events over the last few years, and thus take the time to kick back and breathe a little bit. 

However, I am approaching this temporary reduction in events as a “quiet before the storm scenario.”  Currently, I am spending even more time than normal implementing additional security measures, as well as learning from the Russian cyber-attacks against Ukraine to build future cyber defenses should these same cyber-attacks be used against us.  There is no better time than now to assess your overall network system security, and user password hygiene before the storm potentially heads back this way.

What you can do

Discuss cyber threats with your IT team or managed service provider. The Cybersecurity and Infrastructure Security Agency (CISA) provides security updates and free resources. With a high threat level, now is the perfect time to update your HIPAA Security Risk Analysis.

Need more HIPAA help? MPA can help with t he HIPAA Security Risk Analysis.

Read More

Topics: HIPAA, security, compliance

Healthcare Provider Ransomware Risk is Elevated – What Do We Do???

Posted by Scott Gima on 11/5/20 10:00 AM

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

Read More

Topics: HIPAA, data breach, security, compliance

Protect your organization from skyrocketing COVID cyber scams

Posted by Scott Gima on 4/30/20 11:00 AM

Google’s Threat Analysis Group (TAG) is responsible for identifying online vulnerabilities and threats. The Group released a report on April 22, 2020 that describes their latest information on COVID-19 related threats. This report provides a timely reminder that cybersecurity concerns continue and everyone must remain cautious and vigilant with their email accounts.

COVID-19 Themed Attacks

In April, Google has detected 18 million COVID-19 related malware and phishing Gmail messages per day and more than 240 million COVID-related daily spam messages. If you use Gmail, 99.9% of these messages never reach your inbox. The TAG has found that these attacks are government sponsored. They have identified over a dozen government-backed attacker groups using COVID-19 related topics.

Type of Attacks

The attack tools are no different from what has been used in the past; phishing emails that lure you to click malicious links or download files that contain malware. Google provided the following examples:

Free meals and coupons in response to COVID-19.

Links to malicious websites disguised as online ordering and delivery options, where the recipient is asked to provide their Google account credentials.

Emails that impersonate the World Health Organization:


Emails luring users who may be working from home:


Stimulus package theme:



Best Practices Reminder

These types of attacks are not limited to Gmail and everyone must be vigilant with all email accounts, work and personal. For all your accounts, users should:

  • Never download file attachments - or, verify an email attachment with the recipient by voice or text before downloading – this is an old-fashioned version of two-factor authentication.
  • Don’t click on an email link. An alternative safe option is to go directly to the web-page or google the target described in the link. For example, if it is an email from your bank that could be legitimate, open a new browser page and type in the website or search for the website.
  • If possible, use or activate two-factor authentication.

MPA can help with your HIPAA Security Risk Analysis - contact me today to learn more.

Read More

Topics: HIPAA, security, COVID-19

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM

 

Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, The OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people; the largest health data breach in history. So what is the big deal? Or more importantly, what are the lessons to be learned from this breach? There are several.

Read More

Topics: HIPAA, Social Media

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 

 

The first attack shut down computers for three weeks while the center rebuilt its systems from backups, and did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.

Read More

Topics: HIPAA, data breach, security

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM

 

The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities               were identifying alarming activities that suggested that an attack was potentially coming to the United                 States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet,         the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning             lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are                     penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets       in the United States. The targets range from U.S. businesses to the federal government (including our               military), to state and local governments, to academic and financial institutions and elements of our critical         infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine       our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.

If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:

  • Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
  • Implementing policies and procedures to guard against and detect malicious software
  • User training so staff can assist in detecting and report attacks
  • Implementing access controls to limit access to ePHI to only persons or software programs requiring access.

 

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: HIPAA, data breach, security

    Privacy Policy           Terms of Use