Breaking Compliance News Blog

Compliance lessons from recent fraud cases

Posted by Scott Gima on 7/20/22 9:15 AM


Outlier billing patterns will get you noticed!

A New York ENT physician was convicted of filing false claims with Medicare and Medicaid. The physician submitted claims totaling about $585,000 to Medicare and Medicaid and was paid roughly $191,000.

The fraudulent act was upcoding of ear exams or ear wax removal to an incision procedure of the external ear. An analysis of Medicare and Medicaid data identified this physician’s billing as an outlier; the physician was found to be the highest biller for this procedure in the State of New York.

Compliance lesson: Enforcement agencies are actively using data analytics to identify, investigate and prosecute providers with unusual billing activity – and so should you. Audit your claims regularly to identify potential false claims, so they can be corrected and/or reported.


Mole billing fraud scheme totals $4.1 million in false claims over 7 years

The second case involves a Chicago physician who conducted cancer screenings on moles that were removed from his patients. The US Attorney’s office in the Northern District of Illinois recently filed charges in the US District Court in Chicago. The press release includes the allegation that the physician removed more moles from patients than was medically necessary, totaling $4.1 million in fraudulent payments between 2015 and 2021.

But how does a simple case of removing one mole but billing for removing multiple moles lead to $4.1 million? Well, it turns out that the scheme was, shall we say, creative. Here is what was included in the charge document:

  • More moles were removed than were medically necessary
  • If multiple moles were removed from one area of the body, false documentation would be created to indicate that the moles were removed from different areas of the body
  • When multiple moles were removed from a patient, the specimens would not be submitted immediately to pathology
  • The practice would instead submit one specimen at a time to pathology on different days
  • False documentation was created to show the removal of a single mole on different visits
  • Some of the fraudulent visits were submitted on days when the physician was out of town
  • Fraudulent documentation was submitted in response to Medicare audits

That is how you collect $4.1 million in false claims over a seven-year period.

Compliance Lesson: Examples like this fall into the category of “truth is stranger than fiction.” It is impossible to draft policies and train staff for every possible compliance risk scenario. The goal of an effective compliance program is to train employees and staff to trust their instincts – if something does not seem right, notify the compliance officer directly or anonymously.


How well is your compliance program performing?

Find out with MPA's compliance program assessments.


Topics: Penalties and Enforcement, Billing and Claims Submission


Posted by Margaret Scavotto & Scott Gima on 6/29/22 8:09 PM

Today, CMS issued new and revised guidance for long-term care surveyors. This guidance includes the following updates:
  • Clarifications and technical corrections of Phase 2 guidance issued in 2017
  • New guidance for Phase 3 requirements that went into effect November 28, 2019
  • Arbitration requirements and guidance which went into effect September 16, 2019
  • Changes to the Psychosocial Severity Guide
The new guidance for Phase 3 requirements includes the long-awaited F-Tag F895: Compliance and Ethics Programs.
In addition to the surveyor guidance, CMS has posted training on the new compliance guidance for surveyors, and the updated State Operations Manual provisions related to F895 (Appendix PP). Here’s what you need to know:


CMS will begin reviewing nursing home Compliance and Ethics programs via survey on October 24, 2022.


The State Operations Manual uses the original Compliance and Ethics Programs rule that was issued as part of Phase 3 – not the proposed rule. Nursing homes should make sure their compliance programs are built to the original rule (plus OIG guidance). MPA has summarized the requirements for you below.


All nursing homes must have the following:
  • Written compliance and ethics policies and procedures that:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Policies and procedures communicated to all staff, contractors, and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review. 
Organizations with five or more facilities must also have:
  • A mandatory annual compliance training program, and
  • A compliance officer who reports directly to the governing body, with designated compliance liaisons at each site
(For a comprehensive list of requirements, please see 42 CFR 483.85).


The CMS guidance also addresses other Phase 2 and Phase 3 provisions of the long-term care regulations. You can read the other changes here


MPA is ready to help you meet these compliance and ethics requirements. MPA has nursing home compliance programs available for download on our store.
And, we can review your existing compliance program, or do your annual review. Reply to this email for more information.


Topics: Penalties and Enforcement, Affordable Care Act, compliance, surveys

HIPAA Reminder: Paper Still Counts

Posted by Margaret Scavotto, JD, CHC on 6/21/22 11:40 AM

Lately, my inbox is flooded with warnings, reminders, and webinars about cybersecurity. Rightly so: cyberattacks are on the rise, and healthcare remains the #1 target. At MPA, we recently updated our HIPAA Security Risk Analysis, and we carefully documented every source of electronic PHI.

But: Paper still counts.

With so much of our effort focused on cybersecurity and electronic PHI, we can’t lose sight of the risks posed by paper PHI. For example:

  • A patient went to the emergency department at a hospital to get her blood pressure checked. While there, her nurse wrote down the blood pressure result on a piece of paper. The patient noticed that the other side of the paper listed another patient’s name, number, address, and positive HIV status. 
  • A health system “became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization.” 

In the HIPAA world, paper PHI still counts! Make sure your HIPAA security risk analysis and mitigation plan include paper PHI in addition to electronic PHI.

  • Remember:

Topics: HIPAA, security, privacy

“That’s so cute!” (if there’s a HIPAA authorization)

Posted by Margaret Scavotto, JD, CHC on 6/14/22 11:17 AM


Are you on TikTok?
I’m not (although I hear it’s worth it for the air fryer recipes).
But everyone else is, including an increasing number of healthcare professionals and healthcare providers.
Social media use increased during the early pandemic days as a way to connect with the world from inside locked down facilities. It also brings a healthy dose of levity.
For example:
  • A nursing home’s videos of residents enjoying therapy dogs Floyd and Loki went viral on TikTok. 
  • Last Thanksgiving, one nursing home’s TikTok video of the administrator dressed as a Thanksgiving turkey went viral. 
  • In a Scotland nursing home, a 102-year-old resident’s daily exercise dance routine – done with two nurses – was posted to TikTok. In the video, the resident and two of his caregivers are seen dancing. The home claims the videos “have been a great way to get the residents up and moving, and they’ve loved taking part.”
I love these videos! They are so cute. And they are okay to use – IF the patients signed a valid HIPAA authorization before the videos were taken.
Without a HIPAA authorization, the cute factor fades, and we are left with a potential HIPAA breach to investigate.
Thinking of going viral? Have fun – but make sure everyone involved understands the HIPAA consequences.

What you can do:


Topics: Training and Education, HIPAA, Social Media, security, privacy

Last Chance: Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 6/7/22 12:03 PM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course


Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Cold Hard HIPAA Stats: Where Do You Stand?

Posted by Scott Gima on 5/25/22 1:15 PM

HIPAA risks change constantly – and so must our response to them. The latest HIPAA statistics reveal how HIPAA risk is shifting (and increasing):


Topics: HIPAA, security

Subscribe to MPA’s Compliance Newsletter and Stay on Top of Compliance

Posted by Margaret Scavotto, JD, CHC on 5/25/22 8:45 AM

MPA scours OIG, DOJ, FBI, OSHA, & OCR updates so you don't have to.

We summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.

Read MPA’s News Report to stay current with compliance news and developments. Then, forward the News Report (or excerpts) to your Board, Compliance Committee, and management team, to keep them informed with little effort. MPA’s clients use the News Report to find ideas for compliance and HIPAA training, and identify areas where policies or audits are needed.

This month’s issue includes:

  • A summary of the 33 OIG health care fraud enforcement cases announced last month
  • Examples of False Claims, Kickback, opioid, and state enforcement from last month
  • Items added to the OIG Work Plan  
  • The latest OIG Advisory Opinion
  • OSHA update
  • Four new HIPAA enforcements, including a dentist who told a patient to "Get a life" in response to an online review
  • The end of multiple COVID-19 PHE waivers for SNFs
  • The DOJ's first settlement under its Civil Cyber-Fraud Initiative
  • Biden's Cyber Incident Reporting Act, which will require health care providers to notify CISA of cyber incidents within 72 hours
  • Telehealth for 151 more days
  • ... and more!
  • You can read a sample report here

Price: $25/month

Cancel any time.


Topics: Training and Education, compliance

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course


Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Compliance Lessons from the Phillies: Own Your Mistakes and We’ve Got Your Back

Posted by Scott Gima on 5/17/22 8:45 AM

Alec Bohm, a third overall pick in the 2018 draft, is playing his third season with the Phillies. On April 11, against the Mets, Bohm was playing third base and committed three throwing errors early in the game. In the second inning, the Philadelphia fans mockingly cheered Bohm after a clean fielding play for an out. While Bohm was walking back to third base, the TV broadcast captured him telling shortstop Didi Gregorius, “I ****ing hate this place.”

Wow. Was he talking about the fans, the city, the situation right then and there? This is one of those “fork in the road” events that could turn a young player with a promising career into an exiled player. Just give social media the chance. The Phillies came back from a 4-run deficit to win the game with five runs in the 8th, which ironically started off with a walk to Bohm. But the comeback was clearly not the story of the game. In the clubhouse after the game, the reporters gathered around Bohm to hear what he had to say. Keep in mind that the video of what Alec Bohm said to his shortstop was not 100% clear. This is what he had to say:


Topics: compliance

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.


Topics: HIPAA, security
