Breaking Compliance News Blog

Compliance lessons from recent fraud cases

Posted by Scott Gima on 7/20/22 9:15 AM

 

Outlier billing patterns will get you noticed!

A New York ENT physician was convicted of filing false claims with Medicare and Medicaid. The physician submitted claims totaling about $585,000 to Medicare and Medicaid and was paid roughly $191,000.

The fraudulent act was upcoding ear exams or ear wax removal to an incision procedure of the external ear. An analysis of Medicare and Medicaid data identified this physician's billing as an outlier; the physician was found to be the highest biller for this procedure in the State of New York.

Compliance lesson: Enforcement agencies are actively using data analytics to identify, investigate and prosecute providers with unusual billing activity – and so should you. Audit your claims regularly to identify potential false claims, so they can be corrected and/or reported.

 

Mole billing fraud scheme totals $4.1 million in false claims over 7 years

The second case involves a Chicago physician who conducted cancer screenings on moles that were removed from his patients. The US Attorney’s office in the Northern District of Illinois recently filed charges in the US District Court in Chicago. The press release includes the allegation that the physician removed more moles from patients than was medically necessary, totaling $4.1 million in fraudulent payments between 2015 and 2021.

But how does a simple case of removing one mole but billing for removing multiple moles lead to $4.1 million? Well, it turns out that the scheme was, shall we say, creative. Here is what was included in the charge document:

  • More moles were removed than were medically necessary
  • If multiple moles were removed from one area of the body, false documentation would be created to indicate that the moles were removed from different areas of the body
  • When multiple moles were removed from a patient, the specimens would not be submitted immediately to pathology
  • The practice would instead submit one specimen at a time to pathology on different days
  • False documentation was created to show the removal of a single mole on different visits
  • Some of the fraudulent visits were submitted on days when the physician was out of town
  • Fraudulent documentation was submitted in response to Medicare audits

That is how you collect $4.1 million in false claims over a seven-year period.

Compliance Lesson: Examples like this fall into the category of “truth is stranger than fiction.” It is impossible to draft policies and train staff for every possible compliance risk scenario. The goal of an effective compliance program is to train employees and staff to trust their instincts – if something does not seem right, notify the compliance officer directly or anonymously.

 


Topics: Penalties and Enforcement, Billing and Claims Submission

BREAKING NEWS: CMS TO ENFORCE SNF COMPLIANCE IN OCTOBER

Posted by Margaret Scavotto & Scott Gima on 6/29/22 8:09 PM

Today, CMS issued new and revised guidance for long-term care surveyors. This guidance includes the following updates:
  • Clarifications and technical corrections of Phase 2 guidance issued in 2017
  • New guidance for Phase 3 requirements that went into effect November 28, 2019
  • Arbitration requirements and guidance which went into effect September 16, 2019
  • Changes to the Psychosocial Severity Guide
The new guidance for Phase 3 requirements includes the long-awaited F-Tag F895: Compliance and Ethics Programs.
 
In addition to the surveyor guidance, CMS has posted training on the new compliance guidance for surveyors, and the updated State Operations Manual provisions related to F895 (Appendix PP). Here’s what you need to know:
 

ENFORCEMENT

CMS will begin reviewing nursing home Compliance and Ethics programs via survey on October 24, 2022.
 

WHAT ABOUT THE PROPOSED RULE?

The State Operations Manual uses the original Compliance and Ethics Programs rule that was issued as part of Phase 3 – not the proposed rule. Nursing homes should make sure their compliance programs are built to the original rule (plus OIG guidance). MPA has summarized the requirements for you below.
 

NURSING HOME COMPLIANCE REQUIREMENTS

All nursing homes must have the following:
  • Written compliance and ethics policies and procedures that:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Policies and procedures communicated to all staff, contractors, and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review. 
Organizations with five or more facilities must also have:
  • A mandatory annual compliance training program, and
  • A compliance officer who reports directly to the governing body, with designated compliance liaisons at each site
(For a comprehensive list of requirements, please see 42 CFR 483.85).
 

WHAT ELSE IS IN THE GUIDANCE?

The CMS guidance also addresses other Phase 2 and Phase 3 provisions of the long-term care regulations. You can read the other changes here.
 

IF YOU NEED HELP

MPA is ready to help you meet these compliance and ethics requirements. MPA has nursing home compliance programs available for download on our store.
 
And, we can review your existing compliance program, or do your annual review. Reply to this email for more information.


Topics: Penalties and Enforcement, Affordable Care Act, compliance, surveys

HIPAA Nightmare: Dentist tells patient to Get a Life

Posted by Margaret Scavotto, JD, CHC on 4/28/22 9:00 AM

Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.

 

The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.

 

The dentist’s response to the patient’s review stated:

 

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don't have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it's obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.

 

Lessons to be Learned

The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.

Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers big and small can be investigated. In this instance, this was not a large provider.

Lastly, if you are unsure of what needs to be in place to comply with HIPAA to protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations.” These obligations can be used as a checklist to evaluate your current privacy rule practices. Here are some (but not all) key requirements:

  • Policies and procedures that comply with the Privacy Rule.
  • The policies should cover the following:
    • Permissible and impermissible uses and disclosures of PHI
    • Administrative, technical and physical safeguards to protect the privacy of PHI
  • Privacy authorization form
  • A Notice of Privacy Practices – that lists the way PHI is used on social media
  • Provider contact to address Privacy issues – usually the designation of a Privacy Officer
  • Internal reporting mechanisms of possible violations
  • Policies that address corrective action of privacy policy violations
  • Privacy practice employee training


Topics: Penalties and Enforcement, HIPAA, Social Media

The Opioid Reckoning Has Just Begun

Posted by Margaret Scavotto, JD, CHC on 11/12/20 10:30 AM

 

Every few days, we see criminal charges brought against physicians and other individuals who provided controlled substances without a medical need; without a proper medical visit or exam; or in exchange for kickbacks or bribes.

On October 21, we had big news from the Department of Justice: settlements with Purdue Pharma and the Sackler family. Purdue Pharma, a pharmaceutical company primarily owned by the Sackler family, is most well-known for its opioid product OxyContin.

State, private, and federal lawsuits have increasingly been filed against opioid manufacturers, and many in the healthcare industry expected to see enforcement involving Purdue and the Sacklers. Here’s what happened in October:


Topics: Penalties and Enforcement, Opioids, compliance

HIPAA ALERT: OCR CRACKS DOWN ON PATIENT RIGHTS VIOLATIONS

Posted by Margaret Scavotto, JD, CHC on 10/13/20 10:15 AM

On September 15, 2020, the Office for Civil Rights (OCR) announced five settlements with providers who were accused of failing to comply with HIPAA’s right of access requirements. On October 7th, the OCR announced another patient rights settlement, which is the eighth HIPAA Right of Access Initiatives settlement to date. And on October 9th, the ninth settlement was announced (two Right of Access settlements were announced early in 2019 and 2020).

The Privacy Rule requires covered entities to respond to patients’ requests to inspect or obtain a copy of their medical records within 30 days. In some circumstances, the provider may extend this timeframe by 30 days – but it must let the patient know of the delay within the original 30-day period.

The new settlements involved:


Topics: Penalties and Enforcement, HIPAA, compliance

Be a compliance expert in 2020.

Posted by Margaret Scavotto, JD, CHC on 1/28/20 8:30 AM

MPA scours OIG and OCR enforcement updates and news so that you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code StayInformed to save 25% off the price when you sign up.  

You can read a sample report here.


Topics: Compliance Basics, Penalties and Enforcement, OIG compliance resources

DOJ cracking down on nursing homes

Posted by Margaret Scavotto, JD, CHC on 11/5/19 8:15 AM

The Department of Justice (DOJ) aims to use its Elder Justice Initiative to pursue more criminal charges in nursing home investigations. Typically, the DOJ uses civil lawsuits to pursue False Claims Act violations against nursing homes. Toni Bacon, a DOJ associate deputy general, explains the shift: "We need to go after cases civilly because they [are] providing grossly substandard care and, in the appropriate case, refer it for a parallel criminal prosecution."


Topics: Penalties and Enforcement, compliance

OIG Launches Compliance Resources Portal

Posted by Margaret Scavotto, JD, CHC on 5/1/18 6:58 AM

At the HCCA Compliance Institute held in Las Vegas April 15-18, Keynote Speaker and HHS Inspector General Dan Levinson announced the OIG's new Compliance Resources Portal.

Now, compliance officers can find all of the OIG’s compliance resources on one page.

The resources include:

  1. Toolkits
  2. Provider Compliance Resources and Training*
  3. Advisory Opinions
  4. Voluntary Compliance and Exclusions Resources
  5. Special Fraud Alerts, Other Guidance, and Safe Harbor Regulations
  6. Resources for Health Care Boards
  7. Resources for Physicians
  8. Accountable Care Organizations

 * Compliance Program Guidance is housed here.

 Soon, the OIG will be posting a new resource: the OIG Toolkit to Identify Patients at Risk of Opioid misuse.

 If you are looking for criminal, civil or state enforcement actions, civil monetary penalties, exclusions or corporate integrity agreement enforcement, those updates are still located under the Fraud tab.

 


Topics: Compliance Basics, Penalties and Enforcement, OIG compliance resources

The government is monitoring your claims data. Are you?

Posted by Margaret Scavotto, JD, CHC on 1/9/18 7:05 AM

Chemed Corporation, Vitas Hospice Services LLC, and Vitas Healthcare Corporation entered a $75 million settlement with the government to resolve false claims allegations. Vitas, the biggest for-profit provider of hospice services in the nation, allegedly “knowingly submitted or caused to be submitted false claims to Medicare for services to hospice patients who were not terminally ill” between 2002 and 2013. The DOJ also accused Vitas of awarding bonuses to employees based on the number of patients on hospice, regardless of need.

In addition, Vitas was accused of billing Medicare for continuous home care services that were not necessary, not provided, or did not meet Medicare requirements. Like with hospice services, Vitas allegedly set corporate goals for billing continuous home care services, regardless of patient need.

According to the Complaint, “Vitas regularly ignored concerns expressed by its own physicians and nurses regarding whether its hospice patients were receiving appropriate care.” Complaint, page 3. The Complaint also says the company’s own auditors knew of the problem – but changes were not made.

 

Let’s look at the data


Topics: Penalties and Enforcement, PEPPER, Auditing and Monitoring, Billing and Claims Submission

Misdirected Fax Leads to $387,200 HIPAA Settlement

Posted by Scott Gima on 5/31/17 7:00 AM

On September 12, 2014, the OCR received a complaint alleging that the Spencer Cox Center disclosed sensitive PHI information including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse. St. Luke’s-Roosevelt Hospital Center Inc., which operates the Spencer Cox Center, entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations and has paid a $387,200 fine.

A Simple Mistake?

The OCR investigation found that St. Luke’s disclosed PHI of two patients by faxing PHI to the employer of one patient and faxing PHI to an office where the second patient volunteered. The OCR stated that St. Luke’s failed to reasonably safeguard the patients’ PHI from “intentional or unintentional disclosure.”

The OCR’s resolution agreement requires St. Luke’s to:

  • Review and if necessary, revise, its policies and procedures concerning the uses and disclosures of PHI including mailing, faxing or other electronic PHI transmission.
  • Distribute the policies and procedures to new hires and current employees, and obtain a signed compliance certification from each workforce member.
  • Assess, update and revise the policies and procedures at least annually.
  • Review and revise training programs pertaining to the safeguarding of PHI.
  • Train new and existing employees on PHI safeguards.
  • Review training at least annually and when there are updates needed to address changes in Federal law or HHS guidance, or any issues discovered during internal audits or reviews.
  • Block PHI access to any employee who has not certified receipt of safeguarding PHI policies and procedures.

This Has Happened Before

In 2010, a St. Louis man filed a lawsuit alleging that Quest wrongfully disclosed his HIV status when it faxed his lab results to his employer. The patient’s doctor wrote the patient’s work fax number on a lab order, so that office staff could fax the order to the patient at work. The patient took the order to Quest, who ran the labs, and faxed the results to the patient at work. Quest mistakenly believed the fax number was written on the order so that Quest would fax the results to the patient’s employer. Six months after the fax was received, the patient was terminated.

The doctor argued that the lab results did not reveal the patient’s HIV status. And, the employer claimed it already knew the patient was HIV positive, and terminated his employment for financial reasons.

Still, Quest had to pay to defend this lawsuit. It is easy to imagine the dire consequences when a fax is misdirected, especially when that fax contains sensitive information.

Could This Happen To You?

The OCR resolution agreement provides a roadmap for all providers to address similar issues. This settlement is one example of how a mistake can lead to a hefty HIPAA fine. Use your HIPAA Security Risk Analysis process, plus HIPAA Walk-Through audits, to identify areas where your employees could be making inadvertent or sloppy mistakes that could jeopardize patient confidentiality.

 


Topics: Penalties and Enforcement, HIPAA
