Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Providers: Your Business Associates Could Cost You Millions

HIPAAHealthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are non-covered-HIPAA entities that require access to protected health information (PHI) to perform services for covered entities, often a contractor or subcontractor. The hospital’s policies failed to ensure the business associate adequately protected consumer’s PHI.

While HIPAA applies to certain covered entities, those entities must also ensure that any business associates also adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules.

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to protect safeguard private healthcare information, we can help. Please contact Jonathan Anderson at or 678.325.3872.

60 Day Overpayment Questions Answered – CMS Releases Final Rule

Calendar CMSThe Centers for Medicare & Medicaid Services (CMS) published the Final 60 Day Overpayment Rule on Thursday, four years after the initial rule was released.

This Final Rule clarifies application of the 60-day reporting requirements instituted pursuant to the Affordable Care Act. Under the 60-day Overpayment Rule Medicare providers must report and return overpayments within 60 days of when an overpayment is identified (or the cost report due date, when applicable).

Prior to the publication of the Final Rule, there was much speculation, and interpretation by courts as to how to define “Identification.” This definition is important because when an overpayment has been “identified” as provided in the law, the 60 day clock starts ticking and the deadline for reporting and repayment is set.

Key Clarifications On Overpayment

The Final Rule provides a key addition in how “identification” is defined by adding that an overpayment is “identified” after such overpayment has been quantified. The Rule also requires that providers exercise “reasonable diligence,” which according to CMS requires “both proactive compliance activities to monitor claims and reactive investigative activities undertaken in response to receiving credible information about a potential overpayment.”

The Final Rule further clarifies that providers have up to 6 months to investigate a possible billing error before the 60-days start to run. This replaces an indefinite requirement set forth in the Proposed Rule that providers act with “all deliberate speed.”

Another noteworthy change in the Final Rule is the stated “look-back period.” In the Proposed Rule, overpayments had to be reported and returned if a person identified the overpayment within ten years of the date the overpayment was received. However, the Final Rule reduces this time frame to six years. This shortened “look-back period” is likely to reduce the administrative burden of complying with the law.

To review the Final Rule in its entirety it is available at here

Need Help?

If you have questions about the overpayment rules or need assistance, we can help you. Please contact Danielle Hildebrand at or 678.325.3872.


Are You Compliant? HHS Issues Guidance & Likely To Continue HIPAA Compliance Scrutiny

HIPAA AuditThe Department of Health and Human Services (HHS) started the year by publishing new HIPAA guidance with respect to patient access to medical records.

While the recent HHS guidance does not add anything new to the regulations, it serves as a reminder to providers of certain provisions in the law. The guidance is intended as a tool to aid individuals in exercising their rights to access their medical records and to help providers ensure HIPAA compliance.

HHS highlighted certain provisions in the HIPAA regulations including provider obligations to respond to a request from a patient within 30 days and provide PHI in an electronic format if requested (assuming the electronic format requested can be readily produced by the provider).

The guidance also reminds providers that covered entities are not required to provide every single record about an individual even if the individual asks. Certain exceptions to a patient’s right to access include:

  • Patients do not have the right to access to information that is not used to make decisions about that individual. For example, certain quality assessment or improvement records, patient safety activity records, or business planning, development and management records that are used for business decisions do not have to be provided to an individual.
  • Individuals do not have a right to access psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.
  • Providers can deny access to certain records if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
  • Patients do not have a right to access certain records compiled in reasonable anticipation of, or for use in, a legal proceeding.

Additionally, providers do not have to create new information, such as explanatory materials or analyses, that does not already exist in the record.

The government’s emphasis on HIPAA is expected to continue with pending audits of covered entities and business associates likely to take place this quarter. Now is the time for healthcare providers to review their policies to ensure that they are complying with the HIPAA regulations.

If you would like to review the HHS guidance it is available at

If you need help ensuring HIPAA compliance, please contact Danielle Hildebrand at or 678.325.3872.



Jonathan Anderson Joins Jeyaram & Associates

Jonathan AndersonPlease help us welcome Jonathan Anderson to our legal team!

Mr. Anderson is an associate attorney specializing in healthcare law. Prior to joining Jeyaram & Associates, Mr. Anderson worked as a legal intern on the Disability Integration Project for the Atlanta Legal Aid Society.

Mr. Anderson provided legal support to individuals with disabilities to help them remain in or move back the community rather than live in institutions. He also worked extensively with state Medicaid waivers including appealing the State’s decisions to terminate benefits of disabled individuals.

Mr. Anderson also served as an intern for the Health Law Partnership (HeLP) which serves clients whom meet certain income requirements and have a treatment relationship with Children’s Healthcare of Atlanta (CHOA). He conducted interviews, drafted briefs for Supplemental Security Insurance, and researched how changes in Supplemental Security Insurance regulations affected HeLP clients.

Legal Expertise

  • Medicaid Waivers
  • Medicare
  • Mediation

Jonathan can be reached at

Jeyaram & Associate Medicaid Fraud Expert Interviewed On “Mostly Medicaid”

Medicaid FraudJeyaram & Associate attorney Kimberly Sheridan was interviewed about Medicaid fraud.

The segment originally aired today on the national site “Mostly Medicaid.”

To hear the interview, click here.


Medicare & Medicaid Deadline For Overpayment Clarified

60 Days Medicaid and Medicare RuleFederal Court Finds Sixty Day Rule Deadline Begins to Run When Put on Notice of Potential Overpayments

When the Affordable Care Act (ACA) was passed, a new requirement for reporting overpayments was created. This new obligation, often referred to as the ‘Sixty Day Rule’ requires providers who receive an overpayment of Medicare or Medicaid funds to “report and return” the overpayment to the government.

According to the statute, an overpayment must be reported and returned within sixty days of the “date on which the overpayment was identified.” Failing to do so is a violation of the False Claims Act.

Although Centers for Medicare and Medicaid Services (CMS) has provided some guidance on when an overpayment is “identified” within the context of Medicare, now a New York Federal Court has weighed in on the meaning and application of the ACA sixty-day rule as it applies to Medicaid.

In a case before a New York Federal Court, the U.S. Department of Justice asserted that a hospital improperly billed Medicaid in 2009 and 2010 and violated the FCA by delaying the return of overpayments. Such overpayments were the result of a billing system software glitch. The case was brought with the assistance of a former employee who had investigated the issue. Such employee had provided to hospital administrators a list of around 900 claims that were likely affected by the glitch which was subsequently ignored by the hospital.

The Court had to decide how to define the key term in the statute – “identified.” In the case, the former employee had not conclusively proven the identity of any overpayments. As it turned out, hundreds of the claims he listed had not actually been overpaid. However, he did recognize nearly five hundred claims that did in fact turn out to be overpaid as worthy of attention.

After looking at the legislative history and purpose, the Court concluded that the 60-day clock begins ticking when a provider is put on notice of a potential overpayment, rather than when the overpayment is conclusively ascertained. This holding is in line with CMS’s patchwork of guidance for Medicare overpayments.

As a result, providers facing a potential overpayment must take action immediately to meet the 60 day deadline and avoid False Claims liability. Every health care practice should have a protocol in place to ensure that possible overpayments are investigated in a timely manner and such investigation is documented appropriately. Failure to report overpayments within that time frame could subject providers to huge penalties.  

If you have any questions about the 60-day rule or need assistance with investigating and reporting a potential overpayment contact Danielle Hildebrand at

ICD-10 Deadline Less Than 3 Months Away – Need Help?

CMS Announces Measures To Help Ease Transition

The countdown to the ICD-10 has begun in earnest, and the Centers for Medicaid & Medicare Services (CMS) has made it clear that it will not back down on the deadline of October 1, 2015. However, CMS announced on July 6, that it is adopting policies to help ease the transition to ICD-10.

The ICD-9 code sets used to report medical diagnoses and inpatient procedures will be replaced by ICD-10 code. ICD-10 will affect diagnosis and inpatient procedure coding for everyone covered by the Health Insurance Portability Accountability Act (HIPAA), not just those who submit Medicare or Medicaid claims.

Although the American Medical Association (AMA)  has long opposed the ICD-10 conversion, it issued a joint press release with CMS on July 6. The press release addresses some of the AMA’s concerns and offers some concessions by CMS. To assuage concerns from healthcare providers about inadvertent coding errors that could lead to audits and penalties, CMS has named a CMS ICD-10 Ombudsman to triage and answer questions about the submission of claims. The ICD-10 Ombudsman will be located at CMS’s ICD-10 Coordination Center. CMS has also released provider training videos and an outline of its implementation plan.

Additionally, CMS has announced that for one year past the Oct. 1, 2015, deadline, it will reimburse for incorrectly coded claims as long as that erroneous code is in the same broad family as the right one.

Providers should note that claims for services provided on or after the compliance date will need to be submitted with ICD-10 diagnosis codes; but claims for services provided prior to the compliance date should be submitted with ICD-9 diagnosis codes.

It is important for providers to have their practices ready to implement ICD-10 on October 1, 2015. If you need help with the ICD-10 transition and implementation, call Jeyaram & Associates’ Kimberly Sheridan at 678-708-4703.

Physicians Need To Be Prepared For Increased Medicare & Medicaid Fraud Scrutiny

doctor-in-handcuffs-caption-1HHS increases resources to root out and penalize fraud:  Review existing financial arrangements NOW

On June 30th the federal Department of Health and Human Services Office of the Inspector General announced that it has created a specialized unit comprised of attorneys focused on Medicare and Medicaid fraud. This announcement comes on the heels of the OIG Special Fraud Alert reminding physicians of anti-kickback liability for illegal compensation related to arrangements with healthcare institutions.

Physicians should be prepared for increased scrutiny and an uptick in enforcement actions for kickback violations. According to OIG official Lisa Re, the new unit will be targeting kickback cases and will be going after not only the individual or organization paying the kickbacks but also the recipient of the kickbacks, e.g., the physicians.

Physicians who have financial arrangements that violate the Federal Anti-Kickback Statute would not only be subject to fines in the form of Civil Money Penalties, but could also be excluded from the Medicare and Medicaid programs.

Now is the time for physicians to review existing or proposed financial arrangements to ensure that they do not pose any risk of violating the Anti-Kickback Statute.

If you have any questions about a particular arrangement our attorneys can help. Please call Danielle Hildebrand or DJ Jeyaram at 678-325-3872 for legal counsel.

CMS Proposes New Quality Reporting Measures for Medicare Payment

MedicareThe Centers for Medicare and Medicaid Services (CMS) has proposed a rule regarding Medicare payments for inpatient rehabilitation facilities. Through this new rule, CMS introduces new quality measures that will be tied to reimbursement.

Such quality measures generally focus on overall performance with respect to specific components of the health status of patients, like new or worsening pressure sores, and certain events, such as falls causing major injuries.

A facility’s failure to submit the information regarding these quality measures would result in a reduction in Medicare payments to that facility.

In the CMS publication, the government estimates the new quality reporting requirements will cost inpatient rehab facilities around $24 million. However, because the rule also proposes a modest rate increase, the government estimates that the changes under the rule will result in $130 million increase in payments to those facilities.

The Proposed Rule can be found here.

If you have questions regarding these new quality reporting requirements, please contact DJ Jeyaram or Danielle Hildebrand at 678.325.3872.

Supreme Court Rules Medicaid Providers Cannot Sue To Enforce Their Rights

US Supreme CourtOn March 31, 2015, in a 5-4 decision, the United States Supreme Court issued its opinion in Armstrong v. Exceptional Child Center, Inc.[1] This decision essentially precludes all Medicaid providers from bringing a private cause of action to enforce their rights under the Medicaid Act.

Through Medicaid, the federal government subsidizes the States’ providing of medical services to qualified people. To get the federal monies, a state must adopt, and the federal government must approve, its Medicaid plan. Section 30(A) of the Medicaid Act requires that a state Medicaid plan must contain procedures to ensure that reimbursement rates for healthcare providers “are consistent with efficiency, economy, and quality of care and are sufficient to enlist enough providers” to meet the need for care and services in the geographic area.

In Armstrong, a group of providers filed suit under the Supremacy Clause to enforce the provisions of Section 30(A) and to enjoin the Idaho Health and Welfare Department officials from continuing to reimburse the providers at rates lower than rates set forth in a provider cost study that had recommended increasing reimbursement rates. The 9th Circuit ruled that the Supremacy Clause gave the providers an implied right of action to bring suit. The Supreme Court disagreed.

The majority of the Supreme Court reasoned that while the Supremacy Clause instructs the courts to give federal law priority when there is a clash between a federal law and a state law, it does not create a cause of action.

The Majority went on to hold that the providers could not proceed in equity because the power of the federal courts to enjoin unlawful state action must be set out expressly or implicitly in statute. Here, the court reasoned that the Medicaid Act set out an express provision of a single remedy for the State’s failure to comply with the Medicaid act. That remedy is found in 42 U.S.C. Section 1396(c) and stated that the Secretary of Health and Human Services may withhold Medicaid funds if the State is failing to comply with the Medicaid Act.

What are the real life implications of this suggested remedy? As pointed out in Justice Sotomayor’s dissent, the Majority’s suggested remedy-withholding state funds will lead to the very result the law was enacted to prevent: depriving the poor of essential medical assistance.

What is the potential impact of this decision? If low rates cannot be challenged, Medicaid recipients will have fewer choices of health care providers because lower reimbursement rates make it harder for healthcare providers to choose to provide care to Medicaid recipients.[2]

What remedies are left for a provider? In Georgia, a Medicaid provider’s relationship with the State is based in contract, so remedies under the contract may still exist. If you are a provider and have a question about your rights under the Medicaid Act, please contact Kimberly Sheridan at Jeyaram & Associates at 678-709-4703.

[1] For the full opinion, please go to