Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Providers: Your Business Associates Could Cost You Millions

Healthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are non-covered entities under HIPAA, often contractors or subcontractors, that require access to protected health information (PHI) to perform services for covered entities. The hospital’s policies failed to ensure the business associate adequately protected consumers’ PHI.

While HIPAA applies to certain covered entities, those entities must also ensure that any business associates adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules.

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password-protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to safeguard private healthcare information, we can help. Please contact Jonathan Anderson at Janderson@JeyLaw.com or 678.325.3872.

Work In Healthcare? You Could Face Steep Fines Or Jail Time For Healthcare Fraud

Newly Released Health Care Fraud Report shows that HHS/DOJ Enforcement Efforts Remain Strong

The Department of Health and Human Services (HHS) and the Department of Justice (DOJ) recently released their annual joint report outlining the results of their healthcare fraud enforcement efforts throughout FY 2015.

The Report shows that during that period the DOJ opened 983 new criminal health care fraud investigations and over 800 new civil health care fraud investigations. Additionally, HHS investigations resulted in 800 criminal actions against individuals or entities that engaged in crimes related to Medicare and Medicaid, and 667 civil actions, CMP settlements, and administrative recoveries related to provider self-disclosure matters.

Over the course of the year, the government won or negotiated over $1.9 billion in health care fraud judgments and settlements.

High Number Of Fraud Convictions

The Report also highlights the activity of the Medicare Fraud Strike Force whose efforts resulted in over 300 guilty pleas and 48 defendant convictions throughout the year, and over 260 defendants going to jail. The Report summarizes several successful enforcement actions by the Strike Force including:

  • 2 physician owners of a mental health clinic were each sentenced to 10+ years in prison for certifying that certain Medicare patients qualified for partial hospitalization services when they did not and paying kickbacks to group home operators and patient recruiters in exchange for referring Medicare patients;
  • An owner of a DME company was sentenced to 84 months in prison for paying kickbacks to medical clinics for fraudulent prescriptions for DME which the patients did not need; and
  • 2 home health directors were sentenced to over 10 years in prison and ordered to pay $18.6 million in restitution after pleading guilty to conspiracy to commit fraud and payment of kickbacks in exchange for Medicare referrals and home health service prescriptions.

You Could Personally Be Fined Or Go To Jail

The government is clearly cracking down and the healthcare industry should heed the warning. The Report indicates that any individual in the healthcare realm, whether physician or hospital CFO, could incur steep fines, penalties and even serve jail time for violating the Federal Anti-Kickback Statute, Stark Law and False Claims Act.

Jeyaram & Associates can help you assess and minimize your risk under these healthcare fraud and abuse laws. If you have any questions please contact Danielle Hildebrand at Dhildebrand@jeylaw.com or 678.325.3872.

To review the Report it is available here.

Are You Compliant? HHS Issues Guidance & Likely To Continue HIPAA Compliance Scrutiny

The Department of Health and Human Services (HHS) started the year by publishing new HIPAA guidance with respect to patient access to medical records.

While the recent HHS guidance does not add anything new to the regulations, it serves as a reminder to providers of certain provisions in the law. The guidance is intended as a tool to aid individuals in exercising their rights to access their medical records and to help providers ensure HIPAA compliance.

HHS highlighted certain provisions in the HIPAA regulations including provider obligations to respond to a request from a patient within 30 days and provide PHI in an electronic format if requested (assuming the electronic format requested can be readily produced by the provider).

The guidance also reminds providers that covered entities are not required to provide every single record about an individual even if the individual asks. Certain exceptions to a patient’s right to access include:

  • Patients do not have the right to access information that is not used to make decisions about that individual. For example, certain quality assessment or improvement records, patient safety activity records, or business planning, development and management records that are used for business decisions do not have to be provided to an individual.
  • Individuals do not have a right to access psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.
  • Providers can deny access to certain records if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
  • Patients do not have a right to access certain records compiled in reasonable anticipation of, or for use in, a legal proceeding.

Additionally, providers do not have to create new information, such as explanatory materials or analyses, that does not already exist in the record.

The government’s emphasis on HIPAA is expected to continue with pending audits of covered entities and business associates likely to take place this quarter. Now is the time for healthcare providers to review their policies to ensure that they are complying with the HIPAA regulations.

If you would like to review the HHS guidance it is available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

If you need help ensuring HIPAA compliance, please contact Danielle Hildebrand at dhildebrand@jeylaw.com or 678.325.3872.

Need Proof As To Why You Need To Conduct HIPAA Risk Assessments? Read On

An employee’s stolen laptop with unencrypted files led to a HIPAA investigation and ultimately a $750,000 settlement

The Department of Health and Human Services (HHS) recently issued a press release announcing a settlement with a 13-physician radiation oncology practice related to HIPAA violations. Cancer Care Group, P.C. settled allegations of HIPAA noncompliance for an amount of $750,000. One of the major factors that led HHS to conclude that Cancer Care was in widespread non-compliance with the HIPAA Security Rule was the practice’s failure to conduct a proper risk analysis.

HHS investigated the practice because of a HIPAA breach that occurred in 2013. The breach occurred when a laptop bag was stolen from an employee’s car. The laptop contained unencrypted files which included patient Protected Health Information (PHI) such as names, addresses, birth dates, Social Security numbers, and clinical information.

HHS notes that if Cancer Care had conducted an enterprise-wide risk analysis, they could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI and adopted policies and procedures to reduce such risk. HHS Office of Civil Rights Director Jocelyn Samuels emphasizes that “organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

HHS also notes that Cancer Care should have had a comprehensive device and media control policy in place. Failure to have a policy that outlined employee responsibilities when removing devices containing ePHI from the facility contributed to the breach.

This settlement is another reminder that health care practices should not ignore their obligation to conduct periodic comprehensive risk assessments. Failure to do so might put the practice’s patient information at risk of breach and could be costly for the practice if it is investigated by HHS.

The full HHS Press Release is available here, and the Cancer Care Settlement Agreement is available here.

Please contact Danielle Hildebrand at dhildebrand@jeylaw.com or (678) 325-3872 if you have questions about conducting a risk assessment for your practice.

Physicians Need To Be Prepared For Increased Medicare & Medicaid Fraud Scrutiny

HHS increases resources to root out and penalize fraud: Review existing financial arrangements NOW

On June 30th the federal Department of Health and Human Services Office of the Inspector General announced that it has created a specialized unit comprised of attorneys focused on Medicare and Medicaid fraud. This announcement comes on the heels of the OIG Special Fraud Alert reminding physicians of anti-kickback liability for illegal compensation related to arrangements with healthcare institutions.

Physicians should be prepared for increased scrutiny and an uptick in enforcement actions for kickback violations. According to OIG official Lisa Re, the new unit will be targeting kickback cases and will be going after not only the individual or organization paying the kickbacks but also the recipient of the kickbacks, e.g., the physicians.

Physicians who have financial arrangements that violate the Federal Anti-Kickback Statute would not only be subject to fines in the form of Civil Money Penalties, but could also be excluded from the Medicare and Medicaid programs.

Now is the time for physicians to review existing or proposed financial arrangements to ensure that they do not pose any risk of violating the Anti-Kickback Statute.

If you have any questions about a particular arrangement our attorneys can help. Please call Danielle Hildebrand or DJ Jeyaram at 678-325-3872 for legal counsel.

What Physicians Need to Know About the Stark In-Office Ancillary Services Exception

The Federal Stark Law generally prohibits physicians from referring Medicare/Medicaid payable Designated Health Services (DHS) to any organization in which they have a financial interest, including their own medical practice. Because the Stark prohibition applies when physicians refer their patients within their own practice to obtain DHS, such an arrangement must meet the requirements of an exception in order to comply with the law.

If you are a physician practice that intends to offer to your patients related services which are also DHS, for example, imaging or laboratory services, you might be able to rely upon the In-Office Ancillary Services (IOAS) exception. This exception is designed to protect the provision of Designated Health Services that are truly ancillary to the medical services being provided by your physician practice.

In order to take advantage of this exception, your practice must meet three specific requirements related to:

  1. supervision
  2. location
  3. billing

Additionally, multi-physician practices must be considered a “group practice” as provided in the Stark Law.

Physicians providing MRIs, CT and PET scans through their medical practices must also provide a disclosure and notice to patients. Such notice must be in writing and provided at the time of the referral. The notice must disclose to the patient that he or she may obtain those services from other suppliers and provide a list of those suppliers in close proximity to the physician’s office.

Although this exception enables physicians to offer a number of ancillary services and still maintain compliance with the Stark Law, this exception is likely to be restricted in the future. The Department of Health and Human Services’ (HHS) FY ‘16 proposed budget indicates that HHS intends to limit which practices may offer therapy services, advanced imaging, radiation therapy and anatomic pathology services. Only “clinically integrated” practices that demonstrate cost containment would be able to use the IOAS exception when offering such services.

Additional information on the HHS FY ‘16 Budget Proposal can be found at http://www.hhs.gov/budget/fy2016-hhs-budget-in-brief/hhs-fy2016budget-in-brief-cms-medicare.html.

If you have any questions about the IOAS exception or need legal advice with respect to offering ancillary services through your practice please contact DJ Jeyaram at DJ@jeylaw.com or Danielle Hildebrand at Dhildebrand@jeylaw.com.