Preparing Privacy Compliance For Emergencies-Ebola Crisis Prompts HHS OCR To Share Guidance On HIPAA Privacy in Emergency Situations

November 11, 2014

The recent US Ebola scare provided an important reminder to health care providers, health insurers and health plans, health care clearinghouses, employers and others of the importance of understanding and preparing to deal with health care privacy and other challenges arising from epidemics and other emergencies.  In response to the recent Ebola and other contagious disease outbreaks and just as U.S. health care and other business leaders are working to prepare for the biggest contagious disease time of the year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates that the privacy rules of the Health Insurance Portability & Accountability Act (HIPAA) requiring Covered Entities and their business associates to limit the use, access and disclosure of patient’s protected health information (PHI) continue to apply during emergency situations and help them understand when HIPAA allows them to share PHI in emergency situations in a new notice titled “HIPAA Privacy in Emergency Situations” (Guidance) published November 10, 2014. A business associate of a covered entity (including a business associate that is a subcontractor) also must continue to comply with HIPAA and may only make disclosures permitted by the Privacy Rule on behalf of a Covered Entity or another business associate to the extent authorized by its business associate agreement and consistent with HIPAA’s requirements.

Sharing Patient Information

The Guidance begins by reminding Covered Entities and their business associates that HIPAA’s Privacy Rule continues to apply in emergency situations and requires Covered Entities protect and prohibits their use, access or disclosure of patient’s protected health information except as allowed by HIPAA unless the patient authorizes the Covered Entity to disclose the PHI in accordance with HIPAA’s requirements for authorization set forth in 45 CFR 164.508.

The Guidance then goes on to discuss the following circumstances that the HIPAA Privacy Rule might allow Covered Entities to share PHI without getting patient authorization, subject to the reminder that in many cases, HIPAA will require that the Covered Entity limit the disclosure to the minimum necessary disclosure necessary for the allowable purpose and require other conditions to be fulfilled:

  • Treatment.

Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.

  • Public Health Activities.

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

  • To Or At The Direction Of A Public Health Authority.

The HIPAA Privacy Rule allows Covered Entities to share protected health information with Public Health Authorities authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability like the Centers for Disease Control and Prevention (CDC) or a state or local health department. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

The HIPAA Privacy Rule also allows Covered Entities to share information at the direction of a public health authority:

    • To a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i); and
    • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv)
  • Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification.

The HIPAA Privacy Rule allows a Covered Entity to share protected health information:

    • With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
    • About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death including where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).

The Guidance reminds Covered Entities, however, that the Privacy Rule requires the Covered Entity to get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the individual is incapacitated or not available, the Guidance states Covered Entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

The Guidance also confirms that Covered Entities may share protected health information with disaster relief organizations authorized by law or by their charters to assist in disaster relief efforts like the American Red Cross for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

  • Imminent Danger

The Guidance also states that Covered Entities that are health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).

  • Disclosures to the Media & Others Not Involved in the Care of the Patient/Notification

The Guidance also reminds Covered Entities of the importance of closely adhering to HIPAA’s rules when responding to information requests from the medial or others not involved in the care of a patient. The Guidance states that when the media or other other party not involved un the patient’s care asks the Covered Entity for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances authorized in the HIPAA Privacy Rule, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

  • Minimum Necessary Restriction Requirement

The Guidance cautions Covered Entities and their business associates that for most disclosures, a Covered Entity generally must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. However, this minimum necessary requirement does not apply to disclosures to health care providers for treatment purposes.

Covered Entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary when making disclosures in response to request from those parties. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

  • Required Internal Restrictions On Use, Access & Disclosure

Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

Safeguarding Patient Information

Beyond limiting the use, access and disclosure of PHI, the Guidance also reminds Covered Entities and their business associates that even in emergency situations, HIPAA continues to require them to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures as well as to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.

Limited Waiver

Although HHS has yet to take steps to trigger a limited waiver, the Guidance also reminds Covered Entities and their business associates that HHS has the power to do so, the effect of a limited waiver and the circumstances under which HHS could elect to apply  a limited waiver to waive sanctions against a hospital for certain specific types of HIPAA violations while the waiver is in effect.

As the Guidance notes, the HIPAA Privacy Rule is not suspended during a public health or other emergency.  Rather, the limited waiver rules only operates to permit the Secretary of HHS to waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. The limited waiver only applies when the President declares an emergency or disaster and HHS declares a public health emergency. When and if these requirements are met, HHS may waive sanctions and penalties against a Covered Entity that is a hospital for failing to comply with the following HIPAA Privacy Rule provisions:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, Covered Entities and their business associates should keep in mind the waiver only applies to the list violations and only applies:

  • For so long as the waiver remains in effect;
  • In the emergency area and for the emergency period identified in the public health emergency declaration
  • To hospitals that have instituted a disaster protocol; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Not Necessarily Just About HIPAA

HIPAA is not necessarily the only law that Covered Entities, business associates or others need to consider when deciding what to disclose during an emergency or otherwise.  The HIPAA Privacy Rule applies to disclosures made by and Covered Entities, business associates employees, volunteers, and other members of a Covered Entity’s or Business Associate’s workforce. The Privacy Rule does not apply to disclosures made by entities or other persons who are not Covered Entities.

Beyond HIPAA, Covered Entities, their business associates or members of their workforce, employers, and other organizations also need to consider whether other federal or state laws, ethical rules, contracts or policies may restrict use or disclosure, safeguard, or take other steps to protect PHI or other information.  For instance, other federal laws, state law, professional ethical rules, contracts, facility policies or procedures, or other restrictions often apply to health care provides, insurers, brokers, employers or others.  Employers, health care organizations, insurers and others also need to be concerned about potential discrimination, common law and statutory privacy, retaliation, defamation and other exposures.

Prepare For Compliance Now

The recent experiences of various health care organizations intimately involved in caring for the Ebola patients highlights the importance of anticipating, preparing and conducting training, and having your workforce practice to prepare  to deal with the special challenges of dealing with HIPAA and other legal responsibilities in advance of emergency events.  When preparing for these events, Covered Entities and business associates need to take into account the need to comply operationally as well as to document and retain records of compliance.   They should  both should anticipate and prepare to respond to both typical inquiries as well as those from the media, public and others.   They also should consider how various types of emergencies could create new privacy or security risks.  For instance, in certain emergency situations, recordkeeping or other systems could be disrupted, impacting the ability retain and subsequently produce required documentation.  Furthermore, Covered Entities also should prepare to manage the patient and public relations aspects of these events including adverse impressions that often arise when the media or others are disappointed at being denied information because of compliance obligations, from breaches or perceived breaches, or other similar events.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Parkview Hospital To Pay $800K To Settle HIPAA Charges After Retiring Physician Blows The Whistle

July 6, 2014

Health care providers, health plans, heath care clearinghouses and their business associates heed both the lesson about properly protecting protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement.

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

The resolution agreement highlights the role that current or former physicians, employees or others can play in helping OCR to identify HIPAA violations.  Health care providers and other covered entities and their business associates should take into account the likelihood that physicians on their own or other facility medical staffs, their employees and other participants in the care delivery system often may have and be motivated to report to government sensitive information about violations of HIPAA or other laws.  Since HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objectiving to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations, employees or other workforce members increasingly make the complaints bring violations to OCR and other regulators.

Whether from an internal employee complaint, a  patient or competitor complaint or other source, HIPAA violations carry significant liability risks.  The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.  Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Health Care & Other HIPAA Covered Entities Should Review New Reports As Part of HIPAA Risk Management Efforts

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).   Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
  • Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA,  In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


CMS To Host Provider Webinar To Celebrate National Health IT Week

September 13, 2013

In celebration of the third annual National Health IT Week is September 16-20, the Centers for Medicare & Medicaid Services (CMS) will host several webinars and launching new eHealth tools and resources that it intends to help providers participate in eHealth programs.  These programs may be of interest to providers as well as payers who are interested in what providers are doing to use eHealth tools.

Details of Webinar

The eHealth Provider Webinar will be held on Thursday, September 19th from 12:00 p.m. to 1:30 p.m. ET.  CMS plans to present an overview of the eHealth programs and its eHealth initiative—an initiative that aligns health IT and electronic standards programs on:

  • Administrative Simplification
  • eRx Incentive Program
  • ICD-10
  • Quality Measurement

A portion of the webinar will also be dedicated to Q&A.

Registration Information

Space is limited.  Register now to secure your spot for the eHealth Provider WebinarOnce registration is complete, you will receive a follow-up email with step-by-step instructions on how to log-in to the webinar.  Listserv messages are sent prior to each webinar session with registration information.

If you’d like to view past webinars, the PowerPoint presentations and recordings can now be accessed on the Resources page of the eHealth website.  For more information about CMS’ eHealth Initiatives, visit the CMS eHealth website for the latest news and updates on CMS’ eHealth initiatives.

For More Information Or Assistance

If you need assistance responding to this invitation or with other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Tell HHS What You Think-Comment On HHS Strategic Plan Now!

September 9, 2013

Health care providers, health plans, employers and others concerned about the regulatory and enforcement activities of the Department of Health & Human Services (HHS) can make their concerns known by speaking up now.  Share your input on the draft HHS strategic plan that will guide HHS’ regulatory and enforcement agenda for the next 4 years.

Every 4 years, HHS updates its strategic plan, which describes its work to address complex, multifaceted, and ever-evolving health and human service issues, including:

  • Health Care
  • Research and Innovation
  • Prevention and Wellness

HHS is inviting public input on the draft HHS Strategic Plan for FY 2014-2018. The comment period is open until October 15, 2013.  Individuals or organizations wishing to respond to this invitation can read the HHS Strategic Plan FY 2014-2018 (Draft) and submit your comments several ways including:

For More Information Or Assistance

If you need assistance responding to this invitation for comment or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


55 Hospitals To Pay $35M+ To Settle FCA Claims Charges On Kyphoplasty Procedures

July 6, 2013

Whistleblowers Played A Big Role, Collectively Will Receive $5.5 Million From Settlement Proceeds

Fifty-five hospitals in 21 states will pay a total of more than $34 million to settle Justice Department allegations that the health care facilities submitted false claims to Medicare for a minimally-invasive procedure used to treat certain spinal fractures that often are due to osteoporosis known as “kyphoplasty.”

The settlement stems from charges by the Justice Department and Department of Health & Human Services (HHS) Office of Inspector General (OIG) that the settling hospitals frequently billed Medicare for performing kyphoplasty procedures on the more costly inpatient basis, rather than an outpatient basis, in order to increase their Medicare billings  when the kyphoplasty could have been performed safely and effectively as an outpatient procedure without any need for a more costly hospital admission.

With the settlements announced July 1,  the Justice Department says it has now reached settlements with more than 100 hospitals totaling approximately $75 million to resolve allegations that they mischarged Medicare for kyphoplasty procedures.   Justice Department officials credited whistleblowers with helping it to identify the charged misconduct in virtually all of the cases.  They collectively will receive an estimated $5.5 million of the total of $34 million to be paid under the settlements.

 55 Settlements Impact Systems & Providers Across The Nation

According to the Justice Department’s July 1 announcement of the settlements, the settling facilities, and the amounts they have agreed to pay, include 23 hospitals affiliated with HCA Inc., Nashville, TN, who have agreed to pay a total of $7,145,842.72.  These include:

  •  Aventura Hospital & Medical Center, Aventura, FL
  • Capital Regional Medical Center, Tallahassee, FL
  • Coliseum Medical Center,  Macon, GA
  • Coliseum Northside Hospital, Macon, GA
  • Conroe Regional Medical Center, Conroe, TX
  • Denton Regional Medical Center, Denton, TX
  • Doctors Hospital of Sarasota,  Sarasota, FL
  • Edmond Regional Medical Center, Edmond, OK
  • Fawcett Memorial Hospital, Port Charlotte, FL
  • Fort Walton Beach Medical Center, Fort Walton Beach, FL
  • Garden Park Medical Center, Gulf Port, MS
  • JFK Medical Center, Atlantis, FL
  • Los Robles Regional Medical Center, Thousand Oaks, CA
  • North Florida Regional Medical Center,  Gainesville, FL
  • Northlake Medical Center,  Tucker, GA
  • Oklahoma University Medical Center,  Oklahoma City, OK
  • Palmyra Medical Center,  Albany, GA
  • Redmond Regional Medical Center,  Rome, GA
  • Southwest Florida Regional Medical Center,  Fort Myers, FL
  • St. Lucie Medical Center,  Port Saint Lucie, FL
  • Summit Medical Center,  Hermitage, TN
  • Sunrise Hospital & Medical Center,  Las Vegas, NV
  • Wesley Medical Center, Wichita, KS

Also 6 hospitals affiliated with Lifepoint Hospitals, Inc., Brentwood, TN, have agreed to pay a total of $2,522,502.69.  These include:

  • Andalusia Regional Hospital, Andalusia, AL
  • Jackson Purchase Medical Center, Mayfield, KY
  • Lake Cumberland Regional Hospital,  Somerset, KY
  • Minden Medical Center,  Minden, LA
  • Russellville Hospital, Russellville, AL
  • Western Plains Medical Complex,  Dodge City, KS

Also, 5  hospitals affiliated with Trinity Health, Livonia, MI, have agreed to pay a total of $3,910,017.53.  These include:

  • Mercy Medical Center, – Dubuque,  Dubuque, IA
  • Mercy Medical Center – Sioux City,  Sioux City, IA
  • St. Joseph Mercy Hospital,  Pontiac, MI
  • Mercy Health Partners,  Muskegon, MI
  • Mount Carmel New Albany Surgical Hospital,  New Albany, OH

Justice Department officials also report that 4hospitals affiliated with Morton Plant Mease BayCare Health System, Clearwater, FL, have agreed to pay a total of $2,378,325.45.  These include:

  • Morton Plant Hospital,  Clearwater, FL
  • Morton Plant North Bay Hospital,  New Port Richey, FL
  • Mease Dunedin Hospital, Dunedin, FL
  • Mease Countryside Hospital, Safety Harbor, FL

Justice Department officials also say 3  hospitals affiliated with Baptist Memorial Health Care Corporation, Memphis, TN, have agreed to pay a total of $691,168.  These are:

  • Baptist Memorial Hospital-Golden Triangle, North Columbus, MS
  • Baptist Memorial Hospital-Collierville,  Collierville, TN
  • Baptist Memorial Hospital-Memphis,  Memphis, TN

In addition, Justice Department officials say 2 hospitals affiliated with Covenant Health, Knoxville, TN, have agreed to pay a total of $1,845,641.74.  These are  Parkwest Medical Center in  Knoxville, TN  and Methodist Medical Center of Oak Ridge in Oak Ridge, TN.

Meanwhile, 2 hospitals affiliated with Bayhealth Medical Center, Newark, DE, also reportedly have agreed to pay a total of $1,115,306.37.  These are Bayhealth Kent General Hospital,  Dover, DE  and Bayhealth Milford Memorial Hospital,  Milford, DE.

In addition to these hospitals, the following facilities have agreed to pay the following settlements:

  • Atrium Medical Center, Middletown, OH, has agreed to pay $4,232,992.50
  • Altru Health System, Grand Forks, ND, has agreed to pay $1,492,690
  • Cedars Sinai Medical Center, Los Angeles, CA, has agreed to pay $1,485,846
  • Des Peres Hospital, St. Louis, MO, has agreed to pay $900,000
  • Mount Sinai Medical Center, Miami, FL, has agreed to pay $1,846,194.00
  • New England Baptist Hospital, Boston, MA, has agreed to pay $374,814.48
  • St. Anne’s Hospital, Fall River, MA, has agreed to pay $552,745
  • The Queen’s Medical Center, Honolulu, HI, has agreed to pay $1,055,249.57
  • Trover Health System, Madisonville, KY, has agreed to pay $1,162,837
  • Wayne Memorial Hospital, Goldsboro, NC, has agreed to pay $1,250,000.

In addition to today’s settlement, the government previously settled with Medtronic Spine LLC, the corporate successor to Kyphon Inc., for $75 million to settle allegations that the company defrauded Medicare by counseling hospital providers to perform kyphoplasty procedures as inpatient rather than outpatient procedures.

According to Tom O’Donnell, Special Agent in Charge of the Office of Investigations of the HHS-OIG New York Regional Office,  “The settlements related to kyphoplasty billing that have been reached with over 100 hospitals represent one of the largest and most successful multi-party health care investigations in the nation.”

While these settlements relate specifically to kyphoplasty procedures, they send a message impacting all procedures and practice areas that they risk OIG and/or Justice Department prosecution if procedures are performed in a most costly manner to increase reimbursement which is not medically necessary.  Justice Department officials warned health care providers  that Justice and OIG will act “Whenever hospitals knowingly overcharge Medicare, critically needed resources are wasted and health costs are driven up.”

Whistleblower Involvement Played Big Role

As in other recently announced settlement agreements, see e.g., Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement, whistleblower involvement played a key role in helping OIG and Justice to identify and prosecute the alleged misconduct.

According to the Justice Department, all but four of the settling facilities announced today were named as defendants in a qui tam, or whistleblower, lawsuit brought under the False Claims Act, which permits private citizens to bring lawsuits on behalf of the United States and receive a portion of the proceeds of any settlement or judgment awarded against a defendant.  The lawsuit was filed in federal district court in Buffalo, N.Y., by Craig Patrick and Charles Bates.  Mr. Patrick is a former reimbursement manager for Kyphon, and Mr. Bates was formerly a regional sales manager for Kyphon in Birmingham, Ala.  The whistleblowers will receive a total of approximately $5.5 million from the settlements.

 Mitigate Risks With Effective Oversight of Both Documentation & Operations

As Acting Assistant Attorney General for the Civil Division Stuart F. Delery noted in the settlement announcement. “Physicians who participate in Medicare and other federal health care programs must document and bill for their services accurately and honestly.” With qui tam and other whistleblower participation, the Justice Department, HHS and other federal and state fraud investigators go beyond merely challenging whether the medical record documentation supports the charges billed to question whether the medical record itself accurately reflects the care in fact delivered by relying upon testimony of employees or other “insiders” often with an axe to grind against the provider.

To mitigate these exposures, health care providers clearly should work diligently both to ensure that their billing and other compliance programs accurately, honestly and completely document the care provided and code and bill for those services in accordance with the currently applicable federal program rules.  While these compliance and risk management programs are indispensable components of any effective health care fraud compliance program, health care providers also should recognize that the effectiveness of their health care fraud and other compliance program also may depend on the effectiveness of their operational and workforce oversight and management.  Along with effective billing and other fraud detection and compliance programs, providers also need effective medical quality and records documentation, provider and workforce performance and management, investigations and other management programs.

As a key element of these activities, providers should constantly be on watch for evidence of gaps between the medical and billing documentation and the factual realities looking at broad range of sources. Providers should target these activities to cover both specific medical documentation, coding and care, and other operational indicators that could show a problem.  With qui tam and other whistleblower claims rising, however, providers should keep in mind that mere auditing of records and billing patterns alone often fails to uncover key evidence of potential concerns.

To help identify potential areas of scrutiny, providers should carefully monitor and examine the adequacy of their compliance and risk management agreements against corporate integrity agreements with other providers who have reached settlements with the Department of Justice, HHS Office of Inspector General or other agencies like the TranS1 Inc. Corporate Integrity Agreement .

Health care providers also should take into account a plethora of other potential indicators including but not limited to peer review and quality assurance data, deficient as well as inexplicably exceptional medical record or other record keeping documentation, hotline, exist interview and other workforce feedback, disagreements among providers in patterns of care, political and interpersonal differences, and a host of other indicators that could show a valid compliance concern or a developing hostility that could become the incentive for a whistleblower or other complaint. Providers should document these and other efforts to investigate, monitor and redress potential concerns  In addition, providers also should guard against qui tam, retaliation and other claims by ensuring that their human resources, peer review, credentialing, background and other investigations, privacy and other operational activities are designed, documented to be both legally compliant and defensible.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters.

Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here. 

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.   ©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc..  All other rights reserved.


Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement

July 6, 2013

Former employee-turned Whistleblower Craig Thomas will collect $2.7 million out of the $14.5 million settlement that Sound Inpatient Physicians Inc. (SIP) will pay $14.5 million to settle allegations that it overbilled Medicare and other federal health care programs under a settlement announced by the Justice Department on July 3, 2013.  The SIP announcement comes the same day the Justice Department announced medical device manufacturer TranS1 Inc., now known as Baxano Surgical Inc., will pay $6 million to resolve whistleblower-prompted FCA allegations that TranS1 Inc. caused health care providers to submit false claims to Medicare and other federal health care programs for minimally-invasive spine surgeries.

Both the SIP and TranS1 Inc. charges and settlement clearly show the ever-growing risk of Justice Department prosecution that providers face when billing Medicare or other government programs for care beyond the level delivered and documented in the medical record. The litigation and resulting settlement also show the too-often underappreciated rule that employees, vendors and other whistleblowing insiders increasingly play in the initiation and success of these prosecutions and how they impact the ability of providers charged with fraud to prove they have billed Medicare or other federal health plans accurately and honestly for services actually delivered in the manner documented in the record and in accordance with applicable Federal program rules.

To mitigate these exposures, health care providers both should strengthen their health care medical record documentation, billing and other fraud and compliance programs and their employee, vendor and other workforce relations and management processes.

Former SIP Employee’s Qui Tam Claim Prompted Suit

The settlement resolves charges that SIP fraudulently inflated billings to government programs brought in U.S. ex rel. Craig Thomas v. Sound Inpatient Physicians, Inc. and Robert A. Bessler, Civil Action No. C09-5301RBL (W.D. Wash.) that initially came to the government’s attention through a lawsuit filed by former SIP employee, Craig Thomas, under the qui tam, or whistleblower, provisions of the False Claims Act  (FCA).  The FCA allows private citizens to bring civil actions on behalf of the government and share in any recovery.  Thomas will receive $2.7 million of the $14.5 million settlement for exposing Sound Physicians’ inflated claims.

In the lawsuit, the Justice Department alleged that SIP, a Tacoma, Washington-based employer of more than 700 hospitalists and post-acute physicians at 70 hospitals and a growing network of post-acute facilities in 22 states, between 2004 and 2012, knowingly submitted inflated claims to federal health benefits programs for its hospitalist employees for higher and more expensive levels of service than documented by hospitalists in patient medical records.

The SIP civil settlement illustrates the growing reliance on whistleblowers and other FCA tools by the Federal government in its rising campaign against false claims and other health care fraud by physicians, hospitals and other health care providers under the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative announced in May 2009 by Attorney General Eric Holder and Health and Human Services (HHS) Secretary Kathleen Sebelius.   Since January 2009, the Justice Department claims to have recovered a total of more than $14.7 billion through FCA cases, with more than $10.7 billion of that amount recovered in cases involving fraud against federal health care programs.

TranS1 Inc.  Whistleblower Gets $1M+ Out of $6M Settlement

Whistleblower claims also prompted the charges and settlement announced against medical device manufacturer TranS1 Inc. The Justice Department announced July 3 that TranS1 Inc. has agreed to pay the United States $6 million to resolve allegations under the FCA.  Whistleblower Kevin Ryan, whose qui tam claim prompted the investigation that lead to the settlement will collect $1,020,000 from the settlement.

The settlement resolves Justice Department charges developed out of the qui tam action of a former employee that TranS1 knowingly caused health care providers to submit claims with incorrect diagnosis or procedure codes for minimally-invasive spine fusion surgeries using Trans1’s AxiaLIF System.  That device was developed as alternative to invasive spine fusion surgeries.  The United States alleges that TranS1 improperly counseled physicians and hospitals to bill for the AxiaLIF System by using incorrect and inaccurate codes intended for more invasive spine fusion surgeries.  The Justice Department alleged that, as a result, health care providers received greater reimbursement than they were entitled to for performing the minimally-invasive AxiaLIF procedures.

The Justice Department also claimed TranS1 knowingly paid illegal remuneration to certain physicians for participating in speaker programs and consultant meetings intended to induce them to use TranS1 products, in violation of the Federal Anti-Kickback Statute, 42 U.S.C.  § 1320a-7b(b), and thereby caused false claims to be submitted to federal health care programs.  The Anti-Kickback Statute prohibits offering or paying remuneration to induce referrals of items or services covered by federally-funded programs and is intended to ensure that a physician’s medical judgments are not compromised by improper financial incentives and are based solely on the best interests of the patient.

In addition, the Justice Department alleged that TranS1 promoted the sale and use of its AxiaLIF System for uses that were not approved or cleared by the U.S. Food and Drug Administration, including use in certain procedures to treat complex spine deformity, and which were thus not covered by federal health care programs.

“A medical device manufacturer violates the law when it advises physicians and hospitals to report the wrong codes to federal health insurance programs in order to increase reimbursement rates,” said Rod J. Rosenstein, U.S. Attorney for the District of Maryland.  “Health care providers are required to bill federal health care programs truthfully for the work they perform.”

As part of the settlement, TranS1 has agreed to enter into a corporate integrity agreement with the Office of Inspector General of the Department of Health and Human Services.  That agreement provides for procedures and reviews to be put in place to avoid and promptly detect conduct similar to that which gave rise to this matter.

Mitigate Risks With Effective Oversight of Both Documentation & Operations

As Acting Assistant Attorney General for the Civil Division Stuart F. Delery noted in the settlement announcement. “Physicians who participate in Medicare and other federal health care programs must document and bill for their services accurately and honestly.” With qui tam and other whistleblower participation, the Justice Department, HHS and other federal and state fraud investigators go beyond merely challenging whether the medical record documentation supports the charges billed to question whether the medical record itself accurately reflects the care in fact delivered by relying upon testimony of employees or other “insiders” often with an axe to grind against the provider.

To mitigate these exposures, health care providers clearly should work diligently both to ensure that their billing and other compliance programs accurately, honestly and completely document the care provided and code and bill for those services in accordance with the currently applicable federal program rules.  While these compliance and risk management programs are indispensable components of any effective health care fraud compliance program, health care providers also should recognize that the effectiveness of their health care fraud and other compliance program also may depend on the effectiveness of their operational and workforce oversight and management.  Along with effective billing and other fraud detection and compliance programs, providers also need effective medical quality and records documentation, provider and workforce performance and management, investigations and other management programs.

As a key element of these activities, providers should constantly be on watch for evidence of gaps between the medical and billing documentation and the factual realities looking at broad range of sources. Providers should target these activities to cover both specific medical documentation, coding and care, and other operational indicators that could show a problem.  With qui tam and other whistleblower claims rising, however, providers should keep in mind that mere auditing of records and billing patterns alone often fails to uncover key evidence of potential concerns.

To help identify potential areas of scrutiny, providers should carefully monitor and examine the adequacy of their compliance and risk management agreements against corporate integrity agreements with other providers who have reached settlements with the Department of Justice, HHS Office of Inspector General or other agencies like the TranS1 Inc. Corporate Integrity Agreement .

Health care providers also should take into account a plethora of other potential indicators including but not limited to peer review and quality assurance data, deficient as well as inexplicably exceptional medical record or other record keeping documentation, hotline, exist interview and other workforce feedback, disagreements among providers in patterns of care, political and interpersonal differences, and a host of other indicators that could show a valid compliance concern or a developing hostility that could become the incentive for a whistleblower or other complaint. Providers should document these and other efforts to investigate, monitor and redress potential concerns  In addition, providers also should guard against qui tam, retaliation and other claims by ensuring that their human resources, peer review, credentialing, background and other investigations, privacy and other operational activities are designed, documented to be both legally compliant and defensible.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters.

Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here. 

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.   ©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc..  All other rights reserved.


Follow

Get every new post delivered to your Inbox.

Join 659 other followers

%d bloggers like this: