HCPro.com - Compliance Monitor

Editor's Note: Final issue of Compliance Monitor

Wed, 27 Jun 2012 04:00:00 GMT

This is the final Compliance Monitor. Thank you for being a loyal subscriber.

Various alternatives are available. Please consider subscribing to other free e-newsletters from HCPro, Inc., that address various HIM, HIPAA, and medical record management topics. Click here to browse our entire catalogue of free e-newsletters.

NJ hospital pays $9 million to settle fraud allegations

Wed, 27 Jun 2012 04:00:00 GMT

AHS Hospital Corp., Atlantic Health System Inc., and Overlook Hospital, located in New Jersey, will pay almost $9 million to resolve allegations of Medicare fraud, the Department of Justice announced June 21.

Overlook Hospital, which is owned and operated by AHS and Atlantic Health System, allegedly billed Medicare for inpatient treatment for patients who should have been received outpatient treatment or observation services.

The settlement partially resolved allegations in a whistleblower suit filed by former Overlook employees.

Oklahoma hospital, physician settle Medicare fraud claims for $1.5 million

Wed, 27 Jun 2012 04:00:00 GMT

Harmon County Healthcare Authority (HCHA) and Akram R. Abraham, MD, of Hollis, Okla., will pay $1.55 million to settle charges that they defrauded Medicare, according to a June 20 Department of Justice (DOJ) press release.

HCHA and Abraham allegedly submitted claims that violated both the Anti-kickback Statue and the Stark Law from July 1, 2001, through May 30, 2008. HCHA entered into a contract with Abraham that provided him excess and unreasonable payment. The DOJ said the illegal remuneration included:

Free rent for office space
Free billing and staff personnel
Reimbursement of uncollected accounts receivable
Duplicative per encounter payments for emergency department services
Improper payment of locum tenens physician services

HCHA and Abraham also falsely certified that the Medicare and Medicaid claims they submitted complied with federal and state regulations.

HCHA and Abraham agreed to $550,000 and $1 million repayments, respectively, to settle the claims.

Detroit clinic owner admits defrauding Medicare

Wed, 27 Jun 2012 04:00:00 GMT

Louisa Thompson, 63, of Detroit, pleaded guilty to participating in a $16 million Medicare fraud scheme, according to a June 20 Department of Justice (DOJ) press release.

Beginning in January 2006, Thompson billed Medicare for psychotherapy services through two companies, TGW Medical Inc. and Caldwell Thompson Manor Inc., for services she never provided or that were provided by unlicensed staff.

Thompson also received money from the owner of P&C Adult Day Care Inc., a psychotherapy clinic, to allow the clinic to use Thompson’s provider number. Thompson also admitted signing therapy documents for P&C patients she never saw or treated.

Thompson admitted to submitting or causing to be submitted approximately $15.9 million in fraudulent psychotherapy claims.

HIPAA Q&A: Sharing patient information with specialists

Wed, 27 Jun 2012 04:00:00 GMT

Q: A patient who presented with an order from the primary care physician for laboratory work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. Did this violate HIPAA?

A: Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.

The ultimate question is whether the specialist needed to see the laboratory results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.

If the specialist should not have received the laboratory results, a breach-although not necessarily a reportable breach-may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.

You should investigate this incident. You are not required to notify the patient or OCR if you conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.

You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.

Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a "need to know."

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore. answered this question, which also appears in the July Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Editor's Note: Compliance Monitor to cease publication June 27

Wed, 20 Jun 2012 04:00:00 GMT

Next week’s issue will be the final Compliance Monitor. Thank you for being a loyal subscriber.

Brooklyn physician convicted of defrauding Medicare

Wed, 20 Jun 2012 04:00:00 GMT

A jury in U.S. District Court in Brooklyn convicted Boris Sachakov, MD, 43, of one count of healthcare fraud and five counts of healthcare false statements, the Department of Justice (DOJ) announced June 15.

Sachakov, owner and operator of Colon and Rectal Care of New York P.C., fraudulently billed Medicare and private insurance companies for surgeries and other medical services he did not perform between January 2008 and January 2010.

Sachakov’s clinic submitted more than $22.6 million in false and fraudulent claims to Medicare and private insurance companies, and received more than $9 million for those claims, according to the DOJ.

Sachakov faces a maximum penalty of 35 years in prison and an $18 million fine.

Health system settles False Claims Act allegations

Wed, 20 Jun 2012 04:00:00 GMT

Christus Spohn Health System Corp. of Corpus Christi, Texas, paid $5 million to settle allegations it violated the False Claims Act, according to a Department of Justice (DOJ) press release.

The health system fraudulently reported inpatient codes for services it should have reported with outpatient codes, according to the DOJ. The health system consequently received higher reimbursement than it should have.

The settle involves six of the health system’s hospitals including Christus Spohn Hospitals in Corpus Christi, Shoreline, Corpus Christi–Memorial, Corpus Christi–South, Alice, Beeville, and Kleberg.

Philadelphia clinic owner convicted of Medicare fraud

Wed, 20 Jun 2012 04:00:00 GMT

A federal jury in Philadelphia convicted Jo Benoit, 77, of King of Prussia, Pa., of 76 counts of healthcare fraud, aggravated identity theft, distribution of controlled substances, and distribution of controlled substances to minors. The U.S. Attorney’s Office for the Eastern District of Pennsylvania announced the conviction June 12.

Benoit founded Transition Phase III in 2008 and advertised it as a trauma-specific mental health clinic, for victims of trauma, children, and members of the military and their families. Benoit inaccurately portrayed herself as a psychiatrist. She forged prescriptions on actual psychiatrists’ used prescription pads to medicate patients she claimed to be treating.

Benoit also used the name of an actual psychiatrist to bill insurance companies for more than $500,000, as if the patients were seeing a psychiatrist.

Benoit faces in excess of 100 months in prison, a mandatory minimum sentence of three years, a fine of up to $48 million, mandatory restitution, and three years of supervised release.

HIPAA Q&A: Home health patient information books

Wed, 20 Jun 2012 04:00:00 GMT

Q: A home health agency was informed by an assisted living facility that the home health agency may not leave its patient information book at the facility because doing so violates HIPAA. The patient information book does not include any PHI. The assisted living facility stated the home health agency could not see patients if it leaves the patient information book. State law requires the home health agency to distribute information contained in the patient information book. Does leaving the patient information book at the assisted living facility violate HIPAA?

A: No. HIPAA addresses protecting the privacy of individually identifiable health information or PHI. If state law requires making certain information available to residents of a long-term care facility such as an assisted living facility, the home health agency would be in violation of state law if the information was not made available to residents. Nothing prohibits leaving what appears to be educational material for residents to review.

If the purpose of the patient information book is marketing services provided by the home health agency, the gray area of HIPAA regulations that pertains to marketing requires examination. As long as the same information is available to all residents and is not used to target marketing to certain individuals with specific diagnoses, this practice does not violate the marketing provisions of HIPAA or HITECH.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore. answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Miami woman receives 46-month sentence for Medicare fraud

Wed, 13 Jun 2012 04:00:00 GMT

U.S. District Judge Patricia A. Seitz of the Southern District of Florida sentenced Leyanes Placeres, 32, of Miami, to 46 months in prison for her part in a Medicare fraud scheme, the Department of Justice (DOJ) announced June 11.

Placeres pleaded guilty in March to one count of conspiracy to commit healthcare fraud and one count of conspiracy to pay and receive illegal kickbacks. She claimed to transport patients to American Therapeutic Corporation (ATC), which claimed to operate partial hospitalization programs (PHPs) in seven locations in south Florida and Orlando. The patients did not qualify for PHP services, but ATC billed Medicare for false, fake, and fictitious services, according to the DOJ.

Placeres also helped ATC pay illegal kickbacks to owners and operators of assisted living facilities and halfway houses to recruit patients for ATC.

he plea agreement also requires Placeres to pay $2.7 million in restitution.

Detroit man sentenced for Medicare fraud

Wed, 13 Jun 2012 04:00:00 GMT

Victor Jayasundera, 59, of Detroit, faces 30 months in prison for his role in a scheme that defrauded Medicare of more than $1.9 million, according to a Department of Justice press release.

Jayasundera co-owned Jos Campau Physical Therapy, a Detroit-area physical and occupational therapy company. Jayasundera and codefendant Fatima Hassan paid recruiters to provide Medicare beneficiary information and signatures so they could create fictitious physical and occupational therapy files.

Jayasundera falsified patient evaluation forms and created patient notes for therapy he did not perform.

Jos Campau Physical Therapy did not have a Medicare provider number and could not bill Medicare directly. Jayasundera and Hassan sold the fictitious physical and occupational therapy files to multiple fraudulent therapy companies that had Medicare provider numbers. Those companies then billed Medicare and paid kickbacks to Jos Campau Physical Therapy.

From approximately June 2005 through May 2007, the therapy companies submitted approximately $1.9 million in false claims to Medicare for physical and occupational therapy services that Jos Campau Physical Therapy never provided.

Jayasundera pleaded guilty to one count of conspiracy to commit healthcare fraud and six counts of healthcare fraud. Hassan also pleaded guilty and was sentenced to 48 months in prison.

Jury convicts LA physician assistant in $18.9 million Medicare fraud scheme

Wed, 13 Jun 2012 04:00:00 GMT

A jury convicted David James Garrison, 50, of Los Angeles, of conspiracy, healthcare fraud and aggravated identity theft charges for his role in an $18.9 million Medicare fraud scheme, according to a June 4 Department of Justice (DOJ) press release.

Garrison stole the identities of physicians to write prescriptions for medically unnecessary durable medical equipment (DME) and diagnostic tests at the fraudulent clinics between March 2007 and September 2008, according to the DOJ.

Garrison and his coconspirators owned and operated several Los Angeles medical clinics established for the sole purpose of defrauding Medicare. They paid kickbacks to patient recruiters to find Medicare beneficiaries who were willing to sell their Medicare billing information. Garrison wrote prescriptions for power wheelchairs, which the beneficiaries did not need and did not use, according to the DOJ.

After Garrison wrote prescriptions for power wheelchairs, his coconspirators sold them to the owners and operators of approximately 50 fraudulent DME supply companies, which used them to submit fraudulent power wheelchair claims to Medicare.

Garrison also ordered the same medically unnecessary diagnostic tests for every Medicare beneficiary, including tests for sleep studies, ultrasounds, and nerve conduction studies. Fraudulent diagnostic testing companies then used the prescriptions to bill Medicare and paid kickbacks to Edward Aslanyan, one of Garrison’s coconspirators.

Garrison faces a maximum penalty of 72 years in prison and a $2 million fine.

HIPAA Q&A: Transporting records to satellite clinic

Wed, 13 Jun 2012 04:00:00 GMT

Q: Our physician practice operates a satellite clinic. The practice does not use an electronic medical record. Charts are transported to a workforce member’s home at the end of the week and are transported to the satellite clinic Monday morning. Does this practice violate HIPAA? Also, who is responsible for the breach of patient PHI if someone steals the charts from a workforce member’s vehicle?

A: HIPAA does not prohibit transporting charts temporarily to a workforce member’s home. Medical practices that do so must reasonably ensure that charts are secured while they are en route and temporarily stored at the workforce member’s home. Ideally, store charts in a locking file cabinet or safely in the workforce member’s home.

Exercise the same care that is necessary when transporting laptop computers. Don’t leave charts in plain sight in unattended vehicles. If it becomes necessary to leave charts in an unattended vehicle, lock them in the trunk or out of sight of passersby if there is no trunk. These practices (transportation and remote storage of charts) must be documented in policy and enforced.

If the charts are stolen, ultimately the practice is liable. The incident would be considered a breach of unsecure PHI, and the practice would be required to notify patients within a reasonable period of time and follow all requirements of the interim breach notification rule (45 CFR 164.400–164.414).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Missouri psychologist faces Medicare, Medicaid fraud charges

Wed, 06 Jun 2012 04:00:00 GMT

A Missouri psychologist faces charges of allegedly defrauding Medicare and Medicaid of $1.2 million, according to a Department of Justice (DOJ) press release.

Rhett E. McCarty, 67, of Lake Ozark, Mo., is a licensed psychologist and private practitioner who provided psychotherapy services to Medicare and Medicaid recipients in their Lebanon area homes. He billed Medicare and Medicaid for $1.2 million for services he allegedly provided to 19 patients.

McCarty allegedly worked every day from mid-September 2008 through early April 2012, except Christmas, according to the DOJ. However, patients told investigators that McCarty saw them once a week or less frequently.

Texas chiropractor to serve two years, pay restitution for fraud conviction

Wed, 06 Jun 2012 04:00:00 GMT

U.S. District Judge Nancy F. Atlas sentenced Justina Okehie, aka Dr. Tina Collins, of Richmond, Texas, to 24 months in prison and ordered Okehie to pay $1.9 million in restitution for her part in a scheme to defraud Medicare and Texas Medicare.

Okehie, 55, owned and operated Adom Rehabilitation Services and Healthcare and Wellness Medical Center in Houston. Both clinics claimed to provide physical therapy and chiropractic services. As part of the conspiracy, Okehie paid patient recruiters to refer Medicare beneficiaries to her clinics, according to a Department of Justice press release. Okehie also paid Medicare beneficiaries to visit her clinics.

Okehie submitted false claims in excess of $8.5 million of claims to the Medicare and Medicare programs from January 2007 through August 2010.

Atlas previously sentenced Okehie’s co-conspirators Cassandra Tasby Barnes, 48, of Houston, and Melloneen Davis, 53, of Stafford, Texas, to three years’ probation each for their roles in a conspiracy to violate the Anti-Kickback Statute.

Task force uncovers $452 million in Medicare fraud

Wed, 06 Jun 2012 04:00:00 GMT

Medicare Fraud Strike Force operations in seven U.S. cities resulted in fraud charges against 107 people, including physicians, nurses and other licensed medical professionals. These individuals are charged with submitting false billing for a total of $452 million, according to a Department of Justice press release.

The defendants face various healthcare fraud charges, including:

Conspiracy to commit healthcare fraud
Healthcare fraud
Anti-kickback statute violations
Money laundering

The charges stem from a variety of alleged fraud schemes involving various medical treatments and services, such as home healthcare, mental health services, psychotherapy, physical and occupational therapy, durable medical equipment, and ambulance services.

The Department of Health and Human Services also suspended or took other administrative action against 52 providers following a data-driven analysis and credible allegations of fraud.

HIPAA Q&A: Answering service messages

Wed, 06 Jun 2012 04:00:00 GMT

Q: Is a physician who uses an answering service and receives unencrypted messages from an answering service in violation of the HIPAA Security Rule?

A: A physician who uses a smartphone to contact an answering service is not in violation of the HIPAA Security Rule. This activity may represent a risk, but mobile and landline telephone transmissions generally don’t require encryption unless the answering service is an automated service that stores messages on a server that is open to the Internet (e.g., cloud-based answering services).

Even then, encryption is not required, but it is strongly recommended. Conduct a risk analysis, identify risks such as those related to unencrypted PHI, and then determine whether those risks are acceptable.

Covered entities and business associates can elect to prohibit physicians and other workforce members from using smartphones to access messages from an answering service. However, this is a decision made at the entity level, and is not a HIPAA mandate.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Boston area hospital to pay $750,000 for data breach

Wed, 30 May 2012 04:00:00 GMT

Failing to keep confidential information secure will cost South Shore Hospital in Weymouth, Mass., $750,000, according to a press release from the Massachusetts Attorney General’s Office.

South Shore Hospital allegedly failed to protect confidential information, including individuals' names, Social Security numbers, financial account numbers, and medical diagnoses.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to contractor Archive Data Solutions, so that it could erase and resell the tapes. However, the hospital never informed Archive Data that the tapes contained personal, protected information and didn't make sure the vendor had sufficient safeguards in place to protect the information.

Multiple companies handled the boxes during shipping, and only one box arrived at its destination in June 2010. The other two boxes have not been recovered, although no one has filed a report of unauthorized use of the information.

Kansas women admit Medicaid fraud

Wed, 30 May 2012 04:00:00 GMT

Two Kansas women pleaded guilty to defrauding the Kansas Medicaid agency and will pay $13,000 in total restitution, according to a press release from the Kansas Attorney General’s office.

Teresa Corber, 39, and Molly Musgrove, 58, both of Independence, pled guilty to one count of unlawful acts relating to the Medicaid program, one count of making a false claim to the Medicaid program, and one count of theft.

Corber submitted claims as a personal care attendant for Medicaid beneficiaries for services she never provided. Musgrove, a Medicaid beneficiary, filed paperwork to receive reimbursement for bathroom remodeling that never occurred.