Identity Theft |

Medical Identity Theft/Fraud Convictions Highlight Need For Health Care Providers To Safeguard Health Information, Guard Against Fraud Schemes

November 27, 2011

Convictions Highlight Health Care Data Bases Attractive, Vulnerable Target For Medicare Fraud Schemers

A Federal judge sentenced 25 year old Miami resident Yenky Sanchez, 25 to serve more than 5 years in Federal prison for his role in the theft of Medicare numbers and other information of elderly and disabled Florida residents as part of a plan to defraud Medicare, Medicaid and other federal programs. Coming on the heels of a November 3 conviction in West Virginia of Sargis Tadevosyan in a separate identity theft for Medicare fraud scheme, the convictions highlight the growing commitment and effectiveness of Federal and state investigators in investigating and prosecuting individuals who seek to use identity theft schemes to defraud Medicare or other federal programs.

Sanchez Conviction & Sentencing

The sentence arises from criminal charges brought by the U.S. Department of Justice (DOJ) in conjunction with other federal and state agencies, which charged Sanchez considered to commit health care fraud, authentication feature fraud and aggravated identity theft. According to DOJ documents, Sanchez, participated in a scheme with Raul Diaz-Perera, to steal and sell Medicare numbers and other data about clients of their employer, the Florida Department of Children and Families’ (DCF). Diaz-Perera previously was employed with DCF. According to the evidence at trial against Sanchez and a factual proffer filed with the court during the plea hearing for co-defendant Diaz-Perera, Sanchez used his position as employees at a DCF call center in downtown Miami to steal Medicare numbers and other personal information for purposes of committing health care fraud and identity theft. The intent of Sanchez and his co-conspirator was for those numbers to be used to fraudulently bill Medicare for services that were never provided to the DCF beneficiaries. Sanchez was convicted of conspiring to commit health care fraud, in violation of Title 18, United States Code, Section 1349; conspiring to commit authentication feature fraud, in violation of Title 18, United States Code, Sections 1028(a)(3) and (f); and aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). Based on these convictions, U.S. District Judge Cecilia M. Altonaga sentenced Sanchez on November 21, 2011 to 65 months in prison, followed by three years of supervised release. Judge Altonaga also imposed a $5,000.00 fine on Sanchez.

Tadevosyan Conviction

Federal officials previously also had scored another Medicare fraud/identity theft prosecution victory just a few short weeks earlier in West Virginia. On November 3, 2011, a federal jury convicted Armenia citizen Sargis Tadevosyan in connection with a health care fraud scheme that intended to defraud millions of dollars from Medicare. Tadevosyan was found guilty of two felony counts: conspiracy to commit health care fraud and wire fraud and aggravated identity theft. Tadevosyan faces up to 20 years in prison for the conspiracy conviction and a mandatory consecutive sentence of two years for aggravated identity theft and a $250,000 fine when he is sentenced on January 26, 2012.

In contrast to the small scale conspiracy that apparently occurred in the Sanchez case, the Tadovosyn scheme apparently was orchestrated by organized crime. Department of Health and Human Resources Office of Inspector General (HHS-OIG) uncovered the activities of Tadovosyn as part of its investigation of fraud schemes involving false front providers, whereby a company posed as a Medicare health care provider, and unlawfully billed Medicare as if they were providing legitimate services. Ultimately, investigators discovered that Tadevosyn and others were involved in defrauding Medicare and other health care payers as part of a scheme that used false front provider companies. In total, more than $4 million in Medicare claims were submitted by the false front providers. To co-conspirators of Tadevosyn pleaded guilty in September to aiding and abetting aggravated identity theft in connection to the health care fraud plot. Those two co-defendants are scheduled to be sentenced on December 1, 2011.

In announcing the Tadevosyan conviction, federal officials affirmed their commitment to finding and prosecuting identity theft targeting Medicare and other health insurance programs. “This investigation revealed that organized criminal groups are still brazenly attempting to steal taxpayer money from our national health insurance programs,” said Nicholas DiGiulio, Special Agent in Charge for the Inspector General’s Office of the United States Department of Health and Human Services. “Today’s results demonstrate that we will do whatever it takes to catch these individuals in the act before they receive a penny of taxpayers’ money.”

Federal Laws, Investigations & Prosecutions of Medical Identity Theft Schemes Tightening

Whether from deliberate schemes to misappropriate data or other less sinister compromises of personal health information or other sensitive data, health care providers, health plans and other businesses face rising responsibilities to protect data and increasing exposures for failing to do so.

Federal law imposes stiff sanctions against organizations and individuals that engage in theft of personal or other sensitive information, health or other federal program fraud or both. In an effort to stem the tide of health care and identity theft fraud, federal and state legislators and regulators have tightened federal and state laws to strengthen laws prohibiting health care fraud and identity theft, to require that health care providers, health plans, federal and state agencies and others that collect, possess or access sensitive personal health information, personal financial information or other sensitive date safeguard and protect sensitive information against improper access or misuse, to increase the penalties for violation of these federal and state laws and to provide law enforcement with expanded tools to investigate and prosecute violations of these laws. See e.g., Cybercrime and Identity Theft: Health Information Security Beyond HIPAA.

As a result of these new and expanded mandates, health care providers, health plans, financial organizations and a broad range of other businesses and governmental agencies face a host of complicated mandates to protect personal health information, personal financial information and other sensitive data under laws such as the Health Information Portability & Accountability Act (HIPAA), the Fair & Accurate Credit Transactions Act (FACTA), state and federal identity theft and data security and other laws and significant liability for failing to fulfill these responsibilities.

Health care providers, health insurers and others handling protected health information are particularly at risk when their data is compromised. Recent amendments to HIPAA require these entities and their business associates to tighten their data privacy and security safeguards and to monitor and timely report data breaches, as well as significantly expand their potential liability exposure for failing to comply with HIPAA’s requirements. See e.g., UCLA Health Systems Payment of $865,500 To Settle HIPAA Charges Shows Rising HIPAA Risk; CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information; President Signs Long-Sought Red Flag Rule Exemption Into Law. As part of its ongoing implementation of stepped up enforcement responsibility and powers enacted as part of these recent amendments, the HHS Office of Civil Rights (OCR) announced on November 8, 2011 its kickoff of a new compliance audit effort. These developments send a forceful message that all businesses generally and health care providers, health plans, healthcare clearinghouses and their business associates specifically must get serious about compliance with the privacy, security and data breach requirements of HIPAA and other applicable law by implementing and administering the policies, procedures, training and oversight necessary to comply with these and other federal and state mandates regarding the protection of personal health information and other sensitive data. Learn more about the recent convictions and related data breach exposures here.

For Help With Compliance, Investigations Or Other Needs

If you need assistance providing compliance or other training, reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns/ She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | ARRA, Childrens Health Insurance Program, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, FACTA, false claims act, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Medicaid, Medicare, Medicare Advantage, Mental Heatlh, Money Laundering, OCR, Reimbursement, Technology, Telemarketing, Telemedicine, Veterans Health Administration | Tagged: Data Security, FACTA, Health Care Fraud, HIPAA, Identity Theft, Justice Department, Medicaid, Medicare, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

President Signs Long-Sought Red Flag Rule Exemption Into Law

December 9, 2010

Allowing customers or clients to pay for services and supplies over time will not cause doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers to be required to comply with the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) after all. President Obama earlier today (December 9, 2010) signed into law the “Red Flag Program Clarification Act of 2010 (S. 3987/H.R. 6420) (Act), which exempts businesses engaging in these limited financing transactions from the obligation to comply with the Red Flag Rule’s identity theft monitoring and prevention requirements.

FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC). Before the Act became law today, FTC regulations set to take effect December 31, 2010 construed health care providers, attorneys, consultants or other service providers as covered creditors simply if they allowed customers finance and pay charges to the service provider over time. Despite widespread outcry over this interpretation, efforts to overturn this interpretation had proven unsuccessful until recent weeks.

The Act intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as ‘creditors’’ for the purposes of the Red Flags Rules just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

As amended by the Act, the Red Flag Rule’s definition of “creditor” generally will continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipients obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft. However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” now is expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.

The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time. The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions lead the FTC to delay implementation several times. See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required.

Congressional action to overturn the interpretation took wings beginning in November. After the Senate passed S. 3987, on November 30, 2010, the House of Representatives acted quickly to send the Act to the President for signature by approving H.R. 6420 on December 7.

The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health-industry specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA). See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.

While the Act exempts these limited transactions from the Red Flag Rules, businesses should avoid underestimating the scope of relief provided. Even with the new exemption, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes, and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns. Unless they take action to reform contracts and policies, health industry and other services covered by the new exemption generally may face contractual obligations to continue to comply with many of the Red Flag Rule mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements. Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider revising contracts and policies to remove or adjust provisions incorporated solely in anticipation of Red Flag Rules mandates. Health care providers and other businesses that fail to take these and other appropriate steps to clean up their contracts and procedures risks unnecessarily obligating themselves to continue to comply with rules despite their exemption from these legal mandates.

For More Information or Assistance

If you need assistance evaluating or responding the health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising physicians, hospitals and other health industry clients about quality assurance, peer review, licensing and discipline, and other medical staff performance matters. She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients, as well as other businesses, on privacy, data security, trade secret and related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care staffing and human resources, compensation and benefits, technology, medical staff, public policy, reimbursement, privacy, technology, and other health and managed care industry regulatory, and other operations and risk management concerns for medical societies and staffs, hospitals, the HCCA, American Bar Association, American Health Lawyers Association and many other health industry groups and symposia. Her highly popular and information packed programs include many highly regarded publications on HIPAA, FACTA, medical confidentiality, state identity theft and privacy and other many other related matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

For More Information

We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile here. For important information concerning this communication click here.

Leave a Comment » | Corporate Compliance, Doctor, E-Prescribing, Electronic Health Records, FACTA, Health Care, Health Care Provider, HIPAA, HITECH Act, Hospital, Hospital, Physician | Tagged: Data Security, FACTA, Health Care, Identity Theft, Red Flag Rule | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

February 25, 2010

By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers, employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Covered Entities should anticipate the posting of the breach information and other HITECH Act breach notices coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.

Covered Entity Breach Notification Requirements

The initial list of Covered Entities reporting breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.

The HITECH Act amended HIPAA to require Covered Entities to require Covered Entities provide notification to individuals, OCR and others when certain breaches of UPHI happen. The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.

Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.

Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.

You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.

To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation; and to minimize exposures to legal actions, administrative complaints and sanctions and the investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information.

Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment. Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications are likely to fuel new HIPAA-related complaints, charges and demands. Covered Entities, workforce members who wrongfully access protected health information now face potential civil penalties, criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

New Risks Created By HITECH Act Amendments

Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:

Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.

State Attorney General Lawsuit Exposures

Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs are authorized.

A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.

State Civil Lawsuits

Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions. Individual plaintiffs increasingly used alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits. State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here.

Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:

Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
Improving technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information;
Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concern
Establishing and providing well-documented monitoring of compliance;
Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
Establishing contingency plans for responding in the event of a breach;
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements;
Preparing and maintaining a well-documented record of compliance activities; and
Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.

For Assistance With Compliance Or Other Concerns

The author of this article, Ms. Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice. You can get more information about the CTT Health Care Practice and more specifics about Ms. Stamer’s health industry experience here.

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

Leave a Comment » | ARRA, Electronic Health Records, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Medicare, Medicare Advantage, Mental Heatlh, Pharmacy, Prescription Drugs, Privacy, Wellness | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Policy, Health Care Provider, Health Insurance, Health Plans, HIPAA, Hospital, Identity Theft, Physicians, Privacy, retaliation, Retalitory Discharge | Permalink
Posted by Cynthia Marcotte Stamer

Federal HEAT & Other Federal Health Care Fraud Efforts Score More Than 15 Successes As OIG Claims $20.97 Billion Saved From Enforcement Activities In December

December 30, 2009

As the interagency Medicare Fraud Strike Force targeting Medicare Fraud scored another series of more than 15 successful criminal enforcement actions across the national during December, 2009, the Department of Health & Human Services (HHS) Office of Inspector General (OIG) credited the Medicare Fraud Strike Force and other stepped up oversight and enforcement activities as helping it achieve $20.97 Billion in Medicare and other federal health care program savings during Fiscal Year 2009 in its Semiannual Report to Congress.

The Detroit convictions were among three of more than 15 other criminal enforcement successes reported by the Department of Justice during December. These and other reports document the rising prosecution and enforcement risks that health care providers face for failing to tailor their billing and other practices to comply with federal health care fraud laws. In light of the growing enforcement and emphasis of federal prosecutors and regulations on the detection and prosecution of organizations and individuals participating in billing or other activities that violate federal health care fraud laws, health care organizations, their officers, directors, employees, consultants and other business partners should tighten practices and step up oversight to minimize the likelihood that they or their organizations will engage in activities that federal regulators view as federal health care fraud.

December 13 Detroit Criminal Convictions

The U.S. Department of Justice Criminal Division (Justice Department), Federal Bureau of Investigation (FBI) and Inspector General for the U.S. Department of Health and Human Services (HHS) jointly announced Friday (December 11, 2009) that Baskaran Thangarasan, Sandeep Aggarwal and Wayne Smith had plead guilty for their roles in connection with several Detroit-area health care fraud scheme.

On December 9, 2009, Thangarasan plead guilty to one count of conspiracy to commit health care fraud and Aggarwal plead guilty to one count of conspiracy to launder money. On December 11, 2009, Smith plead guilty to one count of conspiracy to commit health care fraud.

Thangarasan Guilty Plea To Conspiracy To Commit Health Care Fraud

On December 9, 2009, Thangarasan plead guilty to one count of conspiracy to commit health care fraud. And Aggarwal plead guilty to one count of conspiracy to launder money. He faces a maximum sentence of 10 years in prison and a $250,000 fine at sentencing.

According to information contained in plea documents, Thangarasan, a licensed physical therapist, admitted that he began working in approximately September 2003 as a contract therapist for a co-conspirator. This co-conspirator owned and controlled several companies operating in the Detroit area that purported to provide physical and occupational therapy services to Medicare beneficiaries. Thangarasan admitted that he, the co-conspirator and others created fictitious therapy files appearing to document physical therapy services provided to Medicare beneficiaries, when in fact no such services had been provided. According to court documents, the fictitious services reflected in the files were billed to Medicare through sham Medicare providers controlled by Thangarasan’s co-conspirators.

Thangarasan admitted that his role in creating the fictitious therapy files was to sign documents and progress notes indicating he had provided physical therapy services to particular Medicare beneficiaries, when in fact he had not. Thangarasan was paid approximately $50 by co-conspirators per file that he falsified in this manner. Thangarasan also admitted that in the course of the scheme charged in the indictment, he signed approximately 1,011 fictitious physical therapy files, falsely indicating he had provided physical therapy services to Medicare beneficiaries. Thangarasan admitted he knew that the files he helped falsify were used to justify fraudulent billings to Medicare.

In addition, Thangarasan admitted that between approximately September 2003 and May 2006, his co-conspirators submitted claims to the Medicare program totaling approximately $5,055,000 for files that were falsified by Thangarasan. Medicare actually paid approximately $2,325,000 on those claims. Thangarasan admitted that throughout the conspiracy, he was fully aware that Medicare was being billed for occupational therapy services he had falsely indicated he had performed.

Aggarwal Guilty Plea to Money Laundering

Aggarwal faces a maximum sentence of 20 years in prison and a $500,000 fine after admitting in the same case to assisting co-conspirator Suresh Chand in laundering the proceeds of Chand’s Medicare fraud scheme. Chand, who pleaded guilty in September 2009 to conspiracy to commit health care fraud and conspiracy to launder money, admitted to conspiring to submit approximately $18 million in fraudulent physical and occupational therapy claims to the Medicare program. Aggarwal, who admitted working at Chand’s office, acknowledged that his role in the scheme was to set up sham entities at Chand’s direction, with the purpose of using those entities to distribute the proceeds of the fraud to the various co-conspirators. According to plea documents, one such entity was called Global Health Care Management Services. Aggarwal admitted that Global Health Care Management Services, which he helped create, provided no health or management services of any type, but existed solely as a mechanism to conceal the location of fraudulently obtained Medicare proceeds. Aggarwal admitted in his plea that he and Chand laundered approximately $393,000 through this sham entity.

Smith Guilty Plea To Conspiracy To Commit Health Care Fraud

At sentencing, Smith face a maximum sentence of 10 years in prison and a $250,000 fine for his participation in a scheme to falsely bill Medicare. His indictment charged that he transported and paid Medicare beneficiaries to attend Sacred Hope Center, a Southfield, Mich.-infusion clinic. According to the indictment, the Medicare beneficiaries he paid and transported were paid to sign paperwork indicating that they had received infusions and injections of specialty medications that they did not in fact receive.

According to the indictment, Sacred Hope Center routinely billed the Medicare program for services that were medically unnecessary and/or never provided. The primary owners and operators of Sacred Hope Center have pleaded guilty and admitted purchasing only a small fraction of the medications that the clinic billed the Medicare program for providing. These co-conspirators have also stated that patients were prescribed medications at the clinic based not on medical need, but instead based on which medications were likely to generate Medicare reimbursements.

Other Criminal Enforcement Actions During December

The Detroit convictions are three of nearly 20 successful criminal enforcement activities that DOJ announced during December, 2009. During the same month, DOJ also announced:

On December 20, 2009, sentencing of an Audiologist to six months in prison for Medicare Fraud in California here
On December 17, 2009 , the guilty plea and sentencing of a Houston physician for operating an illegal pill mill here
On December 16, 2009, the sentencing in Michigan of the owner of health care agency to 18 months prison in Medicare kickback scheme here
On December 15, 2009, the sentencing of a Lexington. South Carolina doctor to perform community service in a health care fraud case here
On December 15, 2009, the guilty plea of a Plymouth, Minnesota man to defrauding Medicaid out of $74,000 here
On December 14, 2009, the sentencing of a Miami, Georgia man to more than a decade in Federal prison for million dollar Medicaid fraud here
On December 11, 2009, the charging of a durable medical equipment company and six other defendants in Pennsylvania in a Medicare Fraud And Kickback Scheme here
On December 11, 2009, the guilty plea of an Aulander, North Carolina woman to $650,000 Health Care Fraud here
On December 7, 2009, the guilty plea of a corporation various health care fraud schemes here
On December 6, 2009, the guilty plea of a Dallas, Texas durable medical equipment business owner to aggravated id theft in a Medicare Fraud scheme here
On December 3, 2009, the arrest of the owner of a Florida home health care provider and his alleged accomplice for a scheme to bribe a government contractor here
On December 3, 2009, the conviction of two defendants for Health Care Fraud in Idaho here
On December 2, 2009, the entry of an order requiring a Sioux City, Iowa hospital to pay $400,000 to resolve false claims allegations here
On December 1, 2009, the admission by a Maryland man to health care fraud on a hospital in the District of Columbia here
On December 1, 2009, the arrest of a Miami, Florida man for obstructing a Health Care Fraud Investigation here
On December 1, 2009, the $125,000 fine of a Michigan chiropractor for Falsifying Records here

HEAT Operations Continued & Expanded

The Detroit and many of these other criminal successes resulted from joint investigations by the FBI and the OIG as part of the Medicare Fraud Strike Force as part of various interagency Medicare Fraud “Strike Forces” operating in several regions of the U.S. as part of the continuing Health Care Fraud Prevention and Enforcement Action Team (HEAT) operations of the FBI, HHS and the Justice Department which DOJ credits with producing more than 250 criminal convictions since their inception, Based on initial successes of Strike Force operations in Miami (Phase One) and Los Angeles (Phase Two), the Justice Department and HHS on May 20, 2009 expanded the scope of these operations to include Detroit and Houston Strike Force teams. Recently, DOJ and HHS announced the expansion of its HEAT operations to include Strike Force teams also targeting health care fraud in Brooklyn, New York; Tampa, Florida and Baton Rouge, Louisiana.

The heightened emphasis on enforcement of federal health care fraud laws reflected in the HEAT program the enactment of recent amendments to the False Claims Act, 31 U.S.C. § 3729 (FCA) under the “Fraud Enforcement and Recovery Act of 2009”(FERA). The FERA amendments increase the likelihood both that whistleblowers will turn in health care providers and other individuals and organizations that file false claims in violation of the FCA and the liability that violators may incur for that misconduct.

The FERA amendments and the HEAT Team and Strike Force activities are part of a broader emphasis in the enforcement of federal health care fraud laws by both the Administration and Congress. President Obama’s proposed Fiscal Year 2010 budget seeks to further increase funding for fraud prevention and enforcement by investing $311 million — a 50 percent increase from 2009 funding — to strengthen program integrity activities within the Medicare and Medicaid programs. The Obama Administration anticipates that all combined, the anti-fraud efforts in the President’s budget could save $2.7 billion over five years by improving oversight and stopping fraud in the Medicare and Medicaid programs, including the Medicare Advantage and Medicare prescription drug programs. Many state agencies also are stepping up their health care fraud investigations and enforcement.

Health Care Providers Must Step Up Compliance & Risk Management

In light of this new emphasis upon health care fraud detection and enforcement, health care providers now more than ever need to prepare to demonstrate the appropriateness and defensibility of their health care billing and other compliance efforts.

Solutions Law Press author and Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. You can get more information about the CTT Health Care Practice and more specifics about Ms. Stamer’s health industry experience here on the CTT Website.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402, CTT White Collar Defense Litigation Practice Chair Edwin J. Tomko at etomko@cttlegal.com, or 214.270.1405 or another Curran Tomko Tarski LLP attorney of your choice..

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in other updates on HEAT activities such as the following:

Other recent updates that also may be of interested published on our electronic Solutions Law Press Health Care Update publication include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Leave a Comment » | Anti-KickBack, Corporate Compliance, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Hospital, Inpatient Rehabilitation Facility, Medicaid, Medicare, Money Laundering, OIG, Physician, Reimbursement, Stark | Tagged: Corporate Compliance, Doctor, false claims act, Federal Sentencing Guidelines, Fraud, Health Care, Health Care Fraud, Health Care Provider, Health Care Reimbursement, HHS, Hospital, Identity Theft, Medicare, Medicare Part B, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

HIT Committee To Meet October 14 In Washington, D.C.

September 29, 2009

The next meeting of the HIT Standards Committee of the Office of the National Coordinator for Health Information Technology (ONC) will be held on October 14, 2009, from 9 a.m. to 3 p.m./Eastern Time at the Omni Shoreham Hotel, 2500 Calvert Street, NW., Washington, DC. The hotel telephone number is 202-234-0700. Interested members of the public are invited to attend.

Created under the American Recovery and Reinvestment Act of 2009 (ARRA), the HIT Standards Committee is charged with making recommendations to the Office of National Coordinator for Health Information Technology (ONC) on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee. Even as Congress debates further reforms, the activities of the HIT Committee and other components of the ONC are key actors in the continuing efforts of the Obama Administration to promote health care efficiency by reengineering health care technology.

During a previous meeting on August 20, 2009, the HIT Committee finalized certain recommendations concerning meaningful use of electronic medical records, clinical quality, and privacy and security of protected health information, which are available for review here.

According to the ONC announcement regarding the upcoming meeting in today’s (September 29, 2009) Federal Register available here, the Committee plans during the meeting to:

Discuss reports from its Clinical Operations, Clinical Quality, and Privacy and Security Workgroups
Take testimony from invited experts in the field of security as it relates to health information technology

Interested persons may present data, information, or views, orally or in writing, on issues pending before the committee. Written submissions may be made to the contact person on or before October 6, 2009. Oral comments from the public will be scheduled between approximately 2:30 p.m. to 3 p.m. Time allotted for each presentation may be limited. If the number of speakers requesting to comment is greater than can be reasonably accommodated during the scheduled open public hearing session, ONC will take written comments after the meeting until close of business.

ONC hopes to make background material available to the public at least two (2) business days prior to the meeting. However, if ONC is unable to post the background material on its Web site before the meeting, it will make that material publicly available at the location of the advisory committee meeting, and post the background material on ONC’s web site after the meeting here.

The designated person to contact for additional information is Jonathan Ishee, Office of the National Coordinator, HHS, 200 Independence Ave, SW., Room 729-G, Washington, DC 20201, 202-205-8493, Fax: 202-690-6079, e-mail: jonathan.ishee@hhs.gov.

If you need assistance preparing or presenting comments to the HIT Standards Committee or with monitoring or responding to other health care IT, privacy and data security, regulatory, operational, public policy or other health care concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Chair and Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Solution Law Press Updates available online by clicking on the applicable article title below:

For More Information

We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here, registering to receive updates in blog form here or e-mailing this information to support@solutionslawyer.net.

Leave a Comment » | ARRA, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Outcomes Data, Physician, Technology | Tagged: ARRA, Health Care, Health Care Policy, Health Care Provider, Health Care Reform, Health Care Reimbursement, Health Insurance, Health IT, Health Plans, Health Policy, Health Technology, HHS, HIPAA, Hospital, Identity Theft, Medicare, Medicare Part B, PBMs, Privacy, Public Policy, Reimbursement, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Two Recent Criminal Prosecutions For HIPAA Privacy Rule Violations Signal Rising Criminal Enforcement Risks

September 8, 2009

Register here To Participate In September 9 or September 17 Briefings on New HIPAA Data Breach Rules

September 8, 2009

Two recent separate criminal actions against hospital workers for wrongfully accessed medical records in violation of the medical privacy provisions of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA) are the latest reminders to health care providers, health plans, health care clearinghouses, their business associates and members of their workforce that the criminal provisions of the HIPAA Privacy Rules have teeth.

Palmetto General Hospital Employee And Accomplice Indicted For Stealing Patient Records As Part Of Fraud

In Miami-Dade County, federal felony charges are pending against Jacquettia L. Brown, 29, and Tear Renee Barbary, 25, prosecution on for offenses relating to the theft of patient profile records from Palmetto General Hospital to further a fraud scheme.

A seven-count Indictment announced by the Department of Justice on May 26, 2009 charges Brown and Barbary with conspiracy to commit access device fraud in violation of Title 18, United States Code, Section 1029(b)(2), and criminal violations of HIPAA. In addition, Brown is charged with aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). If convicted, the defendants face a statutory maximum of five (5) years’ imprisonment on Count 1, and a statutory maximum of ten (10) years’ imprisonment as to each of Counts 2, 3, and 7. As to Counts 4-6, Brown faces a two (2) year mandatory prison sentence per count.

According to the Indictment, Brown, a medical records employee of Palmetto General Hospital, took records containing personal profile information of Palmetto General Hospital patients. Defendant Brown and Barbary then used the stolen personal information to further a credit card fraud conspiracy. The patient profile records that Brown stole included personal identifying information, such as patients’ names, birthdates, Social Security numbers, addresses, driver’s license numbers, and next of kin contacts. Brown used the stolen identifying information to obtain patients’ credit card account numbers. She gave patient profile records and credit card account numbers to Barbary, who used the information to make unauthorized credit card purchases. When law enforcement officials disrupted the scheme, Brown was in possession of 41 patient profile records and Barbary was in possession of six patient profile records.

Curiosity Check of Medical Records Results In Arkansas Doctor, 2 Former Hospital Employees Guilty Plea To HIPAA Violation

Three Arkansas health care workers could be sentenced to up to 1 year in prison, a fine of not more than $50,000, or both after pleading guilty in July, 2009 to misdemeanor violations of the health information privacy provisions of HIPAA for accessing a patient’s record without any legitimate purpose.

United States Magistrate Judge Henry L. Jones, Jr. accepted the guilty pleas of Dr. Jay Holland, age 56, of Little Rock, Arkansas; Sarah Elizabeth Miller, age 28, of England Arkansas; and Candida Griffin, age 34 of Little Rock, Arkansas after each admitted to accessing patient records to satisfy their own curiosity.

Dr. Holland, Medical Director of Select Specialty Hospital, located on the 6 floor of the St. Vincent Infirmary Medical Center (SVIMC), admitted that after watching news reports on television, he logged on to the SVIMC patient records from his computer at home and accessed a patient’s files to determine if the news reports were accurate. He admitted he accessed the file because he was curious even though he had had HIPAA training and understood he was violating HIPAA when he accessed the file. SVIMC suspended Dr. Holland’s privileges for two weeks and required him to complete on-line HIPAA training.

Sarah Elizabeth Miller, formerly an account representative at SVIMC, Sherwood Campus, was responsible for checking patients in and out of the clinic and for processing patient billing. In order to perform her duties, she had access to the SVIMC patient records program which includes all locations, not just that of the Sherwood clinic. Miller admitted that on October 20 and 21, 2008, she accessed a patient’s files approximately 12 times out of curiosity. She admitted that she accessed the records without any legitimate purpose. Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.

Candida Griffin was the emergency room unit coordinator at SVIMC. Her responsibilities were to order patient tests, perform data entry into electronic patient files for patients and perform other secretarial functions in the emergency room. Griffin admitted that on October 20, 2008, she was told by the charge nurse to set-up an alias for a particular patient admitted to the emergency room. On October 21, 2008, after the patient had been moved to ICU, Griffin admitted that she became curious about the patient’s status and accessed the medical chart to find out if the patient was still living. Although Griffin did not inform anyone about accessing the chart, hospital records show that the patient’s records were accessed three times that day by Ms. Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.

Pursuant to plea agreements with the United States, Holland, Miller and Griffin pleaded guilty to a misdemeanor a violation of the health information privacy provisions of HIPAA based on their accessing a patient’s record without any legitimate purpose. Each faces a maximum penalty of 1 year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but is expected within the next few weeks.

Criminal Referral and Enforcement Continues

Together with the HIPAA-related criminal convictions of in 2008 of David Gibson, Ferando Ferrer, Jr. and Andrea Smith discussed here, these new Arkansas and Florida criminal actions document the willingness of Justice Department attorneys to investigate and prosecute certain criminal violations. Because they involved the theft of health information for use in furtherance of other health care fraud schemes, many have viewed as predictable and understandable the prosecution of Gibson, Ferrer, Brown and Barbary. In contrast, the willingness of Jane W. Duke, United States Attorney for the Eastern District of Arkansas, to prosecute criminally the wrongful access by the SVIMC health care workers and Andrea Smith in the absence of other health care fraud motives challenges the perception widely held among certain segments of the health care and health plan industry that the criminal provisions of HIPAA have little teeth. Since U.S. Attorney Duke pursued both the SVIMC and Smith prosecutions, it remains to be seen whether other U.S. Attorneys will be equally willing to pursue prosecution of HIPAA violations in the absence of evidence of other federal health care crimes.

Less speculative is the growing readiness of the Department of Health & Human Services Office of Civil Rights to pursue civil remedies for HIPAA violations. On February 18, 2009, for instance, OCR and the Federal Trade Commission (“FTC”) issued a joint announcement (the “Announcement”) ordering CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, to pay the U.S. government a $2.25 million settlement and to take other corrective action to ensure that it does not violate the privacy rights patients under HIPAA when disposing of patient information such as identifying information on pill bottle labels. In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order and agreed to a settlement with the FTC to settle potential violations of the FTC Act. The investigation resulting in the settlement marks the first instance where the OCR formally coordinated on investigation and resolution of a case with the FTC.

Coming as new data breach notification requirements for HIPAA-covered entities are set to take effect on September 23, 2009, these and other stepped up oversight and enforcement activities make it critical that all health care providers, health plans, health care clearinghouses and their business associates need to update their policies and practices, tighten their compliance and data breach monitoring processes, and strengthen their internal controls, compliance in preparation for defending their actions under the newly strengthened Privacy Rules. Covered entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards. Covered entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

If you need assistance with auditing, updating or defending your organizations HIPAA and other privacy and data security practices, please contact Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.

Register Now For Upcoming September Health Industry Update Programs

If you found this information of interest, you also may be interested in one of the following upcoming health industry programs to be presented by Ms. Stamer during September:

HITECH ACT Health Data Security & Breach Update on September 9, 2009 hosted live or via teleconference by Curran Tomko Tarski LLP
How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination — What You Should Be Doing To Be Prepared for the New, Stepped Up Enforcement Actions on September 10, 2009 hosted via teleconference by Health Resources Publishing
Health Information Security & Data Breach Under HITECH Act on September 17, 2009 hosted via teleconference by the Health Care Compliance Association

To register or for other details about these and other upcoming programs and presentations by Ms. Stamer and other Curran Tomko Tarski members, see here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Curran Tomko Tarski LLP Latest in Health Care Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com.

Leave a Comment » | Corporate Compliance, Electronic Medical Records, FACTA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, OCR | Tagged: ARRA, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance, HIPAA, Hospital, Identity Theft, Physician, Physicians, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 24

August 24, 2009

Register Now To Participate in September 9 “HITECH Act Health Data Security & Breach Update”

Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 24, 2009.

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time.

HITECH Act Data Breach and Unsecured PHI Rules

Scheduled for publication in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 24, 2009.

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.

For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.

Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

September 9 “HITECH Act Health Data Security & Breach Update” Briefing

Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For information about registering for this program or other questions here.

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:

Who must comply
What your organization must do
How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
What is considered a breach of unsecured protected health information
What steps must a covered entity take if a breach of unsecured protected information happens
What liabilities do covered entities face for non-compliance
What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
Other recent developments
Practical tips for assessing, planning, moving to and defending compliance
Participant questions
More

About The Presenter

The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Vice President of the North Texas Health Care Compliance Professionals Association and Past Chair of the ABA Health Law Section Managed Care & Insurance Section, and Former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

Leave a Comment » | ARRA, Disease Management, Doctor, Electronic Health Records, Electronic Medical Records, Employer, FACTA, FDA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Indian Health, Inpatient Rehabilitation Facility, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Mental Heatlh, OCR, Outcomes Data, Peer Review, Physician, Prescription Drugs, Privacy, Reimbursement, Tax | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Health Care, Health Care Provider, Health Care Reimbursement, HHS, HIPAA, Hospital, Identity Theft, Long Term Care Hospital, Medicare, Medicare Part B, Physician, Physicians, Privacy, public health, Public Policy, Red Flag Rules, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

HHS Issues Interim Final Requiring Health Care Provider, Health Plans & Other Covered Entities To Give Breach Notifications When Certain Personal Health Information Breached Beginning In September; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

August 20, 2009

The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA). Covered entities must begin complying with the new rules no later than September 24, 2009.

Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For more information, e-mail here.

HITECH Act Data Breach and Unsecured PHI Rules

The new data breach notification rules are part of a series of recent HIPAA enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate covered entities and business associates to provide certain notifications following a breach of “unsecured” “protected health information” within the meaning of HIPAA, as amended. “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.

The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach and the form, manner, and timing of that notification. For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure. To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the previously issued existing HHS guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals published earlier this year by HHS to for purposes of determining when protected health information will be considered “unsecured” for purposes of the HITECH Act data breach rules. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.

The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published on the Federal Register and include a 60-day public comment period. To review the interim final data breach regulations, see here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

For More Information

The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting health care providers, payors and their business associates about HIPAA and other privacy and data security matters, as well as a diverse range of health care policy, regulatory, compliance, risk management and operational concerns.

Past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale Hubble AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010. Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a various other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.

We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on Linkedin, registering to receive these updates here.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

Leave a Comment » | ARRA Funding, Corporate Compliance, Doctor, Electronic Health Records, Electronic Medical Records, FACTA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Physician, Privacy | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Policy, Health Care Provider, Health Insurance, Health Plans, Hospital, Identity Theft, Physician, Physicians, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Reassignment of HIPAA Security Rule Enforcement Signals Growing Seriousness About Enforcing HIPAA

August 4, 2009

The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR). Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS). The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information. HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.

HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.

The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending. This impending guidance relates to the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use of technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February. OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009.

In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects. Among other things, it amended HIPAA to:

Broaden the applicability of the HIPAA’s Privacy Rules and penalties to include business associates;
Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
Increase criminal and civil penalties for HIPAA Privacy Rules violators;
Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
Modify certain HIPAA use and disclosure and accounting requirements and risks;
Prohibits sales of PHI without prior consent;
Tighten certain other HIPAA restrictions on uses or disclosures;
Tighten certain HIPAA accounting for disclosure requirements;
Clarify the definition of health care operations to excludes certain promotional communications; and
Expand the Business Associates Agreement Requirements.

These and other developments make it imperative HIPAA covered entities and their business associates take prompt action to immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

For more information about today’s announcement, see here. See here for the initial guidance and request for comments issued by HHS regarding these new security standards.

For More Information

We hope that this information is useful to you. If you need assistance with health care privacy and data security, technology, or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health care privacy and data security and related matters.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com.

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Physician, Privacy, Technology | Tagged: Data Security, Health Care, Health Care Provider, Health Insurance, Health Plans, HIPAA, Hospital, Identity Theft, Nonprofits, Personal Health Information, PHI, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

FTC Issues FAQ Guidance On Red Flag Rules Applicable To Health Care Providers & Others

June 12, 2009

The Federal Trade Commission (FTC) and five other federal agencies yesterday (June 11, 2009) jointly issued a set of frequently asked questions (FAQs) about federal regulations on the “Red Flags and Address Discrepancy Rules” (Red Flag Rules) implementing sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) now scheduled to take effect on August 1, 2009.

Health care providers and a broad range of other entities are among the organizations generally required to comply with the broadly reaching Red Flag Rules, which require “financial institutions” and “creditors” to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.

The sweeping reach of the definition of “creditor: and “financial institutions” in the Red Flag Rules and other confusion about the Red Flag Rules have prompted the agencies to delay the deadline for compliance several times. The most recent delay, which extended the compliance deadline from May 1 to August 1, 2009, was announced by the FTC on April 30, 2009. The FTC promised to issue additional guidance to help promote better understanding of the rules when it announced this latest delay in the compliance deadline on April 30, 2009.

Fulfilling this promise, the FAQs discuss numerous aspects of the Red Flag Rules, including:

Types of entities and accounts covered;
Establishment and administration of an Identity Theft Prevention Program;
Address validation requirements applicable to card issuers; and
Obligations of users of consumer reports upon receiving a notice of address discrepancy.

FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers. The FTC has made clear it perceives most health care providers as falling within the scope of these rules.

FACTA is only one of a growing list of the evolving privacy and data security mandates applicable to businesses under federal and state laws that organizations must address under applicable federal laws. In addition to FACTA, most businesses also face other specific data security and data breach requirements under a tapestry of other federal and state laws which are constantly evolving. In addition to these FACTA and other generally applicable data security and breach rules, many organizations face evolving industry specific mandates. For example, health care providers, health plans, health care and their business associates also are required to update their privacy and data security practices to comply with recent amendments to the Health Insurance Portability & Accountability Act Privacy & Security Standards signed into law February 17, 2009.

Many of these federal laws provide for both civil penalties as well as criminal penalties that bring violations of these regulations under the Federal Sentencing Guidelines. As a consequence, most organizations need to implement and administer compliance programs to manage these Federal Sentencing Guideline risks. Even where criminal sanctions are not triggered, noncompliance with these and other data security mandates can trigger substantial judgment awards, administrative penalties or both.

If you need assistance with auditing, updating, administering or defending your privacy, data security or other privacy and data security practices or addressing other health care compliance, risk management, transactions or operations concerns, please contact Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com.

For More Information

We hope that this information is useful to you. You can find more information about the Red Flag Rules and other privacy and identity theft matters at here. You also can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to CStamer@CTTLegal.com.

Leave a Comment » | Corporate Compliance, Doctor, FACTA, Federal Sentencing Guidelines, Health Care, Health IT, HIPAA, Privacy | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance, Health Plans, Health Policy, HIPAA, Hospital, Identity Theft, Physician, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

Newly Enacted FERA Amendments To False Claims Act Signal New Risks For Health Industry Organizations & Others

May 26, 2009

Health care providers and other parties covered by the False Claims Act, 31 U.S.C. § 3729 (FCA), now face expanded whistleblower and other liability under amendments to the FCA enacted under the “Fraud Enforcement and Recovery Act of 2009”(FERA). The amendments increase the likelihood both that whistleblowers will turn in health care providers and other individuals and organizations that file false claims in violation of the FCA and the liability that violators may incur for that misconduct.

Signed into law by President Obama last Wednesday (May 20, 2009), FERA immediately upon enactment:

Amends the whistleblower protections afforded to employees, contractors and agents who suffer retaliation for taking lawful efforts to stop violations of the FCA and to make it easier for those individuals to pursue retaliation claims;
Expands liability under for making false or fraudulent claims to the federal government under the FCA;
Applies liability under the FCA for presenting a false or fraudulent claim for payment or approval (currently limited to such a claim presented to an officer or employee of the federal government); and
Requires persons who violate such Act to reimburse the federal government for the costs of a civil action to recover penalties or damages

Concurrent with President Obama’s signature of FERA into law, the U.S. Departments of Justice (DOJ) and Health & Human Services (HHS) jointly announced the expansion of federal health care fraud enforcement efforts. On May 20, 2009, HHS and DOJ announced their activation of a new interagency team to combat health care fraud highlights the increasing need for health care providers and health plans to review and tighten their practices for dealing with Medicare and other federal programs to survive scrutiny under federal health care fraud initiatives. Coupled with FERA and the already significant increase in federal health care fraud detection and enforcement activities in recent years and a proposed 50 percent increase in funding for these activities included in President Obama’s Fiscal Year 2010 budget, health care providers and payers must be prepared to defend their dealing with Medicare, Medicaid and other federal health care programs.

The expanded protections afforded under FERA to whistleblowers and others suffering retaliation for opposing or reporting illegal actions can be expected to serve as a key tool in these efforts. These new retaliation safeguards are designed further increase the likelihood that employees and other insiders will help government officials ferret out false claims and other fraud. Specifically with regard to retaliatory action claims Section 4(d) of FERA amends 31 U.S.C.§ 3730(h) to provide for the recovery of “all relief necessary to make that employee, contractor, or agent whole” where that individual is discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of lawful acts he does or takes on behalf of an individual in furtherance of other efforts to stop a violation of the FCA.

FERA expressly provides that relief to victims of retaliation will include “reinstatement with the same seniority status that employee, contractor, or agent would have had but for the discrimination, 2 times the amount of back pay, interest on the back pay, and compensation for any special damages sustained as a result of the discrimination, including litigation costs and reasonable attorneys’ fees.”

The FERA amendments to the FCA, the new TEAMS enforcement effort announced simultaneously with its signature into law mean that health care industry organizations and others covered by the FCA must implement appropriate fraud prevention, detection, redress and other procedures to help defend against possible FCA or other health care fraud claims and investigations.

The attorneys at Curran Tomko Tarski, LLC have extensive experience representing and advising health industry and other clients against FCA and other federal health care and fraud laws.

For More Information

We hope that this information is useful to you. If you need assistance with auditing or defending health care fraud concerns or other health care compliance, risk management, transactions or operations concerns, please contact Curran Tomko Tarski LLP Partners Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com; Michael T. Tarski at (214) 270-1420 or MTarski@CTTLegal.com; Edwin J. Tomko at (214) 270-1405 or ETomko@CTTLegal.com.

You can review other recent health care and internal controls resources and additional information about the health industry and white collar experience of the Curran Tomko Tarski LLP attorneys at http://www.CTTLegal.com. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at CTTLegal.com or e-mailing this information to CStamer@CTTLegal.com.

Leave a Comment » | Anti-KickBack, ARRA, Construction, Corporate Compliance, Doctor, Federal Sentencing Guidelines, Grants, Health Care, Health Care Fraud, Health Care Provider, Health Care Reform, Health Plan, Health Policy, Hospital, OCR, OIG, Physician, Prescription Drugs, Reimbursement, Stark | Tagged: Antitrust, ARRA, Bid Rigging, Construction, Corporate Compliance, Data Security, Doctor, Economic Aid, Employer, false claims act, Federal Sentencing Guidelines, Fraud, Health Care, Health Care Provider, Health Care Reform, Health Care Reimbursement, Health Insurance, Health Plans, Health Policy, Hospital, Identity Theft, Medicare, Medicare Part B, Nonprofits, PBMs, Physician, Physicians, Prescription Drugs, public health, Reimbursement, retaliation, Retalitory Discharge, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

FTC Extends Red Flag Rule Compliance Deadline From May 1 to August 1, 2009

May 1, 2009

Today is no longer the deadline for health care providers and other businesses regulated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to begin complying with the identity theft detection and prevention (“Red Flag Rules”) adopted by the Federal Trade Commission (“FTC”).

While health care providers have more time to comply, they can’t breathe easy. Finalizing arrangements to comply with these new mandates and other recent amendments to the health care privacy and data security requirements applicable to health care providers under recently enacted amendments to the Health Insurance Portability & Accountability Act (“HIPAA”) and FACTA and other recent regulatory and enforcement changes to these rules requires that health care providers move quickly. Learn more about these recent changes at http://solutionslaw.wordpress.com/2009/04/18/hhs-ftc-release-guidance-on-hitech-act-data-breach-rules-for-hipaa-covered-entities-entities-dealing-with-personal-health-records.

The FTC announced yesterday (April 30, 2009) its extension of the Red Flag Rule enforcement date to until August 1, 2009. Before yesterday’s announcement, health care providers and certain other FACTA-regulated businesses were required to comply with the Red Flag Rules today. The announcment means these organizations now have an additional three months to adopt the necessary policies and processes to monitor and respond to possible identity theft required under the Red Flag Rules.

According to the FTC announcement, organizations regulated by FACTA also will need to review their practices in light of additional guidance that the FTC expects to issue soon. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC plans to soon release a template to help them comply with the law. Yesterday’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

The FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials was an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm. The resources also included a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule.

You can find more information about the Red Flag Rules and other privacy and identity theft matters at CynthiaStamer.com. If you need assistance with questions or compliance with these or other privacy and data security rules or other health law matters, contact Cynthia Marcotte Stamer at (214) 270.2402, or cstamer@cttlegal.com. To receive future Solutions Law Press Health Care Updates, register to participate in this Solution Law Press Health Care Update blog, register at CynthiaStamer.com or join the SLP Health Care Risk Management & Operations Group on linkedin.com.

Leave a Comment » | Anti-KickBack, Corporate Compliance, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Provider, HIPAA, Hospital, Medicare Advantage, Physician, Privacy | Tagged: Doctor, Health Care, HIPAA, Hospital, Identity Theft, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

Medical Identity Theft/Fraud Convictions Highlight Need For Health Care Providers To Safeguard Health Information, Guard Against Fraud Schemes

President Signs Long-Sought Red Flag Rule Exemption Into Law

HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

Covered Entity Breach Notification Requirements

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Exposures Significant & Growing

New Risks Created By HITECH Act Amendments

State Attorney General Lawsuit Exposures

Stepped Up Federal Enforcement

State Civil Lawsuits

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

For Assistance With Compliance Or Other Concerns

Other Helpful Resources & Other Information

Federal HEAT & Other Federal Health Care Fraud Efforts Score More Than 15 Successes As OIG Claims $20.97 Billion Saved From Enforcement Activities In December

December 13 Detroit Criminal Convictions

Thangarasan Guilty Plea To Conspiracy To Commit Health Care Fraud

Aggarwal Guilty Plea to Money Laundering

Smith Guilty Plea To Conspiracy To Commit Health Care Fraud

Other Criminal Enforcement Actions During December

HEAT Operations Continued & Expanded

Health Care Providers Must Step Up Compliance & Risk Management

Other Helpful Resources & Other Information

HIT Committee To Meet October 14 In Washington, D.C.

Two Recent Criminal Prosecutions For HIPAA Privacy Rule Violations Signal Rising Criminal Enforcement Risks

Health Care Providers & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 24

HHS Issues Interim Final Requiring Health Care Provider, Health Plans & Other Covered Entities To Give Breach Notifications When Certain Personal Health Information Breached Beginning In September; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

Reassignment of HIPAA Security Rule Enforcement Signals Growing Seriousness About Enforcing HIPAA

FTC Issues FAQ Guidance On Red Flag Rules Applicable To Health Care Providers & Others

Newly Enacted FERA Amendments To False Claims Act Signal New Risks For Health Industry Organizations & Others

FTC Extends Red Flag Rule Compliance Deadline From May 1 to August 1, 2009

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update

Share this:

Like this:

Share this:

Like this:

Covered Entity Breach Notification Requirements

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Exposures Significant & Growing

New Risks Created By HITECH Act Amendments

State Attorney General Lawsuit Exposures

Stepped Up Federal Enforcement

State Civil Lawsuits

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

For Assistance With Compliance Or Other Concerns

Other Helpful Resources & Other Information

Share this:

Like this:

December 13 Detroit Criminal Convictions

Thangarasan Guilty Plea To Conspiracy To Commit Health Care Fraud

Aggarwal Guilty Plea to Money Laundering

Smith Guilty Plea To Conspiracy To Commit Health Care Fraud

Other Criminal Enforcement Actions During December

HEAT Operations Continued & Expanded

Health Care Providers Must Step Up Compliance & Risk Management

Other Helpful Resources & Other Information

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update