This fall, the Office for Civil Rights (OCR) will again solicit public comment on a proposed rule that would modify HIPAA’s privacy regulations as necessary to implement the accounting of disclosures provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). OCR will withdraw the previous notice of proposed rule-making (76 FR 31426) that was published in 2011.
A series of recent enforcement actions confirms just how serious the government is about assessing monetary penalties against covered entities who disclose protected health information (PHI) to business associates without written business associate agreements (BAAs) in place.
On February 9, 2018, Congress passed and the President signed into law the Bipartisan Budget Act of 2018 (BBA), a comprehensive piece of legislation that provides for a two-year budget agreement and funds the federal government through March 23, 2018. The BBA’s sweeping measures address federal spending for the military, domestic programs, and disaster relief, and contain several provisions impacting federal healthcare programs. Among other things, the BBA:
Topics: Billing and Reimbursement
Healthcare providers and other HIPAA covered entities have until March 1, 2018 to report to the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) breaches involving fewer than 500 individuals that were discovered in the 2017 calendar year. Although covered entities must notify HHS of breaches involving 500 or more individuals within 60 days of the date the breach is discovered, breaches affecting fewer than 500 individuals may be documented in a breach log and reported on an annual basis. Covered entities who elect to report smaller breaches on an annual basis must make their submissions to HHS through the OCR online portal within 60 days after the end of the year in which the breaches were discovered, giving them a March 1, 2018 notification deadline.
Topics: HIPAA and Cybersecurity
An Oklahoma physician agreed on August 28, 2017 to pay the government $580,000 to resolve allegations that he violated the False Claims Act by submitting claims to the Medicare program for services he did not provide or supervise. According to the government, the physician allowed a company that employed him and in which he had an ownership interest, to use his national provider identification (NPI) numbers to bill Medicare for physical therapy evaluation and management services that he did not provide or supervise. The government further alleged that after he separated from the company and deactivated his NPIs associated with the company, he reactivated those NPIs so that the company could use them to bill Medicare for services he neither performed nor supervised.
Topics: Billing and Reimbursement
In 2010, Georgia nursing home owner and operator, George Houser, was charged in a federal indictment with conspiracy to commit healthcare fraud on the theory that he had billed Medicare and Medicaid for services that were so inadequate or deficient that they were essentially “worthless.”
Los Angeles-based acute care hospital, Pacific Alliance Medical Center (PAMC), has agreed to pay $42 million to resolve whistleblower allegations that it violated the False Claims Act (“FCA”) by submitting, or causing to be submitted, false claims to Medicare and MediCal for services rendered to patients who had been referred by physicians with whom PAMC had improper financial relationships.
On July 13, the Department of Justice (“DOJ”) announced charges against 412 individuals, including 115 doctors, nurses, and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $1.3 billion in false billings to health care programs.