HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft

The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.

HIPAA Privacy and Security Guidance Updated


The Office of the National Coordinator for Health IT this week released an updated version of its privacy and security guidance to help healthcare providers better understand how to integrate federal health information privacy and security requirements into their practices. The guidance was last published in 2011.

The new version of the guidance provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.

Some of the areas covered in the new guidance include real-world application of how the HIPAA Privacy and Security Rules apply to a practice and the rules surrounding use and disclosure of private health information. The guidance also addresses “Meaningful Use” programs in more detail. Meaningful Use programs encourage health care organizations to adopt EHRs through a staged approach. Each stage contains core requirements that providers must meet.

Unlike the first guidance, which focused on Stage 1 privacy and security objectives, the updated version adds in core objectives for Stage 2 of the Meaningful Use program. Under Stage 2, providers must respond to patient requests regarding how their electronic health information is being handled.

The guidance also provides examples designed to assist providers in understanding whether someone is a business associate. These examples reflect changes made under the Health and Human Services Department’s Omnibus Rule, which makes contractors, subcontractors, and other business associates of healthcare entities that process health insurance claims liable for the protection of private patient information.

Additionally, the guidance outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team, documenting the process, developing an action plan, and managing and mitigating risk.

No comment yet.

Health providers lack awareness of cyberthreats


In a three-month review of cyber risk management practices in healthcare, the Health Information Trust Alliance (HITRUST) has found that the industry's approach is reactive, inefficient and labor intensive.

HITRUST says one of the key concerns revealed by the review is that organizations are not aware of the threats they face, according to an announcement.

The providers "acknowledged they had minimal understanding as to the impact of cyberthreats on their current cybersecurity products," the review says. In addition, because of that lack of awareness, health entities put a lot of emphasis on indicators of compromise (IOCs) to uncover breaches, which is a "retrospective" approach that "introduces inefficiencies," HITRUST says.

Organizations also need to improve communication about how effective their security measures are, especially with senior management, according to the review.

In reaction to the findings, HITRUST is rolling out a new component to its cyber risk strategy--HITRUST CyberVision--a "real-time situational awareness and threat assessment tool tailored to the healthcare industry." It plans to have the service available by March 9.

The push to get the healthcare industry to be more proactive when it comes to security and privacy is nothing new. Professionals in the industry remain too reactive and compliance-focused, Mark Ford, principal of Deloitte Cyber Risk Services, said in November. "There's a pretty significant gap between where they are today and where they ultimately need to be," he said.


VoIP Phones and HIPAA Compliance


So, what about your VoIP phone system? Many organizations have migrated to VoIP service. VoIP (or “Voice over Internet Protocol”) is a method for taking analog audio signals and turning them into digital data that can be transmitted over the Internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?

By definition, electronic PHI is data which is transmitted or maintained on electronic media. Electronic media is defined as either:

  1. Electronic storage material, which includes, for example, computer hard drives, or
  2. Transmission media, which includes, for example, the internet. Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.

Note the quoted wording, which represents the changes made to the rule in 2013. For VoIP systems that do not include voicemail (this eliminates just about all VoIP systems) there might be room for debate about whether the information in the system meets the definition of ePHI. However, voicemails are clearly stored on computer hard drives or other electronic storage material.

What features does HIPAA look for with VoIP software that processes ePHI? The implementation specifications in the HIPAA rule that apply to software include:

  1. Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone. A certificate installed on the phone is used for authentication using PKI.
  2. Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
  3. Audit logs. The system should record call metadata, as well as any details regarding any administrative activities performed by an authenticated user.
  4. Encryption. TLS and/or VPNs can be employed between IP phones and the Communications Manager software. For data at rest, for example voicemails, other encryption technologies can be used.
  5. Business Associate Agreement (for cloud providers). When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate Agreement. The cloud provider has an additional set of compliance obligations, including their own physical, technical and administrative controls.

It is not surprising that some cloud VoIP vendors offer interpretations of HIPAA which claim that their services and VoIP phone technology fall under the so-called “conduit exception”. The “conduit exception” excludes organizations that provide mere courier services, such as the U.S. Postal Service or internet service providers. For an excellent post regarding this narrow exception.

The takeaway – include your VoIP phone system in application inventory, assess risks during your risk assessment, conduct the appropriate security evaluation and document compliance.


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.

"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."

That's not to say that texting PHI is never appropriate; it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.

If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.

Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or to encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that a potential breach, like the theft of a laptop containing e-mails with PHI, is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
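The content-triggered encryption filter described above, as an added example (not the article's or any vendor's code): it inspects an outbound message for the triggers the text names (social security numbers, card numbers, attachments, an "encrypt" or "sensitive" keyword in the subject) and reports which rules fired, so the mail gateway can route the message for encryption. The SSN and card patterns, the Luhn check and the sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed rules for the example: a 9-digit SSN with separators, and a
# 13-16 digit run (spaces or hyphens allowed) that also passes a Luhn check so
# phone numbers and invoice ids are not mistaken for payment cards.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SUBJECT_KEYWORDS = ("encrypt", "sensitive")


@dataclass
class Message:
    """Minimal outbound message as the gateway would see it (constructed)."""
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit runs that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def encryption_reasons(msg: Message) -> list[str]:
    """Names of the rules that fired, in a fixed order; an empty list means plain delivery is allowed."""
    reasons = []
    text = f"{msg.subject}\n{msg.body}"
    if SSN_RE.search(text):
        reasons.append("ssn")
    if find_card_numbers(text):
        reasons.append("card_number")
    if msg.attachments:                      # attachments are encrypted unconditionally
        reasons.append("attachment")
    if any(k in msg.subject.lower() for k in SUBJECT_KEYWORDS):
        reasons.append("subject_keyword")    # sender asked for encryption explicitly
    return reasons


def must_encrypt(msg: Message) -> bool:
    """Gateway decision: encrypt if any rule fired."""
    return bool(encryption_reasons(msg))


if __name__ == "__main__":
    sample = Message("dr@practice.example", ["pt@example.com"],
                     "Claim follow-up", "Patient SSN 123-45-6789, see attached.", ["eob.pdf"])
    print(must_encrypt(sample), encryption_reasons(sample))
```

A real deployment would add the practice's own identifiers (chart numbers, insurance IDs) to the rule set and log the fired rules for the audit trail.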

If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.

Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).

Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:

• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.

In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.

If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.

The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.

While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.

To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."

Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.

She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
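The EHR audit in the last bullet, as an added example (not the article's own code): it reads a chart-access export and flags the three snooping patterns Caswell names, a staff member opening their own chart, a chart with no treatment, payment or operations (TPO) assignment for that user, and a chart sharing the user's surname (a possible family member, reported for manual review). The log, staff directory, patient index and assignment table are all constructed; the reason code recorded by the EHR is user-supplied and is therefore cross-checked against the assignment table rather than trusted.

```python
import csv
from io import StringIO
from typing import NamedTuple

# Constructed audit export, as an EHR might produce it.
ACCESS_LOG = """\
ts,user_id,patient_id,action,reason
2015-06-01T08:02:11,u101,p5001,view_chart,treatment
2015-06-01T08:15:40,u101,p5002,view_chart,treatment
2015-06-01T09:30:05,u202,p5001,view_chart,payment
2015-06-01T12:44:52,u303,p5001,view_chart,treatment
2015-06-01T13:01:19,u101,p5003,view_chart,treatment
2015-06-01T18:20:00,u202,p5004,view_chart,treatment
"""

# Constructed staff directory: surname and, where the employee is also a
# patient of the practice, the id of their own chart.
STAFF = {
    "u101": {"surname": "Nguyen", "own_patient_id": "p5003"},
    "u202": {"surname": "Reyes", "own_patient_id": None},
    "u303": {"surname": "Patel", "own_patient_id": None},
}

# Constructed patient index: patient id -> surname.
PATIENTS = {"p5001": "Okafor", "p5002": "Nguyen", "p5003": "Nguyen", "p5004": "Reyes"}

# Constructed TPO assignments from the practice-management system:
# (user_id, patient_id) pairs with a care-team or billing relationship.
TPO_ASSIGNMENTS = {
    ("u101", "p5001"),  # treating nurse
    ("u202", "p5001"),  # billing staff working the claim
}


class Finding(NamedTuple):
    ts: str
    user_id: str
    patient_id: str
    reasons: tuple  # rule names that fired, in a fixed order


def classify_access(user_id, patient_id, staff, patients, assignments):
    """Rules that fire for one chart access; an empty tuple means it looks legitimate."""
    user = staff.get(user_id)
    if user is None:
        return ("unknown_user",)          # a login with no directory entry needs its own review
    if user["own_patient_id"] == patient_id:
        return ("self_access",)           # own chart: flagged regardless of recorded reason
    reasons = []
    if (user_id, patient_id) not in assignments:
        reasons.append("no_tpo_relationship")
    if patients.get(patient_id) == user["surname"]:
        reasons.append("surname_match")   # heuristic only; confirm with HR before acting
    return tuple(reasons)


def audit_access(log_text, staff, patients, assignments):
    """Parse the audit CSV and return one Finding per chart view that trips a rule."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "view_chart":
            continue
        reasons = classify_access(row["user_id"], row["patient_id"],
                                  staff, patients, assignments)
        if reasons:
            findings.append(Finding(row["ts"], row["user_id"], row["patient_id"], reasons))
    return findings


def findings_by_user(findings):
    """Flagged-access counts per user, most frequent first, so repeat offenders surface."""
    counts = {}
    for f in findings:
        counts[f.user_id] = counts.get(f.user_id, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG, STAFF, PATIENTS, TPO_ASSIGNMENTS):
        print(f.ts, f.user_id, "->", f.patient_id, ", ".join(f.reasons))
```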


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.

"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Why Understanding HIPAA Rules Will Help With ONC Certification


Understanding HIPAA rules will have far-reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but that understanding will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding of what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations purposes, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


Getting the balance right with privacy and e-health

Recent advances in data management and analysis, such as the introduction of Electronic Health Records (EHRs), have the potential to save lives – and on a huge scale. However, it is increasingly clear that such innovations will only be realised if we can overcome a significant hurdle: the public’s concern that private medical data could fall into the wrong hands. To do that, we must convince people to play a more active role in establishing which information they want to keep private and which they are willing to share.

EHRs and the transformation of patient outcomes

Before we look at privacy, it is worth discussing just how transformative EHRs promise to be for the prevention and treatment of illnesses.

EHRs are much more than just a digital version of the paper-based health records of the past. In fact, EHRs embody a totally new approach to healthcare in which the wider ecosystem expands the centre of gravity beyond hospital borders. In this ecosystem, care becomes more distributed, with the burden shared by an extended family of health providers – GPs; physiotherapists; pharmacists; home-carers; family members; private health clinics; gyms; etc.

The patient is at the centre of a network bound together by his or her data, which in turn is shared and managed across all members of the healthcare web through the EHR. The EHR therefore is the main source of a comprehensive view of patient information.


The advantages of this approach are compelling: primary care givers are provided with an unprecedented view of the patient, allowing them to come to more accurate decisions in shorter timeframes and improving patient outcomes.

The empowered patient

Importantly, however, the same data innovations that are driving connected healthcare are also empowering patients to play a much more direct role in managing their own health. This is due in great part to the proliferation of wireless health devices and apps as well as social media platforms.

In the IDC/EMC Whitepaper ‘Taking-On the Chronic Disease Burden in the Hyper-Connected Patient Era’ the analysts Massimiliano Claps and Nino Giguashvili discuss how through smartphones and tablets, patients can monitor their daily activities, such as exercise and diet, and share results with their healthcare network. They can also, if they choose to, share their results through social networks, using gamification to drive health benefits.

It is not just through smartphones that such data can be shared; today a wide range of wearable devices such as smart watches, wristbands and even clothing can track wearers’ physical activity, calorie intake and other vital statistics. These data sources can be used by the wearer to manage their lifestyle, helping to prevent illness. Through EHRs moreover, this data can be shared with the user’s healthcare web, enabling their healthcare providers to deliver the best possible treatments over the course of the patient’s life.

As IDC puts it: 'The vast amount, wide variety, and velocity of data that is pushed to and pulled from the hyper-connected patient ecosystem represents an unprecedented opportunity to generate insights that can enhance the appropriateness of prevention and care.'

This is, of course, only if the patient is willing to share such information.

Privacy – a stumbling block to integrated healthcare?

EMC’s recent Privacy Index revealed that when it comes to privacy in the healthcare sector people have some major worries. In fact, a full 72% of people around the world are concerned about the future of the privacy of their medical data. While this figure is less than for other sectors – such as finance or retail – it is still intolerably high.

People do not, it appears, trust healthcare organisations with their data. This is largely understandable. People have a natural anxiety about organisations collecting too much data about them – it has a whiff of ‘big brother’ about it. With a news agenda that is full of stories of privacy breaches, data loss and the misuse of data by businesses it is understandable why people may wish to keep their medical data private.

The digital world is still very new and it is evolving rapidly. The evolution of what we can do with data is moving so fast that many people have been caught unprepared. Fundamentally, allowing a select group of medical professionals to access data in order to help you is a very different proposition to businesses or governments accessing/using your data without your consent. Unfortunately at present the two things are often conflated.

As we grow used to our digital world however we will soon begin to understand that we can both ensure privacy while also enjoying the full benefits that a free flow of information promises. Technologies already exist to make digital records more secure than paper – it is now our behaviours that need to change.

Taking control of digital privacy

The change will come when people take more control of their online selves and take more steps to protect their own privacy.

People are already able to protect their privacy on social media sites through privacy settings, although far too few currently choose to do so. This needs to change.

When it comes to EHRs, privacy settings can easily be enabled. Patients need to select exactly who can access what portions of their health record. To that extent they will make decisions on how much of their privacy they are willing to trade off in order to receive better treatment. They will in short be empowered to use their own data as a discretionary tool.


This has implications beyond the health sector too. For example, if I am a fitness fanatic who exercises every day and only eats the healthiest of foods, I will be able to input this information into my EHR via my smart devices. Then, if I so choose, I could allow my life insurance company access to this data in order to help lower the premiums I pay each month. The key here is that it would be my choice to do so. I would have made a conscious and positive choice to trade a small portion of privacy for a clear benefit.

The future is in our hands

The promise of EHRs is not illusory. Already today innovative projects are improving the lives of people worldwide. Take Finland where its ePrescription service allows doctors to dispense with paper prescriptions and instead communicate electronically with pharmacies. Crucially, Finland has also implemented consent management and patients are therefore able to filter exactly what information is viewed by whom.

Implementations such as these will gather in pace and as they do so patients will better understand why the controlled sharing of private information benefits them – as long as the control rests firmly with them.

Secure EHRs really do have the power to transform healthcare, but it is important patients are aware and ready to make decisions about who has access to their data. Part of these decisions will be made on how secure the systems are that hold their data. Part will be based on what benefit they can receive from allowing access to this data. Through this process patients will be empowered to take greater ownership of their data and given the chance to improve their wellbeing through a more efficient approach to healthcare. While a new concept, we would argue that this is something patients should embrace rather than be concerned about.