HHS IG pledges focus on Medicare billing abuse involving electronic records

Inclusion in IG work plan for 2013 follows Center's 'Cracking the Codes' series

By Fred Schulte
The Center for Public Integrity
Originally published October 24, 2012


Federal officials will focus on possible Medicare overbilling by doctors and hospitals that use electronic medical records, a top government fraud investigator said  Wednesday, in announcing investigative priorities for the coming year.

“Electronic medical records can improve quality of care and efficiency and help us uncover cases of fraud and abuse. At the same time, we must guard against the use of electronic records to cover up crime,” said Daniel Levinson, the Department of Health and Human Services inspector general, in a video presentation.

The video posted on the agency’s website on Wednesday summarized the inspector general’s “work plan,” for 2013, a listing of Medicare and Medicaid fraud fighting efforts the agency plans to emphasize.

The entire article is here.

Reducing the Risk of a Breach of PHI from Mobile Devices

Latest HHS Fine Hits The Massachusetts Eye and Ear Infirmary

by Rick Kam, ID Experts
Originally published on September 26, 2012

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. In the HHS release, they explain that it wasn’t just one issue or misstep that led to the fine, but rather a series of errors and inaction.

“…such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”

The entire story is here.

Former Harvard professor Marc Hauser fabricated, manipulated data, US says

By Carolyn Y. Johnson
Boston Globe
Originally published September 5, 2012

Marc Hauser, a prolific scientist and popular psychology professor who last summer resigned from Harvard University, had fabricated data, manipulated results in multiple experiments, and described how studies were conducted in factually incorrect ways, according to the findings of a federal research oversight agency posted online Wednesday.

The report provides the greatest insight yet into the problems that triggered a three-year internal university investigation that concluded in 2010 that Hauser, a star professor and public intellectual, had committed eight instances of scientific misconduct. The document, which will be published in the Federal Register Thursday, found six cases in which Hauser engaged in research misconduct in work supported by the National Institutes of Health. One paper was retracted and two were corrected, and other problems were found in unpublished work.

Although Hauser “neither admits nor denies committing research misconduct,” he does, the report states, accept that federal authorities “found evidence of research misconduct.”

The entire story is here.

There are other stories related to Marc Hauser on this blog.

Missouri Psychologist Indicted for Health Care Fraud

by Staff Reporters
Kansas City InfoZine
Originally published May 27, 2012

Rhett E. McCarty, 67, of Lake Ozark, Mo., was charged in a two-count indictment returned under seal by a federal grand jury in Kansas City, Mo., on Wednesday, May 23, 2012. The indictment was unsealed and made public today upon McCarty’s arrest and initial court appearance in the U.S. District Court in Kansas City, Mo.

McCarty is a licensed psychologist and private practitioner who provided psychotherapy services to recipients of both Medicare and Medicaid in their homes in the Lebanon area. The federal indictment alleges that since Aug. 22, 2008, McCarty has submitted Medicare and Medicaid claims for at least 19 beneficiaries for which he was paid $1,276,334.

(cut)

According to the indictment, McCarty forged (or caused another person to forge) the signatures of beneficiaries on patient sign-in sheets in order to obtain $418,507 in Medicare and Medicaid payments.

The whole story is here.

U.S. Charges 107 With Defrauding Medicare

By Louise Radnofsky
Wall Street Journal
Originally published on May 2, 2012

Federal officials said Wednesday they had charged 107 people across the country in recent days for allegedly running a string of unrelated Medicare fraud schemes involving a total of $452 million in false claims.

Attorney General Eric Holder and Health and Human Services Secretary Kathleen Sebelius said that charges were being brought against defendants in seven cities, including doctors and nurses, for seeking to defraud the federal health program for the elderly and disabled. At least 83 of the defendants were arrested Wednesday morning, officials said.

Among those arrested were seven people in Baton Rouge, La., who were accused of recruiting elderly, mentally ill and drug-addicted patients from nursing homes and homeless shelters.

The entire story is here.

Cardiologists fined $100,000 for Internet privacy violations

By Ken Alltucker
The Republic - azcentral.com
Originally published April 17, 2012

The federal government has fined a Phoenix and Prescott cardiac surgeon medical practice $100,000 for posting patients' clinical and surgical appointment information on an Internet calendar that was available to the public.

The entire story is here.

Tennessee insurer to pay $1.5 million for breach-related violations

BlueCross BlueShield agrees to pay HHS for HIPAA violations tied to 2009 breach that exposed data on 1 million members

Computerworld

Originally published March 13, 2012

A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.

The insurer today agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to the breach.

Under the settlement, BlueCross BlueShield has also agreed to review and revise its privacy and security policies and to regularly train employees on their responsibilities under the HIPAA of 1996.

The settlement is the first resulting from enforcement action taken by the HHS under Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements.

The notification rules require all HIPAA-covered entities to notify affected individuals of any breach involving their health information. It also requires them to notify the HHS and the media in cases where the breach affects more than 500 people.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said the settlement underscores the department's intent to vigorously enforce HIPAA's security and privacy rules.

"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said in a statement.

The entire story is here.

$375M health care scheme went unnoticed for years

By Norman Merchant
Associated Press
Published on March 1, 2012

DALLAS (AP) — The Texas doctor accused of "selling his signature" to process almost $375 million in false Medicare and Medicaid claims went unnoticed for half a decade by a fraud detection system that some critics say is broken.

Authorities say Jacques Roy and six others indicted for health care fraud certified 11,000 Medicare beneficiaries through more than 500 home health providers over five years. Those numbers would have made Roy's Medicare practice the busiest in the country. But an investigation into Roy and his business practices didn't begin until about a year ago, officials said.

The federal agency that administers Medicare has two sets of contractors: one to pay claims and another evaluating those claims for fraud. U.S. Health and Human Services investigators have found that health officials often have a hard time tracking the work of contractors that are supposed to detect Medicare fraud — estimated by some to reach $60 billion annually.

Federal officials who announced the indictment against Roy and six others in Dallas acknowledged the problems with the system. They contend they have improved data analysis and are working to move away from having to "pay and chase" offenders.

Others say Medicare is still very vulnerable to fraud.

"It's a trust-based system that is ripe for the picking by criminals," said Kirk Ogrosky, a Washington, D.C., attorney at the law firm Arnold & Porter and a former top health care prosecutor at the U.S. Department of Justice.

The entire story is here.

US Health Breach Tally Hits 19 Million

385 Major Incidents Reported Since 2009

Govinfosecurity.com

By Howard Anderson, January 23, 2012

With the tardy addition of the Sutter Health breach, the U.S. tally of major healthcare information breaches now includes 385 incidents affecting more than 19 million individuals since September 2009.

The Department of Health and Human Services' Office for Civil Rights recently added the Sutter Health breach, which occurred in October, to its official tally of breaches affecting 500 or more individuals. It adds incidents once it confirms the details.

Healthcare information on 943,000 individuals was on an unencrypted desktop computer that was stolen in October from a Sutter facility in California; that total is reflected in the official federal healthcare breach tally. But in announcing the breach, Sutter Health noted that two databases with information on 4.2 million patients were on the device.

A database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units, held only limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.

Sutter Health faces two class action lawsuits in the wake of the breach.

Breach List Update

In addition to adding the Sutter Health incident, federal officials added five much smaller incidents to the official breach tally in the past month.

Of the 385 incidents affecting 500 or more individuals that are now included in the official tally after being reported to authorities as required under the HIPAA breach notification rule, roughly 55 percent have involved lost or stolen unencrypted electronic devices or media. About 22 percent have involved a business associate.

The entire story is here.

Digital Data on Patients Raises Risk of Breaches

By Nicole Perlroth
Published 12/18/11
The New York Times: Technology

One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed.

Mr. Tripathi’s nonprofit, the Massachusetts eHealth Collaborative in Waltham, Mass., works with doctors and hospitals to help digitize their patient records. His employee’s stolen laptop contained unencrypted records for some 13,687 patients — each record containing some combination of a patient’s name, Social Security number, birth date, contact information and insurance information — an identity theft gold mine.

His experience was hardly uncommon. As part of the 2009 stimulus bill, the federal government provides incentive payments to doctors and hospitals to adopt electronic health records. Some 57 percent of office-based physicians now use electronic health records, a 12 percent jump from last year, according to the Centers for Disease Control.

An unintended consequence is that as patient records have been digitized, health data breaches have surged. The number of reported breaches is up 32 percent this year from last year, according to the Ponemon Institute, a security research group. Those breaches cost the industry an estimated $6.5 billion last year. In almost half the cases, a lost or stolen phone or personal computer was responsible.

The entire story can be read here.

Database on Doctor Discipline Is Restored, With Restrictions

By Duff Wilson

The New York Times

Health

A federal health agency on Wednesday restored to its Web site a database of doctor disciplinary actions two months after removing it from the Internet in response to a doctor’s complaints.

But the return of the information came with a catch. It has a new requirement that anyone who uses it must first promise not to link information in the database with publicly available information, like court files, that would identify individual doctors.

And that was exactly the way journalists for many news organizations had used the national data bank, which masked individual doctors’ names, as material for articles about weaknesses in the oversight of doctors with dozens of malpractice cases and gaps in disciplinary actions.

(cut)

But journalists and other researchers have linked specific malpractice payments in court cases with the specific amounts reported in the Public Use file to fairly easily crack the code, add up cases against doctors, and report the results.

Dr. Sidney M. Wolfe, director of health research at the Washington nonprofit group Public Citizen, said it was “obnoxious” and “unacceptable” for the administration to impose the condition on journalists and researchers.

The entire story can be read here.

A prior blog entry on this issue can be found here.

HHS: More than 5.4M patients affected by data breaches in 2010

Written by the Editorial Staff of CMIO.net

In U.S. Department of Health and Human Services’ annual report to Congress, Secretary Kathleen Sebelius reported that between Jan. 1, 2010, and Dec. 31, 2010, breaches involving 500 or more individuals were less than 1 percent of the breaches reported, but accounted for more than 99 percent of the more than 5.4 million individuals who were affected.

As part of the Health IT for Economic and Clinical Health (HITECH) Act, the HHS secretary is required to annually report to Congress on the number and nature of data breaches, and actions taken to respond to the breaches.

The number is growing because between Sept. 23, 2009, and Dec. 31, 2009, breaches involving 500 or more individuals were less than 1 percent, but accounted for more than 99 percent of the more than 2.4 million individuals affected by a breach of protected health information. The largest breaches occurred as a result of a theft, an error or failure to adequately secure protected health information. The greatest number of incidents resulted from human or technological error and involved the protected health information of just one individual, HHS’ report said.

The largest breaches in 2010, much like 2009, occurred as a result of a theft, HHS reported. However, compared with 2009, the number of individuals affected by the loss of electronic media or paper records containing protected health information in 2010 was greater than the number of individuals affected by unauthorized access or human error.

The report said the 2010 incidents involved an additional category, improper disposal of paper records by a covered entity or business associate. The greatest number of reported incidents in 2010 resulted from small breaches involving human or technological error, with the most common incidents involving protected health information of only one or two individuals.

HHS said in its report that the breach notification requirements are achieving their objectives: Increasing public transparency of breaches and increasing accountability of the covered entities.

The secretary indicated that covered entities and business associates are providing breach notifications. Millions of affected individuals are receiving notifications, local media are being notified in the regions affected, and the secretary is receiving breach reports. To provide increased public transparency, information about breaches involving 500 or more individuals is available on the Office of Civil Rights (OCR) website. 

Also, the report said that more entities are taking remedial action to provide relief and mitigation to individuals and taking further action to prevent future breaches. In addition, OCR continues to exercise its oversight responsibility for reviewing and responding to and investigating breaches involving 500 or more individuals.

More than 250 breaches involving 500 or more individuals occurred in 2009 and 2010, and OCR has closed approximately 76 cases where it determined that the covered entity properly complied with the notification requirements, and corrective actions were taken. In the remaining cases, OCR continues to investigate and is working with the covered entities to ensure remedial action is taken to prevent future incidents.

For breaches involving less than 500 individuals, a covered entity must notify the secretary. HHS received approximately 5,521 reports of smaller breaches that occurred between Sept. 23, 2009, and Dec. 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches occurring between Jan. 1, 2010, and Dec. 31, 2010. These smaller breaches affected more than 50,000 individuals.

The majority of the smaller breaches involved misdirected communications. Often, a clinical or claims record was mistakenly mailed or faxed to the wrong individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong record, e-mails were sent to the wrong address and member ID cards were mailed to the wrong individuals. HHS said the covered entities reported fixing “glitches” in software that incorrectly compiled patient lists, revised policies and procedures, and trained or retrained employees who mishandled protected health information.

Obama Administration Removes Doctor Disciplinary Files From the Web

By Duff Wilson
The New York Times: Prescriptions - The Business of Health Care
Published September 15, 2011

Three journalism organizations on Thursday protested to the Obama administration a decision to pull a database of physician discipline and malpractice actions off the Web.

The National Practitioner Data Bank, created in 1986, is used by state medical boards, insurers and hospitals. The Public Use File of the data bank, with physician names and addresses deleted, has provided valuable information for many years to researchers and reporters investigating lax oversight of doctors, trends in disciplinary actions and malpractice awards.

On Sept. 1, responding to a complaint from Dr. Robert T. Tenny, a Kansas neurosurgeon, the Health Resources and Services Administration, an agency of the Department of Health and Human Services, removed the public use file from its Web site, said an agency spokesman, Martin A. Kramer. The agency also wrote a reporter a letter to warn he could be liable for $11,000 or more in civil fines for violating a confidentiality provision of the federal law. Both actions outraged journalism groups.

“Reporters across the country have used the public use file to write stories that have exposed serious lapses in the oversight of doctors that have put patients at risk,” Charles Ornstein, president of the Association of Health Care Journalists and a ProPublica reporter, said in an interview. “Their stories have led to new legislation, additional levels of transparency in various states, and kept medical boards focused on issues of patient safety.”

Two other national journalism organizations, Investigative Reporters and Editors and the Society of Professional Journalists, joined the health reporters’ group in the letter to Mary K. Wakefield, administrator of the federal office.

“If anything, the agency erred on the side of physician privacy,” they wrote.

The entire story can be read here.

DOD, Services Work to Prevent Suicides

By Karen Parrish
American Forces Press Service

WASHINGTON, Sept. 9, 2011 – Officials know the facts about suicide in the military services, but the causes and best means of prevention are more elusive, a senior Defense Department official said today.

In testimony before the House Armed Services committee, Dr. Jonathan Woodson, the assistant secretary of defense for health affairs and director of the TRICARE Management Activity, said DOD has invested “tremendous resources” to better understand how to identify those at risk of suicide, treat at-risk people, and prevent suicide.

“We continue to seek the best minds from both within our ranks, from academia, other federal health partners, and the private sector to further our understanding of this complex set of issues,” Woodson said.

The overall rate of suicide among service members has risen steadily for a decade, he said, and DOD and the services are taking a multidisciplinary approach in their efforts to save lives.

The Defense and Veterans Affairs Departments are developing shared clinical practice guidelines that health care providers in both agencies will use to assess suicide risk and help prevent suicide attempts, Woodson said.

DOD also is working with the Department of Health and Human Services and the Substance Abuse and Mental Health Services Administration to offer critical mental health services to National Guard and Reserve members, who often don’t live close to military medical facilities, he added.

Woodson acknowledged much work remains.

“We have identified risk factors for suicide, and factors that appear to protect an individual from suicide,” he said. “As you well understand, the interplay of these factors is very complex. Our efforts are focused on addressing solutions in a comprehensive and holistic manner.”

Defense suicide prevention research includes Army ‘STARS,’ a study to assess risk and resilience in service members, Woodson said.

“This is the largest single epidemiologic research effort ever undertaken by the Army, and is designed to examine mental health, psychological resilience, suicide risk, suicide-related behaviors and suicide deaths,” the assistant secretary said.

The study, he said, involves experts from the Uniform Services University of the Health Sciences, University of California, University of Michigan, Harvard University, and the National Institute of Mental Health.

STARS is examining past data on about 90,000 active-duty soldiers, evaluating soldiers' characteristics and experiences as they relate to subsequent psychological health issues, suicidal behavior and other relevant outcomes, he said.

DOD has added more than 200 mental health professionals from the Public Health Service to medical facilities’ staffs, and is expanding access to services in civilian communities, Woodson said.

“Within the department, we have amended medical doctrine and embedded our mental health professionals far forward … to provide care in theaters of operation,” he added.

The department also has worked to collect, analyze and share data more effectively “so that the entire care team understands the diagnosis and treatment plan,” he said.

“As important as any step, we have also made great attempts to remove stigma from seeking mental health services, a stigma that is common throughout society, and not just in the military,” Woodson continued. “This is a long-term effort, but both senior officers and enlisted leaders are speaking out with a common message.”

Defense leaders are encouraged that service members increasingly now seek professional help when it is recommended, he said.

The entire article can be found here.

Conflict disclosure plan dropped

The NIH will not require universities to create websites detailing researchers' financial ties.

Meredith Wadman

Francis Collins hailed it as a "new era of clarity and transparency in the management of financial conflicts of interest" (S. J. Rockey and F. S. Collins J. Am. Med. Assoc. 303, 2400–2402; 2010). But the director of the US National Institutes of Health (NIH) may have spoken too soon when he described a new rule, proposed last year, that would require universities and medical schools to publicly disclose online any financial arrangements that they believe could unduly influence the work of their NIH-funded researchers.

Nature has learned that a cornerstone of that transparency drive — a series of publicly accessible websites detailing such financial conflicts — has now been dropped. "They have pulled the rug out from under this," says Sidney Wolfe, director of the Health Research Group at Public Citizen, a consumer-protection organization based in Washington DC. "It greatly diminishes the amount of vigilance that the public can exercise over financially conflicted research being funded by the NIH." It will also make it more difficult for "scholars to study the effects of conflicts of interest in universities", adds Sheldon Krimsky, who studies science ethics at Tufts University School of Medicine in Boston, Massachusetts.

The NIH's parent agency, the Department of Health and Human Services (DHHS), proposed the new rule in May 2010, after congressional and media investigations revealed that prominent NIH grant recipients had failed to tell their universities or medical schools about lucrative payments from companies that may have influenced their government-funded research. The DHHS called the proposed websites "an important and significant new requirement to … underscore our commitment to fostering transparency, accountability, and public trust". Under the proposal, institutions with NIH-funded researchers would determine, grant by grant, if any financial conflicts existed for senior scientists on the grant. For example, these would include receiving consultancy fees, or holding shares in a company, "that could directly and significantly affect the design, conduct, or reporting" of the research. The institutions would post the details online, where they would stay for at least five years.

But a government official with knowledge of the ongoing negotiations on the rule says that the institutions will now be allowed to choose how to disclose this information, and will not be obliged to post it online. This is likely to make it much harder for members of the public to find these details, says Ned Feder, a senior staff scientist with the Project on Government Oversight. The watchdog group, based in Washington DC, wrote last month to the White House Office of Management and Budget (OMB) urging that the website requirement be protected. The OMB must sign off on the finalized form of the rule before it is published.

The entire story can be found here.
You may have to sign up for a free account in order to access this information.