SCGhealth Blog

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this information private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was stored on that hard drive would have been long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as best as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains hidden. Those measures are encryption and deletion.


With that being said, it is unfortunate that encryption and deletion are exactly the protocols most businesses execute improperly. Encryption is the scrambling of data files so that they are legible only to those with the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email that you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient: in the case that one email were intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycling bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that information is still there and is far from gone. Anyone with the time and patience can retrieve that information. Just by simply Google searching “retrieving deleted information,” you will find numerous sites containing step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later. Again, double check with your specific state, as the laws differ from state to state.

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly encrypted, and make sure to always send two emails (the encrypted file and the decryption key). Deletion is the next layer of defense, but it is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (a minimum of three times through). Companies such as Dell offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.
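As an added illustration of the “completely reformatted and rewritten (minimum of three times)” step, and not code from SCG Health: a small standard-library Python routine that overwrites a single file three times with random data, flushes each pass to disk, and only then unlinks it; the patient record it wipes is a constructed sample.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files need not fit in memory


def overwrite_and_delete(path: str, passes: int = 3) -> dict:
    """Overwrite a file in place with fresh random bytes `passes` times,
    flushing each pass to the device, then unlink it. Returns a report."""
    size = os.path.getsize(path)
    digests = []
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            h = hashlib.sha256()  # digest of what this pass wrote, for the audit trail
            remaining = size
            while remaining > 0:
                buf = os.urandom(min(CHUNK, remaining))
                f.write(buf)
                h.update(buf)
                remaining -= len(buf)
            f.flush()
            os.fsync(f.fileno())  # ask the OS to push this pass to the disk, not just its cache
            digests.append(h.hexdigest())
    os.remove(path)  # the directory entry goes only after the contents are gone
    return {"bytes": size, "passes": len(digests), "pass_digests": digests}


def demo() -> dict:
    """Create a constructed sample file containing made-up PHI, overwrite it once,
    check whether the original text is still readable through the file, then run
    the full three-pass wipe and confirm the file is gone."""
    sample = b"Patient: Jane Doe (constructed)\nMRN: 000000\nDx: sample text\n"
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(sample)

    # A single pass already replaces every byte the file exposes.
    with open(path, "r+b") as f:
        f.write(os.urandom(len(sample)))
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        still_readable = sample in f.read()

    report = overwrite_and_delete(path, passes=3)
    report["plaintext_readable_after_one_pass"] = still_readable
    report["file_exists_after"] = os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo())
```

Overwriting in place only reaches the original blocks on media where the filesystem rewrites them in place; on SSDs and on copy-on-write or journaling filesystems the old data can survive, which is why the article also lists magnetic wiping and vendor destruction services for whole disks.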

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.



DOJ files amicus brief to correct misinterpretation of Stark and Anti-Kickback Statutes

Wednesday, February 11, 2015

by Marla Durben Hirsch

Don’t be surprised if the federal government starts fighting fraud on a whole new front. The Department of Justice (DOJ) has taken the unusual step of filing an amicus curiae (friend of the court) brief in a civil lawsuit between two competing laboratory companies in order to assert that the defendant did indeed violate the Stark and Anti-Kickback statutes.

The issue involved Millennium Laboratories, Inc.’s practice of providing point of care testing (POCT) cups, which have testing strips embedded in them. Millennium gave the cups to physicians free of charge so long as the doctors agreed not to bill any insurer for the cups and to return the specimen samples in each cup to Millennium for additional, often more expensive lab testing. If the doctors didn’t return the cup for further testing, Millennium charged the doctor for the cup, so it created a financial incentive for the doctor to return the cup for testing even when such testing wasn’t medically necessary.

Ameritox LTD, a competitor of Millennium, sued in federal court, claiming that Millennium was engaged in unfair competition and false advertising in violation of federal laws, and was also violating the Stark and Anti-Kickback statutes. A judge and the jury sided with Ameritox and awarded Ameritox $14.8 million, which was reduced to $11.26 million.

Millennium appealed to the Court of Appeals for the Eleventh Circuit, arguing, among other things, that it didn’t violate the Stark and Anti-Kickback laws because its activities fell within an exception to the prohibitions in the laws, which allowed labs to provide free items to doctors in the following circumstances:

“[t]he provision of items, devices, or supplies that are used solely to (I) collect, transport, process or store specimens for the entity providing the item, device, or supply, or (II) order or communicate the result of tests or procedures for such entity.”

Millennium also argued that the court should have used the higher “beyond a reasonable doubt” standard used in criminal cases, not the “preponderance of the evidence” standard used in civil cases, because the Anti-Kickback statute is a criminal statute.

DOJ acts to ‘set the record straight’

The DOJ, in its brief filed January 21, 2015, told the court that it was entering the fray even though it was not a party in the lawsuit in order to correct “erroneous” statements that Millennium made in its appeal about the Stark and Anti-Kickback law.

The DOJ informed the court that Millennium’s actions do not fall within the above-noted exception because the test strips had nothing to do with collecting, transporting, processing or storing specimens; they were there to help the physicians make treatment decisions more quickly at no cost. If Millennium prevailed in this argument, the DOJ warned, an “enormous” loophole in the Stark law would be created, enabling labs to attach anything, even five-dollar bills, to cups and fall within the Stark exception.

The DOJ further explained that the Anti-Kickback law doesn’t even have such an exception, and that Millennium was trying to parse one out by “misinterpreting” isolated comments in Office of Inspector General Advisory Opinions and guidance.

“The “cup agreements” Millennium entered into with certain physicians create exactly the sort of intertwined financial relationships in the health care system that the Stark Law and the AKS are designed to prohibit. …The purpose and effect of this arrangement was to give doctors a significant financial incentive to obtain laboratory testing of each sample collected in a POCT cup and to obtain such testing from Millennium rather than a competitor. That is precisely the sort of inducement that the Stark Law and the AKS forbid,” the DOJ said.

The DOJ also stated that the court was correct in applying the civil “preponderance of the evidence” standard because this was a civil lawsuit, and the DOJ also uses that standard in civil False Claims Act lawsuits even when the criminal Anti-Kickback statute is implicated.

Fallout unknown

It is too early to tell if the DOJ will use this kind of “intervention” more often to fight fraud and “set the record straight.” That may hinge on how the Court here rules.

But considering that enforcing the Stark and Anti-Kickback laws is a priority to the DOJ, educating courts about the government’s position on these laws may become yet another - relatively inexpensive - tool in the DOJ’s arsenal.


Enforcement of supervision rules increasing

Tuesday, February 03, 2015

by Marla Durben Hirsch

Expect to see more scrutiny from the government regarding physician supervision, now that the Medical College of Wisconsin (MCW) has agreed to pay the federal government $840,000 to settle claims that it violated the False Claims Act. MCW was accused of knowingly billing Medicare and TRICARE for neurosurgeries performed by residents that were not adequately supervised by teaching physicians, according to the Department of Justice’s Jan. 9 press release.

The False Claims Act lawsuit was originally brought by whistleblower Dr. Ganesh Elangouan, a resident physician at MCW, who according to his complaint, “directly experienced this fraud because he, like other medical residents, actually performed the surgeries for which Defendants billed the Government as if they had been performed by qualified teaching physicians.” The government then intervened in the lawsuit.

The government typically joins to take over the management of a whistleblower lawsuit only when it believes that the lawsuit has merit.

Medicare’s billing rules state that if a resident physician helps perform a surgery, Medicare will pay for a teaching physician’s services only if he or she was present for the surgery’s critical and key parts and either remained immediately available throughout the surgery or else arranged for a back-up surgeon to be available. If these requirements are not met, then the claim submitted is false. It’s possible for a teaching physician to be involved in two surgeries at the same time, but the requirements still need to be met; for example, the key parts of each surgery cannot overlap.

According to the complaint, a group of three neurosurgeons regularly scheduled simultaneous surgeries to be performed by one individual teaching physician without arranging for a backup teaching physician, enabling them to bill for more surgeries than the rules would otherwise allow. Sometimes three surgeries were scheduled at the same time. MCW was complicit in the fraud by allowing the physicians to schedule surgeries this way and creating false and misleading documentation to justify it. The residents, including Dr. Elangouan, were required to falsely certify in their operative reports that the teaching physicians were there for the key parts of the surgeries and immediately available as required by the billing rules when they were not. Elangouan also claimed that often there was no backup available when he performed surgery.

The fraudulent activity allegedly occurred from 2006 to 2013. MCW has denied the allegations.

Case representative of wider concern about supervision

Note that this is not an isolated incident. In another recent case, Pennsylvania-based Albert Einstein Healthcare Network and Fornance Physicians Services agreed to settle claims under the False Claims Act in the amount of $348,854 for improper billing by a teaching physician who, among other things, submitted bills for services allegedly performed by him but actually performed by residents when he was not providing teaching supervision services, according to the Department of Justice’s Aug. 15, 2014 announcement. Einstein and Fornance voluntarily disclosed the improper billings when they were discovered.

Moreover, the government has other types of supervision billing on its radar, cracking down on physicians who don’t follow the supervision rules involving physician assistants (PAs) and nurse practitioners (NPs). There are three levels of supervision billing (general, direct and personal), each with different requirements. A number of physician practices have in recent months settled False Claims Act allegations for violating these supervision rules.

And in a more egregious example, Virginia dermatologist Amir Bajoghli, MD, was indicted August 12, 2014 on 60 counts of fraud, aggravated identity theft and obstruction of justice. Among other things, he allegedly directed unlicensed and unqualified medical assistants to perform wound closures, some complex, on Mohs surgery patients while he was seeing patients at other office locations, and critical decisions regarding patient care were left to the medical assistants’ judgment, according to the FBI’s press release. He was also charged with obstruction of justice for instructing his medical assistants to lie to patients and tell them that he had performed the procedures when he had not.

If convicted, Bajoghli faces a maximum penalty of ten years in prison on each health care fraud count, a mandatory two-year consecutive sentence for each of the aggravated identity theft counts, and a maximum penalty of 20 years in prison on the obstruction of justice count.

How to protect yourself

While some of these supervision cases involve deliberate fraud, others involve billing mistakes regarding the level and type of supervision needed or actually provided. To reduce the risk of running into trouble with Medicare’s supervision rules, physicians should make sure that they understand the applicable rules, bill correctly, and document appropriately.


Burden of finding excluded people lies with entities; failure may prove costly

Tuesday, January 13, 2015

by Scott Kraft

When a health care entity ends up hiring an employee who is on the HHS’s Office of Inspector General (OIG) excluded list, it can end up being a costly error. Brookdale Senior Living, the Nashville, Tenn.-based home health and assisted living company, recently learned that lesson the hard way.

The company agreed to pay an OIG fine of more than $350,000 when it was revealed that one of its management employees, Lisa Meyer, an occupational therapist by trade, had been excluded from federal health care programs after being convicted of a program-related crime. The details were recently reported in the Report on Medicare Compliance.

As high as that fine sounds, consider that Meyer was not even billing health care programs at the time she worked for Brookdale. That would typically keep her off of the OIG’s radar screen, except for the fact that she had applied to have her exclusion term ended early. She was turned down, but the background information she submitted to OIG led them back to Brookdale, which was subsequently fined for employing her while excluded.

A subsequent review of its workforce uncovered one additional employee who was excluded from health care programs, yet was employed by Brookdale.

Regardless of whether or not the person is actually seeing patients or is able to directly or indirectly influence how an entity bills or gets paid by federal health care programs, the OIG’s position has long been clear. Entities that accept payments from federal health care programs are not allowed to employ people who are actively on the OIG’s exclusion list.

Typically, one lands on the list for committing some type of crime or impropriety involving federal health care programs. The exclusion period is for a specific term and, in some cases, relief can be sought before the end of that term.

The exclusions list, as noted in the story, typically holds about 50,000 names, with 3,000-5,000 names added and removed each year.

In the grand scheme of things, 50,000 is a relatively small number of names for a company to search against when going through the hiring process, especially considering the stakes at hand.

Brookdale failed because it did not match Meyer’s name to her current address, because her address in the OIG exclusions database was not current. Not good enough, says the OIG.

What you’re expected to do is search the exclusions database any time you hire someone, and use the person’s Social Security number to validate that you have the right, excluded person. In truth, what you’re expected to do is not hire excluded people.

Given the amount of money that Brookdale, which is a big company, paid for just one non-billing employee, that ought to motivate all health care entities to do Social Security number searches for all employees.

You should always use multiple identifiers when verifying an identity against the exclusions database. The Social Security number is the best prospect as a unique identifier. It’s also a good idea to use an outside background check firm that specializes in health care to be on the safe side.

Self-disclose when possible

You’re also better off coming clean to the OIG when you discover an excluded employee has been hired by your organization. Fines and penalties are much lower for self-disclosures than when it is the OIG that makes the discovery.

The same rules apply for hospitals extending privileges to physicians. Even when the physician is not an employee of the entity, it’s still responsible to not allow the physician to order tests or generate services at the entity.

The burden of proof essentially always lands with the health care entity to do its homework and not employ or contract with excluded employees.

One unique suggestion in the story is to have employees sign an affidavit that they are not on the excluded list as a condition of employment. Don’t do it routinely and don’t use it as a substitute for your other background work, but expect it to have a chilling effect on the person accepting the job. And if it somehow doesn’t, it’s another way to signal to the OIG that you are making a complete, good-faith effort to spot excluded employees.

FFS Error rate climbs in 2014; billing errors top challenge for HHS

Monday, December 08, 2014
Medicare’s payment error rates for the Medicare fee-for-service (FFS) program have inched up for the second year in a row – and the Department of Health and Human Services (HHS) hasn’t indicated why it’s occurring.

According to HHS’s annual Fiscal Year (FY) 2014 Agency Financial Report, published November 13, the payment error rate rose from 8.5 percent in FY 2012 to 10.1 percent in FY 2013 and to 12.7 percent in FY 2014. The rates had been decreasing between 2009 and 2012. HHS says in the report that documentation and administrative errors account for 67 percent of the improperly paid claims; the remaining 33 percent are due to authentication and medical necessity errors.

HHS states that one of The Centers for Medicare & Medicaid Services’ (CMS) key goals is to pay claims properly the first time they are submitted and that efforts are underway to investigate and resolve this issue. 

The trade association that represents the recovery auditors (formerly known as recovery audit contractors), The American Coalition of Healthcare Claims Integrity, blames the increase in payment errors in large part on CMS’ pause of the recovery audit program. CMS had temporarily halted the recovery auditors’ activities in anticipation of awarding new contracts; the agency has since restarted the program on a limited basis after one contractor, CGI Federal, filed a pre-bid protest, which puts awarding new contracts on hold.   

However, it’s unclear whether the pause of the recovery audit program is the culprit behind the increase in the FFS error rate. The temporary halt in the recovery auditor program didn’t begin until February 2014, in the middle of the 2014 FY, was fully phased in as of June 2014, and then restarted in August 2014. The FFS error rate had already started to climb in FY 2013. The recovery auditors also rely on post-payment audits of claims, and while they may catch payment errors on the back end, they don’t stop them from occurring when the claims are first submitted.

HHS itself points to other factors that may be in play, such as the implementation of the home health face-to-face documentation requirements that providers have been struggling with since they went into effect in 2011. HHS also states in its report that it is taking a number of steps to reduce the number of payment errors, including softening the face-to-face narrative requirement for 2015, allowing hospital rebilling for certain services, requiring prior authorization for durable medical equipment and prosthetics/orthotics suppliers, and a prior authorization demonstration project for certain non-emergency services, such as ambulance transport.

Improper payments a top management issue

HHS’ Office of Inspector General (OIG) also flagged errors in Part A and Part B billing as a top performance and management issue for HHS for the coming year in its annual top challenges report, issued November 18. The OIG identified several billing issues that HHS and CMS should focus on, including:
  • The transition to ICD-10, which may bring implementation challenges and result in improper billing
  • Issues in moving towards value-based reimbursement, such as ensuring that the data and metrics are correct
  • Fighting waste as well as fraud and abuse
  • Oversight of contractors that process claims as well as those who recover overpayments
  • The backlog in provider appeals
  • The difference in costs of procedures in hospital outpatient departments compared to those in ambulatory surgical centers, which are generally less expensive.

Other top challenges that directly and indirectly impact physicians that OIG has flagged include HHS’ oversight of the health insurance marketplaces, diversion of prescription drugs, the secure and meaningful use of electronic health records, and reducing fraud and abuse in the expanding Medicaid program.
