
May 20, 2019

Posted by: Robert Trusiak

DOJ Cooperation Credit Guidance: What is the Benefit of Cooperation?

The U.S. Department of Justice (DOJ) issued policy guidance on May 6, 2019, about providing credit in False Claims Act (FCA) settlements to corporations for “disclosure, cooperation, and remediation.” See https://www.justice.gov/jm/jm-4-4000-commercial-litigation#4-4.112. While the guidance explains how the DOJ can award cooperation credit to corporate defendants who cooperate with the Department during an FCA investigation, a careful reading of the material in Justice Manual Section 4-4.112 does not reveal when and to what extent such credit is awarded. DOJ states the cooperation credit will be reflected in the form of reduced “penalties or damages multiple sought.” The lone bright line follows: the application of credit cannot result in payment of less than the sum of federal damages, interest on that loss amount, investigative costs, and the relator’s share, if applicable. Beyond that, DOJ does not specify any concrete guidelines for the quantitative reduction in “damages multiple sought” and thus retains discretion, on a case-by-case basis, about the financial value of any credit. Stated otherwise, same as it ever was.

The Justice Manual describes three areas that give FCA litigators some leeway in potential or actual False Claims Act situations. The first is Voluntary Disclosure; the second is Other Forms of Cooperation; and the final is Remedial Actions. Let's unpack these areas to determine their real or apparent significance.

Voluntary disclosure is the proactive and timely notification to the Department about potential or actual misconduct. This approach is beneficial to the government as it enables the government to make itself whole in cases of previously unknown false claims or fraud. As a company or entity does its due diligence in determining the extent of misconduct, the company can self-disclose any additional misconduct and will receive credit from the government for these additional voluntary disclosures.

Other Forms of Cooperation are encountered when the government begins an investigation and a company or entity takes steps to cooperate. While the type and extent of cooperation credit are not spelled out, the following non-exhaustive list describes areas for potential cooperation credit:

  1. Identifying individuals substantially involved in or responsible for the misconduct;
  2. Disclosing relevant facts and identifying opportunities for the government to obtain evidence relevant to the government's investigation that is not in the possession of the entity or individual or not otherwise known to the government;
  3. Preserving, collecting, and disclosing relevant documents and information relating to their provenance beyond existing business practices or legal requirements;
  4. Identifying individuals who are aware of relevant information or conduct, including an entity's operations, policies, and procedures;
  5. Making available for meetings, interviews, examinations or depositions an entity's officers and employees who possess relevant information;
  6. Disclosing facts relevant to the government's investigation gathered during the entity's independent investigation (not to include information subject to attorney-client privilege or work product protection), including attribution of facts to specific sources rather than a general narrative of facts and providing timely updates on the organization's internal investigation into the government's concerns, including rolling disclosures of relevant information;
  7. Providing facts relevant to potential misconduct by third-party entities and third-party individuals;
  8. Providing information in native format, and facilitating review and evaluation of that information if it requires special or proprietary technologies so that the information can be evaluated;
  9. Admitting liability or accepting responsibility for the wrongdoing or relevant conduct; and
  10. Assisting in the determination or recovery of losses caused by the organization's misconduct.

The Justice Manual points out to government counsel that they may consider the following factors: (1) the timeliness and voluntariness of the assistance; (2) the truthfulness, completeness, and reliability of any information or testimony provided; (3) the nature and extent of the assistance; and (4) the significance and usefulness of the cooperation to the government.

Once misconduct is deemed to be an FCA violation, government attorneys can take into account whether an entity has taken any of the following remedial actions:

  1. Demonstrating a thorough analysis of the cause of the underlying conduct, and, where appropriate, remediation to address the root cause;
  2. Implementing or improving an effective compliance program designed to ensure the misconduct or similar problem does not occur again;
  3. Appropriately disciplining or replacing those identified by the entity as responsible for the misconduct either through direct participation or failure in oversight, as well as those with supervisory authority over the area where the misconduct occurred; and
  4. Any additional steps demonstrating recognition of the seriousness of the entity's misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.

Finally, the Justice Manual asserts: “The maximum credit that a defendant may earn may not exceed an amount that would result in the government receiving less than full compensation for the losses caused by the defendant's misconduct (including the government's damages, lost interest, cost of investigation, and relator share).”

In the concluding section of Section 4-4.112, government attorneys are reminded of entities' and individuals' legal rights, including the right to reject the above-listed options and forgo any potential credit consistent with the law.

Although lacking concrete quantitative benchmarks, the Guidance outlines for corporate FCA defendants the considerations for mitigation of FCA risk. If you have questions regarding potential misconduct or FCA actions, then contact Robert today!

Read the May 7, 2019 press release on the guidance for False Claims Act matters and the updates to the Justice Manual.

May 2, 2019

Posted by: Robert Trusiak


The “Principles of Federal Prosecution of Business Organizations” in the U.S. Department of Justice (DOJ) Justice Manual describe specific factors that prosecutors should consider in conducting an investigation of a corporation, determining whether to bring charges, and negotiating plea or other agreements. Additionally, the United States Sentencing Guidelines advise that consideration be given to whether the corporation had in place at the time of the misconduct an effective compliance program for purposes of calculating the appropriate organizational criminal fine. Moreover, a memorandum entitled “Selection of Monitors in Criminal Division Matters” instructs prosecutors to consider, at the time of the resolution--

  • “whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems” and
  • “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future” to determine whether a monitor is appropriate.

In April 2019 the DOJ issued an update to its guidance document related to the evaluation of corporate compliance programs. This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

The document reiterates that a corporate compliance program must be evaluated in the specific context of a criminal investigation. There are, however, three “fundamental questions” a prosecutor should ask:

  1. “Is the corporation’s compliance program well designed?”
  2. “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
  3. “Does the corporation’s compliance program work in practice?”

The DOJ Guidance may be read in full at https://www.justice.gov/criminal-fraud/page/file/937501/download.

Trusiak Law can assist you in measuring the effectiveness of your corporate compliance program. It will be done under attorney-client privilege to protect you.

April 16, 2019

Posted by: Robert Trusiak

2018 All-Time Record Year for HIPAA Enforcement

The Office for Civil Rights (OCR) recently reminded us of the importance of HIPAA privacy and the cost of neglect. In a February 7, 2019, posting, OCR concluded an all-time record year in HIPAA enforcement activity. OCR also recently issued a Report to Congress detailing the frequency of types of breaches. See Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2015, 2016, and 2017 As Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section 13402, https://www.hhs.gov/sites/default/files/breach-report-to-congress-2015-2016-2017.pdf. These OCR notifications call for organizational introspection and remedial effort in some simple, significant ways regarding your Security Risk Analysis, Business Associate Agreement compliance, and e-mail integrity post-separation for former employees.

First, Security Risk Analysis.

In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history, $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2018enforcement/index.html.

An analysis of 2018 enforcement activity highlights some key findings.

  1. The majority of organizations OCR settled with failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). That is, they did not perform a Security Risk Analysis as required by the Security Rule or they failed to complete one that was sufficient to meet the standard of the Security Rule.
  2. Another key finding was failure to obtain a written Business Associate Agreement with contractors who performed business associate functions on their behalf.

These findings serve as a reminder that a Security Risk Assessment (SRA) is neither optional nor a “one and done” exercise. An initial SRA and regular updates must be undertaken, and an active Security Risk Management Program must be in place to mitigate the risks identified in the SRA.

Second, BAA Compliance.

And don't forget that Covered Entities must know who their Business Associates are, and Business Associates must know which of their Subcontractors perform business associate functions. Once identified, make sure there is an executed Business Associate Agreement in place with each of them. The Business Associate due diligence is simple: coordinate with your accounts payable department to identify Covered Entity payments to vendors, identify the subset of vendors with access to protected health information, and then ensure the relevant vendors have the required Business Associate Agreements. Or, stick your head in the sand and hope and pray there is no breach event necessitating an OCR inquiry requesting the above information.

Third, E-mail Integrity Post Employment.

In the Report to Congress on Breaches of Unsecured Protected Health Information, OCR noted that from 2015-2016, unauthorized access/disclosures were the most common cause of reported breaches affecting 500 or more individuals. In 2017, they were the second most frequent cause. Additionally, for each of these years, unauthorized access/disclosures were the leading cause of reported breaches affecting fewer than 500 individuals. Although OCR has not yet reported 2018 numbers to Congress, a review of the OCR Breach Portal indicates that unauthorized access/disclosures remained the second most frequent cause of reported breaches, making up over a third (35%) of reported breaches affecting 500 or more individuals.

A Covered Entity must have standard policies for removing workforce members' access to protected health information upon separation from employment, to prevent unauthorized access to protected health information by former employees. This is especially important for Covered Entities with a Bring Your Own Device policy. How does your Covered Entity wipe protected health information from a personal device upon separation from employment, including acrimonious separations that occur without notice?

Trusiak Law can assist you in measuring your compliance with the HIPAA Privacy, Security and Breach Notification Rules. It will be done under attorney-client privilege to protect you.

January 24, 2019

Posted by: Robert Trusiak

Security Risk Analysis: Ensure Your Risk Analysis includes an assessment of the Health and Human Services Voluntary Cybersecurity Practices for the Health Industry

On Friday, December 28, 2018, the Department of Health and Human Services (HHS) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes. This document is a valuable resource as health care providers assess and revise their HITECH-required Security Risk Analysis for 2019.

Cybersecurity and an updated Security Risk Analysis are fluid and ongoing efforts rather than a one-and-done calendar year exercise. The HHS Cybersecurity Practices offer valuable insight into the types of threats and protections associated with the physical, technical and administrative safeguards that comprise the gravamen of a complete Security Risk Analysis. It also is a good idea to review the breadth and value of your cybersecurity insurance. Does it include payment for a forensic team? Does it include payment for post-breach marketing designed to salvage the reputational harm from a breach? Most importantly, does it adequately address the central point of cyberinsurance: losses due to a data breach? Finally, how will your organization create and preserve privileged communications in the immediate aftermath and chaos of a breach? This is a critical consideration given the probability of post-breach lawsuits and discovery. The actual breach event is a bad time to initially respond to the above questions. Hoping never to have a mass breach is not a plan. Address these issues now to be that example exalted by Napoleon: the soldier who does the average thing while chaos reigns is a genius.

The main document of the HHS publication explores the five most relevant and current threats to the health care industry.

  1. E-mail phishing attack
  2. Ransomware attack
  3. Loss or theft of equipment or data
  4. Insider, accidental or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety

It also recommends 10 Cybersecurity Practices to help mitigate these threats.

  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

The publication also includes two technical volumes geared for IT and IT security professionals. Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations, while Technical Volume 2 focuses on practices for medium and large healthcare organizations. The last volume provides resources and templates that organizations can leverage to assess their own cybersecurity posture as well as develop policies and procedures.

For more information about cybersecurity threats and practices to mitigate these threats, download a copy of Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.

January 11, 2019

Posted by: Robert Trusiak

New Year’s resolutions include more than losing a few pounds and going to the gym. It is time to implement your health care organization’s 2019 compliance plan, NOW! The Department of Justice just gave us a timely reminder in its False Claims Act (“FCA”) update on the need for a continued and robust commitment to compliance.

As you may know, the FCA imposes liability on any person who submits a claim to the federal government that he or she knows (or should know) is false. An example may be a physician who submits a bill to Medicare for medical services she knows she has not provided. The False Claims Act also imposes liability in those instances in which someone may obtain money from the federal government to which he may not be entitled, and then uses false statements or records in order to retain the money. An example of this so-called “reverse false claim” may include a hospital that obtains interim payments from Medicare throughout the year, and then knowingly files a false cost report at the end of the year in order to avoid making a refund to the Medicare program.

In addition, the FCA provides that private parties may bring an action on behalf of the United States. These private parties, known as “qui tam relators,” or simply whistleblowers, may share in a percentage of the proceeds from an FCA action or settlement. The FCA provides, with some exceptions, that a qui tam relator, when the Government has intervened in the lawsuit, may receive at least 15% but not more than 25% of the proceeds of the FCA action. When the Government does not intervene, the relator may receive an amount that the court decides is reasonable, not less than 25% and not more than 30%. Stated otherwise, these are real financial incentives to be a whistleblower. I made plenty of millionaires during my tenure as an Assistant United States Attorney on whistleblower or FCA lawsuits.

The Department of Justice recently reported that in the fiscal year ending Sept. 30, 2018, it obtained more than $2.8 billion in settlements and judgments from civil cases involving fraud and false claims against the government. Of that, $2.5 billion, or approximately 90%, involved the health care industry, including drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians. This is the ninth consecutive year that the Department's civil health care fraud settlements and judgments have exceeded $2 billion. (https://www.justice.gov/opa/pr/justice-department-recovers-over-28-billion-false-claims-act-cases-fiscal-year-2018) The Department of Justice also reported that approximately 12 new qui tam suits are filed every week.

Here are some practical things to consider in order to protect your organization from an FCA lawsuit in adopting a 2019 compliance plan:

  1. Implement or update policies and procedures
  2. Conduct compliance training and document it
  3. Create a transparent and professional business environment
  4. Have a plan in place to respond to all complaints
  5. Monitor compliance on a regular basis—AUDIT, AUDIT, AUDIT
  6. What to audit: high volume, high dollar claims; matters under review in state or federal work plans; billing areas identified as concerning by internal employees
  7. Appoint an individual (i.e., a compliance officer) who is responsible for compliance and provide them appropriate training
  8. Seek legal counsel to help investigate contentious complaints and offer advice on difficult issues, for example, compliance with the 60-day repayment rule
  9. Do not ignore internal employee compliance complaints

November 11, 2018

Posted by: Robert Trusiak

Plan to Offer Free Anti-Seizure Drugs to Hospitals Could Violate Anti-Kickback Statute

On November 16, 2018, The Department of Health and Human Services Office of Inspector General posted an advisory opinion regarding a drug company's proposal to provide free product ("drug") to hospitals for the hospitals to use exclusively to treat inpatients who have been diagnosed with a form of epilepsy ("Syndrome") that may occur through the end of the second year of life.

Under the Proposed Arrangement:

  1. The drug company would give free doses of the drug to hospitals for the hospitals to use exclusively for inpatients who are diagnosed with the Syndrome and are prescribed a course of therapy with the drug.
  2. The drug company would stock the drug at participating hospitals on a consignment basis, at no cost to the hospital or any payor.
  3. If a physician diagnoses an inpatient with the Syndrome and desires to prescribe the drug, the physician would submit a referral to the drug's reimbursement hub and then would initiate therapy using the free vial(s). A single vial is equivalent to three to five days of treatment.
  4. During this initial treatment time, the reimbursement hub would complete a benefits investigation on the patient's behalf and facilitate shipment of additional vials of the drug to the patient's caregiver for the caregiver to administer at home following discharge.
  5. If the patient's caregiver is unable to secure insurance coverage for the drug, then the patient would continue to receive the drug for free until either coverage is obtained or the therapy (including, as necessary for safe treatment termination, the two-week taper period) is complete.

Based on the facts provided, OIG determined that under the Proposed Arrangement:

  1. The Arrangement could function as a seeding arrangement. This seeding arrangement seems to be the primary concern associated with the otherwise altruistic and clinically efficacious act of prescribing the drug for free. A hospital could influence or arrange for a physician to prescribe the drug for inpatients when the hospital receives the drug for free. Once patients are discharged, if their insurance covers the drug, then insurers (including Federal health care programs) and patients would be charged for the drug. Moreover, giving the drug for free to this specific patient population in the inpatient setting facilitates the drug company's high price for the drug’s other indications.
  2. The free drug would be remuneration that the drug company would provide to hospitals, which could serve as referral sources for the drug.
  3. Hospitals could be direct referral sources for the drug if the hospitals' employed physicians prescribe it for inpatients or outpatients. In addition, hospitals often establish formularies that limit or influence the drugs that physicians may administer or dispense at the hospitals and thus are in a position to arrange for or recommend purchases of the drug.
  4. If a hospital refuses to stock a drug for a certain reason (e.g., if the drug is too expensive when dispensed for inpatients), then it may be difficult for a doctor to prescribe the drug for any hospital patient. Giving the drug for free to hospitals for inpatients diagnosed with the Syndrome could induce the hospitals to arrange for or recommend future purchases of the drug.
  5. The anti-kickback statute makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce or reward referrals of items or services reimbursable by a Federal health care program. Where remuneration is paid purposefully to induce or reward referrals of items or services payable by a Federal health care program, the anti-kickback statute is violated.
  6. The Proposed Arrangement therefore would violate the anti-kickback statute.
  7. Takeaways: (1) free plus clinically efficacious is no defense to conduct that implicates the kickback statute; and (2) free product (DME, drugs, med-surg) that plants the seed for near-term and necessary future purchases implicating federal health care programs must be carefully assessed in light of this OIG opinion.

Violation of the anti-kickback statute constitutes a felony punishable by a maximum fine of $100,000, imprisonment up to ten years, or both. Conviction will also lead to automatic exclusion from Federal health care programs, including Medicare and Medicaid.

Read the entire OIG Advisory Opinion

October 16, 2018

Posted by: Department of Health and Human Services, Office for Civil Rights

OCR and ONC Bolster the Security Risk Assessment (SRA) Tool with New Features and Improved Functionality

Patients expect not only quality health care to keep them healthy, but also trust that their most sensitive health information will be protected from threats and vulnerabilities that could lead to the compromise of one’s health information. An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches. What is an enterprise-wide risk analysis? It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information -- across all lines of business, in all facilities, and in all locations.

The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have updated the popular Security Risk Assessment (SRA) Tool to make it easier to use and apply more broadly to the risks to health information. The tool is designed for use by small- to medium-sized health care practices – those with one to 10 health care providers – covered entities, and business associates to help them identify risks and vulnerabilities to ePHI. The updated tool provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI.

ONC and OCR conducted comprehensive usability testing of the SRA tool (version 2.0) with health care practice managers. Analysis of the findings across the user base informed the development of the content and the requirements for the SRA Tool 3.0. ONC and OCR then conducted testing of the SRA tool 3.0 to compare the user experience in completing the same tasks presented in the first round of testing. You’ll find the tool to be more user friendly, with helpful new features such as:

  • Enhanced User Interface
  • Modular workflow with question branching logic
  • Custom Assessment Logic
  • Progress Tracker
  • Improved Threats & Vulnerabilities Rating
  • Detailed Reports
  • Business Associate and Asset Tracking
  • Overall improvement of the user experience

Using a Windows operating system? Download the Windows version of the tool at http://www.HealthIT.gov/security-risk-assessment. The iOS iPad version was not updated, but the previous version is available at the Apple App Store (search under “HHS SRA Tool”).

And don’t forget to explore the SRA Tool’s website, which provides a revised User Guide to help you get started.

Remember: All HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization. If you haven’t conducted a recent enterprise-wide risk analysis, now is the time to download the HHS SRA Tool to help with this foundational element upon which the security activities necessary to protect ePHI are built.

September 5, 2018

Posted by: Robert Trusiak

CMS Finalizes Changes to Empower Patient EMR Access and Reduce Administrative Burden

On August 02, 2018, the Centers for Medicare & Medicaid Services (CMS) issued final rules related to the Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System. Finalized changes will support patient-centered care by reinforcing the MyHealthEData and Patients Over Paperwork initiatives.

These final rules, alongside other updates made earlier in the week, will help empower patients to access their own health data while granting providers more time to spend with their patients through administrative simplification, according to CMS Administrator Seema Verma.

The fiscal year 2019 Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) rules mandate price transparency for patients, health data exchange between patients and providers, and the reduction of administrative burden that CMS says prevents providers from building strong patient-provider relationships. Ultimately, these moves aim to empower patients with the information necessary to make decisions about their own care.

Price transparency mandates will require hospitals to list their prices online in a “machine-readable format.” Previously, hospitals were required to make their prices publicly available, but not necessarily in a digital format. Digital price transparency will enable patients to more easily access this information, CMS explained.

The final rules also begin implementation of the MyHealthEData initiative, announced earlier this year. Specifically, the rules call for overhauls of the meaningful use programs, including:

  • Making the program more flexible and less burdensome
  • Emphasizing measures that require the exchange of health information between providers and patients
  • Incentivizing providers to make it easier for patients to obtain their medical records electronically

In addition to promoting the notion of “patients over paperwork,” CMS has introduced the Patient-Driven Payment Model (PDPM) to the Skilled Nursing Facility Prospective Payment System (SNF PPS). This model will offer reimbursements based on treatment of the whole patient instead of the volume of services rendered.

Also, as a part of the new SNF payment model, CMS says patients will have more flexibility in choosing a skilled nursing facility that fits their specific care needs.

June 20, 2018

Posted by: Robert Trusiak

New Guidance on HIPAA and Individual Authorization of Uses and Disclosures of PHI for Research

On June 18, 2018, the Office for Civil Rights issued new guidance on HIPAA and individual authorization of uses and disclosures of protected health information (PHI) for research. The guidance explains certain requirements for an authorization to use or disclose PHI for future research and clarifies aspects of the individual's right to revoke an authorization for research uses and disclosures of PHI.

Authorization General Requirements

With few exceptions, HIPAA requires individual authorization from patients prior to using patients’ PHI for research. A HIPAA-compliant authorization for use of PHI for research:

  • must be in plain language
  • must contain specific information regarding:
    - a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion,
    - the names or other specific identification of the persons authorized to disclose and receive the information,
    - a description of each purpose of the requested use or disclosure, and
    - an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.
  • must also include statements adequate to place the individual on notice of all of the following:
    1. the individual’s right to revoke the authorization in writing, any exceptions to the right to revoke the authorization and a description of how the individual may revoke the authorization;
    2. the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
    3. the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule.

Authorizations for Future Research

Authorizations for the use or disclosure of PHI for future research must include a description of each purpose of the requested use or disclosure. “Each purpose” means that such authorizations do not need to specify each specific future study if the particular studies to be conducted are not yet determined; rather, the authorization must sufficiently describe the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.

Expiration of Authorization for Future Research

Authorizations for the use or disclosure of PHI for future research must include an expiration date or event. The statement “end of the research study,” “none,” “until it is revoked by the individual” or similar language is sufficient.

Right to Revoke Authorization

Individuals should be aware that revocation of an authorization does not always mean that the individual’s information may no longer be used in the research study. A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization.

Read the entire guidance.

May 18, 2018

Posted by: Robert Trusiak


Measuring compliance program effectiveness is recommended by several authorities, including the United States Sentencing Commission (see Chapter 8 of the United States Sentencing Guidelines). The Compliance Department is not permitted to perform these audits. Audits must be performed independently, to avoid self-policing. https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Element-VI-Focused-Training-Power-Point-.pdf. However, it has been reported that only 25 percent of surveyed organizations reported using outside experts to evaluate their program, and nearly 66 percent of organizations claimed that they rely upon self-assessment tools and checklists to evidence their compliance program effectiveness.

On January 17, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) addressed ways to measure the effectiveness of compliance programs. https://oig.hhs.gov/compliance/compliance-resource-portal/files/HCCA-OIG-Resource-Guide.pdf. The critical review necessary to ensure compliance programs address the fluid nature of health care risk is the best means to promote effective compliance and mitigate the opportunity for a state or federal audit.

Trusiak Law can assist you in measuring the effectiveness of your compliance program. It will be done under attorney-client privilege to avoid unnecessary disclosure. If you are interested in learning more about the way in which Trusiak Law may assist you, please contact us.

February 11, 2018

Posted by: Robert Trusiak


On February 9, 2018, Congress enacted a permanent solution to the hard cap on outpatient therapy services under Medicare Part B, ending a cycle of short-term fixes that have been necessary since its introduction in 1997 as part of the Balanced Budget Act.

The legislation that has been enacted provides a fix for the therapy cap by permanently extending the current exceptions process. Among the provisions included in the new policy:

  • The therapy cap limits for 2018 remain at $2,010 for physical therapy (PT) and speech-language pathology (SLP) services combined and $2,010 for occupational therapy (OT) services.
  • Claims that go above $2,010 (adjusted annually) still will require the use of the KX modifier for attestation that services are medically necessary.
  • The threshold for targeted medical review will be lowered from the current $3,700 to $3,000 through 2027; however, CMS will not receive any increased funding to pursue expanded medical review, so the overall number of targeted medical reviews is not expected to increase.
  • Claims that go above $3,000 will not automatically be subject to targeted medical review. Instead, only a percentage of providers who meet certain criteria will be targeted, such as those who have had a high claims denial percentage or have aberrant billing patterns compared with their peers.

Physical, speech and occupational therapists need to be cautioned that by affixing the KX modifier, the therapist is making an attestation to the Federal government that the therapy is medically necessary and that there is documentation in the medical record to support the medical necessity.

The legislation also directs CMS to create a modifier for tracking use of Medicare services provided by physical therapy and occupational therapy assistants in 2019 in an effort to collect enough data in 2020 to come up with a Medicare fee schedule rate that’s 85% of the fees paid to physical, speech and occupational therapists by 2022.

February 6, 2018

Posted by: Robert Trusiak


On February 2, 2018, CMS issued Transmittal 3971 revising Pub. 100-04, Medicare Claims Processing Manual, Chapter 12, Section 100.1.1, B, which allows the teaching physician to verify in the medical record any student documentation of components of evaluation and management (E/M) services, rather than redocumenting the work. The policy change applies to all students who teaching physicians supervise, including advance practice professionals. The revised policy reads as follows:

E/M Service Documentation Provided By Students

Any contribution and participation of a student to the performance of a billable service (other than the review of systems and/or past family/social history which are not separately billable, but are taken as part of an E/M service) must be performed in the physical presence of a teaching physician or physical presence of a resident in a service meeting the requirements set forth in this section for teaching physician billing.

Students may document services in the medical record. However, the teaching physician must verify in the medical record all student documentation or findings, including history, physical exam and/or medical decision making. The teaching physician must personally perform (or re-perform) the physical exam and medical decision making activities of the E/M service being billed, but may verify any student documentation of them in the medical record, rather than re-documenting this work.

Teaching physicians cannot simply co-sign the medical student’s notes; that is not enough for billing. The teaching physician has a responsibility to read and edit the student’s notes and obtain clarification from the student if needed. Teaching physicians along with the teaching hospitals should consider the level of skill and competency that their medical students need in order to accomplish the essential elements of the E/M service.

The policy change is specific to E/M services and does not address documentation of procedures performed by students. A future MLN Matters article from CMS may address the expectations of medical student skill and competency as well as documentation of procedures performed by students.

February 4, 2018

Posted by: Robert Trusiak


My comments follow and generally address the legal and compliance considerations associated with the court's setting aside of a $347M jury verdict for FCA violations, found by the jury, related to the absence of nursing home care. These views were generally addressed in an interview with me appearing in the Report on Medicare Compliance, V. 27, #3, Jan. 22, 2018. See United States ex rel. Ruckh v. Salus Rehabilitation, LLC, 2018 US Dist LEXIS 5148 (MD Fla Jan. 11, 2018, No. 8:11-cv-1303-T-23TBM). The case was filed in 2011. DOJ declined intervention. The case commenced trial on Jan. 17, 2017, with a jury verdict returned on February 15, 2017.

The court granted on Jan. 11, 2018 the defendants' motion for judgment as a matter of law, overturning the jury verdict that found 446 false claims submitted to the government. A review of the opinion offers several points worthy of discussion as providers and their counsel assess risk and develop 2018 compliance strategies.

The Ruckh court determined the actual, not alleged, violations by the nursing home system were immaterial deficiencies unable to support False Claims Act liability. A review of the opinion reveals there is something for everyone (compliance officers, hospital counsel, nursing home counsel, whistleblowers and defense counsel) as Escobar continues to mature through judicial development at the district court and appellate level. The points follow:

  1. Go-it-alone cases continue the trend of creating law unfavorable to the government and favorable to the defense bar. The government declined intervention in this case. The materiality discussion by the court is unhelpful for whistleblowers and government counsel but beneficial to the defense bar, given the court’s characterization of fundamental nursing home clinical care coordination and plan of care documents as a “record-keeping deficiency”.
  2. Nursing home cases pose significant False Claims Act challenges. The federal government has a keen interest in protecting the vulnerable residents of a nursing home. The enforcement efforts through the FCA, however, have been checkered due to the system-wide approaches occasioned by use of the FCA to redress specific incidents of neglect and abuse. The compliance takeaway is obviously not that nursing homes are insulated from anything other than CMS and state audit oversight with the modest remedial tool of a deficiency citation. The compliance takeaway should be that Medicaid Fraud Control Units probably are the most significant law enforcement risk and best equipped to redress neglect and abuse through the use of granny cams and other covert techniques serving to support criminal, not civil, actions against abusive staff.
  3. Too big to fail. Although the opinion is ostensibly about materiality in light of the Supreme Court’s Escobar decision, a critical review of the opinion and prior filings demonstrates the case result is more about money than materiality. Quite simply, the defendants — the owners and operators of fifty-three specialized nursing facilities in several states — were too big to fail. The district court in March 2017 issued a stay against enforcing the $347M judgment based on a litany of defense claims concerning the draconian consequences of enforcing the judgment; namely, the judgment enforcement will "trigger the collapse of scores of skilled nursing facilities in 17 states." Additionally, a Salus facility’s failure to pay a judgment over $500,000 will trigger a default on a loan from Midcap Financial (MidCap) totaling about $168 million, in the event that a judgment creditor begins collection or if the judgment exists for over 20 days without being stayed. MidCap provides operating capital twice a week for payroll and rent, and the facilities and their receivables are pledged as collateral. If a default is triggered, MidCap will halt lending and accelerate the loan. The court noted that halting operations will result in the closure of over 80 SNFs in Florida, jeopardizing patient health.
    Money, profits, cash calls and defaults are all irrelevant to the Escobar materiality analysis; however, the court’s opinion vacating the judgment of the jury expressly noted the “slim profit margin” of nursing home providers. Too big to fail was successfully used in 2008 during the financial crisis. Ruckh demonstrates it remains a viable defense strategy today.
  4. Hobson’s Choice. The Ruckh court, like many courts, struggled with the complexity of the Medicare system. Medicare is unique, and the failure to critically understand its multifaceted complexities results in curious conclusions. For example, the court indicated that continued payment impedes materiality, apparently based on the inference that continued payment is somehow an implicit substantive government position on the allegations of wrongdoing, since “the federal and state governments regard the disputed practices with leniency or tolerance” based on continued payment.
    CMS possesses the statutory and regulatory power to suspend payments. CMS, in my government experience, chooses to exercise or withhold the exercise of that power based on a number of legal reasons, financial reasons and clinical reasons related to patient care. For example, is there immediate jeopardy to nursing home patients; is the provider without assets to satisfy a downstream judgment; or will the suspension jeopardize the wellbeing of patients? CMS could logically conclude in this type of case that allegations of wrongdoing, not involving immediate jeopardy to residents (e.g., stage 4 bed sores and poor nutrition and hydration throughout the system, patient death, chemical restraints), require it to balance factors and forbear from immediate suspension pending a resolution. The Ruckh decision would force the government to make the Hobson’s choice of suspending payments now, and create immediate jeopardy for residents, to preserve the ability to litigate an FCA case months or years away from trial. The law does not require such a Hobson’s choice. The irony follows: if CMS had suspended payments, then the same defense arguments in the stay motion on the judgment would have been used to support a claim for injunctive relief by defendants against CMS to lift the suspension for the same alleged financial calamities expressed in the stay motion.
    Allegations of wrongdoing, government decisions to decline intervention, suspension of payments and continued payments are decisions based on resource constraints, harm to patients and the unremarkable and august agency view of requiring facts, not allegations, to support action. Stated otherwise, continued payment is not easily reducible to the singular notion that payments estop the government or a relator from later pursuing FCA relief based on the immateriality of the alleged fraud.
    The compliance takeaway should not be, and never be, that continued payment by Medicare, Medicaid or Tricare constitutes some type of implicit approval of the questioned practice. Compliance officers all struggle with the incantation by staff that Medicare has always paid the claim, therefore, it must be “OK”. It was important before Escobar, and remains so today, for providers of all types to ensure their claim submissions support the claim. If the underlying documentation does not support a level 5 E&M, then Escobar provides no relief to the provider. If the underlying documentation does not support the medical necessity for the admission, procedure or drug, then Escobar provides no relief to the misrepresenting provider.
  5. Complexity is not simple. Health care cases require a fluency in the complexities of Medicare and medicine. Nursing home care, or the lack thereof, is demonstrated through documentation of care provided to patients on certain dates and consistent with care plans, to ensure the government (the taxpayer) receives the benefit of the bargain. A nursing home documents care through a CCP (comprehensive care plan). CMS has defined the CCP as the essential communication tool to be used by the interdisciplinary team to provide coordinated services. The judicial characterization of the failure to sign, date and complete this fundamental document determining and defining nursing home care as “administrative non-compliance” or a “record-keeping deficiency” is difficult to reconcile against the basic mantra known to every medical practitioner: if it is not documented, then it didn’t happen. The compliance takeaway should be that the mantra continues unabated. Complete documentation of care, prepared in accordance with state and federal rules, including signed and dated, will always be the best means to mitigate risk.
  6. The government possesses multiple non-exclusive remedies. The court also suggests the failure to exhaust administrative remedies is somehow a prerequisite to seeking FCA relief (“My guess is that under these circumstances no government answerable to the people would refuse to pay, especially in Florida and especially in the pertinent patient population, unless every administrative and other remedy was exhausted….”). The FCA obviously contains no such administrative exhaustion requirement. The government may pursue an administrative remedy to redress fraud. The government may pursue a statutory remedy to redress fraud. The government may choose to contemporaneously exercise regulatory and statutory remedies. The FCA contains no implicit or explicit provision requiring remedy by turns.
    The compliance takeaway remains simple and straightforward: Risk due to coding, deficient care, off label promotion, physician compensation and other areas remains a multifaceted exercise due to FCA risk, Stark risk, Kickback risk, state enforcement risk and administrative risk.
  7. Same as it ever was.

What does all this mean to the health care or compliance professional?

Nothing. Stay on Task.

The federal appellate courts will fashion appropriate and legitimate factors to define materiality under Escobar and weed out outlier materiality claims. DOJ and the whistleblower bar will respond to Escobar and file complaints addressing materiality sufficient to avoid dismissal and permit discovery. Remember, providers bill imperfectly every day despite their best efforts. Remember, no investigation ends where it starts—it generally expands to include other areas. The purpose of compliance efforts, in general, includes avoiding whistleblower suits and keeping at bay state and federal law enforcement detection of, and action against, those risks that occur despite your best efforts.

The FCA in general, and whistleblowers in particular, will continue to be an omnipresent and significant risk to health care providers. DOJ recently reported that 12 whistleblower cases are filed every week. See https://www.justice.gov/opa/pr/justice-department-recovers-over-37-billion-false-claims-act-cases-fiscal-year-2017. The FCA will continue to be the primary government fraud weapon to attempt to address the many and varied fact fraud and procurement fraud theories historically cognizable and successfully prosecuted by the government or relators, including Stark, physician compensation, kickback, off label, medical necessity, overutilization and upcoding. Although Escobar will rightly continue to affect certain FCA matters, for example, licensure or ministerial approvals, Ruckh by no means portends a reduction in FCA risk for providers based on the above rationale.

January 8, 2018

Posted by: Robert Trusiak


The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The finalized rule, posted to the Federal Register on Tuesday, January 3, 2018, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated 42 CFR Part 2 rules by allowing patients to provide a general disclosure for substance abuse information, rather than limiting authorization to a specific provider.

The Confidentiality of Substance Use Disorder Patient Records, 42 Code of Federal Regulations Part 2 (Part 2) protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient records that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations previously required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations found difficult to implement. The final rule will permit healthcare providers, with patients’ consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts.

Major provisions of the final rule include:

  • Additional disclosures of patient identifying information are permitted, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
  • Additional disclosures of patient identifying information are permitted to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
  • Users of electronic health records (EHRs) are permitted to use an abbreviated notice of prohibition on re-disclosure that is more easily accommodated in EHR text fields.

December 30, 2017

Posted by: Robert Trusiak


In a memorandum issued December 28, 2017, the Centers for Medicare & Medicaid Services (CMS) clarified its position related to texting. In its memo, CMS stated that it “recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.” In order to comply with existing regulations, “all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality.”

In summarizing its position, CMS stated that:

  • Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
  • Texting of patient orders is prohibited regardless of the platform utilized.
  • Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

December 22, 2017

Posted by: Robert Trusiak


First and foremost, initially look backward before looking forward and look inward before looking outward and always be mindful of the goal of any work plan.

The goal of a work plan is twofold: the obvious goal of addressing risk areas to advance fraud and abuse and HIPAA compliance, as well as providing a credible narrative to regulatory and law enforcement authorities of the provider’s demonstrated commitment to compliance, evidenced by audits and remittances, as appropriate. I regularly received an inconsistent message from providers under investigation in my former capacity as an AUSA—"we are committed to compliance.” The proof, however, was often lacking after requesting and reviewing the previous annual work plans. I often heard that other projects had delayed compliance efforts. I translated that to mean the provider was not actually committed to compliance, and the resulting FCA settlement was intended to partly elevate the importance of compliance, consistent, of course, with the facts and law.

The initial step in compiling a 2018 work plan is to critically assess your organization’s 2017 work plan, including the following areas:

  1. Look inward before looking outward. Did you completely address the 2017 deliverables? If not, then address the incomplete matters through either inclusion in the 2018 work plan or retiring the risk area for appropriate reasons to avoid the above perception.
  2. Look inward before looking outward. Complete outstanding audits.
  3. Look inward before looking outward. Ensure hotline complaints have been addressed in a reasonable manner.
  4. Look inward before looking outward. OIG and state work plans offer valuable opportunities to assess 2018 compliance risk; however, your provider’s billing conduct is probably the best resource for addressing 2018 risk. Track high volume or high dollar private payer denials and crosswalk them into Medicare, Medicaid AND Tricare in 2018 as audit areas.
  5. Look inward before looking outward. Finalize your 2017 Security Risk Analysis as required by HITECH.
  6. Make any required regulatory year end attestations.

As far as my 2018 observations, they include the following:

  1. Be dynamic and not static. If you are auditing high risk areas on an annual basis (level 5 CPT codes, incident to, modifier 25, PATH notes, short inpatient stays), then change the audit profile to advance the opportunity to identify risk. For example, audit different physicians or NPs, time periods, or clinics.
  2. Change your mindset. Try to find the problems rather than auditing to validate the incorrect perception that all is well. For example, when was the last time you tested the FMV valuation for relevant physician contracts to assure Stark and AKS compliance? “Set it and forget it” creates risk. Do you have appropriate licensure for sites? Just because you are providing services does not mean such services are authorized. For example, outpatient therapies.
  3. Brainstorm before creating the 2018 work plan. Meet, rather than holding an e-mail dialogue, with the relevant Directors or project managers—the foot soldiers—for purchasing, IT, the chargemaster, coding and other areas to secure their input on compliance areas. Who is no longer here? What compliance function did they perform? Who is doing it now? For example, securing signatures for annual contracts involving physician compensation and implicating Stark.
  4. Benchmark your organization. There are public resources to address compliance deficiencies. Review and address, as appropriate. For example, the Bureau of Compliance (BOC) in the New York State Office of the Medicaid Inspector General (OMIG) conducts assessments of Required Providers’ compliance programs. The chart below identifies the frequency (on a percentage basis) of Insufficiencies that were cited by BOC during compliance program reviews completed from January 2015 through June 30, 2017. The higher the percentage, the more frequently the Insufficiency was observed. (https://omig.ny.gov/compliance/compliance-program-assessment-results)
  5. You might want to consider touching base on the issue of harassment, since this topic has been so much in the news lately. Although this area may not rank high on the list of fraud and abuse concerns, it requires attention based on recent publicity. Under the OIG compliance guidance, all programs with high risks should be subject to ongoing monitoring and auditing. Human Resources (HR) is a program, and therefore should be included when considering regulatory and legal risks.
  6. Considering the number of disasters the US has had in 2017, you might want to consider stressing the need to develop a disaster plan and conduct routine drills of the plan, especially with a HIPAA and HITECH focus.
  7. And, as always, cybersecurity in healthcare will continue to be an issue in 2018. Do the simple before the complex. For example, secure a list of vendors from Accounts Payable, determine who has access to PHI, then cross-reference against BAAs. You will find gaps. Remediate them. Regularly assess your security risk analysis in 2018. I have regularly reviewed an SRA provided by the IT vendor used by small to medium providers outsourcing their IT. I often find the vendor addresses technical safeguards but wholly omits the required administrative and physical safeguard assessments.

April 24, 2017

Posted by: HHS Office for Civil Rights

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 20, 2017

Posted by: HHS Office for Civil Rights

No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015. Additionally, neither party could produce a signed BAA prior to Oct. 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 3, 2017

Posted by: Robert Trusiak


On March 27, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) issued a new resource titled, Measuring Compliance Effectiveness: A Resource Guide. The intent of this guide is to provide numerous ideas for measuring the various elements of a compliance program.

A large number of individual compliance program metrics are listed in the guide. The purpose of the list is to give health care organizations as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit the organization's needs. The list is not a "checklist" to be applied in its entirety. An organization may choose to use only a small number of them in any given year. The OIG states that using them all or even a large number of them is impractical and not recommended. The frequency of use of any measurement should be based on factors such as the organization's risk areas, size, resources, etc.

March 3, 2017

Posted by: Robert Trusiak

HHS OIG Provides Short Compliance Presentations for Health Care Providers

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) provides short video and audio presentations for health care providers on top health care compliance topics. These free videos and audio podcasts - averaging about four minutes each - cover major health care fraud and abuse laws, the basics of health care compliance programs, and what to do when a compliance issue arises.

The presentations can be found at https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp. The topics covered include:

  • Compliance Program Basics
  • Tips for Implementing an Effective Compliance Program
  • Guidance for Health Care Boards
  • OIG’s Self-Disclosure Protocol
  • Physician Self-Referral Law
  • False Claims Act
  • Federal Anti-kickback Statute
  • How to Report Fraud to the OIG
  • Exclusion Authorities and Effects of Exclusion

February 19, 2017

Posted by: Robert Trusiak

ONC Releases Guide to Electronic Health Record Contracting

Selecting and negotiating the acquisition of an electronic health record system (EHR) is a challenging but important undertaking for any health care provider organization. The guide issued by the Office of the National Coordinator for Health Information Technology (ONC) is intended to help the health care provider understand how to manage risks via an EHR contract in order to maximize the value of a health IT investment, whether acquiring the first EHR or upgrading or replacing existing technology. It offers strategies and recommendations for negotiating best practice EHR contract terms and illustrates how legal issues might be addressed in a contract by providing example contract language.

The guide, entitled EHR Contracts Untangled, can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf

January 22, 2017

Posted by: Robert Trusiak

Significant Points for Physicians and Hospitals from the FY 2017 OIG Work Plan

  • Hyperbaric Oxygen Therapy Services – Provider Reimbursement in Compliance with Federal Regulations
  • Incorrect Medical Assistance Days Claimed by Hospitals
  • Inpatient Psychiatric Facility Outlier Payments
  • Case Review of Inpatient Rehabilitation Hospital Patients Not Suited for Intensive Therapy

  • Intensity-Modulated Radiation Therapy

  • Outpatient Outlier Payments for Short-Stay Claims
  • Comparison of Provider-Based and Freestanding Clinics
  • Reconciliations of Outlier Payments
  • Hospitals’ Use of Outpatient and Inpatient Stays Under Medicare’s Two-Midnight Rule
  • Medicare Costs Associated with Defective Medical Devices
  • Payment Credits for Replaced Medical Devices That Were Implanted
  • Medicare Payments for Overlapping Part A Inpatient Claims and Part B Outpatient Claims
  • Selected Inpatient and Outpatient Billing Requirements
  • Duplicate Graduate Medical Education Payments
  • Indirect Medical Education Payments
  • Outpatient Dental Claims
  • Nationwide Review of Cardiac Catheterizations and Endomyocardial Biopsies
  • Payments for Patients Diagnosed with Kwashiorkor
  • Review of Hospital Wage Data Used to Calculate Medicare Payments
  • CMS Validation of Hospital-Submitted Quality Reporting Data
  • Long-Term-Care Hospitals – Adverse Events in Postacute Care for Medicare Beneficiaries
  • Hospital Preparedness and Response to Emerging Infectious Diseases

  • Medicare Payments for Transitional Care Management
  • Medicare Payments for Chronic Care Management
  • Data Brief on Financial Interests Reported Under the Open Payments Program

  • Review of Financial Interests Reported Under the Open Payments Program
  • Payments for Medicare Services, Supplies, and DMEPOS Referred or Ordered by Physicians – Compliance
  • Anesthesia Services – Noncovered Services
  • Anesthesia Services – Payments for Personally Performed Services
  • Physician Home Visits – Reasonableness of Services
  • Prolonged Services – Reasonableness of Services

  • Medicare Payments for Service Dates After Individuals’ Dates of Death
  • Management Review: CMS’s Implementation of the Quality Payment Program

  • Accountable Care Organizations: Beneficiary Assignment and Shared Savings Payments
  • Accountable Care Organizations: Savings, Quality, and Promising Practices
  • Use of Electronic Health Records to Support Care Coordination through ACOs
  • Medicare Payments for Incarcerated Beneficiaries – Mandatory Review

  • Accountable Care in Medicaid
  • Ongoing:

    • Physician-Administered Drugs for Dual Eligible Enrollees
    • Medicaid Payments for Multiuse Vials of Herceptin
    • Health-Care-Acquired Conditions – Prohibition on Federal Reimbursements

    • Medicare Incentive Payments for Adopting Electronic Health Records
    • Security of Certified Electronic Health Record Technology Under Meaningful Use

December 9, 2016

Posted by: Robert Trusiak

Preventing Ransomware Attacks

Ransomware is a type of malicious software designed to block access to computer data and systems until a sum of money is paid. No single technology prevents ransomware attacks, but preventive measures can be taken to reduce exposure.

The United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, includes the following recommendations:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies such as SPF, DKIM, and DMARC to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files before they reach end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no user should be assigned administrative access unless absolutely needed, and those who need administrator accounts should use them only when necessary.
  • Configure access controls with least privilege in mind.
  • Disable macro scripts in Office files transmitted via email.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations (for example, temporary folders used by browsers and archive utilities, and the AppData/LocalAppData folders).
  • Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  • Use application whitelisting, which allows systems to execute only programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
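Two of the items above, filtering executable attachments and blocking macro-enabled Office files sent by email, can be enforced at the mail gateway before a message reaches a mailbox. The Python below is an added example for this post, not code from the interagency guidance document; the file names, attachment bytes and the block list of extensions are constructed for illustration, and a production gateway would layer signature scanning and sandbox detonation on top of these structural checks.

```python
"""Screen an email attachment for executables and macro-carrying Office
documents, as the interagency ransomware guidance recommends.

Added illustrative example; not code from the guidance document.
Extension lists, sample file names and sample bytes are constructed.
"""
import io
import zipfile

# File types that should never be delivered to an end user (constructed policy).
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
    "jse", "wsf", "hta", "msi", "jar", "lnk",
}
# Macro-enabled Office formats: the macro is the delivery mechanism.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# Legacy binary Office (OLE2) signature: .doc/.xls can carry VBA with no telling extension.
LEGACY_OFFICE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _extensions(name: str) -> list[str]:
    """All extensions of a file name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def _ooxml_has_vba(data: bytes) -> bool:
    """True when an OOXML zip (docx/xlsx/pptx) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(name: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'.

    Name and content are both checked, so a renamed executable or a macro
    hidden inside a plain-looking .docx is still caught.
    """
    exts = _extensions(name)
    if BLOCKED_EXTENSIONS & set(exts):          # catches invoice.pdf.exe as well as x.exe
        return "block", "executable file type by extension"
    if data.startswith(b"MZ"):                   # Windows PE header, whatever the name says
        return "block", "Windows executable header (MZ) regardless of extension"
    if data.startswith(b"\x7fELF"):
        return "block", "ELF executable regardless of extension"
    if exts and exts[-1] in MACRO_EXTENSIONS:
        return "block", "macro-enabled Office format"
    if data.startswith(b"PK") and _ooxml_has_vba(data):
        return "block", "VBA project found inside Office document"
    if data.startswith(LEGACY_OFFICE_MAGIC):
        # Legacy .doc/.xls cannot be proven macro-free here; hold for deeper inspection.
        return "quarantine", "legacy binary Office document, needs macro inspection"
    return "allow", "no executable or macro content detected"


def _make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-style zip (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments covering the common evasions.
SAMPLES = {
    "report.docx": _make_ooxml(with_vba=False),
    "invoice.docx": _make_ooxml(with_vba=True),       # macro hidden behind a .docx name
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # double extension
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,         # executable renamed to an image
    "notes.txt": b"plain text",
}


def screen_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Verdict for every sample attachment."""
    return {name: screen_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18s} {screen_attachment(name, data)}")
```

The content checks matter more than the extension list: the double-extension and renamed-executable samples are caught by the MZ header, and the macro inside `invoice.docx` is found by looking for `vbaProject.bin` inside the zip container rather than trusting the `.docx` name.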

October 17, 2016

Posted by: Robert Trusiak

HHS OCR Guidance on HIPAA & Cloud Computing

1. On October 7, 2016, the HHS Office for Civil Rights (OCR) issued new guidance to assist HIPAA-regulated cloud service providers (CSPs) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information (ePHI) using cloud products and services.
2. The new guidance can be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
3. When a covered entity engages a CSP to create, receive, maintain, or transmit ePHI on its behalf (such as to process and/or store ePHI), the CSP is a business associate under HIPAA.
4. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor is itself a business associate.
5. A HIPAA covered entity or business associate may use a cloud service to store or process ePHI provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting ePHI on its behalf, and otherwise complies with the HIPAA Rules.
6. In addition, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer, which may also be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:
  • System availability and reliability;
  • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
  • The manner in which data will be returned to the customer after service termination;
  • Security responsibility; and
  • Use, retention and disclosure limitations.
7. If a covered entity or business associate enters into an SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1). (See the OCR FAQ regarding impermissible blocking of covered entity access to ePHI by a business associate: http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html.)
8. If a CSP stores only encrypted ePHI and does not have a decryption key, it is still a HIPAA business associate, because the CSP receives and maintains (e.g., to process and/or store) ePHI for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and the associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate even if it cannot actually view the ePHI.
  • While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protection alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.
  • Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
  • Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for the systems and servers that may house the ePHI.
9. Generally, a CSP cannot be considered a “conduit” like the postal service, which would exempt the CSP from business associate status.
  • The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
  • Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
10. If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) ePHI without first entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).
11. Health care providers, other covered entities, and business associates may use mobile devices to access ePHI in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.
12. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances, in the form of a business associate agreement (BAA) with the CSP, that the CSP will, among other things, appropriately safeguard the PHI that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules. The HIPAA Rules do not require CSPs that are business associates to provide documentation of their security practices, or to allow auditing of them, to their covered entity or business associate customers.
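Item 8's point that encryption on its own does not protect the integrity or availability of stored ePHI can be shown concretely. The Python below is an added example for this post, not code from OCR's guidance or from any CSP. To keep it dependency-free, the cipher is a toy stream cipher built from HMAC-SHA256 (a production system would use a vetted authenticated cipher such as AES-GCM, and would manage keys outside the application); the patient record, keys and the corruption event are constructed for illustration.

```python
"""Encrypted-at-rest data can be corrupted without anyone noticing unless an
integrity check is stored and verified alongside the ciphertext.

Added illustrative example; not code from OCR or any cloud provider.
The stream cipher below is a toy built from HMAC-SHA256, not a real cipher.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """XOR the plaintext with the keystream; confidentiality only."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # an XOR stream cipher is its own inverse


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt(enc_key, plaintext, nonce)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """What a store that only encrypts does: decrypt and trust whatever comes out."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return decrypt(enc_key, ct, nonce)


def open_verified(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time first; never return data that failed the check."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record corrupted or tampered")
    return decrypt(enc_key, ct, nonce)


def corrupt(blob: bytes, offset: int) -> bytes:
    """Simulate malware or silent disk corruption flipping one stored byte."""
    b = bytearray(blob)
    b[offset] ^= 0xFF
    return bytes(b)


def demo(record: bytes = b"MRN 000123 dx: J45.20") -> dict:
    """Store a constructed record, damage one ciphertext byte, read it back both ways."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    stored = seal(enc_key, mac_key, record)
    damaged = corrupt(stored, NONCE_LEN + 4)  # a ciphertext byte, not the nonce or tag
    result = {
        "intact_verified": open_verified(enc_key, mac_key, stored),
        # Same length, looks like a record, silently wrong in one field:
        "damaged_unauthenticated": open_unauthenticated(enc_key, damaged),
    }
    try:
        open_verified(enc_key, mac_key, damaged)
        result["damaged_verified"] = "accepted"
    except ValueError:
        result["damaged_verified"] = "rejected"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The unauthenticated path hands back a record of the right length with one field quietly altered, which is exactly the malware-corruption case item 8 describes; the verified path refuses it. Detecting the damage is only half of availability: the good copy still has to come back from somewhere, which is why the back-up and data recovery terms in item 6 belong in the SLA.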
