Medicare Compliance & Reimbursement

If you search your loved one’s name on the internet, the last thing you want to see is his private medical records showing up in the search results. But that’s exactly what happened to one stunned New Yorker, spurring a HIPAA investigation that would result in $4.8 million in settlements.

A physician who developed apps for two Manhattan hospitals meant to deactivate his personal computer server from the hospital network, which included electronic protected health information (ePHI), setting off one of the biggest breach settlements. 

“Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines,” a May 7 Department of Health and Human Services news release noted. “The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of the hospital, on the internet.”

But that patient wasn’t alone — in fact, 6,800 individuals were impacted by the breach, with their patient status, vital signs, medications and lab results vulnerable to public viewing. The resulting settlement of $4.8 million is the largest to date since the HIPAA laws went into effect.

To read more about the breach, visit www.hhs.gov/news/press/2014pres/05/20140507b.html.

OIG Recovers Over $3.1 Billion in First Half Of 2014

Even as Medicare slashes payments for some services, the government still has additional ways to bring in cash by recouping billions from medical practices nationwide. According to the OIG’s Semiannual Report to Congress Oct. 1, 2013 to March 31, 2014, the agency reported expected recoveries of over $3.1 billion through audit receivables, investigations, and other actions.

The report outlines common enforcements, such as those on pill mills, as well as additional crackdowns. “Our reports continue to identify vulnerabilities in, and recommendations for improving, the Centers for Medicare & Medicaid Services’ (CMS) oversight of the contractors that administer more than a half trillion dollars in benefits each year,” said Inspector General Daniel R. Levinson in the document.

“Reports generated during this reporting cycle identified Medicare Administrative Contractor performance shortcomings and highlighted issues that limit CMS’s ability to effectively oversee Part C and Part D contractors,” Levinson continued. “Many CMS contractors rely on medical records to conduct work aimed at ensuring program integrity, yet a new OIG report raises concerns about contractors’ ability to identify improper payments and fraud using electronic medical records. Our reports offer recommendations to improve contractor performance and CMS oversight.”

To read the complete 99-page report, visit oig.hhs.gov/reports-and-publications/archives/semiannual/2014/SAR-S14-Web-Final.pdf. 

OIG Puts Home Health Employee Background Checks Under The Microscope

If you’re located in a state that doesn’t require background checks or that doesn’t specify what to do with the information the checks turn up, that may soon change. 

In a new report, the HHS Office of Inspector General (OIG) notes that 10 states do not require background checks of home health workers at all: Alabama, Connecticut, Georgia, Hawaii, Montana, New Jersey, North Dakota, South Dakota, West Virginia and Wyoming.

“Of the 10 States that have no requirement for background checks, 4 States (Connecticut, Georgia, Hawaii, and West Virginia) reported that they have plans to implement such requirements in the future,” the OIG said in the report, “State Requirements for Conducting Background Checks on HHA Employees” (OEI-07-14-00131). “These States have received Nationwide Background Check Program grants from CMS to establish or improve State programs for background checks of long-term care employees.” The Centers for Medicare & Medicaid Services (CMS) has awarded 25 such grants so far, the OIG adds.

Thirty-five of the 41 states that require background checks specify which types of convictions disqualify individuals from home health employment, the OIG says. Only 15 states require HHAs to receive background check results before employment begins. Most other states specify a timeframe in which agencies must receive the results, although “six States (Kentucky, Maryland, Michigan, Nevada, New Mexico, and Washington) have no maximum timeframe during which an individual may work without a completed background check,” the report notes.

“Beneficiaries receiving care from HHAs are especially at risk of mistreatment because employees are providing services, usually unsupervised, in beneficiaries’ homes,” the OIG says in the report.

Mainstream newspapers have picked up on the OIG’s warning. No requirement for background checks is a “potential security hole,” says The Washington Times newspaper. Some states that require background checks only mandate statewide searches, which could miss convictions in other jurisdictions, points out Business Week.

Still, “states have gone from being a bit lax in applying criminal background checks to being more and more stringent,” Suzanne Crisp of the Boston College School of Social Work told Business Week. Crisp co-authored a paper on screening home care workers for AARP in 2010.

A Service Employees International Union (SEIU) rep told The Washington Times that the union supports background checks, but that potential workers shouldn’t have to pay for them.

The OIG report is online at go.usa.gov/8yW4.