DOJ is Criminally Prosecuting Virginia Physician Who Improperly Disclosed Patient Health Information

June 24, 2011
Filed under Compliance, Featured, Medicare Audits

(June 24, 2011): Physicians and other health care providers should take care — improperly disclosing a patient’s protected individual health information could land you in Federal prison. Earlier this week, a Virginia osteopath was indicted in the Eastern District of Virginia on charges that he illegally disclosed a former patient’s health information to the patient’s employer.

The Virginia physician was indicted by a Federal Grand Jury for the wrongful disclosure of individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA). The physician reportedly faces a maximum of five years’ imprisonment if convicted.

According to the indictment, the physician practiced osteopathic medicine and served as Medical Director at a Virginia psychiatric care facility. The physician is alleged to have provided inpatient mental health treatment to a patient in 2007.  As set out in a discharge summary from 2008, the physician indicated that the patient was not considered a danger to others. Nevertheless, on three separate occasions in February 2008, the physician allegedly disclosed, without any authorization, the patient’s individually identifiable health information to an agent of the patient’s employer. In these unauthorized disclosures, the physician  falsely indicated that the patient was a serious and imminent threat to the safety of the public, when he allegedly knew that the patient was not such a threat.

Commentary

As this case shows, the Federal government is quite serious about health information privacy.  It is essential that health care providers take affirmative steps to ensure that all of their staff – including physicians – are cognizant of both applicable statutory and regulatory requirements and their associated obligations with respect to protected health information.  Effective training on HIPAA, HITECH and the restrictions governing disclosure should represent an important component of each provider’s Compliance Plan.

Liles Parker attorneys have extensive experience representing physicians and other health care professionals in government investigations and disciplinary actions.  Our attorneys are also knowledgeable regarding HIPAA, HITECH and provider obligations under these statutes.  Need assistance?  Call us for a complimentary initial consultation.  We can be reached at:  1 (800) 475-1006. 

CMHC Compliance Officers Should Review Their Compliance Plans to Ensure that “I-9s” are Being Properly Handled and Completed by Staff. The Failure to do so Can Result in Civil and / or Criminal Penalties.

November 28, 2010
Filed under Compliance, Featured, Medicare Audits

(November 28, 2010): In 2003, the Immigration and Naturalization Service (INS) became part of the U.S. Department of Homeland Security. Despite this change, certain functions, such as responsibility for enforcing citizenship discrimination actions, remained with the U.S. Department of Justice’s Office of Special Counsel for Immigration-Related Unfair Employment Practices (DOJ-OSC).  As one large not-for-profit hospital group recently found, DOJ-OSC takes this responsibility quite seriously and is aggressively investigating allegations of “citizenship status discrimination” committed by employers (including health care providers). Most recently, DOJ-OSC has pursued violations allegedly occurring when prospective applicants were asked to show that they are eligible to work in the United States.

I.  Background

With the passage and implementation of the Immigration Reform and Control Act of 1986, employers (including health care providers) have been required to verify that applicants for jobs show that they are authorized to work in the United States.  For over 25 years, employers have been requiring that prospective applicants complete Section 1 of an “I-9 Form” (officially titled “Form I-9, Employment Eligibility Verification”).  Section 1 of the form provides various options for an applicant to show that they are eligible to work in the United States.  Employers are then required to complete Section 2 of the form within three days of the applicant starting to work.  As the government’s Employer Handbook covering the completion of the Form I-9 reflects:

“To comply with the law, you must verify the identity and employment authorization of each person you hire, complete and retain a Form I-9 for each employee, and refrain from discriminating against individuals on the basis of national origin or citizenship.”

For most prospective applicants and employers, this process has been relatively painless.  While the failure of a company to complete I-9s for its employees could subject the employer to civil and / or criminal penalties, given the relative ease of completing this form, it has typically been included in the pre-employment paperwork given to an applicant.

In a recent case pursued by DOJ-OSC, the government alleged that a health care provider required that “non-U.S. citizen and naturalized U.S. citizen new hires . . . present more work authorization documents than required by Federal law, but permitted native born U.S. citizens to provide documents of their own choosing.”  Based on the fact that non-U.S. citizens and naturalized citizens were treated differently, the government investigated a complaint filed by a “charging party” against this health care provider. Ultimately, the government and the health care provider reached a settlement of the discrimination allegations presented.

The health care provider was required to pay $257,000 in civil penalties plus an additional $1,000 which was given to the charging party to make up for back pay that was owed due to the delay in hiring the individual.  This delay was allegedly caused by the provider’s requirement that this non-U.S. citizen (or naturalized U.S. citizen) provide more extensive paperwork to prove his / her authorization to work in the United States than was required from U.S. born citizens.

II. Compliance Plan Considerations:

Importantly, I-9 compliance considerations are not limited to only non-discrimination practices.  Both Compliance Officers and Human Resources staff should review the government’s “Handbook for Employers” and ensure that your facility is complying with each facet of the law in this regard.  As the Handbook states, each provider must:

“Ensure that the employee fully completes Section 1 of Form I-9 at the time of hire — when the employee begins work. Review the employee’s document(s) and fully complete Section 2 of Form I-9 within 3 business days of the first day of work.

If you hire a person for less than 3 business days, Sections 1 and 2 of Form I-9 must be fully completed when the employee begins work.”

Importantly, I-9s do not have to be completed for some individuals.  As the government’s Handbook further states:

“You DO NOT need to complete a Form I-9 for persons who are:

1. Hired before November 7, 1986, who are continuing in their employment and have a reasonable expectation of employment at all times;

2. Employed for casual domestic work in a private home on a sporadic, irregular, or intermittent basis;

3. Independent contractors; or

4. Providing labor to you who are employed by a contractor providing contract services (e.g., employee leasing or temporary agencies).

5. Not physically working on U.S. soil.”

III. Lessons Learned:

While the Compliance Plan covering your Community Mental Health Centers (CMHCs) likely already covers a wide variety of employment-related issues, Compliance Officers should check to ensure that I-9 requirements are made a part of your overall Compliance Program if these mandates are not already covered.

As this case reflects, health care Compliance Officers should periodically conduct a comprehensive risk assessment of a provider’s operations and business relationships.  While traditional compliance reviews have focused on traditional health care statutory and regulatory responsibilities, Compliance Officers cannot ignore other risk areas (such as I-9 related responsibilities).  A good place to start would be to meet with both clinical and non-clinical supervisory and managerial employees to discuss regulated aspects of their work. 

Liles Parker attorneys have extensive experience working with health care providers, including CMHCs, to develop and implement effective Compliance Plans and Programs.  Should you have questions, call us for a complimentary consultation.  We may be reached at 1-800-475-1906.


“Medical Records Retention” Issues Continue to be Important for CMHCs

August 17, 2010
Filed under Compliance, Featured, Medicare Audits

(August 17, 2010): The Centers for Medicare and Medicaid Services (CMS) recently issued MLN Matters SE1022, titled “Medical Record Retention and Media Formats for Medical Records,” which serves as a helpful reminder regarding a number of medical records retention issues faced by Community Mental Health Centers (CMHCs) around the country.  As reflected in the guidance, MLN Matters SE1022 directly applies to health care providers (such as CMHCs) submitting claims to Medicare contractors for services provided to Medicare beneficiaries.

While medical record retention requirements are generally governed by State law and can vary from State to State, it is important to remember that under HIPAA’s administrative simplification rules, “covered entities” such as CMHCs must retain required medical records for a period of “six years from the date of its creation or the date when it last was in effect, whichever is later.”  As CMHC providers can readily attest, this requirement can be quite difficult to apply when the care at issue involves partial hospitalization program services.  For example, the supporting documentation covering partial hospitalization services provided during a specific period may relate back, and be supported by, a Psychiatric Evaluation, Physician Orders, Hospital Discharge Orders and other documents that were created many months prior to the specific dates at issue.  As a result, strict adherence to the six year requirement (assuming that the State retention requirements are six years or less, since HIPAA requirements preempt State laws if the State laws require a shorter medical records retention period) could make it difficult to fully support partial hospitalization claims if an audit is conducted.  Having said that, there are opposing compliance reasons to properly cull outdated medical records when possible.  Finding an acceptable balance between these goals is often difficult and should involve the advice of your legal counsel.

As MLN Matters SE1022 further notes:

 The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement is available at 42 CFR 482.24[b][1].

 CMS requires Medicare managed care program providers to retain records for 10 years. This requirement is available at 42 CFR 422.504 [d][2][iii].

 Finally, the guidance points out that the Medicare program:

“. . . does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities. Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.”

The issue of “records retention” can be quite complex, especially when dealing with partial hospitalization claims.  This issue is further complicated if the CMHC is being audited or under investigation by the government or a Medicare contractor.  In such a situation, we typically advise clients to curtail all document (paper and electronic) destruction activities until the external review is resolved.  In light of these considerations, it is strongly recommended that you work with your legal counsel to better ensure that your CMHC is meeting its document retention obligations.

 Should you have questions regarding these issues, you may call your current counsel or you may call Liles Parker for a complimentary consultation at 1 (800) 475-1906.

Counsel for HHS-OIG Discusses the Impact of Health Care Reform on Enforcement with Congress

(June 22, 2010):  In his testimony last week before the Health and Oversight Subcommittees of the House Committee on Ways and Means, Lewis Morris, Chief Counsel to the Inspector General (HHS-OIG) of Health and Human Services (HHS), emphasized the increasing speed and intensity of HHS-OIG’s multi-pronged health care fraud enforcement efforts.  Morris’ testimony reinforces the need for Community Mental Health Centers (CMHCs) and Partial Hospitalization Programs (PHPs) to aggressively prepare for a knock on the door from HHS-OIG or one of its many enforcement partners.

Morris highlighted numerous new enforcement tools available under the Patient Protection and Affordable Care Act (PPACA), paying particular attention to innovations in data access and use.  These measures include consolidating and sharing data across agencies, as well as deploying new technology that allows “investigators to complete in a matter of days analysis that used to take months with traditional investigative tools.” 

He further praised the enhanced accountability measures contained in PPACA, such as HHS-OIG’s ability to impose civil monetary penalties for “failing to grant [upon reasonable request] timely access to HHS-OIG for investigations, audits, or evaluations.”  Notably, PPACA Section 6408 provides for a penalty of $15,000 per day for failure to grant access. 

Morris’ testimony also reminded the health care community that:

  • PPACA allows the HHS Secretary to suspend payments to providers or suppliers based on credible evidence of fraud.  At the same time, it expands the types of conduct constituting Federal health care fraud offenses under Title 18.
  • HHS-OIG has improved access to information from entities directly or indirectly involved in providing medical items or services payable by any Federal program.

Perhaps most significantly: 

  • Medicare and Medicaid program integrity contractors (i.e., ZPICs and PSCs) are required to provide performance statistics, “including the number and amount of overpayments recovered, number of fraud referrals, and the return on investment of such activities.” (emphasis added).

While not surprising, it is nonetheless disconcerting that ZPICs and PSCs are essentially being “graded” based on the amount of overpayments recovered, along with the number of enforcement actions handled and referred to law enforcement.  Based on these performance measures, is there any real difference between ZPICs and RACs?  While RACs may be compensated directly based on the amount of overpayments collected (and ZPICs are not), it is crystal clear that the government’s expectations of ZPICs are quite similar.  Now, more than ever before, it is essential that CMHCs and PHPs implement effective compliance measures.

Should you have any questions regarding these changes, don’t hesitate to contact us.  For a complimentary consultation, you may call Robert W. Liles or one of our other attorneys at 1 (800) 475-1906.

The U.S. Sentencing Commission has issued proposed changes that may significantly impact compliance plans and compliance professionals.

February 21, 2010
Filed under Compliance, Featured

(February 21, 2010): An effective Compliance Plan can greatly reduce the likelihood that your Community Mental Health Center (CMHC) will find itself in violation of criminal statutory and regulatory requirements.  Should a violation still occur, Federal Sentencing Guidelines have long credited an organization’s efforts to comply with the law.  Notably, on February 9, 2010, the U.S. Sentencing Commission announced that a number of changes to the Federal Sentencing Guidelines have been proposed, at least one of which should be of considerable interest to your CMHC’s Compliance Officer and other members of its management team.  The provisions of §8B2.1 of the Federal Sentencing Guidelines (Effective Compliance and Ethics Program) are generally regarded as the model on which effective compliance plans are based for corporations.

The proposed amendments make several understated but important changes to the structure of an “effective compliance plan.”  In particular, they focus on the increasingly important role document retention policies must play in an organization’s compliance program.  Specifically, after criminal conduct has been detected:

  • A CMHC must respond appropriately to the criminal conduct, including providing restitution to any victims (which would include repayments to the Medicare program), self-reporting the violation and cooperating with authorities.
  • The CMHC must assess its program and modify it to make the program more effective.  The use of an independent monitor to ensure implementation of these changes would be encouraged. 

In addition, as part of periodic compliance plan review, the provider should make sure (in writing) that all employees are aware of the organization’s document retention policies, and that such policies correspond to the goals of an effective compliance plan.

Dangling a carrot in front of companies for proper compliance, the proposed guidelines raise the issue of whether an organization should receive credit for an Effective Compliance plan even when Senior Executives are involved in an offense, where (1) the Compliance Officer has a direct reporting relationship to the Board of Directors (or Board Committee), (2) the Compliance Program successfully detected the offense before it was uncovered outside of the organization, and (3) the organization promptly reported the violation to the appropriate authorities.

The Sentencing Commission’s other proposals are out for comment until March 22, 2010.  A public hearing on the proposals is scheduled for March 18, 2010. The Sentencing Commission will then vote in April on whether to send any amendments to Congress. If it does, the amendments would become effective November 1, 2010, unless Congress takes action to prevent the amendments from taking effect.

Notably, these proposed changes further highlight the issue of “self-disclosure.”  The determination of whether or not to self-disclose a potentially criminal violation can be quite complicated.  CMHCs desiring to self-disclose should consult their legal counsel prior to taking such a step.    

Should you have any questions regarding these changes, don’t hesitate to contact us.  For a complimentary consultation, you may call Robert W. Liles or one of our other attorneys at 1 (800) 475-1906.