logo - Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations.

What is Aggravated Identity Theft?

January 1, 2021 by  
Filed under

Download PDF

Have you been charged with a violation of “Identity Theft” or “Aggravated Identity Theft”?  Is so, it is essential that you engage experienced legal counsel to represent your interests and help safeguard your liberty.  The highly-ranked attorneys at Liles Parker can assist you in mounting an aggressive defense to these Federal criminal charges.   An overview of these statutes is set out below.

I.  What is Aggravated Identity Theft?

On July 15, 2004, President Bush signed into law the “Identity Theft Penalty Enhancement Act,” Public Law 108-275.  The law is codified at 18 U.S.C. §1028A.  Under this statute it is a crime to knowingly transfer, possess, or use, without lawful authority, a means of identification of another person, during and in relation to any felony violation of certain enumerated Federal felony offenses.

While there are cases where the government’s primary focus in identity theft and it is completely reasonable for these violations to be pursued, that isn’t always the situation. Charges of Aggravated Identity Theft are now routinely included in health care fraud related indictments, where one or more of the allegations is that the defendant has knowingly, and without a lawful purpose, used the insurance identification information of a beneficiary when committing fraud against a Medicare, Medicaid or private insurance benefit program.

II.  What is the Difference Between “Identity Theft” and “Aggravated Identity Theft”?

Simply stated, “Identity Theft” occurs when an individual knowingly steals or uses the identification of another person with the intent of later committing a crime.[1]  In comparison, “Aggravated Identity Theft” involves the theft of another person’s identity “during an in relation” to the commission of an enumerated Federal felony offense.

III.  Aggravated Identity Theft Charges Fall Into Two Categories:

Aggravated Identity Theft can only occur when the identity theft takes place “during and in relation” to one of a number of specified other Federal crimes.  What are these specified Federal crimes? The predicate Federal felony offenses that may give rise to a charge of Aggravated Identity Theft fall into two categories.

Category #1: Approximately 60 Federal felony white collar predicate offenses. 

The first category of Aggravated Identity Theft involves situations where identity theft allegedly takes place during and in relation to one of approximately 60 Federal felony white collar  offenses, a violation of which is punishable by a mandatory minimum of two years imprisonment.  Examples of the 60 predicate offenses[2] include:      

            18 U.S.C. § 1001 (relating to false statements or entries generally),

            18 U.S.C. § 1035 (relating to false statements relating to health care matters),

            18 U.S.C. § 1347 (relating to health care fraud)

            18 U.S.C. § 1343 (relating to wire fraud)

            18 U.S.C. § 1341 (relating to mail fraud)

 Category #2: Approximately 50 Federal felony terrorism-related predicate offenses. 

The second category of Aggravated Identity Theft involves situations where identity theft allegedly takes place during and in relation to one of approximately 50 Federal felony terrorism-related offenses, [3]  a violation of which will result in a mandatory minimum of five years imprisonment. To date, the government has not been very aggressive in pursuing these charges in terrorism-related prosecutions

The story is quite different when the underlying predicate offense is an enumerated white collar offense.  In recent years, we have seen a significant increase in the number of “Aggravated Identity Theft” charges included in indictments for health care fraud, mail fraud, wire fraud, and violations of the Anti-Kickback Statute.

III. Why Would a Prosecutor Include an Aggravated Identity Theft Charge in a Health Care Fraud Prosecution?

Why would a prosecutor bother to include an Aggravated Identity Theft in a health care fraud related indictment?  Leverage.

By including this charge in the indictment, should the case go to trial and a defendant be found guilty of violating 18 U.S.C. §1028A(1), the defendant will be sentenced to a mandatory minimum of two years in jail. In fact, by statute, a Court is not permitted to place anyone convicted of a violation of 18 U.S.C. §1028A on probation.[4]  Even more troubling is the fact that in cases where multiple violations of identity theft have been charge, if found guilty, these additional two-year terms of imprisonment must run consecutively, not concurrently.[5]  As a final point, a sentencing judge may not reduce a defendant’s term of imprisonment for the underlying predicate offense in order to account for the mandatory two-year minimum terms that must be imposed for each Aggravated Identity Theft violation.[6]

Collectively, these factors effectively place an enormous amount of pressure on health care fraud defendants to plea bargain in exchange for the dismissal of identity theft charges.

IV.  Defending Charges of Aggravated Identity Theft:

When representing a client in an Aggravated Identify Theft case, there are a number of elements to the statute that should be analyzed and may present opportunities to mount an effective defensive strategy.  For example:

Has a proper defendant been named? Under 18 U.S.C. §1028A, only an individual may be charged. Additionally, a conviction under this statute can only result in imprisonment, not in a fine. Since corporate entities and organizations cannot be imprisoned and no fine may be imposed, this provision is only able to punish individuals.

Did the Aggravated Identity Theft violation occur “during and in relation to” the commission of a predicate offense? You may ask, “What does this mean”?  The U.S. Supreme Court has carefully examined this requirement and held that the phrase “during and in relation to” describes the connection, necessary for a violation under the section, between the predicate offense and the other identity theft elements. [7]   

Has a proper predicate offense been cited? Remember, in order bring an Aggravated Identity Theft charge, the government has to show that one of the 60 white collar qualifying predicate offense was committed.

Can the government show that the conduct was committed “knowingly”? Knowledge is an essential element of the statute.  In order to prove a violation of the Aggravated Identity Theft statute, the government must show that the defendant had knowledge that he or she transferred, possessed or used, without legal authority, the identity of another person.  If the government cannot show that the knowledge element is met, the charge cannot be sustained.

Can the government show that the defendant transferred, possessed or used the identity of another person? Unfortunately, it is often difficult to successfully dispute this element of the statute due to the broad scope of the terms “transfer,” “possess” and “use.”  Nevertheless, you should examine this argument carefully to determine whether you have a basis to challenge this element.

Can the government show that a defendant’s use of another individual’s identification “without legal authority”? This element of the statute does not turn on whether the defendant has the permission of an individual to use his or her identification.  Rather, it depends on whether or not the defendant’s use of someone else’s identification was for an unlawful purpose.

Was the unlawful use of identification information related to a real person? You can’t violate the Aggravated Identity Theft statute if you used the identification of a fictitious person.


Several of our firm’s attorneys are former Federal prosecutors who held significant positions at the U.S. Department of Justice.  Our team of former Federal prosecutors and  white collar defense attorneys will aggressively work to protect your financial interests and, most importantly, help safeguard your liberty.  Do you need help?  Give us a call for a complimentary consultation.  We can be reached at:  1 (800) 475-1906.

[1] In 1998, Congress passed the “Identify Theft and Assumption Deterrence Act,” Public Law 105-318.  The Identity Theft statute is codified at: 18 U.S. Code § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information.

[2] A listing of the broad categories of felony violations that may serve as a predicate offense are outlined in 18 U.S.C. § 1028A(c)(1) through (11).

[3] A listing of the types of terrorism-related crimes that may serve as a predicate offense are outlined in 18 U.S.C. § 2332b(g)(5)(B).

[4] 18 U.S.C. §1028A(b)(1).

[5] 18 U.S.C. §1028A(b).

[6] 18 U.S.C. §1028A(b)(3).

[7] Smith v. United States, 508 U.S. 223 (1993).


White Collar Defense Representation Practice

January 1, 2021 by  
Filed under

Download PDF

The White Collar Defense Team at Liles Parker Can Safeguard Your Interests. Call us: 1 (800) 475-1906.What is “White Collar Crime”?  Great question, as white collar defense attorneys, we are sometimes asked about the origins of this term.  The term has been around for quite some time. Edwin H. Sutherland first used the phrase “White Collar Criminality” as the title of his Presidential Address to the American Sociological Society at the organization’s annual meeting in Philadelphia in December 1939.  At that time, he described White Collar Criminality in business as:

“. . . expressed most frequently in the form of misrepresentation in financial statements of corporations, manipulation in the stock exchange, commercial bribery, bribery of public officials directly or indirectly in order to secure favorable contracts and legislation, misrepresentation in advertising and salesmanship, embezzlement and misapplication of funds, short weights and measures and misgrading of commodities, tax frauds, misapplication of funds in receiverships and bankruptcies.” [1]  

I.  What is Considered as White Collar Crime Today?

Since this phrase was first coined, the concept of white collar crime has evolved over the last 80 years.  Today, the Federal Bureau of Investigation (FBI) describes white collar crime as:

“. . . white-collar crime is now synonymous with the full range of frauds committed by business and government professionals. These crimes are characterized by deceit, concealment, or violation of trust and are not dependent on the application or threat of physical force or violence. The motivation behind these crimes is financial—to obtain or avoid losing money, property, or services or to secure a personal or business advantage.”[2] (emphasis added).   

Which Federal criminal statutes are considered to be white collar offenses? That’s a tough question to answer when you consider the fact that no one even knows how many Federal criminal statutes are currently in effect.  The most recent estimate available placed the number at around 4,500.  Many years ago, the U.S. Department of Justice attempted to compile a complete list.  As one Justice official put it at the time, “You will have died and resurrected three times,” and still be trying to figure out the answer.[3]

 II.  Liles Parker’s Team of Attorneys Include Former Federal Prosecutors, Experienced Litigators and Subject-Matter Experts:

Liles Parker white collar defense attorneys actively represent corporations and individuals in connection with the defense of financial crimes, government audits and investigations.  A number of our attorneys have served in key positions in the Department of Justice and have served as Federal prosecutors in U.S. Attorney’s offices in Texas, California, Louisiana, Virginia and the District of Columbia. While most of our work is Federal, one of our attorneys built his early career handling complex state criminal defense cases, representing defendants against a wide variety of felony charges.

Regardless of whether the allegations necessitating white collar defense relate to alleged Federal or State violations of law, our team will aggressively work to address the government’s concerns in an effort to defuse the current case so that our client will not be subjected to criminal indictment or civil suit. If white collar defense litigation is necessary, our attorneys are prepared to present the strongest defense possible for our clients. Our attorneys have extensive experience conducting internal investigations, gap analyses and risk assessments for our clients, providing guidance and counsel in connection with any statutory or regulatory concerns or deficiencies that may be identified. We regularly counsel corporate clients concerning corporate compliance implementation and monitoring issues, assisting our clients with their efforts to comply with all applicable statutory and regulatory requirements.


As former Federal and / or State prosecutors and white collar defense attorneys,[4] we will aggressively work to protect your financial interests and, most importantly, help safeguard your liberty.  Do you need help?  Give us a call for a complimentary consultation.  We can be reached at:  1 (800) 475-1906.

White Collar Defense Matters and Cases We Handle Include: 

  • Aiding and Abetting (18 U.S.C. § 2)
  • Aggravated Identity Theft (18 U.S.C. § 1028A)
  • Bank Fraud (18 U.S.C. § 1344)
  • Bankruptcy Fraud (18 U.S.C. § 157)
  • Bribery and Violations of the Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b))
  • Bribery of Public Officials (18 U.S.C. § 201)
  • Civil Fraud Actions
  • Computer Fraud and Abuse Act Violations (18 U.S.C. §1030)
  • Conspiracy Crimes (18 U.S.C. § 371)
  • Counterfeiting and Forgery (18 U.S.C.§§ 470 — 513)
  • Currency Structuring (31 U.S.C. § 5313)
  • Eliminating Kickbacks in Recovery Act (EKRA) Violations (18 U.S.C. § 220)
  • Embezzlement and Theft (18 U.S.C. § 641)
  • Extortion – Blackmail (18 U.S.C. § 873)
  • False Claims Act – Qui Tam Actions (31 U.S.C. §§ 3729 – 3733)
  • False or Fraudulent Claims (18 U.S.C. § 287)
  • False Statements Involving Health Care Programs (18 U.S.C. § 1035)
  • False Statements Involving Federal Health Care Programs (42 U.S.C. §1320a–7b(a))
  • Fraud and False Statements (18 U.S.C. § 1001)
  • Federal Appeals
  • Federal Investigations
  • Foreign Corrupt Practice Act (FCPA) Violations (15 U.S.C. §§ 78dd-1, et seq.)
  • Fraudulent Identification of Documents (18 U.S.C. § 1028)
  • Grand Jury Representation
  • Health Care Fraud (18 U.S.C. § 1347)
  • Import – Export Fraud
  • Insurance Fraud
  • Internal Investigations
  • International Crimes
  • International Extradition
  • Interstate and Foreign Travel or Transportation in Aid of Racketeering Enterprises (Travel Act) (18 U.S.C. § 1952)
  • Internet Fraud
  • Mail and Wire Fraud (18 U.S.C. § 1341, 1343)
  • Misprision of a Felony – 18 U.S.C. § 4
  • Money Laundering (18 U.S.C. § 1956)
  • Obstruction of Criminal Investigations (18 U.S.C. § 1510)
  • Obstruction of a Federal Audit (18 U.S.C. § 1516)
  • Obstruction of a Criminal Investigation into Health Care Offenses (18 U.S.C. § 1518)
  • Obstruction of Justice (18 U.S. Code §?1503)
  • Obstruction of Proceedings Before Departments, Agencies and Committees (18 U.S. Code §?1505)
  • Prescription Drug Fraud
  • Prohibition Against Kickbacks (Anti-Kickback Statute) (42 U.S.C. §1320a–7b(b))
  • Public Corruption
  • Responding to Federal and State Law Enforcement Concerns
  • Securities and Investment Fraud (18 U.S.C. §1348)
  • Tax Fraud
  • Telemarketing Fraud
  • Theft or Bribery Related to Federally Funded Programs (18 U.S.C. § 666)
  • Theft or Embezzlement Involving Healthcare Programs (18 U.S.C. § 669)

[1] American Sociological Review, White Collar Criminality.” Volume 5, Number 1, February 1940.

[2] https://www.fbi.gov/investigate/white-collar-crime#Major-Threats%20and%20Programs

[3] Wall Street Journal. “Many Failed Efforts to Count Nation’s Federal Criminal Laws.” By Gary Fields and John R. Emshwiller (July 23, 2011).

[4] For an overview of the Liles Parker team, please see our attorneys page.



DOJ is Aggressively Investigating Allegations of Wrongdoing Related to COVID-19 Fraud and the Current National Emergency

Download PDF

DOJ is aggressively prosecuting instances of COVID-19 fraud and related wrongdoing.(March 27, 2019):  We live in trying times.  As the coronavirus disease (COVID-19) has spread both globally and throughout the United States, the government has taken a number of steps to address the current pandemic.  On March 13, 2020, President Donald Trump officially declared that the COVID-19 outbreak constitutes a national emergency.[1]  Within 72 hours of the issuance of President Trump’s declaration,  William Barr, the Attorney General of the United States, determined it was necessary to issue a memorandum to the 94 U.S. Attorney’s Offices around the country stressing the fact that Department of Justice (DOJ) prosecutors must remain diligent in their efforts to detect, investigate and prosecute wrongdoing related to the COVID-19 crisis.  This article examines the various COVID-19 fraud concerns that DOJ has already raised and sets out steps you can take to reduce your level of regulatory risk.

I.   Overview of DOJ Guidance of COVID-19 Fraud and Related Wrongdoing:

As mentioned above, on March 16, 2020, the Attorney General issued guidance[2] to the 94 U.S. Attorney’s Office around the country noting that it is essential that the justice system remain functioning throughout the national emergency.  It is also worth noting that U.S. Attorney’s Offices has been directed to prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic.”

Less than a week after issuing this initial guidance, the DOJ announced on Sunday, March 22, 2020, that it had filed its first enforcement action in the Western District of Texas related to COVID-19 fraud.  As set out in the Civil Complaint filed by the government, the defendants have been alleged to have engaged in a “wire fraud scheme seeking to profit from the confusion and widespread fear surrounding COVID-19” through the company’s sale of World Health Organization (WHO) vaccine kits.  As the government notes, at this time, there are no legitimate COVID-19 vaccines and the WHO is not distributing such a vaccine.  As Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division stated at the time:

“The Department of Justice will not tolerate criminal exploitation of this national emergency for personal gain . . . We will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware.”[3]

Even more recently, on March 25, 2020, the U.S. Attorney’s Office for the Central District of California announced that it had filed a criminal complaint against an individual who allegedly solicited investments in a company that was marketing pills that would prevent coronavirus infections.  The defendant’s company was also supposedly marketing an injectable cure for individuals battling COVID-19. The complaint charges the individual with a single count of attempted wire fraud. [9]

II.   Specific Guidance Issued by Deputy Attorney Rosen on COVID-19 Fraud:

Shortly thereafter, on March 25, 2020, Deputy Attorney General, Jeffrey A. Rosen issued guidance titled “Department of Justice Enforcement Actions Related to COVID-19.” [4]  As the guidance notes, there are a number of specific statutory authorities that Federal prosecutors may find applies to assert if COVID-19 fraud or wrongdoing is identified.  These statutory authorities include, but are not limited to:

Federal Statutory Authority 
15 U.S.C. § 1 — Trusts, etc. in Restraint of Trade Illegal; Penalty
15 U.S.C. § 2 – Monopolizing Trade a Felony; Penalty
15 U.S.C. § 14 – Sale etc., on Agreement not to Use Goods of Competitor
15 U.S.C. § 1263 Prohibited Acts (Introduction of Misbranded or Banned Hazardous Substances into Interstate Commerce)
15 U.S.C. § 2068 – Prohibited Acts (Sale, Manufacture, Distribution or Import of a Consumer Product or other Product that is not in Conformity with Consumer-Product-Safety Regulations)
18 U.S.C. § 175Prohibitions with Respect to Biological Weapons
18 U.S.C. § 875 — Interstate Communications
18 U.S.C. § 876 – Mailing Threatening Communications
18 U.S.C. § 1030Fraud and Related Activity in Connection with Computers
18 U.S.C. § 1038 — False Information and Hoaxes
18 U.S.C. § 1040 — Fraud in Connection with Major Disasters and Emergencies
18 U.S.C. § 1341 – Frauds and Swindles (Mail Fraud)
18 U.S.C. § 1343 – Fraud by Wire, Radio or Television (Wire Fraud)
18 U.S.C. § 1347 — Healthcare Fraud
18 U.S.C. § 1349 — Conspiracy to Commit Fraud
18 U.S.C. §§ 1028-1028A — Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Identification Fraud and Aggravated Identity Theft)
18 U.S.C. § 2320 –Trafficking in Counterfeit Goods
18 U.S.C. § 2332a — Use of Weapons of Mass Destruction
21 U.S.C. § 333 — Violation of the Food, Drug, and Cosmetic Act

Specific examples of possible COVID-19 fraud schemes that might be perpetrated were set out in Deputy Attorney General Rosen’s memorandum.  These examples included:

  • Robocalls making fraudulent offers to sell respirator masks with no intent of delivery. 18 U.S.C. § 1343 (Wire Fraud). The crime of “wire fraud” occurs when someone voluntarily and intentionally uses makes an interstate telephone call or another electronic communication (such as e-mail) in furtherance of a fraud scheme. Notably, the elements of wire fraud are very similar to those of mail fraud statute except that it speaks of communications transmitted by wire.
  • Fake COVID-19-related apps and websites that install malware or ransomware. 18 U.S.C. § 1343 (Wire Fraud) or 18 U.S.C. § 1030 (Computer Fraud). The crime of wire fraud is described above.  The crime of computer fraud occurs when someone knowingly causes the transmission of a “program, information, code or command” and intentionally damages (without authorization) a protected computer.   
  • Phishing emails asking for money or presenting malware. 18 U.S.C. § 1030 (Computer Fraud). One of the forms of computer fraud is set out above. Additional examples are also discussed under 18 U.S.C. § 1030.[5]  
  • Social media scams fraudulently seeking donations or claiming to provide stimulus funds if the recipient enters his or her bank account number. 18 U.S.C. §§ 1028-1028A (Identity Theft) or 18 U.S.C. § 1343 (Wire Fraud).  Notably, the government has extensive experience prosecuting individuals and entities who are alleged to have set up fake charities and have effectively taken advantage of a national disaster or tragedy.  The perpetrators of this type of fraud are almost always caught and the courts have levied heavy jail sentences and fines on bad actors found guilty of engaging in this type of wrongdoing.
  • Sales of fake testing kits, cures, “immunity” pills, and protective equipment. 21 U.S.C. 333 (Introduction of Misbranded or Adulterated Drug or Device Into Interstate Commerce) or 15 U.S.C. § 2068 (Violation of the Consumer Product Safety Act). Federal prosecutors and regulators for the Food and Drug Administration (FDA) handle these types of cases on an ongoing basis and are experienced in shutting down fraudsters hawking fake cures and treatments.
  • Fraudulent offers for free COVID-19 testing in order to obtain Medicare beneficiary information that is used to submit false medical claims for unrelated, unnecessary, or fictitious testing or services. 18 U.S.C. §§ 1028-1028A (Identification Fraud and Aggravated Identity Theft)This type of fraud has been occurring law before the inception of the COVID-19 fraud cases we are now seeing.  Most recently, Medicare beneficiary information has been misused by a number of telemarketing companies and durable medical equipment companies.  Federal prosecutors are currently in the middle of several prosecutions involving this type of conduct. 
  • Prescription drug schemes involving the submission of medical claims for unnecessary antiretroviral treatments or other drugs that are marketed as purported cures for COVID19. 18 U.S.C. § 1347 (Healthcare Fraud) or 15 U.S.C. § 2068 (Violation of the Consumer Product Safety Act). These common schemes are now being seen in connection with COVID-19 fraud cases around the country.  Health care providers should exercise caution before entering into business relationships with laboratories, pharmacies  and other ancillary service providers who are marketing purported cures or treatment regimens for COVID-19.
  • Robberies of patients departing from hospitals or doctor offices. 18 U.S.C. § 2118 (Robberies and Burglaries Involving Controlled Substances). Although not discussed in Deputy Attorney General Rosen’s memorandum, it is a Federal crime to take, or attempt to take, by force or violence or by intimidation, any quantity of a controlled substance from any person (including a patient) on the business premises or property of a person registered with the Drug Enforcement Administration.  In addition, to this Federal statute, there are a host of robbery statutes that would implicated under State law. 
  • Threats of violence against mayors and other public officials. 18 U.S.C. § 875 (Interstate Communications) or 18 U.S.C. § 876 (Mailing Threatening Communications). Using the internet to convey an interstate threat of violence or injury to any person would be a crime under 18 U.S.C. § 875.  Similarly, using the mails to threaten someone with violence or injury would be a crime under 18 U.S.C. § 876.  
  • Threats to intentionally infect other people. 18 U.S.C. § 2332a (Use of Weapons of Mass Destruction). Of the examples discussed in Deputy Attorney General Rosen’s guidance, this is perhaps the most interesting.  As the memorandum reflects, Federal prosecutors may view “Threats or attempts to use COVID-19 as a weapon against Americans”  as a violation of 18 U.S.C. § 2332a since COVID-19 arguably meets the statutory definition of a “biological agent” [6]and therefore could implicate our country’s terrorism-related statutes.

III.   Reducing Your Level of Regulatory Risk During the Current National Emergency:

Although the health, societal and business impact of the current COVID-19 emergency is unprecedented (at least in our lifetime), the fact that bad actors will readily take advantage of this situation is to be expected.  In fact, with the exception of the terroristic threat conduct discussed above, the types of wrongdoing encountered in COVID-19 fraud cases is pretty run-of-the-mill.  In addition to the concerns raised in Deputy Attorney General Rosen’s memorandum, several additional areas of risk to be considered by health care providers and suppliers include the following:

  • Exercise Due Diligence Before Accepting the Assertions of Medicare Coverage by a Vendor’s Sales Representative. There are a wide variety of medical devices and pharmaceutical products that have not been properly vetted through the FDA approval process in order to qualify for coverage and payment by Medicare.  Don’t assume that sales pitches asserting that a medical device or pharmaceutical product is correct.   In recent years, we have represented multiple providers who were talked into buying expensive equipment and other products based on a sales representatives promises that the item or service to be billed qualifies for Medicare coverage and payment.  In once case we handled, when our client was audited, the company that sold the medical device at issue had long since gone out of business and had been sued by other providers for misrepresenting that the services performed with the medical device could be properly billed to Medicare.
  • Take Care if You Seek a Bank or Small Business Administration (SBA) Loan as a Result of the COVID-19 Crisis. In an effort to help businesses deal with the current national emergency, the government has streamlined the SBA loan process for small businesses. Two recent articles[7]covering these developments have been placed on our website.  Should you decide to seek a bank or SBA backed business loan, you must exercise care when completing these applications.  While the documentation and approval timeframes may have been simplified, should you make a misstatement on the application or fail to disclose relevant information, your actions may constitute a crime.
  • Government Waivers of Certain Requirements (Such as those Associated with Telehealth / Telemedicine Services) are Always Limited. To its credit, the Centers for Medicare and Medicare Services (CMS) have been quick to address many of the patient access, diagnostic and treatment concerns expressed by health care providers and patients alike that have arisen because of the current COVID-19 outbreak.  For example, CMS maintains a list of services that are normally furnished in-person that it will now permit providers to furnish by Medicare telehealth.  As CMS wrote in recent guidance[8] it issued on March 17, 2020:  “Under the emergency declaration and waivers, these services may be provided to patients by professionals regardless of patient location.”  Don’t assume that the relaxation of Medicare’s telehealth / telemedicine rules are an indication that this area is no longer under extreme scrutiny by law enforcement and by CMS program integrity contractors such as Unified Program Integrity Contractors (UPICs).  Once our country has effectively dealt with the current national emergency, government investigators and CMS contractors will undoubtedly resume their review and audit of these historically-problematic claims.  For a more detailed discussion of the government’s enforcement efforts in this regard, please see our article from February 17, 2020, titled “Telemedicine Audits of Evaluations by Referring Physicians are Increasing.”

While CMS is continuing to identify additional ways that it can better facilitate the provision of patient care, health care providers need to remember that specific waivers recently approved by CMS are likely to be short-term in nature.  More importantly, all other coverage and payment requirements remain in effect.  First and foremost, were the services medically necessary?  Were the services properly documented (in accordance with CMS, State Medical Board and Industry Standards)?  Were the services properly coded and billed?  And finally, was the reimbursement you received accurate?

Once the current national emergency is over, health care providers and suppliers should expect to see significant upswings in program integrity audits by Unified Program Integrity Contractors (UPICs), Supplemental Medical Review Contractors (SMRCs) and Comprehensive Error Rate Testing (CERT) contractors.  As this health crisis continues, it is also important to keep in mind that State and Federal law enforcement agencies are actively soliciting reports of COVID-19 fraud and other related wrongdoing.  Attorney General Barr has urged the public to report any and all COVID-19 fraud schemes that are identified to the National Center for Disaster Fraud (NCDF) hotline.  As a result, it is imperative that you continue to ensure that your regulatory compliance efforts are both ongoing and up-to-date (in terms of your obligations under the law).

Have you received a document request from the OIG, a UPIC, a SMRC or another CMS contractor?  Are you currently facing a government audit or investigation of your claims billed to Medicare, Medicaid or another Federal health benefit program?  Call us for a free consultation.  We can be reached at: (202) 298-8750 or toll-free 1 (800) 475-1906.

Robert W. LilesRobert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with claims audits and investigation.  Is your health care practice, home health agency or hospice being audited? Give us a call.  For a free initial consultation regarding your situation, call Robert at: 1 (800) 475-1906.

[1] Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak,”dated March 13, 2020.  A copy of the declaration can be found the following link.

[2] DOJ’s Memorandum, “COVID-19 – Department of Justice Priorities,” March 16, 2020.  A copy can be found at the following link.

[3] A copy of DOJ’s Press Release is available at this link.

[4] DOJ’s Memorandum, “Department of Justice Enforcement Actions Related to COVIF-19,” March 24, 2020. A copy can be found at the following link.

[5] 18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers). A link to the statute can be found here.

[6] See 18 U.S.C. § 175.

[7] Our article titled Small Business Administration Releases Express Bridge Loan Pilot Program for COVID-19,” dated March 26, 2020, can be found here.   An earlier article titled “COVID-19 SBA Loan Support May be Available for Qualified Health Care Providers,” dated March 25, 2020, can be found here.

[8] CMS guidance titled “Medicare Telehealth Frequently Asked Questions (FAQs),” dated March 17, 2020, can be found here.

[9]  A copy of the Press Release can be found here.

Pain Management Prescribing Practices and Audits.

Download PDF

(August 16, 2017): Earlier this summer, the U.S. Department of Justice (DOJ) executed its most extensive “health care fraud takedown” to date, initially arresting 412 licensed healthcare providers, doctors, and nurses alleged to have engaged in fraudulent conduct (additional arrests were made in the days following the takedown).  As Attorney General Jeff Sessions stated at that time, We are sending a clear message to criminals across this country: We will find you. We will bring you to justice. And you will pay a very high price for what you have done.” Of the 412 individuals arrested, approximately 120 of the defendants, including doctors, were charged for their roles in prescribing and distributing opioids and other dangerous narcotics. The charges aggressively targeted pain management providers billing Medicare, Medicaid, and TRICARE for medically unnecessary prescription drugs and compounded medications that often were never even purchased and / or distributed to beneficiaries. Many of the charges brought against pain management professionals have alleged that these individuals have contributed to the nation’s current opioid epidemic through the unlawful distribution of opioids and other prescription narcotics.

I.  Pain Management Providers Around the Country are Being Targeted by DOJ:

To be clear, there is, in fact, a significant problem with prescription opioid abuse and diversion.  In the first six months of 2017, there have been a number of federal enforcement cases brought against pain management physicians, practices and clinics for a wide variety of opioid-related violations.  Several of these include:

February 2017:  In this Pennsylvania case, a pain management physician pleaded guilty to selling prescriptions for controlled substances in exchange for cash payments.  The government further alleged that many of the customers who went to the clinic were drug dealers or addicts who sold the medications they were prescribed.  It was further alleged that neither the defendant nor the other pain management professionals charged in the case conducted medical or mental health examinations as required by law. The government alleged that during the period that this conspiracy took place, the defendant physician illegally sold over $5 million worth of controlled substances.

March 2017:  Two Michigan physicians providing care to pain management patients were found guilty by a jury for allegedly running a “pill mill” supplying narcotics to drug-seeking individuals.  More specifically, the government argued that the evidence showed that the physicians wrote prescriptions for Schedule II narcotics to individuals outside of the course of professional medical practice and for no legitimate purpose.  The government further claimed that the clinic’s physicians prescribed over 1.5 million oxycodone pills and charged customers $250 cash for a 30-day supply of narcotics.

April 2017:  In this Louisiana case, a physician and former co-owner of a pain management practice pleaded guilty to several criminal counts.  The physician was alleged to have run a “pill mill” where he prescribed controlled substances to drug abusers and seekers for a flat fee, even though there no legitimate medical purpose for the prescriptions.

May 2017:  In this Missouri case, a medical resident pleaded guilty to writing over 70 false prescriptions.  The government reported that the defendant wrote opioid prescriptions using the names of six separate persons, despite the fact that he did not have a physician-patient relationship with any of them.

June 2017:  In this New York case, a criminal complaint was unsealed against a family practice physician with no specialized training in pain management, who is alleged to have written more than 14,000 prescriptions, totaling more than 2.2 million oxycodone pills, between approximately 2012 and 2017.  The government has alleged that thousands of illegal prescriptions were written that did not have a legitimate medical purpose.

July 2017:  This Tennessee-based pain management practice settled False Claims Act violations for $312,000.  The pain practice was alleged to have caused the submission of false claims to Medicare and TennCare for medically unnecessary urine drug tests. The settlement also resolves allegations that the [pain practice] caused the submission of false claims to Medicare and TennCare for non-Food & Drug Administration. . . approved pharmaceuticals. . . “The United States’ investigation was initiated after extensive data analysis identified [the practice] as a potential outlier in the provision of urine drug testing to Medicare patients.”

II.  Typical Criminal Violations Charged in Pain Management Diversion and / or Trafficking Cases:

As you will notice, the standard that DOJ repeatedly cites is that a prescription is illegal if it has no “legitimate medical purpose” and / or is outside the “usual course of his professional practice.”  From a practical standpoint, if your prescribing practices fall into one of these categories, DOJ is likely to argue that your practices are below the applicable standard of care and are indicative of a crime. Typical statutory offenses charged in criminal pain management diversion and / or trafficking cases include:

Drug Trafficking (21 U.S.C. §§ 84l).  Typically charged when alleging that a party knowingly and intentionally, prescribed controlled substances, not for a legitimate medical purpose and not in the usual course of professional practice.

Health Care Fraud (18 U.S.C. § 1347).  It is unlawful for any person to knowingly: (1) defraud any health care benefit program; or (2) obtain by false pretenses any money or property owned or under the control of a health care benefit program.   Any person convicted under this statute could be fined and/or imprisoned for a maximum of 10 years.  If the offense resulted in serious bodily injury, then the eligible term of imprisonment is increased to 20 years.  If the offense resulted in death, then the maximum term of imprisonment is increased to life.

Aggravated Identity Theft (18 U.S.C. § 1028A).  Under this statute, whoever during and in relation to any felony enumerated in subsection (c) [predicate offense], . . . knowingly transfers, possesses, or uses without lawful authority a means of identification of another person, shall, in addition to the punishment provided for such [predicate offense], be sentenced to a term of imprisonment of 2 years. . .

Examples of the 60 predicate offenses include:

18 U.S.C. 1001 (relating to false statements or entries generally),

18 U.S.C. 1035 (relating to false statements relating to health care matters),

18 U.S.C. 1347 (relating to health care fraud)

18 U.S.C. 1343 (relating to wire fraud)

18 U.S.C. 1341 (relating to mail fraud)

Obstruction of a Federal Audit (18 U.S.C. § 1516).  It is illegal to intentionally influence, or obstruct a federal auditor in the course of performing his or her official duties relating to any person or organization receiving more than of $100,000 from the federal government in any one-year period.  The penalty for violating this section is the imposition of a fine and/or a maximum of five years imprisonment.  A federal auditor is any person employed for the purpose of conducting an audit or quality assurance inspection on behalf of the federal government.

Obstruction of a Criminal Investigation into Health Care Offenses (18 U.S.C. § 1518).  It is unlawful to prevent, obstruct, or delay the communication of information relating to a federal health care offense to a criminal investigator. Any person convicted for violating this statute could face a fine and / or up to five years imprisonment. 

Prohibition Against Kickbacks (Anti-Kickback Statute) (42 U.S.C. § 1320a–7b(b)). The federal Anti-Kickback Statute makes it a crime to knowingly and willfully offer, pay, solicit, or receive remuneration, directly or indirectly, overtly or covertly, in cash or in kind, to purposefully induce or reward referrals of items or services payable by a federal health care program. Simply put, it is against the law to pay or provide anything of value in an effort to induce referrals or business related to a federal health care program.

III.  What is Behind the Current Crackdown on Improper Opioid Prescribing Practices?

The DOJ currently believes that these pain management medications are a large contributing factor to the ongoing opioid epidemic. Essentially, federal prosecutors contend that opioid medications are being over prescribed and are not being used for the intended purposes, but are ending up on the streets for illegal sale and use. From 1999 to 2015, more than 183,000 patients died from overdoses related to prescription opioids with over 30,000 of those deaths occurring in 2015. Almost half of those deaths from 2015 being from prescription opioid overdose. With nearly 2 million Americans either abusing or dependent on opioids, the Center for Disease Control and Prevention (CDC) took significant steps last year to address the growing problem of opioid abuse in this country. In March 2016, the agency published its CDC Guideline for Prescribing Opioids for Chronic Pain (CDC Guideline). Since the issuance of the CDC Guideline, a growing number of states have either adopted this voluntary guidance or implemented similar restrictions on the prescribing practices of physicians, nurse practitioners and physician assistants in their respective states.

IV.  The Role of Medicare Part D:

Medicare Part D is an optional prescription drug program for Medicare beneficiaries. As of 2016 it covered more than 40 million individuals. While Medicare Part D can be very beneficial when it comes to helping its beneficiaries handle their pain management it can also easily be taken advantage of. While Medicare part D was aimed at providing medication for beneficiaries, it has substantially contributed to the opioid crisis through over prescription as well as the redirection of prescriptions for unlawful and abusive purposes, such as recreational use and the sale of opioids.

The CDC recently posted guidelines for medical prescription providers on how to prescribe opioids to patients with chronic pain. The CDC cautions providers on prescribing patients more than 90mg or more of morphine per day, any higher dosage and the patient becomes at risk for overdose or fatality.  A result of over prescription of opioids was one-third of all beneficiaries receiving at least one prescription opioid through Medicare Part D in 2016. In total, approximately 14 and a half million people received opioid prescriptions, out of a total of 43.6 million Part D beneficiaries. These 14.4 million prescriptions totaled $4.1 billion for nearly 80 million prescriptions.

Several states such as Alabama and Mississippi have significantly higher proportions of opioid prescriptions for Medicare Part B beneficiaries, 46% and 45% respectively. Approximately 10% of Medicare Part B recipients received one or more opioids on a regular basis, with 5 million beneficiaries receiving opioids for three months or more in 2016.  More than half a million beneficiaries received high amounts of opioids through Part D in 2016. All of these beneficiaries received a morphine equivalent dose (MED) of greater than 120mg per day for at least 3 months[1].

V.  Both Patients and Legitimate Pain Management Professionals are in a No-Win Situation:

From a patient standpoint, many individuals suffering from chronic pain report that it’s a bad time to be in pain.  Patients suffering from chronic pain are increasingly finding it more difficult to obtain care and treatment.  A recent survey by the Pain News Network and International Pain Foundation found that more than 90% of the respondents did not think that the 2016 CDC Guideline improved the quality of pain care in the United States.  Additionally, more than 80% reported that their level of pain had increased and their quality of life had decreased over the past year since the CDC Guideline had been issued. These increases in patient dissatisfaction are due, in large part, to the growing reluctance of non-specialists to prescribe opioids and other controlled substances. This is a result of the ever-increasing level of scrutiny that is being given to a physician’s opioid and controlled substance prescribing practices. Patients suffering from chronic pain are now often referred to pain management clinics and centers for specialized pain care and toxicology monitoring.

Unfortunately, legitimate pain management physicians, practices and clinics around the country are now finding themselves at the center of an ongoing effort by state and federal regulators to address opioid dependence, diversion and abuse.  As they diligently work to alleviate the painful conditions of their patients they must also worry about their medical decision-making and opioid prescribing practices being second-guessed by well-meaning federal and state investigators, regulators and prosecutors. Regretably, legitimate pain management professionals, practices and clinics are inadvertently being swept-up in the government’s current enforcement efforts targeting opioid abuse and diversion.

VI.  Conclusion:

While the government’s interest in opioid and controlled substance prescribing practices isn’t new, there is no question that this area is currently the subject of heightened enforcement.  The number of opioid-related administrative investigations initiated by state medical and  dental boards has significantly grown over the last year.  During this same period, the opioid prescribing practices of physicians, nurse practitioners, physician assistants, podiatrists and dentists have been carefully assessed (primarily through data mining) by state and federal law enforcement in an effort to identify and prosecute providers engaging in illegal conduct.  Now, more than ever, it is essential that you review your care and treatment practices to ensure that your documentation accurately reflects the medical necessity of any pain medications prescribed.  Despite the fact that the CDC March 2016 guidance is “voluntary,” we recommend that pain management professionals review their prescribing practices and verify whether their particular practices are consistent with the recommendations set out in the CDC’s March 2016 guidance.  Additionally, you should ensure that your opioid prescribing practices also comply with any requirements established by your state legislature and any state licensing authorities.

Pain Management

[1] United States of America. U.S. Department of Health & Human Services. Office of Inspector General. HHS OIG Data Brief OEI-02-17-00250.

Are your opioid prescribing practices currently being investigated or audited by the state medical board, state AG’s office, DEA or DOJ?  If so, give us a call.  Liles Parker attorneys represent health care providers around the country in regulatory audits and investigations.  For a free consultation, please call Robert: 1 (800) 475-1906.

Medicare Fraud Enforcement Efforts Are Rising in Texas

Download PDF

xray fraud gavel(October 27, 2015):  Over the past year, Medicare fraud enforcement efforts throughout Texas have resulted in multiple convictions.  These increased enforcement efforts should serve as a reminder to all Texas health care providers and suppliers that full compliance with applicable statutory and regulatory requirements is not an option — it is a necessity.

I. Medicare Fraud Enforcement Efforts are Accelerating in Texas:

In Houston earlier this year, one couple pled guilty to Medicare fraud and Medicaid fraud out of more than $9 million dollars. The owner was alleged to have violated the federal Anti-Kickback Statute by paying Medicare beneficiaries to visit the clinic and also billed for services that were supposedly never performed, despite the fact that they were billed to Medicare and Medicaid.  The owner’s wife, a registered nurse who ran the clinic, was convicted of misprision (knowing concealment) of a felony.  The couple also agreed to pay restitution to Medicare and Medicaid as part of their plea agreements.

A recent ambulance Medicare fraud case out of the Rio Grande Valley was prosecuted against the owner of the company alleging that documentation had been forged and that hundreds of thousands of dollars worth of false claims had been billed to the Medicare and Medicaid programs.  In addition to charging the defendant with charged with conspiracy to commit health care fraud, he was also charged with aggravated identity theft.

In another fairly recent example of fraud, a Gulf Coast physician practice entered into a settlement with the Department of Health and Human Services, Office of Inspector General (HHS-OIG) for allegedly submitting medical claims for services that were performed by unqualified technicians.

II. Exclusions are on the Rise:

The improper employment of “excluded” parties are another hot area of litigation you should consider. Last year, the general partner if a multi-facility set of skilled nursing homes was penalized for employing individuals who had been previously excluded from participation in federal health benefit care programs. The sad part is these violations were not only expensive, but also completely preventable. Providers should be acutely aware that government enforcement efforts are increasingly turning to Permissive Exclusion under the Social Security Act, where HHS-OIG has wide discretion to bar participants from federally funded programs from 1 to 5 years. Reinstatement cannot be requested until the exclusion term is completed. Each program must be reapplied for individually and could take another 6-12 months to receive the paperwork and complete, making the effective term 18-24 months. Further, every state, including Texas, has its’ own exclusionary statutes that must be complied with for purposes of re-enrollment in Medicare or Medicaid. State law cannot do less than federal law, but it could be even more restrictive, such as the Texas HIPAA law.

III. Checking the Exclusion Lists – Just Do It:

The simplest and most effective thing you can do to protect your healthcare practice or business is to check the exclusion lists religiously. Texas requires that exclusion lists to be checked on a monthly basis. Checking the exclusions list on a monthly basis may not be easy, but it is required. For larger entities it can also be costly and time consuming.  Nevertheless, it must be regarded as part of the essential cost of running your health care business.  Need exclusion screening assistance, check out one of the many vendors who provide these services.  Personally, I recommend you check out the services offered by “Exclusion Screening LLC” at www.exclusionscreening.com.  The company was started by Robert W. Liles and Paul Weidenfeld, two colleagues of mine. It simply has to be done, not only to be in compliance with federal and state law, but to prevent the risks and much more expensive penalties associated with the filing of false or tainted claims by these individuals. The result could not only lead to extremely large overpayments, but unnecessarily risk your exclusion from all federally funded programs, as well.

Pecore, RichardRichard Pecore, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors.  The firm also represents health care providers and medical billers in regulatory compliance reviews, HIPAA Omnibus Rule risk assessments, privacy breach matters, and State Medical Board inquiries.  For a free consultation, call Robert at:  1 (800) 475-1906

HEAT Strike Force Update: Prosecutions in Texas Increased in March 2010

Download PDF

The Texas HEAT Strike Force is actively investigating Medicare fraud throughout the state.(April 3, 2010):  The Federal government is taking considerable steps to stop Medicare fraud and abuse. Notably, the number of publicly-disclosed HEAT Strike Force investigations and prosecutions in Texas significantly increased last month.  Two of the cases disclosed involved mental health professionals:



  • A Psychologist was convicted of health care fraud and money laundering, in connection with various claims fraudulently billed to Medicare.  Instances of improper conduct included billing for more than twenty-four hours of services in a single day; billing for services in a single day which amounted to more than double the normal business hours of the Psychologist’s practice; billing for services allegedly rendered during weekends, holidays, and times that the Psychologist was known to be out-of-town and away from the practice; and, submitting claims for services and evaluations not actually performed by the Psychologist, as required by law.
  • An unlicensed Behavioral Health Counselor was charged with Medicaid fraud for allegedly engaging in aggravated identity theft.  The defendant allegedly improperly acquired Medicaid beneficiaries’ information, including names, addresses and Medicaid numbers, then used the information to file false claims through a behavioral counseling service the defendant owned.  These behavioral counseling services were billed to Medicaid but allegedly not provided to the beneficiaries for which they were billed.

Since being established approximately a year ago, Texas’ HEAT Strike Force has significantly increased both investigations and prosecutions throughout the State.  Both enforcement efforts and the frequency of Medicare audits are anticipated to increase throughout 2010 and following years.  In addition to the increasing number of civil and criminal cases brought by the Texas HEAT Strike Force, the number of administrative overpayment cases is anticipated to grow as well.  It is essential that Texas providers continue their efforts to ensure that both business operations and billing practices fully comply with applicable statutory and regulatory requirements.

Liles Parker PLLC includes a number of attorneys with extensive former experience as Federal and / or State prosecutors.  Should your organization find itself under investigation, call us today for a complimentary consultation at: 1 (800) 475-1906.

A HIPAA Risk Assessment is Essential to Avoid Liability

Download PDF

Covered entities and business associates must perform a HIPAA risk assessment.(August 23, 2014):  Almost all health care providers and suppliers qualify as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Together with the business associateswith whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential.  Let’s face it, the regulations governing a health care provider’s obligations under HIPAA are both extensive and complex.

Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA’s privacy and security mandates.  Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.

I.   The Importance of Conducting a HIPAA Risk Assessment:

A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA’s security requirements.  While most health care providers and suppliers have diligently worked to comply with HIPAA’s privacy requirements, their compliance with HIPAA’s security and risk assessment mandates remains a challenge.  A recent case out of the U.S. Attorney’s Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.

Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI.  At the time of his arrest, he was discovered to be in possession of patient medical records from Texas.  The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital.  The defendant allegedly took the patient records with the intent to use the patient’s PHI for personal gain.  The defendant is currently in jail, awaiting trial.  If convicted, he could be sentenced to prison for up to 10 yearsThere are two main points that all covered entities and business associates should keep in mind:

1.  The theft of PHI is a serious crime.  Both federal and state prosecutors are actively pursing individuals who illegally steal or improperly use patient PHI for personal gain.  Under 18 U.S.C.A. § 1028A(a)(1), the federal “Aggravated-Identity-Theft” statute prohibits an individual’s knowing use of another person’s identifying information without a form of authorization recognized by law. 

2.  While the government’s Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office of Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.    

II.  HIPAA’s Security Rule Requires that a Risk Assessment be Conducted:

While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions.  The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)   A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement.  Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI.  Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.

Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers.  A series of audits were conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA’s Privacy, Security, and Breach Notification requirements.  A number of health care providers were included in these audits.  The results showed that 60% of the deficiencies reported were related to HIPAA security requirements.  In addition, 65% of the findings were for health care providers, in particular smaller providers.  Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency.   Nearly 80% of the healthcare providers had not completed a risk assessment.[1]  OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.

III.  Meaningful Use and Risk Assessments:

Conducting a risk analysis is also a core requirement under the Meaningful Use rules. [2]  In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions.   Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.

Yet if the statistics from OCR’s admittedly small sample of healthcare providers in 2012 is true, this could mean that a very large majority of those healthcare providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely. The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available.   Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not.  While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.

IV.  Final Remarks:

While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately.   The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions.  Need help?  Give us a call.  In Part II of  this article, we will discuss several of the considerations you should take when engaging outside assistance to conduct a security risk assessment of your organization.

Heidi Kocher Healthcare Attorney

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.


[1] HIPAA Privacy, Security and Breach Notification Audits:  Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf

[2] See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).