Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Home Health Agency Alert: The Review Choice Demonstration Project is Moving Forward in Illinois Effective June 1, 2019

April 9, 2019
Filed under Home Health & Hospice

(April 9, 2019): This article updates our article of February 19 on the lifting by the Centers for Medicare and Medicaid Services (“CMS”) of the moratorium on the enrollment of new home health agencies in Florida, Illinois, Michigan and Texas, and the announcement by CMS of the implementation of a new five-year “Review Choice Demonstration Project” in three of those four states (Florida, Illinois, and Texas) as well as Ohio and North Carolina (with a possible extension to other states within the Palmetto/JM jurisdiction).

At the time of that article, CMS had announced that the project would begin in Illinois, with implementation in the other four states in the near future thereafter.  However, CMS had not specified a “start date” for Illinois because it was awaiting approval by the Office of Management and Budget (“OMB”) at that time.  CMS has now received that approval and has announced implementation in Illinois to begin on June 1, 2019.  All episodes of care beginning on or after that date during the period of the demonstration will be subject to the requirements of the project.

I.  Background of the Review Choice Demonstration Project:

As background, under the Review Choice Demonstration Project, home health agencies in the affected states will initially select from three options to have their claims reviewed:

  • Pre-claim review
  • Post-payment review, or
  • Minimal post-payment review with a 25% reduction.

After each six-month period, agencies with a 90% affirmation or approval rate under one of the first two options, above, will also be able to choose between two additional options.  Each of these options is described in our February 19 article.

II.  Illinois Home Health Agencies are Under the Microscope:

Home health agencies located in Illinois must choose and register for one of the three options, above, between the dates of April 17 and May 16 on a portal established by Palmetto GBA.  Any agency that fails to make a choice during that period will be assigned to the third option and will not be able to change that option during the entire five-year period, and thus will receive a 25% payment reduction during this entire time.

As discussed in our February 19 article, the Review Choice Demonstration is an outgrowth of the Pre-claim Review Demonstration for Home Health Services that had been initially implemented in Illinois and then “paused” and never “restarted.”  However, Illinois agencies that had met the 90% full provisional affirmation rate under that project (based on a minimal 10 request submission between August 2016 and March 2017) will be permitted to begin the Review Choice Demonstration by selecting from any of the options including the additional ones available to agencies with a 90% affirmation or approval rate during a 6-month period.

CMS has established links to both the Palmetto GBA portal described, above, and to an operational guide and Special Open Door Forum Presentation that describes the program at

III.  Is Your Home Health Agency Ready for an Audit?

Our earlier article goes into greater depth in describing the various options.  That article also emphasizes the critical nature of the choice that each agency makes in selecting an option.

Each of the options presents a separate set of risks and benefits as opposed to the others – the one exception being that the third option of a 25% payment denial does not appear to be a viable one for any agency.  Our earlier article also sets out several examples of these risks.  We thus recommend that every agency take the necessary time to consult with knowledgeable individuals, both internal and external, in making this selection during each 6-month period.

Additionally, as stated in that article, we cannot recommend strongly enough that agencies in the affected states have procedures in place to properly document coverage for all the cases that they handle, and also a process to prepare and move documentation through the system quickly and comprehensively.  They also should be updating their compliance and quality assurance programs to respond to these changes.

Liles Parker attorneys have substantial experience working with home health agencies in preparing them for the audit process which is similar to the processes that they will need to follow in responding to the Review Choice Demonstration Project, and in identifying the risks of choosing one option in relation to the others.  A number of our attorneys are also certified coders who have substantial experience in developing a format to justify coverage.  Finally, we have substantial experience working with agencies in developing and updating their compliance plans.

Any person wishing a free consultation in the area should contact Michael Cook, the author and Co-chair of our Health Care Group.  Michael can be reached at (202) 298-8750 or


Is Your Dental Practice Prepared to Undergo a Medicaid Dental Audit?

November 25, 2013
Filed under Dental Audits & Compliance

Your chances of undergoing a Medicaid dental audit are increasing.

Is Your Practice Ready for a Medicaid Dental Audit?

(November 25, 2013):  The link between oral health and overall health has been increasingly acknowledged over the years. Emphasis has been placed on children’s oral health in particular. In fact, the Children’s Health Insurance Program Re-authorization Act of 2009 (CHIPRA) mandates that “child health assistance provided to a targeted low-income child shall include coverage of dental services necessary to prevent disease and promote oral health, restore oral structures to health and function, and treat emergency conditions.”[1] The importance of good oral hygiene habits and preventive dental care cannot be overstated; yet, the federal government has not mandated even minimal dental benefits for low-income adult Americans through Medicaid. While dental coverage for low-income children is rather expansive, it is entirely up to states as to whether dental is covered for low-income adults at all. In any event, the likelihood that you will be subjected to a Medicaid dental audit by federal and / or state authorities has been increasing each year.  In this article, we discuss the current enforcement environment, along with steps you can take to reduce your dental practice’s level of risk.

I.  State Medicaid Dental Care Differs from Jurisdiction to Jurisdiction:

The range of approaches by states to low-income adult dental coverage is vast, from no coverage at all to coverage of all service categories. Some states are expanding their coverage of low-income adult dental care to reflect both the increasingly recognized importance of quality dental care and the increasing costs of dental care. For example, Indiana raised its cap on adult dental services from $600 per calendar year to $1,000 per calendar year in 2011.[2] Of course, the nation’s fiscal crisis has also pushed states in the other direction, forcing states like Pennsylvania, Massachusetts, Illinois, California and Washington to cut “discretionary costs” from their Medicaid budgets, which has included dental coverage.[3]

II.  The Likelihood of Your Practice Being Subjected to a Medicaid Dental Audit:

Not surprisingly, the increased recognition of the importance of preventive and quality dental care has also led to the increased scrutiny of dental services paid for by federal-state health benefit programs. The criminal conviction of a Virginia dentist in 2008 on felony charges of racketeering, health care fraud, and structuring a financial transaction sent vibrations throughout the dental world. The Virginia dentist was a long time provider of dental services in his community (the poorest area of his state, in fact), having begun his practice in 1981. By 2008, his payor mix was 50-50 Medicaid-private pay.

An “anonymous” complaint triggered the investigation of his practice which led to his conviction, though he had also been audited by Medicaid several times prior to that. Nobody disputes that there were some mistakes in his practice’s documentation and record keeping, including the Virginia dentist himself.  Yet, as he stated in an interview:

“the government’s position was that these errors were not mistakes, but the errant claims were submitted to be paid for more than I was entitled.”

Both prior to serving his sentence and after his release, the Virginia dentist shared his story time and time again, stressing to his peers the importance of comprehensive documentation. As he stated in that same interview:

“If I can prevent this situation from happening to anyone else, airing my “dirty laundry” will have been worth the embarrassment. […] If you become a Medicaid provider, be very, very careful! Document, document, document; review, check, and recheck. Make no mistakes!”

As predicted, we’ve seen dentists across the nation come under increased scrutiny. Medicaid Integrity Contractors (MIC) in states such as Indiana and Texas have been particularly active. The MICs are requesting samples of medical documentation from as early as 2007, and are requesting the full ambit of documentation, from charts to billings.

III.  The Medicaid Documentation Quandary:

Dentists should be aware of and expect Medicaid dental audit letters from their local MICs, which are generally followed by a site-visit. Unfortunately, the letters are broad, giving dentists no real sense of what types of services, if any, are being reviewed. The lack of focus, we believe, is indicative of the contractors’ intent to review compliance with federal and state documentation guidelines in general. Many dentists document quite minimally, indicating the tooth at issue and the service that has been deemed medically necessary, with no indication or elaboration on the basis for that determination (e.g., treatment diagnosis, x-ray findings, etc.). We encourage our dental clients to ask themselves: would a peer be able to look at my documentation and come to the same conclusion as I did as to which service(s) was medically necessary? If not, the documentation is probably not sufficient for Medicaid standards. Remember that all of the dots need to be connected for the MIC reviewer in the documentation. The MIC reviewer will not make any inferences in your favor.

IV.  How Should a Dentist Respond to Medicaid Dental Audit?

In light of the increased scrutiny of dental services, dentists should review their forms and documentation procedures and update them accordingly if deficiencies are identified. Dentists should also apprise their staff of the current activity in the Medicaid dental world and establish a plan of action for how to respond in the event that the local MIC initiates an audit of their practice.

V.  Final Remarks:

Now, more than ever, it is essential that dentists participating in the Medicaid programs review both their operational and documentation practices to ensure that a third-party examining their patient treatment records years from now can readily see why certain care and treatment decisions were made and that the services billed to the Medicaid program were medically reasonable and necessary.

Lorraine Ater, Esq. is a health law attorney with the boutique firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.



[1] Title XXI of the Social Security Act, Section 2103(c)(5).
[2] On January 1, 2011, the cap on dental services for members age 21 and older was increased to $1,000 and included all covered dental services, including all emergency dental services.
[3] A more comprehensive discussion of the Medicaid dental budget cuts reflects the challenges faced by the states.

The Transition to ICD-10 is a Year Away. Will Your Practice be Ready?

(November 22, 2013):  On October 1, 2014, the health care industry transitioned from ICD-9 to ICD-10 codes for diagnoses and hospital inpatient procedures. This means everyone covered by HIPAA must use ICD-10 codes for health care services provided after October 1, 2014.  ICD-10 allows more than 14,400 different codes and permits the tracking of many new diagnoses. The codes can be expanded to over 16,000 codes by using optional sub-classifications. The following is a list of topics a physician practice needs to address now to prepare your .

I.  When the Transition to ICD-10 Implementation Occurs, Will You be Able to Submit Claims?

If you use an electronic system for any of your payers, you need to contact the software vendor (if necessary) and ensure that your system can integrate ICD-10’s expanded codes. If your billing system has not been upgraded to Version 5010 for the current version of the HIPAA claims standard, you will not be able to submit claims. It is imperative that you verify whether your software system has been upgraded.  This step should be accomplished NOW.

II.  Will You be Able to Complete Medical Records?

If you utilize electronic health records (EHR), you need to verify that your system is properly capturing ICD-10 codes. Look at how you enter ICD-9 codes (e.g., do you type them in or select from a drop-down menu) and talk to your software vendor about your system’s ability to accurately implement ICD-10’s expanded code sets.

III.  Coding Your Claims Under ICD-10:

If you currently code by looking up codes in ICD-9 books, we recommend that you purchase ICD-10 code books in early 2014. As you code services under ICD-9, try to code the same records using ICD-10’s expanded codes. Get familiar with the new ICD-10 codes you will likely be using on a daily basis.  Also, you may want to explore ICD-10 training options and determine if formal training is necessary.

IV.  Where Do You Use ICD-9 Codes? Have You Reviewed all of Your Forms?

Keep a log of everywhere you see and use an ICD-9 code as you do your job. If the code is on paper, you will need new forms (e.g., patient encounter form, superbill). If you see the code on your computer, check with your EHR or practice management system vendor to see when your system will be ready for ICD-10 codes.

V.  Are There Ways to Make Coding More Efficient?

For example, develop a list of your most commonly used ICD-9 codes and become familiar with the ICD-10 codes you will use in the future for the same case. Also, think about ways to make sure the new coding does not delay payments. Look at your most common non-visit services—do any sometimes trigger reviews or denials related to medical necessity? It is important to understand how to code these services correctly before the mandatory date of ICD-10 implementation arrives.

VI.  Final Remarks:

There’s no doubt about it, physician practices transitioning over to ICD-10 are likely to experience significant coding and billing delays when the change occurs.  In all likelihood, this will adversely impact your cash flow.  Are you prepared for these delays?  Ultimately, the best way to transition to ICD-10 is to prepare for this monumental change now, not a year from now.  Should you have questions, please feel free to call me.

Michael Troy is a Partner at Liles Parker, Attorneys & Counselors at Law.  Michael represents health care providers around the country in audits by ZPICs and other CMS contractors.  For a free consultation, please give us a call at: 1 (800) 475-1906.


Improper Medicare Payments Are Still Being Made for Deceased Beneficiaries

(November 20, 2013): While most health care providers and suppliers are diligent in their efforts to ensure that Medicare services are submitted appropriately, mistakes and other improper billings still take place.  Two areas of continuing concern involve providers and / or suppliers who submit fraudulent claims to Medicare seeking reimbursement on behalf of deceased beneficiaries or individuals who are unlawfully present in this country.  Despite numerous safeguards put into place by the Centers for Medicare and Medicaid Services (CMS) and its various contractors to prevent these types of inappropriate payments, these problems remain.  Two recent reports published by the Department of Health and Human Services, Office of Inspector General (OIG) found that Medicare has continued to inappropriately pay for services allegedly provided to ineligible beneficiaries.  In response, a series of steps have been recommended to improve CMS’ payment safeguards in this regard.

I.  Medicare Coverage and Payment Requirements:

The federal Medicare program consists of two primary components: hospital insurance, or Part A, and supplementary medical insurance programs, which consist of Parts B and D.  Part A services are generally furnished by organizational providers, such as hospitals, home health agencies, skilled nursing facilities, and hospices.  In contrast, a majority of Part B services are provided by individual providers (e.g., physicians).

Medicare also has Part C (i.e., Medicare Advantage), which is an alternative to the traditional fee-for-service approach of Parts A and B.  For Part C, beneficiaries may enroll in Medicare Advantage plans (e.g., health maintenance organizations, preferred provider organizations), which are offered by private insurance companies.  Individuals who are eligible for Part A may enroll in Part B or join Medicare Advantage.  Additionally, beneficiaries enrolled in Part A, Part B, or Medicare Advantage are eligible for the prescription drug coverage under Part D.

For certain Part A and B services and items, providers must order, refer, or certify the service or item for the beneficiary.  To process and pay these claims, CMS relies heavily on the efforts of private-sector contractors, known as Medicare Administrative Contractors (MACs).  After receiving a claim, these Medicare contractors run each claim through a system of “edits” (system processes), which are designed to detect possible billing errors or other potential problems before authorizing a claim for payment.  Unfortunately, the edit process is far from perfect.  It may incorrectly deny a claim that should be paid.  Alternatively, it may not screen out all of the improper claims for which it was designed.

For parts C and D, CMS makes payments on behalf of beneficiaries directly to Medicare Advantage organizations and prescription drug plan sponsors.  Payment amounts may differ for each enrolled beneficiary on the basis of demographic and health status information.  CMS calculates payment amounts using the most current information available, which usually comes from the Social Security Administration (SSA).  If CMS receives demographic or health status information that would increase or decrease previous monthly Part C and / or D payments, it makes retroactive adjustments to correct the payment amount.  For deceased beneficiaries, CMS corrects the payment amount for the months in which the individuals had, before their deaths, been enrolled in the Medicare Advantage plan or prescription drug plan.

However, Medicare will not reimburse health care providers, suppliers, Medicare Advantage plans, or prescription drug plans for expenses incurred for items or services that are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.[1]  Because services can no longer be deemed medically necessary after a beneficiary has died, any payment made after this date is inappropriate.

Furthermore, Medicare benefits are generally allowable when provided to a beneficiary who is either a U.S. citizen or a U.S. national or to an alien who is lawfully present in the United States.  If an alien beneficiary is present in the United States on an unlawful basis (i.e., unlawfully present), however, Medicare benefits are not allowable.

II.  Medicare’s Safeguards Against Improper Payments to Deceased Beneficiaries:

Previous HHS-OIG studies and audit reports have discovered that the Medicare program continues to incorrectly make payments on behalf of deceased beneficiaries.  In response, the Centers for Medicare & Medicaid Services (CMS) has implemented numerous safeguards to address this liability. For example, to identify and prevent payment for Part A and B services after beneficiaries’ dates of death, CMS implemented an “informational unsolicited response” process in April 2011. This process reviews all Part A and B claims approved for payment in the claims history and identifies claims with service dates up to 3 years after the beneficiary’s date of death.[2]  Medicare’s claims processing contractors also receive a report of identified claims for deceased beneficiaries on which they are required to take action and perform additional reviews, if necessary, to determine whether payment was inappropriate.

When a beneficiary is enrolled in Parts C and D, the last payment is generally made in the month in which the beneficiary died.  CMS’s systems will then automatically dis-enroll deceased beneficiaries to prevent improper payments to Medicare Advantage organizations and prescription drug plan sponsors for the months following the deaths of enrolled beneficiaries.  CMS then recoups any payments made to those organizations and sponsors on the behalf of deceased beneficiaries for those months.

III.  Medicare Continues to Make Inappropriate Payments on Behalf of Deceased Persons:

Despite its safeguards, a recent report reflects that Medicare inappropriately paid tens of millions in 2011 for claims that occurred after beneficiaries had died.  The OIG identified Medicare beneficiaries who had passed away from 2009 to 2011.  The agency also compared the date-of-death information from SSA’s Death Master File and CMS’s Enrollment Database for each beneficiary.  The OIG then identified Medicare Part A and B claims as well as Part C and D payments from 2011 associated with these deceased individuals.  OIG also assessed paid and unpaid Part B claims with service dates after the beneficiaries’ deaths to identify providers and suppliers associated with the high numbers of these particular claims.

The study indicates that Medicare inappropriately paid $23 million in 2011 for claims with service dates after beneficiaries’ deaths.  These improper payments in 2011 only constitute less than one-tenth of a percent of total Medicare expenditures.   While the results may seem insignificant, they are still alarming given that this problem has been identified on several previous audits and CMS is supposed to have effective safeguards in place.

More specifically, the study demonstrated that 86 percent ($20 million) of the improper payments were made under Part C.  Medicare Part D accounted for an additional four percent.  As a result, 90 percent of improper payments were made to private Medicare advantage plans or prescription drug sponsors.  This is particularly troubling since, for Parts C and D, Medicare automatically dis-enrolls a beneficiary from a Medicare advantage plan upon his or her death.  The safeguards for these parts were nevertheless unable to prevent all of the improper payments.

Moreover, 11% of these improper payments resulted from missing or incorrect dates of death in CMS’ Enrollment Database in 2011.  HHS-OIG found that these dates of death were incorrect due largely to:

(1) No date of death being listed for a deceased beneficiary, or

(2) The date of death was incorrectly verified as being accurate. 

Specifically, CMS did not have the dates of death for 375 deceased beneficiaries, which resulted in $2.5 million in improper Medicare payments.

Finally, OIG identified 251 providers and suppliers that had high numbers of paid and / or unpaid Part B claims with service dates after the beneficiaries’ deaths.  For example, the report reflects that 65 providers and suppliers had 10 or more paid Part B claims with service dates after the beneficiaries’ deaths for 2011.  These claims represented over $100 thousand in inappropriate payments.  Additionally, in 2011, 190 providers and suppliers had over 100 unpaid Part B claims with service dates after the beneficiaries’ deaths.

IV.  OIG’s Recommendations for Improving Safeguards to Prevent Improper Payments:

While CMS’s safeguards have prevented or recovered a vast majority of Medicare payments made on behalf of deceased beneficiaries, they have fallen short of 100 percent prevention.  Therefore, OIG made four recommendations on how to improve payment safeguards in this area and to address providers and suppliers identified by OIG with high numbers of claims with service dates after beneficiaries’ deaths.  Specifically, OIG recommended that CMS:

  • Improve existing safeguards to prevent future improper Medicare payments after beneficiaries’ deaths, including determining why existing safeguards did not prevent all improper payments;
  • Take appropriate action on the $23 million in improper Medicare payments made on behalf of deceased beneficiaries and correct inaccurate dates of death;
  • Monitor both paid and unpaid Part B claims with service dates after beneficiaries’ deaths to identify providers and suppliers associated with high numbers of such claims; and
  • Take appropriate action on the 251 providers and suppliers that had high numbers of paid and/or unpaid Part B claims with service dates after beneficiaries’ deaths.

CMS concurred with all four of OIG’s recommendations.  CMS emphasized its ongoing commitment to prevent and recover Medicare payments made on behalf of deceased beneficiaries.

VI.  Medicare Requirements for Prescription Drug Coverage Payments:

In order to receive payment for Medicare Part D, every time a Medicare beneficiary fills a prescription covered under Part D, the sponsor must submit a “Prescription Drug Event” (PDE) record to CMS.  PDE records (which are collectively referred to as “PDE data”) include drug cost and payment information that enables CMS to administer the Part D benefit.  Sponsors are paid prospectively and must submit final PDE records to CMS within 6 months after the end of the coverage year.  CMS makes final payment determinations each year by adjusting the sponsors’ payments using information from the PDE records.

However, CMS has specifically implemented a policy that bars any payments for health care services, including covered prescription drugs, provided to unlawfully present beneficiaries in Medicare Parts A and B.  Furthermore, an individual is eligible for Part D benefits if he or she is entitled to Medicare benefits under Part A or enrolled in Part B and lives in the service area of a Part D plan. Thus, Federal law prohibits Part D payments for prescription drugs provided to unlawfully present beneficiaries.

Accordingly, CMS set forth a Program Memorandum with the following payment policy: “Make no payments for Medicare services furnished to an alien beneficiary who is not lawfully present in the United States.”[3]  CMS also implemented a system edit to automatically reject Parts A and B claims for beneficiaries who are unlawfully present, according to its Medicare Enrollment Database.  However, CMS did not have a policy addressing payments for unlawfully present beneficiaries under Medicare Part D equivalent to its policy under Parts A and B. Specifically, CMS did not have any internal controls to identify and dis-enroll unlawfully present beneficiaries and to automatically reject PDE records for those individuals.

VII.  Prescription Drugs are being Improperly Provided to “Unlawfully Present Beneficiaries”:

Because CMS did not have such a policy, CMS incorrectly determined that unlawfully present beneficiaries were eligible for Part D benefits and could not prevent payments to be made to these individuals.  In fact, a second OIG report outlines just how inadequate CMS was in not preventing Medicare Part D payments to be made to unlawfully-present beneficiaries for calendar years 2009 through 2011.   In order to conduct its review, HHS-OIG analyzed years 2009 and 2011, whereby sponsors submitted final PDE records to CMS with gross drug costs totaling approximately $227 billion.

Here, HHS-OIG’s study found that CMS inappropriately accepted 279,056 PDE records submitted by Part D sponsors with unallowable gross drug costs totaling almost $29 million on behalf of 4,139 unlawfully-present beneficiaries.  CMS then used those records to make final payment determinations to sponsors.

VIII.  HHS-OIG’s Recommendations for Preventing Improper Payments to Deceased Beneficiaries:

With regards to this problem, OIG has issued three recommendations.  Specifically, OIG has recommended that CMS:

  • Resolve improper Part D payments made for prescription drugs provided to unlawfully present beneficiaries by reopening and revising CYs 2009 through 2011 final payment determinations to remove prescription drug costs for unlawfully present beneficiaries;
  • Develop and implement controls to ensure that Medicare does not pay for prescription drugs for unlawfully present beneficiaries by preventing enrollment of unlawful  beneficiaries, dis-enrolling any currently enrolled unlawful beneficiaries, and automatically rejecting PDE records submitted by sponsors for prescription drugs provided to this population; and
  • Identify and resolve improper payments made for prescription drugs provided to unlawfully present beneficiaries by reopening and revising final payment determinations for periods after the period of this review but before implementation of policies and procedures.

In response to these recommendations, CMS concurred with the first two and described corrective actions that it planned to take.  Specifically, CMS indicated that it would first address policy and system changes and would then reopen each year to recover improper payments.  However, CMS did not concur with the third recommendation.  CMS contended that there was no effective way to fully recover the improper payments in question without first implementing the appropriate policies and procedures, including the relevant systems changes.

IX.  What do These Two OIG Reports Tell Us?

Based on the findings of these two reports, CMS has some further work to do in order to prevent unlawfully present individuals from receiving Federal health care benefits.  CMS must begin to develop and implement controls to ensure that federal health care programs do not pay for prescription drugs under Part D for unlawfully present beneficiaries.  The agency must prevent enrollment of unlawful beneficiaries, dis-enroll any currently enrolled unlawful beneficiaries, and automatically reject PDE records submitted by sponsors for prescription drugs provided to this population.

On the other hand, CMS has enacted a fairly strong safeguard system to prevent improper payments to be distributed to otherwise deceased beneficiaries.  While the system could not prevent all improper payments, these improper payments in 2011 constituted less than one-tenth of a percent of total Medicare expenditures.  The agency must continue to build upon this success and improve its safeguards even further.

X.  What Steps Should we Take?

It is imperative that all participating providers affirmatively review their practices to help ensure that all Medicare program billings are appropriately handled.  Frankly, there is no valid excuse for the billing of services for a deceased Medicare beneficiary.  While Medicare recognizes that “mistakes” happen, if your organization is audited and a Zone Program Integrity Contractor (ZPIC), Recovery Audit Contractor (RAC) or OIG finds that you have been billing for services allegedly rendered to deceased beneficiaries, the presumption will likely be that improper billings are more than a result of a mere mistake.

Unlike the first issue, you will likely find it more difficult to screen out services provided to beneficiaries that are allegedly not in this country legally.  Nevertheless, this risk area should be incorporated into your Compliance Plan so that steps can be taken to avoid the submission of these improper billings.

Ultimately, each and every Medicare provider and supplier needs to develop, implement and adhere to an effective Compliance Plan.  In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help responding to an audit of your Medicare claims or in setting up your Compliance Plan?  Give us a call.

Robert W. Liles, Esq. serves as Managing Partner at Liles Parker, Attorneys and Counselors at Law.  Liles Parker is a boutique health law firm with offices in Washington, DC, Texas and Louisiana.  We represent health care providers and suppliers around the country in health law related matters and cases.  For a free consultation, give us a call at: 1 (800) 475-1906.



[1] Social Security Act § 1862(a)(1)(A), 42 U.S.C. § 1395y(a)(1)(A).

[2] CMS, Change Request 7123, Transmittal 804, Pub. 100-020 One-Time Notification, November 2010. Accessed at on Nov. 19, 2013. The automatic adjustment process of the “informational unsolicited response” retroactively adjusts certain paid claims when subsequent claims or other subsequent actions are the first indicator that payment was inappropriate.

[3] CMS, Payment Denial for Medicare Services Furnished to Alien Beneficiaries Who Are Not Lawfully Present in the United States, Program Memorandum Intermediaries/Carriers, Transmittal AB-03-115 (Change Request 2825, August 1, 2003).  This payment policy was incorporated in the Medicare Claims Processing Manual in September 2004 (Chapter 1, Section

TSBDE Update: Texas State Board of Dental Examiners

November 11, 2013 by  
Filed under Dental Audits & Compliance

(November 11, 2013): TSBDE Update – The Texas Legislature first provided for licensure of dentists in 1897, whereby district judges were empowered to appoint a Board for their districts consisting of three practicing dentists living in the district. In 1905, Senate Bill 84 created the Texas State Board of Dental Examiners (TSBDE or Board). The Board consisted of six practicing dentists to serve the entire state. Between 1905 and the present, various amendments to the Dental Practice Act have been enacted.

Today, the Board consists of 15 members appointed by the Governor.  The stated mission of the Board is to safeguard the dental health of Texas by developing and maintaining programs to:

1. Ensure that only qualified persons are licensed to provide dental care; and

2. Ensure that violators of laws and rules regulating dentistry are sanctioned as appropriate.

The TSBDE is divided into five program functions/divisions: Executive; Administration; Licensing; Enforcement; and Legal. Each division is closely related to and depends on ready and efficient access to information from the others to assure that functions are carried out in a manner consistent with statutory requirements to ensure the dental health and safety of the public. Information about program services is shared among the divisions of the TSBDE.

I.  Introduction — Sanctions Imposed by the TSBDE:

The TSBDE has the authority to sanction dentists for inappropriate conduct.  Examples of such conduct include violations of the standard of care, impermissible delegation, dishonorable or unprofessional conduct, criminal offenses, and the failure to use proper diligence in practice or to safeguard patients against avoidable infections.

II.  Alleged Violation — Standard of Care Breaches:

Standard of care violations include:

  • Practice below minimum standard with a risk of harm.
  • Failure to advise patient before beginning treatment.
  • Failure to make, maintain and keep adequate dental records.
  • Misleading a patient as to the gravity, or lack thereof, of their dental needs.
  • Failure to maintain appropriate life support training.
  • Abandonment of patient.
  • Failure to report patient death or injury requiring hospitalization.
  • Act or omission that demonstrates level of incompetence such that the person should not practice without remediation and subsequent demonstration of competency.
  • Negligence in treatment.
  • Any intentional act or omission that risks or results in serious harm.
  • Failure to properly document compliance with health and sanitation requirements.
  • Office premises are not maintained in compliance with health and sanitation requirements.
  • Barrier techniques, disinfection, or sterilization techniques do not comply with health and sanitation requirements.
  • Failure to document controlled substance inventories or prescription records.
  • Failure to use reasonable diligence in preventing unauthorized persons from utilizing DEA or DPS permit privileges.

Other types of standard of care violations include situations where the Licensee is negligent in performing dental services and that negligence causes injury or damage to a dental patient, and where the Licensee is physically or mentally incapable of practicing in a manner that is safe for the person’s dental patients.

Another type of violation is impermissible delegation.  Impermissible delegation is when the Licensee holds a dental license and employs, permits, or has permitted a person not licensed to practice dentistry to practice dentistry in an office of the dentist that is under the dentist’s control or management.

III.  Alleged Violation — Dishonorable Conduct:

If a Licensee practices dentistry or dental hygiene in a manner that constitutes dishonorable conduct, the activity will violate the Texas Code. These violations include:

  • Isolated dishonorable conduct resulting in no adverse patient effects.
  • Repeated acts of dishonorable conduct which impair a person’s ability to treat a patient according to the standard of care.
  • Dispensing, administering, prescribing, or distributing drugs for a non-dental purpose.
  • Failure to meet duty of fair dealing in advising, treating, or billing a patient.
  • Diagnosis of dental disease, prescription of medication, or performance of impermissible acts by a dental hygienist.
  • Practicing dental hygiene without required supervision.
  • Sex or sexualized conduct with a patient.
  • Financial exploitation or dishonorable conduct resulting in a material or financial loss to a patient.

IV.  Alleged Violation — Criminal Behavior:

The TSBDE considers criminal behavior to be highly relevant to an individual’s fitness to engage in the practice of dentistry and will institute disciplinary actions for such conduct.  Relevant behavior can include:

  • Criminal offenses relating to the regulation of dentists, dental hygienists, or dental assistants committed in the practice of or connected to dentistry, dental hygiene or dental assistance.
  • Criminal offenses relating to the regulation of a plan to provide, arrange for, or reimburse any part of the cost of dental care services or the regulation of the business of insurance.

V.  Alleged Violation — Improper Drug Usage:

Furthermore, violations relating to chemical dependency or improper possession or distribution of drugs are also in the purview of the TSBDE’s sanctioning authority.  Specifically, a violation will be found where the Licensee is addicted to or habitually intemperate in the use of alcoholic beverages or drugs or has improperly obtained, possessed, used or distributed habit-forming drugs or narcotics.  Violations include:

  • Misuse of drugs or alcohol without patient interaction and no risk of patient harm or adverse patient effects.
  • Improperly distributing habit-forming drugs or narcotics.
  • Prescribing or dispensing a controlled substance for a non-dental purpose.
  • Prescribing or dispensing a controlled substance to a person who is not a dental patient, or to a patient without adequate diagnosis of the need for prescription.
  • Misuse of drugs or alcohol with a risk of patient harm or adverse patient effects.
  • Misuse of drugs or alcohol with a significant physical injury or death of a patient or a risk of significant physical injury or death.

VI.  Alleged Violation — Fraud or Misrepresentation:

The TSBDE considers fraud or misrepresentation a violation.  Infractions involving fraud or misrepresentation include instances where a licensee obtains a license by fraud or misrepresentation or engages in deception or misrepresentation in soliciting or obtaining patronage.  Specific violations include:

  • Failure to honestly and accurately provide information that may have affected the Board’s determination of whether to grant or renew a license.
  • Making an intentional misrepresentation of previous licensure, education, or professional character, including failure to disclose criminal convictions.
  • Engaging in false advertising.
  • Creating unjustified expectation.
  • Engaging in false, misleading or deceptive referral schemes.
  • Failing to comply with requirements relating to professional signs.
  • Failure to list at least one dentist practicing under a trade name in an advertisement.
  • Falsely advertising as a specialist in one of the ADA recognized specialties or advertising as a specialist in an area not recognized by the ADA.

VII.  Alleged Violation — Any Law Relating to the Regulation of Dentists or Dental Hygienists:

A violation of any law relating to the regulation of dentists or dental hygienists is also considered a violation of the Dental Practice Act.  This occurs when a Licensee violates or refuses to comply with a law relating to the regulation of dentists or dental hygienists.  Examples include:

  • Isolated failure to make, maintain and keep adequate dental records not resulting in patient harm.
  • Failure to notify patients that complaints concerning dental services can be directed to the Board.
  • Failure to post names of, degrees received by, and schools attended by each dentist practicing in office. Failure to properly exclude names of dentists not practicing in office.
  • Failure to place identifying mark on a removable prosthetic device.
  • Failure to notify the Board of maintenance of records agreement.
  • Failure to make, maintain and keep adequate dental records resulting in potential for patient harm.
  • Failure to obtain written, signed informed consent.
  • Failure to provide full dental records to the Board upon request.
  • Failure to maintain an appropriate permit for a mobile dental facility.
  • Perform treatment outside licensee’s scope of practice not resulting in patient harm.
  • Prescription of controlled substance while DPS or DEA permit is expired.
  • Failure to make, maintain and keep adequate dental records resulting in actual patient harm.
  • Violation of stipulation in a prior Board Order.
  • Perform treatment outside licensee’s scope of practice resulting in patient harm or potential for patient harm.
  • Prescription of controlled substance without DPS or DEA permit.

VIII.  Conclusion:

In recent years, the TSBDE has been particularly active.  As the number of complaints against dentists has increased, the number of disciplinary actions has also grown.  Notably, many of the complaints now handled by the TSBDE are collateral referrals from state and / or federal law enforcement agencies.  Are your dental practices fully compliant?  Call the health lawyers at Liles Parker for assistance in responding to a Dental Board investigation or a Medicaid or private payor audit.

Robert W. Liles, J.D. serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert represents dentists and dental practices around the country in State Dental Board investigations and in Medicaid and private payor audits of dental claims / dental services.  For a free consultation, call Robert at:  1 (800) 475-1906.


Wake Up Sleep Labs! OIG is Concerned About Questionable Billing Practices

(October 24, 2013):  Over the next year, sleep lab / sleep medicine practices and clinics should expect to receive increased scrutiny from both the Department of Health and Human Services, Office of Inspector General (OIG) and from program integrity contractors working for the Centers for Medicare and Medicaid Services (CMS).  These contractors may include Zone Program Integrity Contractors (ZPICs), Recovery Audit Contractors (RACs) and other “specialty” contractors hired by the agency to audit these types of claims.

Are your sleep study tests being handled properly?  Are your medical necessity, documentation, coding and billing practices fully compliant with Medicare’s requirements?  Even if you believe that your sleep study practices are fully meeting all applicable statutory and regulatory mandates, we strongly recommend that you conduct an internal review to verify your adherence to the rules.

I.  Introduction to the Sleep Lab Billing Issue:

In recent years, OIG has noted a significant rise in Medicare’s spending on sleep study testing services by physician practices, clinics and hospitals. This unexpected rise, coupled with the agency’s mounting concerns about fraud and abuse, prompted OIG to conduct an in-depth review of sleep study services and reimbursement issues.  As OIG’s October 2013 report reflects, the agency analyzed  Medicare claims from hospital outpatient departments and non-hospital providers, including independent diagnostic testing facilities and physician-owned sleep laboratories.

According to the report, almost $17 million in Medicare claims for polysomnography services did not meet one or more of the three requirements for Medicare reimbursement.  Many of these incorrect claims:

  • Used inappropriate diagnostic codes;
  • Were billed under same-day duplicate claims; or
  • Were submitted for payment using an invalid national provider identifier (NPI). 

Overall, the report also reflected that many providers exhibited patterns of “questionable billing.”

Based on these findings, OIG made four recommendations to CMS.  Since CMS concurred with these recommendations, providers that administer sleep study services should expect increased CMS audit actions in the near future.

II.  What is Polysomnography?

Polysomnography is a type of sleep lab study that is used to diagnose medical conditions that affect an individual’s sleep, such as “sleep apnea,” and is also typically used to evaluate the effectiveness of continuous positive airway pressure (CPAP) devices.[1] During a polysomnography, a patient sleeps while connected to sensors that measure and record biophysical changes that occur during sleep, such as brain wave activity, eye movement, and airflow.[2]  If the polysomnography demonstrates that an individual has sleep apnea, a provider may prescribe a CPAP device for treatment.  Polysomnography services may be performed in hospital outpatient departments or nonhospital locations, such as independent diagnostic testing facilities and provider-owned sleep laboratories.

Providers may conduct a diagnostic service and fit / titrate the CPAP device (if necessary) in two separate visits.  Alternatively, providers may perform both of these services during a single visit.  This is known as a “split-night service.”  Split-night services are generally conducted when a diagnosis of sleep apnea can be made within the first few hours of the polysomnography service and the provider still has time to fit and titrate the CPAP device that same night.  However, if the provider is unable to make the diagnosis early in the polysomnography service, the patient may need to return at a later date for an additional polysomnography service to fit the CPAP device.

III.  Qualification and Reimbursement Requirements for Polysomnography under Medicare:

From the outset, how providers are reimbursed under Medicare for polysomnography services depends on where the service is performed.   Generally, if it is performed in a hospital outpatient department, Medicare pays under the Outpatient Prospective Payment System.[3]  On the other hand, if polysomnography services are performed by a non-hospital provider, Medicare will reimburse the provider under the Physician Fee Schedule.[4]

More importantly, Medicare will only cover polysomnography services that are deemed “reasonable and necessary.”[5]  Medicare also will not reimburse a provider for duplicate claims, (i.e., multiple claims submitted for a single service performed).[6]  Furthermore, for polysomnography tests, CMS requires a valid order from the provider who evaluates or treats the beneficiary.[7][8]

Once a beneficiary has qualified for this type of service and it has been provided, the health care provider must submit the claim to Medicare for reimbursement. Polysomnography service claims are processed by one of the fifteen different Medicare Administrative Contractors (MACs).  In addition to guidelines and regulations promulgated by Medicare, MACs may specify additional coverage requirements through local coverage decisions (LCDs).[9]   LCDs include details such as utilization guidelines, permissible CPT codes, and diagnosis codes that support medical necessity.[10]  In fact, all LCDs for polysomnography services list sleep apnea diagnosis codes which support the medical necessity of diagnostic polysomnography.  More importantly, all of these LCDs specify that routinely performing repeat services is not medically necessary, and that providers must have documentation that justifies the necessity of repeat tests.  However, out of the fifteen MACs who process polysomnography claims, only nine had LCDs that apply to some or all of the polysomnography claims processed in 2011.

Health care providers typically bill Medicare for polysomnography services using three CPT codes.[11]  Additionally, polysomnography services consist of two components: the administration of the test (i.e., the technical component) and the provider’s interpretation of the test (i.e., the professional component).  Generally, providers bill the technical and professional components separately if each component is performed by a different provider.   However, if a provider bills for the two components together, it is known as a “global service.” Finally, CMS requires an appropriate diagnosis code for payment for polysomnography services.[12]   Providers must list the condition that justifies the service as the primary diagnosis code.[13][14]

IV.   Why OIG Conducted a Review of Sleep Lab Billing Practices:

Notably, OIG based its decision to perform an analysis of polysomnography services on two factors.  First, the agency had seen a noticeable increase in Medicare spending on sleep lab services.  From 2005 to 2011, Medicare spending for polysomnography services rose from $407 million to $565 million, a 39% increase.  In 2011 alone, Medicare paid over one million claims for these sleep lab services.[15]

Second, OIG has also become more concerned with fraud and abuse for healthcare-related claims.  As to polysomnography services, fraud investigators and sleep medicine professionals have identified specific vulnerabilities regarding these sleep lab services and the government is now targeting these  problem areas.  For example, in January 2013, one health care provider agreed to pay more than $15 million to settle allegations of false polysomnography claims billed to Medicare and other governmental payers.

V.  How OIG Conducted its Review of Sleep Lab Claims:

In order to conduct its analysis, OIG reviewed all Medicare payments for polysomnography claims submitted for payment in 2011.  This included all paid claims for the technical component of polysomnography and global polysomnography services.[16]  These claims came from hospital outpatient departments and non-hospital providers, which include physician-owned sleep laboratories and independent diagnostic testing facilities.

To further narrow its data set, the agency identified polysomnography claims that did not meet one or more of three Medicare requirements.  These sleep lab claims were: (1) submitted with inappropriate diagnosis codes, (2) for the same service date as other polysomnography claims for the same beneficiary, or (3) submitted with invalid national provider identifiers (NPIs).

OIG then identified providers who exhibited patterns of “questionable billing.” In particular, it identified those providers that had unusually high percentages of questionable billing relative to other providers.  To do so, OIG used eleven measures of questionable billing, which included the three Medicare requirements above and eight additional measures.  All of these measures can represent services that were not medically necessary, not rendered, or otherwise inappropriate.

The additional eight measures were developed in consultation with fraud investigators and sleep medicine professionals within and outside of OIG.  The agency based these measures on Medicare coverage and billing requirements for polysomnography services, measures used in OIG questionable-billing studies for other Medicare services, and consultations with fraud investigators and sleep medicine professionals within and outside of the agency.  The eight additional measures of questionable billing include:

  1. Shared beneficiaries;
  2. Unbundling a split-night service;
  3. Double-billing for the professional component;
  4. Repeated titrations;
  5. Missing professional component;
  6. Titration with no corresponding treatment device;
  7. Missing visit with ordering provider; and
  8. Repeated polysomnography services.

Notably, OIG emphasized that the eleven measures of questionable billing it used do not provide conclusive evidence of fraud.  Instead, the measures were intended to simply identify questionable billing scenarios on the basis of the data set.  The agency recognized that additional investigation would be needed to determine whether a provider had, in fact, knowingly submitted incorrect or fraudulent Medicare claims for these services.

VI.  OIG’s Findings Regarding Sleep Lab Billing Practices:

The OIG’s report found that inappropriate payments for polysomnography services were more widespread than initially assumed. Health care providers who perform sleep studies should recognize the specifics that OIG identified and tailor their compliance programs accordingly.

From the outset, OIG found that Medicare inappropriately paid $16.8 million for polysomnography services that did not meet one or more of three Medicare requirements.  The majority of these improper claims came from payments for services with inappropriate diagnosis codes.  Notably, the agency did recognize the possibility that Medicare may have paid claims with inappropriate diagnosis codes because claims processing edits to prevent inappropriate payments – which are used by the MACs to process claims – did not exist or were ineffective.  The report indicated that past reviews conducted by the government had found that MACs do not always use edits to enforce LCD requirements, including those related to diagnosis codes.[17]

In addition, 85% of claims with inappropriate diagnosis codes – or roughly $14 million of the $16 million paid for these claims – came from hospital outpatient departments.  The results were surprising because only 53% of all polysomnography claims in 2011 came from hospital outpatient departments.  From the report, it appears that HHS-OIG placed much of the blame for this problem on the MACs.  The agency noted that inappropriate payments might have been averted if the MACs had effective electronic edits that automatically denied claims or suspended them for manual review.

Furthermore, the report reflects that 180 providers exhibited patterns of questionable billing for polysomnography services in 2011.  While this represented only 3.7% of the overall population of the providers analyzed, current polysomnography providers should take notice of what OIG was looking at in the data.

Most of the 180 providers who exhibited the questionable sleep lab billing patterns submitted an unusually high percentage of claims for beneficiaries with another polysomnography claim on the same day. This is a questionable practice because beneficiaries can undergo only one polysomnography service in a day, as the process requires an overnight stay.  Thus, current providers should recognize that frequent billing of same-day duplicate claims raises questions about the legitimacy of a provider’s services in the eyes of OIG.

The OIG also determined that nearly half of the 180 providers had an unusually high percentage of beneficiaries who had polysomnography claims from one or more providers.  The agency noted that this may be due to providers using the same compromised beneficiary numbers as other providers to fraudulently bill for services not rendered.  Providers must therefore be on the lookout for stolen beneficiary numbers and ensure that their internal compliance measures are not allowing these numbers to be used in fraudulent billing schemes.

The report further noted that many providers with questionable billing patterns had an unusually high percentage of diagnostic polysomnography claims with a titration claim for the same beneficiary on the following day.  The OIG believes that these providers may be performing split-night services but are submitting separate claims for diagnostic and titration services (i.e., unbundling the split-night service).  This is problematic because unbundling inappropriately increases a provider’s reimbursement – it generates payment for two separate services instead of a single service.  While there are situations in which a provider may have to perform a separate diagnostic and titration service on consecutive nights, it is generally an unusual circumstance.

Finally, the report highlighted that some questionable billing providers had an unusually high percentage of claims for beneficiaries with no evidence of a visit with the ordering provider in the preceding year.  Under Medicare guidance, an in-person evaluation is required to determine whether polysomnography services are warranted.[18]  The report noted that sleep medicine professionals contend that polysomnography should be performed within a year after the in-person evaluation; as a result, the 180 providers scrutinized may be performing these services without a valid order.  This would make their services not medically necessary.

VII.  Recommendations Made by the OIG:

As OIG noted in its report, nearly all of the nearly $17 million in inappropriate payments made by Medicare could have been prevented.  In fact, more effective claims processing edits, particularly prepayment edits to deny claims with inappropriate diagnosis codes, were its primary prevention course of action.  The OIG made four recommendations to CMS to prevent and / or reduce future inappropriate payments for polysomnography services.

  1. Implement claims processing edits or improve existing edits to prevent inappropriate payments;
  2. Recover payments for claims that did not meet Medicare requirements;
  3. Consider using measures of questionable billing from this study to identify providers for further investigations; and
  4. Take appropriate action regarding providers that exhibit patterns of questionable billing.

Upon its review of HHS-OIG’s concerns, CMS concurred with each of the agency’s  recommendations. CMS plans to re-review its systems and investigate their accuracy and effectiveness.  It has also planned to investigate, and recover if necessary, payments that did not meet Medicare’s requirements.

VIII.  Final Remarks:

So what does this report mean for providers who perform sleep study services?  Well, based on CMS’ concurrence with OIG’s recommendations, including its plans to actively respond to the report’s results, these providers should expect greater scrutiny of their polysomnography services.  This is likely to come in the form of increased and focused audits performed by CMS contractors.  While CMS did not address when review and recoupment efforts would begin, we would expect that affected sleep medicine physicians and clinics should begin to receive audit letters from CMS contractors shortly.

As a result, polysomnography providers must take a proactive approach now to review their current billing practices and strengthen their compliance policies and procedures.  Providers will then be ready if – and when – they become subject to an audit and will be able to effectively resolve any issues before they lead to legal problems and / or potentially large monetary penalties.  As a final point, should you find that your sleep study claims are problematic, don’t neglect to report and return any monies that may be owed to Medicare within 60 days.  Otherwise, your failure to do so could take what would otherwise be a mere overpayment and transform it into a violation of the False Claims Act.

Robert W. Liles, JD, MBA, MS, serves as Managing Partner at Liles Parker, Attorneys, a health care boutique law firm with offices in Washington, DC, Houston, TX, San Antonio, TX and Baton Rouge, LA.  Should you have any questions regarding an audit of sleep lab claims conducted at your clinic, please give us a call.  For a complimentary initial discussion regarding these issues, please call us at:  1 (800) 475-1906


[1] CPAP devices are the most common treatment devices used to help individuals who have obstructive sleep apnea breathe more easily during sleep.  A CPAP machine increases the air pressure in a patient’s throat so that the airway does not collapse when the individual breathes in.

[2] The Centers for Medicare & Medicaid Services (CMS) considers the overnight stay to be an integral part of a covered diagnostic test. CMS, Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70(B).

[3] 42 C.F.R. § 419.21.

[4] § 419.22.

[5] 42 U.S.C. § 1395y(a)(1)(A).

[6] CMS, Reminder to Stop Duplicate Billings, Medicare Learning Network Matters  No. SE0415. Available at

[7] 42 CFR § 410.32(a).

[8] CMS, Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70(A).

[9] CMS, Medicare Program Integrity Manual, Pub. No. 100-08, ch. 13, § 13.1.3.

[10] 42 CFR § 400.202.

[11] Diagnostic services are billed under CPT code 95808 or 95810; Titration/fitting services are billed under 95811; and Split-night services are billed under 95811.

[12] CMS, Medicare Program Integrity Manual, Pub. No. 100-08, ch. 3, §

[13] CMS, Medicare Claims Processing Manual, Pub. No. 100-04, ch. 25, § 75.5

[14] Id., ch. 26, § 10.4.

[15] Office of Inspector General (OIG) analysis of polysomnography claims from National Claims History data.

[16] CPT codes 95808, 95810, 95811.

[17] See, e.g., OIG, Inappropriate Medicare Payments for Transforaminal Epidural Injection Services, OEI-05-09-00030, April 2010; OIG, Medicare Payments for Facet Joint Injection Services, OEI-05-07-00200, September 2008.

[18] CMS, Medicare Benefit Manual, Pub. No. 100-02, ch. 15, § 70.

Should You be Concerned About a Consultant Qui Tam?

(October 16, 2013):  Healthcare providers should be on guard – a new type of whistleblower may be an individual you would least expect.  Recently, the Department of Justice (DOJ) entered into a multi-million dollar settlement agreement with a Florida-based healthcare provider based on claims that the provider submitted false claims to various Federal and State healthcare programs.  While efforts to expose and combat fraudulent conduct have increasingly become the norm in recent years, this situation is remarkable because of who brought the allegations to light.   In this case, the whistleblower – someone who may well stand to gain millions for his part in uncovering the alleged fraudulent activities – is the president of a consulting company hired to perform services for the provider!  Is a consultant qui tam merely the latest False Claims Act risk your organization must address? Hopefully, this case will motivate providers to take proactive approaches to ensure that fraudulent conduct never occurs in the first place.

I.   Introduction:

On August 19, 2013, the DOJ issued a Press Release[1] announcing that it had entered into a $26 million settlement with a private, not-for-profit health care system that operates a network of health care providers in a southern State.[2]  While most of the settlement figure would reimburse Federal healthcare programs, a portion of the settlement went to the State.

II.  Overview of the Settlement:

The purpose of the settlement agreement executed by the defendant and the government was to resolve allegations that a number of the defendant’s health care facilities had submitted false claims to the Federal Medicare, State Medicaid, and the Department of Defense’s TRICARE programs for inpatient services that should have been billed as outpatient services.  The claims against the defendant health care company specifically alleged that over a five-year period, the health care provider improperly submitted inpatient claims to Federal and State health care programs for certain services and procedures that the provider supposedly knew were correctly billable only as outpatient services or procedures.

III.  What Are the Risks of a Consultant Qui Tam?

The allegations of fraud came to the government’s attention after a Relator filed a qui tam case against the defendant under the civil False Claims Act[3]. As you will recall, the False Claims Act permits private citizens to sue on behalf of the government and receive a portion of the proceeds of any settlement or judgment awarded against a defendant. While whistleblower cases have become quite common, this case is noteworthy because the allegations of fraudulent claims were made by a Relator who had been engaged by the defendant as a healthcare consultant. In this particular case, the defendant health care provider had engaged this consultant to review the provider’s Federal, State, and commercial insurance billing practices at a number of its facilities. While the health care provider did not admit any wrongdoing in the settlement agreement (as is generally the case in these types of resolutions), a review of some of the more notable facts alleged in the unsealed complaint suggests that the Relator apparently felt like he had no choice but to formally levy these allegations against the defendant because the health care provider repeatedly ignored or was otherwise indifferent to the concerns that had been raised by the consultant.

IV.   The “Request for Proposal” Process – Specific Issues to be Examined by the Outside Consultant:

In this case, the defendant health care provider operated a State-wide network of facilities. In 2006, the defendant issued a “Request for Proposal” (RFP), seeking to engage a reimbursement consultant to conduct on-site reviews of the provider’s Medicare and commercial insurance billing practices for observation services and one-day inpatient stays.  Six of the provider’s facilities were to be examined by the consultant in this respect.  The proposed review of observation services specifically included assessments of the provider’s coding, billing, and documentation practices.  In contrast, the reviews of   one-day inpatient stay claims were intended to verify whether the claims met all of Medicare’s requirements for coverage and payment.

The defendant provider selected the Relator’s consulting firm through the RFP process.  At the time of the Relator’s engagement, the defendant provider’s Interim Chief Compliance Officer allegedly acknowledged that the two claims areas to be examined (observations reviews and one-day inpatient stays) were allegedly “deficient.” Specific issues to be examined by the outside consultant included, but were not limited to:

  • Documentation;
  • Medical necessity coding;
  • The number of unit charges for observation time;
  • Inpatient-to-observation-status changes; and,
  • Condition code usage issues.

V.  Internal Audit Findings:

After completing its claims review at the defendant provider’s facilities, the consultant reportedly found that a variety of problems existed in connection with the claims reviewed:

  • There was allegedly a lack of medical necessity;
  • Physician documentation in the patients’ files was supposedly lacking;
  • Admission orders were allegedly deficient;
  • There was allegedly an overbilling of observation hours;
  • Case management deficiencies were allegedly noted; and,
  • In one instance, case managers were supposedly even given the authority to change physician orders when determining a patient’s status.

VI.  How Did the Defendant Provider React Upon Learning of these Alleged Deficiencies?

When an “Exit Conference” was conducted with managers and representatives of the defendant provider, some of the attendees did not express any surprise when hearing of the deficiencies noted.  Based on the outcome of its findings, the consulting company recommended that the provider self-disclose the billing issues to the government and refund identified overpayments made during the year in question.  The consultant also offered to provide the defendant with future medical necessity training, as well as other forms of needed coding and compliance education.

The defendant chose not to retain the consultant to conduct additional training and education at that time. Instead, the provider advised the consultant that it would be preparing its “own corrective action plan internally.” Moreover, the provider supposedly indicated that, through a “Corrective Action Plan,” it would make appropriate adjustments on its own to address any overpayments that had been identified in the audit. Despite these assertions, the consultant alleged that it had not received any notice that the defendant had refunded the overpayments to the government.

VII.  The Consultant Was Then Engaged to Perform a Second Audit:

The consultant was later engaged to perform a follow-up audit for the defendant health care provider.  At that time, the consultant continued to emphasize to the defendant’s Interim Chief Compliance Officer the importance of self-disclosure and to recognize that fraudulent billing occurred – and was continuing to occur – on a very regular basis at the health care facilities.

Notably, the follow-up audit found that the defendant’s current problems were even more serious than those previously identified. At the conclusion of the follow-up audit and at a later time, the consultant reportedly sought to contact the defendant’s new Chief Compliance Officer in order to re-emphasize his concerns regarding the two audits previously conducted. Allegedly, the defendant health care provider expressed no interest in allowing the consulting company to perform further follow-up reviews. According to the Complaint later filed, the consultant believed that the defendant provider was simply focused on keeping the audit results internal and effecting any amount of damage control possible.

VIII.  “Hell Hath no Fury Like a Consultant Scorned.”

When the consultant became convinced that the defendant provider had not made the appropriate self-disclosures as required by law (and based on the consultant’s numerous recommendations), he filed a qui tam (or whistleblower) case against the defendant provider under the civil False Claims Act.  Approximately five and a half years later, the government settled these allegations with the defendant.  The defendant provider agreed to pay $26 million to resolve its liability to the Federal and State governments.

In a press release[4] responding to the matter, the defendant noted that it had taken an active role to improve its billing practices and that is why it had hired a consulting company to perform the audits.  “We hold ourselves accountable for the highest standards of care and service. The case in question does not involve the failure to provide high-quality patient care, but rather inconsistent billing processes,” said the CEO of one of the defendant’s facilities. “We proactively initiated an independent audit that identified some opportunities to improve billing processes…. We took immediate steps to make improvements.”

IX.  Lessons to be Learned:

What can providers learn from this case?  Clearly, providers must realize that whistleblowers can arise in a variety of ways.  Many health care providers would likely not suspect that a consulting firm hired by the provider to perform compliance audits would ever report its findings to the government.  Nevertheless, as the facts above reflect, the defendant above allegedly disregarded the auditor’s findings and recommendations over not one, but two years’ worth of audits, results that clearly indicated fraudulent activity was happening in its facilities.

Moreover, had the consultant observed his client doing the right thing after the initial audit and the follow-up review conducted, it is likely that no qui tam suit would have ever been filed.

So what should a provider do to ensure that it does not fall into the same circumstances above? First and foremost, a provider must ensure that it hires competent staff members and, more importantly, that it trains each one of them to perform their duties properly, within the four corners of the law. Ignoring, making light of, and / or minimizing the importance of following the rules is a quick recipe for disaster for a health care organization. As the Complaint in this case reflects, the defendant’s staff, including case managers and utilization review personnel, did not seem to know or understand the applicable Medicare rules, which likely was the initial cause of many of the errors that became systemic issues. As a result, no remedial steps were ever taken by the provider to change its processes and procedures.

As we have discussed in previous articles, the design, implementation and adherence to an effective compliance plan can go a long way in assisting an organization in its efforts to fully comply with the letter (and the spirit) of the law.

In contrast, an organization that knowingly ignores a problem is likely to find itself liable to the government under the False Claims Act. As one of the health lawyers in our firm, Robert W. Liles, has noted – although the elements of an effective compliance plan may only act as a framework and a model, they can give a provider significant guidance and can prove invaluable when seeking to adhere to applicable statutory and regulatory requirements. Mr. Liles has outlined “The Seven Elements of an Effective Compliance Plan” that can assist you in meeting your compliance requirements.[5]

As a final lesson – it is imperative that health care providers take swift and appropriate corrective action once a medical necessity, coverage, documentation, coding or billing deficiency is identified in an organization. Any overpayment must be disclosed and returned to the appropriate government payor,  private-payor and / or patient.

Robert Saltaformaggio is a rising Associate at Liles Parker, Attorneys & Counselors at Law. Liles Parker is a boutique health law firm with offices in Washington, DC, Houston, TX, McAllen, TX and Baton Rouge, LA. Our attorneys represent Physicians, Practice Groups and other health care providers around the country in connection with a full range of health law statutory and regulatory matters and cases. For a free consultation on these and other health law issues, give us a call. We can be reached at: 1 (800) 475-1906.


[2] The case is United States of America and the State of Florida ex rel. Terry L. Myers v. Shands Healthcare et al., Civil Action No. 3:08-cv-441-J-16HTS (M.D. Fla.).

[3] 31 USC § 3729.

Is There a Higher Risk of Audit in Chiropractor-Owned Multidisciplinary Clinics?

ZPIC Audits of Chiropractor-Owned Multidisciplinary Clinics are Increasing

(October 14, 2013): Over the last six months, we have noted a significant increase in the number of audits initiated against Chiropractor-owned multidisciplinary clinics. Typically, these integrated medical practices and clinics employ at least one Chiropractor (typically in an ownership or managerial capacity), along with multiple Doctors of Medicine (MDs) and Doctors of Osteopathy (DOs). Physician-extenders such as Nurse Practitioners (NPs) and Physician Assistants (PAs) are also commonly employed in these multidisciplinary practices and clinics.

The purpose of this article is to examine Chiropractor-owned multidisciplinary clinics which employ MDs, DOs and physician extenders in order to provide a wide range of care and treatment services. While there are a number of benefits to such a model, both State regulatory entities and Federally-contracted Zone Program Integrity Contractors (ZPICs) working for the Centers for Medicare and Medicaid Services (CMS) have shown their concern regarding these organizations. Depending on the jurisdiction, a number of State regulatory entities have questioned the appropriateness of the model itself. ZPICs and other CMS Medicare contractors have initiated (or, in some cases, are in the process of initiating) a review or audit of various claims submitted to Medicare for coverage and payment.

I. Why have Chiropractors Worked to Integrate Other Medical Services Into Their Practice?

While you may disagree, it has been our observation that many Chiropractors have an entrepreneurial spirit.  This has manifested itself in a growing number of Chiropractor-owned multidisciplinary clinics which provide health care services other than merely those associated with chiropractic care.  Depending on the State, integrating other medical services into a chiropractic practice isn’t always easy – there are often a number of statutory and / or regulatory barriers to be overcome. Examples of the Chiropractor-owned multidisciplinary clinics we have recently seen have included:

  • Pain management clinics.
  • Multidisciplinary clinics which also offer complementary and alternative medicine therapy options.
  • Industrial medicine clinics (often focusing on Workman’s Compensation cases).
  • Orthopedic clinics focusing on back injuries, spinal compression problems and victims of automobile accidents.

Chiropractic practices choosing to transition over to a multidisciplinary model have often found that they are better equipped to address the health problems of their patients.  This is often due to the fact that an integrated DC / MD practice typically greatly expands the scope of care and treatment services available to patients. This multidisciplinary approach provides patients with a convenient one-stop care and treatment option.

From a financial standpoint, Chiropractor-owned multidisciplinary clinics have also found that this business model opens up a number of previously-unavailable opportunities.  As you are aware, only a few chiropractic services qualify for coverage and payment under Medicare.  While private payor plans typically cover a somewhat wider scope of services, many Chiropractors have essentially built their business on cash-pay patients.  The addition of MDs, DOs and physician extenders has permitted integrated practices to expand their scope of medically-reimbursable services, many of which now qualify for coverage and payment by Medicare and  private payor programs.  While there are both patient-care and financial benefits to the integrated, multi-disciplinary model, there are also a number of challenges you should consider prior to setting up this type of practice or clinic.

II.  Challenges to be Considered:

A.     State Regulatory Considerations.

Depending on the State, it may be illegal for anyone other than a medical physician to own a medical practice.  For example, many jurisdictions still prohibit the “Corporate Practice of Medicine.” In such States, it is illegal for a corporation to practice medicine.  Moreover, a corporation cannot employ a physician to provide medical care and treatment services.

Although every State is different, if your State prohibits the Corporate Practice of Medicine, it may be against the law for a corporation or for a non-physician individual (including a Chiropractor) to own or control a physician practice or clinic which provides professional physician services. Therefore, we strongly recommend that prior to setting up a Chiropractor-owned, multidisciplinary practice or clinic, you should contact a qualified health lawyer to assist you in maneuvering through the myriad statutory and regulatory requirements governing this complex area of law. Several lawyers here at Liles Parker can assist you in addressing this issue.

As a final point in this regard, should you choose to set up an integrated practice or clinic, it is essential that you have a full understanding of both your State’s Chiropractic Practice Act and the Medical Practice Act governing the physicians you intend to employ.

B.    Current Audit Challenges.

In recent months, many Chiropractor-owned multidisciplinary clinics have been advised that their organizations will be placed on prepayment review or that their prior-paid claims are being subjected to a postpayment audit by a “Zone Program Integrity Contractor” (ZPIC), such as AdvanceMed, Health Integrity, SafeGuard Services, NCI or Cahaba.[1] As with other health care providers, most of these CMS-contractor audit actions have been generated as a result of data-mining. Other reasons for audit and / or review have included: patient complaints, competitor complaints and referrals from State Medical Boards. A minority of cases have also included audit initiatives focusing on specific Evaluation & Management (E/M) levels and / or perennially-problematic modifiers, such as modifier 25. Modifier 25 audits examine whether a “significant, separately identifiable E/M service” was provided by the same physician on the day that a separate, billable procedure was also provided. Regardless of the reason for audit, if your integrated practice or clinic is audited, it is essential that you engage qualified health law counsel to advise you on your options for responding to an inquiry by a ZPIC.

Prepayment Reviews:  Unlike postpayment overpayment assessments, there is not an effective administrative overpayment process for health care providers placed on pre-payment review.  We recommend that you consult with legal counsel if your practice is placed on pre-payment review.  There are three points to keep in mind in such cases:

(1) It is often in your best interest to continue to submit claims for review and not hold them.  Even if they are denied, at least you can initiate the postpayment appeals process as soon as possible and hopefully begin to restore cash flow;

(2) It is often helpful to engage qualified health law counsel to review your claims and generate a report that can be sent to the ZPIC, pointing out that the claims do, in fact, qualify for coverage and payment.

(3) Think outside of the box—no provider can survive on prepayment review over a long period if a significant portion of their payor mix is Medicare.  Contact your health law counsel to discuss possible options for seeking remedial action to have the prepayment review lifted.

Postpayment Audits:  Over the last decade, ZPICs have aggressively pursued alleged Medicare overpayments from Chiropractors, Physicians and other health care providers around the country.  Specific actions taken have included:

(1)  Using statistical sampling and extrapolation. While the Medicare Program Integrity Manual sets out the basic requirements for a ZPIC to conduct a statistical sampling, ZPICs have been permitted to use sampling methodologies that differ from those prescribed by CMS.

(2)  ZPIC reviews have often alleged significant claims coverage concerns.  Identified error rates of 100% by ZPICs are not uncommon.  They then seek a full refund of all claims submitted by an individual provider.

(3)  Multiple errors often identified. Due to the massive amount of minute technical requirements imposed on providers, ZPICs are often able to identify and allege multiple technical and substantive errors in many of the claims which they review.

Medicare Revocation Actions:  Over the last year, we have seen a sharp increase in the number of Medicare revocation actions taken.  The reasons for revocation have varied but have typically been associated with alleged violations of a health care provider’s participation agreement.  In some cases, the ZPIC contractors found that the provider had moved addresses and had not properly notified Medicare.  In other cases, a health care provider was alleged to have not been cooperative or refused to participate in a site visit.  As a participating provider in the Medicare program, your organization must fully meet each of its obligations under the agreement in order to remain in the program.

ZPIC Referrals for Civil and Criminal Enforcement:  ZPICs are actively referring health care providers to the Department of Health & Human Services, Office of Inspector General (OIG) (which can in turn refer a case to the Department of Justice (DOJ) for possible civil and / or criminal enforcement) when a case appears to entail more than a mere overpayment.  However, just because a referral is made doesn’t mean that it will be prosecuted.  In many instances, OIG and / or DOJ will decline to open a case for a variety of reasons (such as lack of evidence, insufficient damages, etc.).

What Sources of Coding / Billing Data are used by ZPICs?  ZPICs are required to use a variety of proactive and reactive techniques to identify and confront any potentially improper or fraudulent practices.  As set out in Chapter 2 of the Medicare Integrity Policy Manual (MIPM), ZPICs have access to and utilize a wide variety of data sources. 

III.  Final Thoughts:

Chiropractor-owned multidisciplinary practices and clinics currently appear to be under the proverbial microscope.  While there is little, if any, action that can reduce your likelihood of being targeted for an audit due to data-mining, there are a number of effective steps that you can take to reduce your risk of liability if an audit or investigation is initiated.  The design, implementation and adherence to provisions set out in an effective compliance plan can greatly improve your efforts to fully meet your statutory and regulatory requirements under the law.

Robert W. Liles, JD, MBA, MS, serves as Managing Partner at the health law firm of Liles Parker, Attorneys and Counselors at Law.  Robert represents Chiropractors, Physicians and other health care providers around the country in connection with State Medical Board actions, Medicare audits and other health law issues.  Please give Robert a call for a free consultation.  He can be reached at:  1 (800) 475-1906.

[1] Zone Program Integrity Contractors (ZPICs) such as AdvanceMed, Health Integrity, SafeGuard Services, NCI or Cahaba are contracted to work for the Centers for Medicare and Medicaid Services (CMS).

[2] CMS, Medicare Program Integrity Manual, § 2, available at


Complying with an Individual’s Request to Restrict the Submission of PHI to Insurance

(October 3, 2013):  The HIPAA Omnibus Rule (Omnibus Rule) is well over 100 pages long.  When considered in the context of existing HIPAA and HITECH, health care providers often find it difficult to apply the provisions of the Omnibus Rule to privacy situations that commonly arise in a physician’s practice.  One such situation is outlined below, where a patient has asked that the practice restrict the submission of protected health information (PHI) to the patient’s insurance carrier.

Question: What do you suggest regarding the patient problem list?  For example, if a patient comes in for evaluation of a breast lump and doesn’t want that submitted to her insurance company, I would normally put the diagnosis of breast lump on her problem list since that is what I am medically evaluating.  Let’s say she needs a breast biopsy and I need to send a summary of care note to the surgeon doing the biopsy – it has to list the diagnosis of breast lump on it.  Is this a breach? Or for another example – patient comes in for cholesterol testing and doesn’t want it reported to their insurance company.  Turns out the cholesterol is too high and they need ongoing medication.  I need to keep diagnosis of hyperlipidemia on their problem list. What about then when I send their summary of care record to the orthopedist who is treating their knee pain and it lists hyperlipidemia as one of their diagnoses.  Is that a breach?

Answer:  In short, “it depends”.  As many healthcare providers are aware, the Department of Health and Human Services (HHS) recently made modifications to strengthen the HIPAA Privacy Rule under the aptly-named HIPAA Omnibus Rule.  Guidance to these questions may be found in Section 164.522(a) of  the HIPAA Privacy Rule, “The Right to Request a Restriction of Uses and Disclosures”, as well as in the many comments and responses found in that Final Rule. 

I.   Patient Requests to Restrict the Submission of PHI to Insurance:

Under Section 164.522(a), a covered entity must permit individuals to request that it restrict uses or disclosures of the patient’s protected health information (PHI) for treatment, payment, and health care operations purposes, as well as for disclosures to family members and certain others permitted under § 164.510(b) of the Privacy Rule.  While covered entities are not required to agree to these requests for restrictions, if a covered entity does agree to restrict the use or disclosure of a patient’s PHI, it must abide by that restriction.  The only exception to this requirement is in emergency circumstances when the information is required for the treatment of the individual.  Section 164.522 also includes provisions for the termination of such a restriction and requires that covered entities that have agreed to a restriction document the restriction in writing.

Complementing § 164.522(a) is § 13405(a) of the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”).  Section 13405(a) outlines circumstances in which a covered entity now must comply with an individual’s request to restrict a disclosure of her protected health information.  In essence, § 13405(a) requires that when an individual requests a restriction on disclosure pursuant to § 164.522 of the Privacy Rule, the covered entity must agree to the requested restriction if the request for restriction is on disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.  The only exception to this requirement is if the disclosure is otherwise “required by law.”

II.  Complying with the New Restriction Request Requirements:

HHS has provided significant guidance on how to effectively comply with these requirements.  From the outset, during the Notice of Proposed Rulemaking (NPRM) period to the Final Omnibus Rule, commenters raised questions and concerns regarding how they could operationalize these requirements.  As the questions above reflect, there are several problems that may arise when providers must restrict certain pieces of PHI while ensuring that the entire healthcare process – including subsequent care processes as well as billing and notification procedures – is effectively administered.  HHS believes that it has provided thorough answers to these concerns.

From the outset, covered health care providers do not have to create separate medical records or otherwise segregate PHI subject to a restricted health care item or service.  Nevertheless, these providers must still utilize some method to either flag or annotate the restricted PHI in the patient’s medical record.  This will ensure that the restricted information is not inadvertently sent to or made accessible to a health plan for payment or health care operations purposes, such as when the health plan performs an audit.  In fact, providers should already have in place minimum compliance policies and procedures that require them to limit PHI that may be disclosed to a health plan to only the amount reasonably necessary to achieve the purpose of the disclosure.  As a result, covered entities should have familiar mechanisms in place to effectively limit any PHI that may be disclosed to a health plan.

III. Disclosures Mandated by Law:

Covered entities are excepted from abiding by a patient’s request to restrict uses or disclosures of PHI when that use or disclosure is mandated by law.  Under the HIPAA Privacy Rule, “required by law” means a mandate that compels a covered entity to make a use or disclosure of PHI and that is enforceable in a court of law.  These circumstances generally arise in conditions of participation for health care providers participating in federal healthcare programs, as well as under statutes and regulations that require the production of information if payment is sought under a government program providing public benefits.  For example, a covered entity may have to disclose PHI to Medicare and Medicaid in response to an audit required by those programs.  HHS has assured covered entities that, if they are required by law to submit PHI to a federal health plan or other government program, they may continue to do so as necessary to comply with their legal obligations.

IV.  Practical Problems Health Care Providers are Encountering:

As the questions above indicate, providers are encountering situations where a patient requests a restriction with respect to only one of several health care items or services provided during a single patient encounter.  Nevertheless, the provider may either be prohibited from unbundling or find that unbundling is more costly, and yet must still include the services for purposes of billing a health plan.  In these situations, HHS has made it clear that providers should counsel patients on the ability of the provider to unbundle the items or services and the impact of doing so (e.g., the health plan still may be able to determine that the restricted item or service was performed based on the context).  If a provider is able to unbundle the items or services and accommodate the patient’s wishes after counseling on the impact of unbundling, it should do so. However, if a provider cannot unbundle a group of items or services, the provider should inform the individual and give him or her the opportunity to restrict and pay out of pocket for the entire bundle of items or services.

Where a provider is unable to unbundle a group of bundled items or services, HHS considers that group as one item or service for the purpose of applying § 164.522(a)(1)(v). However, HHS still expects a provider to accommodate an individual’s request for a restriction for separable and unbundled health care items or services, even if part of the same treatment encounter.  For example, this situation could occur where a patient receives treatment for both asthma and diabetes, two completely separable and unbundled services.  Unfortunately at this time, HHS has not provided health care providers with a general rule on whether an individual patient may only restrict either all or none of the health care items or services that are part of one treatment encounter.

Other concerns have centered on how to electronically (such as through an e-prescribing tool) notify a pharmacist or subsequent provider of an individual’s restriction request.  Currently, there is not a widely available method for electronically notifying a pharmacy that a patient has requested a restriction.  In fact, it is often costly, burdensome, and unworkable for a provider to attempt to notify all subsequent providers of an individual’s restriction request, particularly given the lack of automated tools to make such notifications.  Whose responsibility should it be to protect against potential breaches?

Due to these concerns, providers contend that the obligation to notify downstream providers should remain with the individual patient if that person wants to restrict PHI to a health plan.  Given the lack of automated technologies to support such a requirement, HHS essentially agrees that it would be unworkable at this time to require health care providers to notify downstream providers of the fact that a patient has requested a restriction to a health plan. However, HHS still encourages providers to counsel patients on the need to request a restriction and pay out of pocket with other providers for the restriction to apply to the disclosures by such providers.  Moreover, if an individual wants to restrict disclosures to a health plan concerning a prescribed medication, the prescribing provider can provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay for the prescription with the pharmacy before the pharmacy has submitted a bill to the health plan. Nevertheless, while HHS does not require providers to assist individuals in alerting downstream providers of the individual’s desire to request a restriction and pay out of pocket for a particular health care item or service if feasible, providers are permitted to do so.  In fact, HHS highly encourages this assistance.

For example, consider an individual who is meeting with her primary care physician (PCP) and requests a restriction on tests that are being administered to determine if she has a heart condition.  If, after conducting the tests, the patient’s PCP refers the patient to a cardiologist, it is the patient’s obligation to request a restriction from the subsequent provider, the cardiologist, if she wishes to pay out of pocket rather than have her health plan billed for the visit.  In this example, although the PCP would not be required to alert the cardiologist of the patient’s potential desire to request a restriction, HHS encourages providers to do so if feasible.  Or, at the very least, HHS encourages providers to engage in a dialogue with the patient to ensure that the individual is aware that it is the patient’s obligation to request restrictions from subsequent providers.  Even where a Health Information Exchange is involved, HHS still notes that it is the responsibility of the individual – and not the provider – to notify downstream providers of a restriction request.

V.  HMO Issues:

Similar rules apply to health care providers participating under an HMO setting.  For these types of contracts, HHS explains that an HMO provider should abide by a patient’s requested restriction unless doing so would be inconsistent with State or other law.  Therefore, if a provider operating under an HMO context is legally prohibited from accepting payment from an individual above the individual’s cost-sharing amount (i.e., the provider cannot accept an out of pocket payment from the individual for the service), then the provider should counsel the patient that he or she will have to use an out-of-network provider for the health care item or service in order to restrict the disclosure of protected health information to the HMO for the health care.  In addition, HMO providers who are legally able to treat the health care services to which the restriction would apply as out-of-network services should do so in order to abide by the requested restriction.  HHS does not consider a contractual requirement to submit a claim or otherwise disclose PHI to an HMO to exempt the provider from his or her obligations under this provision.  Providers under this agreement should be reminded that the Final Rule includes a 180-day compliance period beyond the effective date of these revisions to the Privacy Rule.  During this period, providers and HMOs should update their contracts as needed so that they will be consistent with these new requirements.

VI. Issues with Follow-Up Visits:

Other providers have continued to express concern for situations dealing with restrictions and follow-up care.  For example, an individual may have a restriction in place with respect to a health care service that he does not pay for out of pocket but requests a restriction with regard to follow-up treatment.  Furthermore, the provider may need to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate.  Under HHS’s guidance, the provider is permitted to disclose this information so long as doing so is consistent with the provider’s minimum necessary policies and procedures.  HHS clarifies that this form of disclosure would continue to be permitted for payment purposes and thus, would not require the individual’s written authorization.  However, HHS highly encourages covered entities to engage in open dialogue with patients to ensure that they are aware that previously restricted PHI may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.

HHS has also been asked to clarify whether a patient’s restriction request prohibits providers from giving PHI to health plans solely for payment or health care operations purposes in such cases or all entities that may receive PHI for payment or health care operations.  In response to concerns regarding disclosure for payment or health care operations purposes to entities other than the health plan, HHS contends that Section 164.522(a) does not affect disclosures to these other entities as permitted by the Privacy Rule.  Finally, providers should be reminded of the penalties that may be incurred.  In particular, a provider who discloses restricted PHI to a health plan is making a disclosure in violation of both the Privacy Rule and the HITECH Act.  Thus, as with other impermissible disclosures, the provider would then be subject to the imposition of possible criminal penalties, civil money penalties, or corrective action.

VII.  Conclusion:

Whether the circumstances above reflect situations of a “breach” of a patient’s privacy will depend on the particular situation.  As this article summarizes, covered entities must allow individuals to request that the entity restrict uses or disclosures of the patient’s PHI for any treatment, payment, and health care operations purposes.  Providers are not required to agree to restrict this information, but if a provider does so, the provider must ensure that the restriction is protected.

Robert L. Saltaformaggio is a rising Associate Attorney at Liles Parker, PLLC.  He is also a Certified Medical Compliance Officer (CMCO).  Robert represents and assists health care providers around the country in connection with Medicare and private payor audits, pre-payment reviews and overpayment appeals.  He also assists clients with HIPAA privacy and health care compliance projects.  Liles Parker has offices in Washington, DC; Houston, TX; San Antonio, TX; and Baton Rouge, LA.  Should you have questions regarding this article or another health care legal or regulatory issue, please call us for a free consultation.  We can be reached at:  1 (800) 475-1906.

The HIPAA / HITECH Omnibus Final Rule is Here! Is Your Health Care Organization Complying with the Rules?

(September 23, 2013):  Effective today, all covered entities and business associates must comply with the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. Please keep in mind, the Final Omnibus Rule is 138 pages long.

If you have not already read these new requirements, we strongly recommend that all covered entities, business associates and any affected subcontractors carefully review and adhere to these requirements.  Summaries of these modifications may not fully address specific points which apply to your organization.

I.  Overview:

The Omnibus Final Rule contains some of the most significant changes to the HIPAA Privacy and Security rules since their inception.  The new rule also strengthens the ability of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to enforce the rules and levy fines for any violations.  The following article is intended to provide a brief synopsis of this new rule and outline how covered entities (such as your Physician Practice, Home Health Agency or Hospice) need to review their actions to better ensure that they are fully complying with the privacy, security and breach notification requirements which are now required.

II.  HIPAA/HITECH Omnibus Final Rule: 

On January 25, 2013, HHS issued a final rule[1] to modify the HIPAA Privacy, Security, and Enforcement Rules.  This final rule implemented statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH) in order to strengthen the privacy and security protection for individuals’ health information, modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act, modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA), and make other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

More specifically, the final rule is comprised of four individual final rules.  These rules:

1.  Modify the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, as well as certain other modifications that improve the Rules. These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements;
  • Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
  • Expand individuals’ rights to receive electronic copies of their health information and restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices (for examples, see Section VI below);
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others; and
  • Adopt additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2.  Adopt changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.

3.  Finalize the Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification rule’s ‘‘harm’’ threshold with a more objective standard.

4.  Modify the HIPAA Privacy Rule as required by the GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

While the final rule took effect on March 26, 2013, all covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

III.  New HIPAA Rules Apply to Covered Entities and Business Associates:

Individuals, organizations, and agencies that meet the definition of a “covered entity”[2] under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

More importantly, if a covered entity engages a “business associate” to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate.  This agreement must specifically state the work the business associate has been engaged to do and require the business associate to comply with the Rules’ requirements to protect the privacy and security of PHI.

In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.  Specifically, business associates will be directly liable for:

  • Impermissible uses and disclosures of individual PHI (including using or disclosing more information than is minimally necessary);
  • Failing to comply with the Security Rule;
  • Failing to provide breach notification to the covered entity, or, if a subcontractor, to the business associate above;
  • Failing to provide electronic access as provided in the business associate agreement;
  • Failing to disclose PHI to HHS in response to compliance and enforcement actions; and
  • Failing to provide HITECH accounting, as necessary.

IV.  What is a “Business Associate”?

A “business associate”[3] is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A business associate also includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

As discussed above, HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard PHI.  These contracts also serve to clarify and limit, as necessary, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

Importantly, a business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

V.  Business Associate Agreements Between Covered Entities and Business Associates:

Based on the new rules, all covered entities should check to ensure that an updated business associate agreement between the covered entity and any business associates that they might have has been put into place.  If it appears that an updated business associate agreement has already been put into place, check it to ensure that it includes the following provisions:

  1. Establishes the permitted and required uses and disclosures of PHI by any business associates;
  2. Provides that business associates will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  3. Requires that business associates implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
  4. Requires that business associates report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
  5. Requires business associates to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  6. To the extent that a business associate is to carry out a covered entity’s obligation under the Privacy Rule, the agreement must require that the business associate comply with the requirements applicable to the obligation;
  7. Requires that business associates make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  8. At termination of the contract, if feasible, requires that a business associate return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity;
  9. Requires that a business associate ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  10. Authorizes termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between a business associate and other business associates (that are essentially subcontractors) must also be subject to these same requirements.

If an updated business associate agreement has not been implemented, please take steps to have one completed immediately.  A Sample Business Associate Agreement which incorporates the January 2013 changes has been published on OCR’s website. Furthermore, the rules allow a business associate to continue to operate under existing business associate agreements up until 09/22/14, under the conditions that:

  • Prior to the 01/25/13 publication date, the covered entity and its business associate had an existing written business associate agreement with prior HIPAA provisions; AND
  • The business associate agreement has not been renewed or modified between the 04/26/13 effective date and the 09/23/13 compliance date.

VI.  Notice of Privacy Practices (NPP):

If you have not already done so, it is imperative that you immediately update the “Notice of Privacy Practices” (45 CFR 164.520) being used by your practice or organization. To their credit, OCR recently published several examples of what they consider to be a “clear, accessible notice that. . . patients. . .can understand.”  OCR has published the following three examples that may be used by a covered entity to notify patients of their rights and the organization’s privacy practices.  These examples include:

NPP Booklet – HC Provider

NPP Layered – HC Provider

NPP Full Page – HC Provider

NPP HC Provider – Text Version

VII.  The HIPAA Security Rule:

The HIPAA Security Rule[4] requires that covered entities implement “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic PHI.  The Rule also requires those entities to protect against anticipated disclosures and threats to the security of information.  “Electronic PHI,” or “ePHI” refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains, or transmits in electronic form.

Under the new final rule, business associates are now directly liable themselves for complying with the Security Rule. Therefore, these organizations should review the Security Rule Guidance Material[5] provided by HHS and implement policies and procedures in much the same manner as a covered entity.

  • Security Risk Assessment

Like covered entities, business associates must assess their security risks. A business associate must perform its own security risk analysis[6] to determine what the organization must do to address our security policies, procedures, and workforce training under HIPAA.  The foundation for this process is compliance and is tailored to our legal practice.  Our size, complexity, capabilities, in addition to the risks and costs to conduct this analysis and take appropriate action, have all been considered.  This has allowed us to meet those standards that are “required” and determine whether an “addressable” standard applies.  For this assessment, covered entities and business associates should broadly inquire into:

  • Designing an appropriate personnel screening process;
  • Identifying specific data that must be backed up and how we can execute that process;
  • Implementing encryption methods for ePHI;
  • Classifying what data must be authenticated in particular situations in order to protect data integrity;
  • Designing written policies, procedures, and required notices; and
  • Developing requisite training tools for these purposes.

Based on this risk assessment, your organization needs to implement certain security standards that can be divided into administrative, physical, and technical safeguards.

  • Administrative Safeguards  

The Omnibus requirements mandate that business associates implement administrative safeguards in compliance with the HIPAA Security Rule.  Administrative safeguards[7] include “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[8] Generally, these are the administrative functions that should be implemented to meet the fundamental security standards.  They focus on workforce training and contingency planning.

Business associates should keep in mind that the most important administrative safeguards are risk analysis and risk management.  Because both of these processes are “required,” a business associate should execute a critical and thorough risk analysis before undertaking subsequent regulatory compliance measures.  A business associate should also implement the following additional “required” administrative safeguards:

  • Sanction policy for employee noncompliance.
  • Tracking security “incidents” and documenting policies and procedures for dealing with incidents. Resulting harm must be mitigated.
  • Appointment of a security officer.
  • Allowing employee access to ePHI only where appropriate, and putting policies in place to prevent unauthorized persons from gaining access.
  • Training employees on security issues, scaled to our organizational size.
  • Implementing contingency plans for emergencies that damage systems with ePHI, including provisions for data backup, a recovery plan and a mode for continuing critical business processes for the protection of the security of ePHI during emergency operation.
  • Ensuring that periodic evaluations of security preparedness are conducted.

Again, these standards and implementation specifications pertain to administrative functions, such as policy and procedures that must be in place for management and execution of security measures, and are just the first set of safeguards that have been implemented.

  • Physical Safeguards  

Physical safeguards[9] incorporate mechanisms, policies, and procedures required to protect electronic systems, as well as equipment and the data contained therein, from threats, environmental hazards, and unauthorized intrusion.  These safeguards include restricting access to ePHI and retaining off-site computer backups.

Covered entities and business associates must ensure that ePHI and the computers which house that private information are protected from unauthorized access.  Covered entities and business associates should also recognize that some of the requirements to be implemented as physical safeguards can be accomplished through the use of electronic security systems.  Possible approaches include, but are not limited to:

  • Establishing a policy for the appropriate use, physical attributes of and security for workstations that access ePHI.
  • Establishing policies dictating the procedures for the addition, disposal, or reuse of hardware or electronic media that contains ePHI.

After successfully implementing these, and other, standards and protections, an organization will be able to protect those covered entities’ ePHI from natural and environmental hazards, as well as unauthorized intrusion.  

  • Technical Safeguards  

Finally, the new Omnibus Rule also requires that business associates implement technical safeguards[10].  Generally, these types of safeguards are the automated processes used to protect data and control access to data.  For example, they include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.

Covered entities and business associates should review and implement the following “required” technical safeguards (as appropriate):

  • Policies that limit software program access to only those with authorized access. Organizations should also provide their employees with unique log-ins and ensure that automatic log-offs cannot be utilized.  Further, they should implement procedures for obtaining necessary ePHI during an emergency.
  • Maintaining activity logs (or “audit logs”) of all systems that contain ePHI.
  • Policies to protect ePHI from alteration and destruction.
  • Procedures to verify the identity of those seeking access to ePHI.
  • Protection for the transmission of ePHI over a network through technical security policies.
  • While encryption is only an “addressable” standard, a business associate should strongly consider encrypting ePHI.

Importantly, each covered entity and business associate must also analyze their administrative, physical, and technical factors so that safeguards can be implemented to protect the integrity of PHI.   

  • Documentation Requirements

A proper risk assessment and all subsequent compliance measures must include proper documentation procedures.  Therefore, a business associate must ensure that all compliance activities are documented accordingly and retained for six years.  Business associates need to recognize that policies and procedures are amendable as further regulations and policies require.  Therefore, business associates should conduct periodic reviews of their policies, document those reviews, and take any appropriate actions when changes in the environmental security of ePHI are needed.

VIII.  Business Associates and the Privacy Rule: 

The HIPAA Privacy Rule restricts covered entities’ use and disclosure of an individual’s PHI.  For example, providers who transmit PHI electronically in a HIPAA Standard Transaction, such as by filing electronic claims or checking eligibility electronically even if they are using a third party such as a billing service or clearinghouse, become a “covered entity”.  They are then bound by HIPAA and its requirements. Under the final rule, certain privacy changes have been enacted that impact business associates.

However, the HITECH Act does not impose all of the Privacy Rule obligations on business associates.  A business associate is subject to direct enforcement of the HIPAA Privacy obligations and penalties in the same manner as a covered entity, but only to the extent required under the HITECH Act – not the HIPAA Privacy Rule itself.

Both covered entities and business associates must ensure that any disclosure of PHI is kept to limited data sets or minimum amounts of information as necessary.  Furthermore, those covered entities that a company has a business associate agreement with must honor any and all requests by an individual to restrict disclosure of PHI to a Health Plan if the individual pays for the associated service out-of-pocket in full.  The business associate must also acknowledge that the sale of PHI is prohibited unless authorized by the individual, and certain marketing communications require additional authorizations. 

IX.  The HIPAA Breach Notification Rule: 

The Breach Notification Rule requires covered physician practices to notify affected individuals, the Secretary of HHS and, in some cases, the media when they discover a breach of a patient’s unsecured PHI.

Business associates must now comply with breach notification procedures under the new HIPAA Omnibus Rule.  If a breach of unsecured PHI occurs, a business associate must notify the covered entity following the discovery of the breach.  Discovery of a breach is when the business associate “knew or should have known” of the incident.

Furthermore, any business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, a business associate should also provide each covered entity with the identification of each individual affected by the breach, as well as any information required to be provided by the covered entity in its notification to the affected individual(s).

Under the new Omnibus rules, breaches are now presumed reportable unless, after an organization has completed a risk analysis, it is determined that there is a “low probability of PHI compromise.” To conduct this analysis, covered entities and business associates must consider the following four factors:

  1. The nature and extent of the PHI involved – an organization should consider issues such as the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
  2. The person who obtained the unauthorized access and whether that person has an independent obligation under HIPAA to protect the confidentiality of the information;
  3. Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
  4. The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

Covered entities and business associates must keep in mind that this rebuttable presumption of breach and four-factor assessment of the “risk of PHI compromise” replaces HIPAA’s previous, more subjective “significant risk of financial, reputational or other harm” safe harbor analysis for establishing a breach. The organization also understands that the new rules further clarify that there is no need to have an independent entity conduct the risk assessment and indeed, no risk assessment need be conducted at all if the breach notification is made.  Nevertheless, a business associate must undertake an appropriate review and take steps to mitigate the harm and reduce the likelihood of future breaches in any case as necessary.

Finally, both covered entities and business associates must implement “Breach Notification Policies and Procedures,” workforce training, and associated documentation procedures on how to document and handle breach incidents.

X.  Government Audits:

Under the new rule, HHS will be performing audits to ensure that covered entities and business associates are fully complying with the HIPAA Privacy, Security and Breach Notification requirements. Notably, HHS-OCR, the federal agency within HHS with oversight over HIPAA privacy, security and breach notification requirements, has established a comprehensive audit protocol that should be considered during reviews and updates to their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas (79 Security Rule, 10 Breach Notification Rule and 80 Privacy Rule provisions) covering all of the following:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures;
  • Security Rule requirements for administrative, physical, and technical safeguards; and
  • Breach Notification Rule requirements.

The safeguards that covered entities and business associates ultimately implement should withstand the scrutiny of an HHS-OCR audit, if such an audit is ever conducted.[11]

XI.  Penalties: 

It is imperative that covered entities, business associates and their staffs understand that a failure to comply with HIPAA can result in significant civil and criminal penalties.

  • Civil Penalties

The HITECH Act established a tiered civil penalty structure for HIPAA violations. The Secretary of HHS still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.  Nevertheless, the Secretary is still prohibited from imposing civil monetary penalties (CMPs) (except in cases of willful neglect) if the violation is corrected within 30 days (a time period that may be extended).  Furthermore, HHS may waive a CMP in whole or in part in some situations.  Moreover, HHS is prohibited from imposing a civil money penalty if a criminal penalty has been imposed.


| HIPAA Violation | Penalty Range | Annual Maximum |
| --- | --- | --- |
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA. | $100 – $50,000 per violation | $1.5 million |
| Individual “knew, or by exercising reasonable diligence would have known” of the violation, but did not act with willful neglect. | $1,000 – $50,000 per violation | $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period. | $10,000 – $50,000 per violation | $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected. | $50,000 per violation | $1.5 million |

Under the new HIPAA Omnibus Rule, HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect.  HHS may also provide PHI to other government agencies for enforcement activities. The assessment of penalties must be based on five principal factors:

  1. The nature and extent of the violation, including the number of individuals affected,
  2. The nature and extent of the harm resulting from the violation, including reputational harm,
  3. The history and extent of prior compliance,
  4. The financial condition of the covered entity or business associate, and
  5. Such other matters as justice may require.

The number of violations may be based on the number of individuals affected or on the number of days of non-compliance. Finally, the HIPAA Omnibus Rule clarifies that the 30-day cure period begins when the individual knew or should have known of the violation.

  • Criminal Penalties 

Both covered entities and business associates must recognize that criminal penalties under the new Omnibus Rule are quite severe.  Covered entities and specified individuals, as outlined below, who “knowingly” obtain or disclose individual PHI in violation of the HIPAA requirements face a fine of up to $50,000, in addition to imprisonment up to one year. Furthermore, offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.

  • Covered Entity and Specified Individuals

The DOJ has determined that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

  • Knowingly

The DOJ interprets the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense.  Specific knowledge of an action being in violation of the HIPAA statute is not required.

  • Exclusion

HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small).[12]

  • Enforcing Agencies

The HHS OCR enforces the privacy and security rules, while the Centers for Medicare & Medicaid Services (CMS) enforces the transaction and code set standards.

  • No Private Cause of Action

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (meaning an individual cannot take legal action against a covered entity for a HIPAA violation based on the HIPAA law). State law, however, may provide other theories of liability.

XII.  Conclusion: 

The new HIPAA Omnibus Rule includes a set of final regulations modifying the HIPAA Privacy, Security, and Enforcement Rules to implement various provisions of the HITECH Act. These rules are quite complex and mandate numerous new policies, procedures, and safeguards that both covered entities and business associates must implement in order to safeguard individuals’ PHI.  Both covered entities and business associates must thoroughly analyze the risks involved with maintaining and protecting the PHI they receive from patients (in the case of covered entities) and from covered entities (in the case of a business associate), so that they can fully comply with applicable statutory and regulatory requirements.

Robert W. Liles is Managing Partner at the health law firm of Liles Parker PLLC.  Our firm represents physicians, home health agencies, hospices, skilled nursing facilities and other health care providers around the country in connection with HIPAA, compliance and a full range of other health care transactional projects.  Should you have a question, please feel free to give us a call.  For a complimentary initial consultation, please call Robert at: 1 (800) 475-1906.



[2] See 45 CFR 160.103 for the definition of a “covered entity”.

[3] See Id.

[4] See 45 CFR 160 and 164.


[6] A business associate may utilize NIST SP 800-30 as an initial starting point.

[7] See 45 CFR § 164.308 for more detailed information on administrative safeguards.

[8] 45 CFR § 164.304

[9] See 45 CFR § 164.310 for more detailed information on physical safeguards.

[10] See 45 CFR § 164.312 for more detailed information on technical safeguards.

[11] HHS OCR’s HIPAA Audit Program Protocol is available at 

[12] 68 FR 48805
