
January 8, 2018

Posted by: Robert Trusiak


The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The finalized rule, posted to the Federal Register on Tuesday, January 3, 2018, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated 42 CFR Part 2 rules by allowing patients to provide a general disclosure for substance abuse information, rather than limiting authorization to a specific provider.

The Confidentiality of Substance Use Disorder Patient Records regulation, 42 Code of Federal Regulations Part 2 (Part 2), protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations previously required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations found difficult to implement. The final rule will permit healthcare providers, with patients’ consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts.

Major provisions of the final rule include:

  • Additional disclosures of patient identifying information are permitted, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
  • Additional disclosures of patient identifying information are permitted to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
  • Users of electronic health records (EHRs) are permitted to use an abbreviated notice of prohibition on re-disclosure that is more easily accommodated in EHR text fields.

December 30, 2017

Posted by: Robert Trusiak


In a memorandum issued December 28, 2017, the Centers for Medicare & Medicaid Services (CMS) clarified its position related to texting. In its memo, CMS stated that it “recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.” In order to comply with existing regulations, “all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality.”

In summarizing its position, CMS stated that:

  • Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
  • Texting of patient orders is prohibited regardless of the platform utilized.
  • Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

December 22, 2017

Posted by: Robert Trusiak


First and foremost, initially look backward before looking forward and look inward before looking outward and always be mindful of the goal of any work plan.

The goal of a work plan is twofold: the obvious goal of addressing risk areas to advance fraud and abuse and HIPAA compliance, as well as providing a credible narrative to regulatory and law enforcement authorities of the provider’s demonstrated commitment to compliance, evidenced by audits and remittances, as appropriate. I regularly received an inconsistent message from providers under investigation in my former capacity as an AUSA—“we are committed to compliance.” The proof, however, was often lacking after requesting and reviewing the previous annual work plans. I often heard other projects delayed compliance efforts. I translated that to mean the provider was not actually committed to compliance, and the resulting FCA settlement was intended to partly elevate the importance of compliance consistent, of course, with the facts and law.

The initial step in compiling a 2018 work plan is to critically assess your organization’s 2017 work plan, including the following areas:

  1. Look inward before looking outward. Did you completely address the 2017 deliverables? If not, then address the incomplete matters through either inclusion in the 2018 work plan or retiring the risk area for appropriate reasons to avoid the above perception.
  2. Look inward before looking outward. Complete outstanding audits.
  3. Look inward before looking outward. Ensure hotline complaints have been addressed in a reasonable manner.
  4. Look inward before looking outward. OIG and state work plans offer valuable opportunities to assess 2018 compliance risk; however, your provider’s billing conduct is probably the best resource for addressing 2018 risk. Track high volume or high dollar private payer denials and crosswalk them into Medicare, Medicaid AND Tricare in 2018 as audit areas.
  5. Look inward before looking outward. Finalize your 2017 Security Risk Analysis as required by HITECH.
  6. Make any required regulatory year end attestations.

As far as my 2018 observations, they include the following:

  1. Be dynamic and not static. If you are auditing high risk areas on an annual basis (level 5 CPT codes, incident to, modifier 25, PATH notes, short inpatient stays), then change the audit profile to advance the opportunity to identify risk. For ex., audit different physicians or NPs, time periods, clinics.
  2. Change your mindset. Try to find the problems rather than auditing to validate the incorrect perception that all is well. For ex., when was the last time you tested the FMV valuation for relevant physician contracts to assure Stark and AKS compliance? “Set it and forget it” creates risk. Do you have appropriate licensure for sites? Just because you are providing services does not mean such services are authorized. For ex., outpatient therapies.
  3. Brainstorm before creating the 2018 work plan. Meet (do not have an e-mail dialogue) with the relevant Directors or project managers, the foot soldiers, for purchasing, IT, the chargemaster, coding and other areas to secure their input on compliance areas. Who is no longer here? What compliance function did they perform? Who is doing it now? For ex., secure signatures for annual contracts involving physician compensation and implicating Stark.
  4. Benchmark your organization. There are public resources to address compliance deficiencies. Review and address, as appropriate. For ex., the Bureau of Compliance (BOC) in the New York State Office of the Medicaid Inspector General (OMIG) conducts assessments of Required Providers’ compliance programs. The chart below identifies the frequency (on a percentage basis) of Insufficiencies that were cited by BOC during compliance program reviews completed from January 2015 through June 30, 2017. The higher the percentage, the more frequently the Insufficiency was observed. (https://omig.ny.gov/compliance/compliance-program-assessment-results)
  5. You might want to consider touching base on the issue of harassment since this topic has been so much in the news lately. Although this area may not rank high on the list of fraud and abuse concerns, it requires attention based on recent publicity. Under the OIG compliance guidance, all programs with high risks should be subject to ongoing monitoring and auditing. Human Resources (HR) is a program, and therefore should be included when considering regulatory and legal risks.
  6. Considering the number of disasters the US has had in 2017, you might want to consider stressing the need to develop a disaster plan and conduct routine drills of the plan, especially with a HIPAA and HITECH focus.
  7. And, as always, cybersecurity in healthcare will continue to be an issue in 2018. Do the simple before the complex. For ex., secure a list of vendors from Accounts Payable, determine who has access to PHI, then cross reference against BAAs. You will find gaps. Remediate them. Regularly assess your security risk analysis in 2018. I have regularly reviewed an SRA provided by the IT vendor used by small to medium providers outsourcing their IT. I often find the vendor addresses technical safeguards but wholly omits the required administrative and physical safeguard assessments.

April 24, 2017

Posted by: HHS Office for Civil Rights

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 20, 2017

Posted by: HHS Office for Civil Rights

No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 3, 2017

Posted by: Robert Trusiak


On March 27, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) issued a new resource titled, Measuring Compliance Effectiveness: A Resource Guide. The intent of this guide is to provide numerous ideas for measuring the various elements of a compliance program.

A large number of individual compliance program metrics are listed in the guide. The purpose of the list is to give health care organizations as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit the organization's needs. The list is not a "checklist" to be applied in its entirety. An organization may choose to use only a small number of them in any given year. The OIG states that using them all or even a large number of them is impractical and not recommended. The frequency of use of any measurement should be based on factors such as the organization's risk areas, size, resources, etc.

March 3, 2017

Posted by: Robert Trusiak

HHS OIG Provides Short Compliance Presentations for Health Care Providers

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) provides short video and audio presentations for health care providers on top health care compliance topics. These free videos and audio podcasts - averaging about four minutes each - cover major health care fraud and abuse laws, the basics of health care compliance programs, and what to do when a compliance issue arises.

The presentations can be found at https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp. The topics covered include:

  • Compliance Program Basics
  • Tips for Implementing an Effective Compliance Program
  • Guidance for Health Care Boards
  • OIG’s Self-Disclosure Protocol
  • Physician Self-Referral Law
  • False Claims Act
  • Federal Anti-kickback Statute
  • How to Report Fraud to the OIG
  • Exclusion Authorities and Effects of Exclusion

February 19, 2017

Posted by: Robert Trusiak

ONC Releases Guide to Electronic Health Record Contracting

Selecting and negotiating the acquisition of an electronic health record system (EHR) is a challenging but important undertaking for any health care provider organization. The guide issued by the Office of the National Coordinator for Health Information Technology (ONC) is intended to help the health care provider understand how to manage risks via an EHR contract in order to maximize the value of a health IT investment, whether acquiring the first EHR or upgrading or replacing existing technology. It offers strategies and recommendations for negotiating best practice EHR contract terms and illustrates how legal issues might be addressed in a contract by providing example contract language.

The guide, entitled EHR Contracts Untangled, can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf.

January 22, 2017

Posted by: Robert Trusiak

Significant Points for Physicians and Hospitals from the FY 2017 OIG Work Plan

  • Hyperbaric Oxygen Therapy Services – Provider Reimbursement in Compliance with Federal Regulations
  • Incorrect Medical Assistance Days Claimed by Hospitals
  • Inpatient Psychiatric Facility Outlier Payments
  • Case Review of Inpatient Rehabilitation Hospital Patients Not Suited for Intensive Therapy

  • Intensity-Modulated Radiation Therapy

  • Outpatient Outlier Payments for Short-Stay Claims
  • Comparison of Provider-Based and Freestanding Clinics
  • Reconciliations of Outlier Payments
  • Hospitals’ Use of Outpatient and Inpatient Stays Under Medicare’s Two-Midnight Rule
  • Medicare Costs Associated with Defective Medical Devices
  • Payment Credits for Replaced Medical Devices That Were Implanted
  • Medicare Payments for Overlapping Part A Inpatient Claims and Part B Outpatient Claims
  • Selected Inpatient and Outpatient Billing Requirements
  • Duplicate Graduate Medical Education Payments
  • Indirect Medical Education Payments
  • Outpatient Dental Claims
  • Nationwide Review of Cardiac Catheterizations and Endomyocardial Biopsies
  • Payments for Patients Diagnosed with Kwashiorkor
  • Review of Hospital Wage Data Used to Calculate Medicare Payments
  • CMS Validation of Hospital-Submitted Quality Reporting Data
  • Long-Term-Care Hospitals – Adverse Events in Postacute Care for Medicare Beneficiaries
  • Hospital Preparedness and Response to Emerging Infectious Diseases

  • Medicare Payments for Transitional Care Management
  • Medicare Payments for Chronic Care Management
  • Data Brief on Financial Interests Reported Under the Open Payments Program

  • Review of Financial Interests Reported Under the Open Payments Program
  • Payments for Medicare Services, Supplies, and DMEPOS Referred or Ordered by Physicians – Compliance
  • Anesthesia Services – Noncovered Services
  • Anesthesia Services – Payments for Personally Performed Services
  • Physician Home Visits – Reasonableness of Services
  • Prolonged Services – Reasonableness of Services

  • Medicare Payments for Service Dates After Individuals’ Dates of Death
  • Management Review: CMS’s Implementation of the Quality Payment Program

  • Accountable Care Organizations: Beneficiary Assignment and Shared Savings Payments
  • Accountable Care Organizations: Savings, Quality, and Promising Practices
  • Use of Electronic Health Records to Support Care Coordination through ACOs
  • Medicare Payments for Incarcerated Beneficiaries – Mandatory Review

  • Accountable Care in Medicaid
  • Ongoing:
    • Physician-Administered Drugs for Dual Eligible Enrollees
    • Medicaid Payments for Multiuse Vials of Herceptin
    • Health-Care-Acquired Conditions – Prohibition on Federal Reimbursements
    • Medicare Incentive Payments for Adopting Electronic Health Records
    • Security of Certified Electronic Health Record Technology Under Meaningful Use
December 9, 2016

Posted by: Robert Trusiak

Preventing Ransomware Attacks

Ransomware is a type of malicious software designed to block access to computer data and systems until a sum of money is paid. There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although preventive measures can be taken to limit vulnerability.

The United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, includes the following recommendations:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary.
  • Configure access controls with least privilege in mind.
  • Disable macro scripts from office files transmitted via email.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations.
  • Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  • Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

October 17, 2016

Posted by: Robert Trusiak

HHS OCR Guidance on HIPAA & Cloud Computing

  1. On October 7, 2016, the HHS Office for Civil Rights (OCR) issued new guidance to assist HIPAA-regulated cloud service providers (CSPs) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.
  2. The new guidance can be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
  3. When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.
  4. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
  5. A HIPAA covered entity or business associate may use a cloud service to store or process ePHI provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules.
  6. In addition, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:
    • System availability and reliability;
    • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
    • Manner in which data will be returned to the customer after service use termination;
    • Security responsibility; and
    • Use, retention and disclosure limitations.
  7. If a covered entity or business associate enters into an SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1). (See OCR FAQ regarding impermissible blocking of covered entity access to ePHI by a business associate: http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html.)
  8. If a CSP stores only encrypted ePHI and does not have a decryption key, it is still a HIPAA business associate because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.
    • While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.
    • Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
    • Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.
  9. Generally, a CSP cannot be considered a “conduit” like the postal service, which would exempt the CSP from business associate status.
    • The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
    • Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
  10. If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without first entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).
  11. Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the ePHI.
  12. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a business associate agreement (BAA) with the CSP that the CSP will, among other things, appropriately safeguard the protected health information (PHI) that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules. HIPAA Rules do not require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates.
