
April 24, 2017

Posted by: HHS Office for Civil Rights

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 20, 2017

Posted by: HHS Office for Civil Rights

No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 3, 2017

Posted by: Robert Trusiak


On March 27, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) issued a new resource titled, Measuring Compliance Effectiveness: A Resource Guide. The intent of this guide is to provide numerous ideas for measuring the various elements of a compliance program.

A large number of individual compliance program metrics are listed in the guide. The purpose of the list is to give health care organizations as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit the organization's needs. The list is not a "checklist" to be applied in its entirety. An organization may choose to use only a small number of them in any given year. The OIG states that using them all or even a large number of them is impractical and not recommended. The frequency of use of any measurement should be based on factors such as the organization's risk areas, size, resources, etc.

March 3, 2017

Posted by: Robert Trusiak

HHS OIG Provides Short Compliance Presentations for Health Care Providers

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) provides short video and audio presentations for health care providers on top health care compliance topics. These free videos and audio podcasts - averaging about four minutes each - cover major health care fraud and abuse laws, the basics of health care compliance programs, and what to do when a compliance issue arises.

The presentations can be found at https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp. The topics covered include:

  • Compliance Program Basics
  • Tips for Implementing an Effective Compliance Program
  • Guidance for Health Care Boards
  • OIG’s Self-Disclosure Protocol
  • Physician Self-Referral Law
  • False Claims Act
  • Federal Anti-kickback Statute
  • How to Report Fraud to the OIG
  • Exclusion Authorities and Effects of Exclusion

February 19, 2017

Posted by: Robert Trusiak

ONC Releases Guide to Electronic Health Record Contracting

Selecting and negotiating the acquisition of an electronic health record system (EHR) is a challenging but important undertaking for any health care provider organization. The guide issued by the Office of the National Coordinator for Health Information Technology (ONC) is intended to help the health care provider understand how to manage risks via an EHR contract in order to maximize the value of a health IT investment, whether acquiring the first EHR or upgrading or replacing existing technology. It offers strategies and recommendations for negotiating best practice EHR contract terms and illustrates how legal issues might be addressed in a contract by providing example contract language.

The guide, entitled EHR Contracts Untangled, can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf.

January 22, 2017

Posted by: Robert Trusiak

Significant Points for Physicians and Hospitals from the FY 2017 OIG Work Plan

  • Hyperbaric Oxygen Therapy Services – Provider Reimbursement in Compliance with Federal Regulations
  • Incorrect Medical Assistance Days Claimed by Hospitals
  • Inpatient Psychiatric Facility Outlier Payments
  • Case Review of Inpatient Rehabilitation Hospital Patients Not Suited for Intensive Therapy

  • Intensity-Modulated Radiation Therapy

  • Outpatient Outlier Payments for Short-Stay Claims
  • Comparison of Provider-Based and Freestanding Clinics
  • Reconciliations of Outlier Payments
  • Hospitals’ Use of Outpatient and Inpatient Stays Under Medicare’s Two-Midnight Rule
  • Medicare Costs Associated with Defective Medical Devices
  • Payment Credits for Replaced Medical Devices That Were Implanted
  • Medicare Payments for Overlapping Part A Inpatient Claims and Part B Outpatient Claims
  • Selected Inpatient and Outpatient Billing Requirements
  • Duplicate Graduate Medical Education Payments
  • Indirect Medical Education Payments
  • Outpatient Dental Claims
  • Nationwide Review of Cardiac Catheterizations and Endomyocardial Biopsies
  • Payments for Patients Diagnosed with Kwashiorkor
  • Review of Hospital Wage Data Used to Calculate Medicare Payments
  • CMS Validation of Hospital-Submitted Quality Reporting Data
  • Long-Term-Care Hospitals – Adverse Events in Postacute Care for Medicare Beneficiaries
  • Hospital Preparedness and Response to Emerging Infectious Diseases

  • Medicare Payments for Transitional Care Management
  • Medicare Payments for Chronic Care Management
  • Data Brief on Financial Interests Reported Under the Open Payments Program

  • Review of Financial Interests Reported Under the Open Payments Program
  • Payments for Medicare Services, Supplies, and DMEPOS Referred or Ordered by Physicians – Compliance
  • Anesthesia Services – Noncovered Services
  • Anesthesia Services – Payments for Personally Performed Services
  • Physician Home Visits – Reasonableness of Services
  • Prolonged Services – Reasonableness of Services

  • Medicare Payments for Service Dates After Individuals’ Dates of Death
  • Management Review: CMS’s Implementation of the Quality Payment Program

  • Accountable Care Organizations: Beneficiary Assignment and Shared Savings Payments
  • Accountable Care Organizations: Savings, Quality, and Promising Practices
  • Use of Electronic Health Records to Support Care Coordination through ACOs
  • Medicare Payments for Incarcerated Beneficiaries – Mandatory Review

  • Accountable Care in Medicaid
  • Ongoing:
    • Physician-Administered Drugs for Dual Eligible Enrollees
    • Medicaid Payments for Multiuse Vials of Herceptin
    • Health-Care-Acquired Conditions – Prohibition on Federal Reimbursements

    • Medicare Incentive Payments for Adopting Electronic Health Records
    • Security of Certified Electronic Health Record Technology Under Meaningful Use

December 9, 2016

Posted by: Robert Trusiak

Preventing Ransomware Attacks

Ransomware is a type of malicious software designed to block access to computer data and systems until a sum of money is paid. There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although preventive measures can be taken to limit vulnerability.

The United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, includes the following recommendations:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary.
  • Configure access controls with least privilege in mind.
  • Disable macro scripts from office files transmitted via email.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations.
  • Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  • Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
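As an added example (not part of the interagency guidance or this post), the following read-only PowerShell audit checks a Windows host against several of the items above: whether RDP is enabled, whether Office macro policy blocks macros in files that arrived from the internet (which includes email attachments), whether an SRP default-deny or AppLocker rules are in effect, who holds local administrator rights, and how recently the host was patched. The Office version key (16.0), the 30-day patch window and the two-member administrator threshold are assumptions to adjust to your own policy.

```powershell
# Added example: read-only audit of several ransomware-prevention recommendations.
# Registry paths are the documented Windows / Office policy locations; the Office
# version (16.0), the 30-day patch window and the admin threshold are assumptions.
$findings = @()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP connections are disabled.
$rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
if ($rdpDenied -ne 1) { $findings += 'RDP is enabled; disable it if it is not being used.' }

# 2. Office macros: blockcontentexecutionfrominternet = 1 blocks macros in files carrying
#    the Mark-of-the-Web; VBAWarnings = 4 disables all macros without notification.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $mow = Get-RegValue $key 'blockcontentexecutionfrominternet'
    $vba = Get-RegValue $key 'VBAWarnings'
    if ($mow -ne 1 -and $vba -ne 4) {
        $findings += "${app}: macros in internet-sourced files are not blocked by policy."
    }
}

# 3. SRP: DefaultLevel 0 = Disallowed (allow-list posture), 0x40000 = Unrestricted.
#    Also count effective AppLocker rules as an alternative whitelisting control.
$srpLevel = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
$appLockerRules = 0
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $appLockerRules = $policy.SelectNodes('//RuleCollection/*').Count
} catch { }
if ($srpLevel -ne 0 -and $appLockerRules -eq 0) {
    $findings += 'Neither an SRP default-deny level nor any effective AppLocker rule is in place.'
}

# 4. Least privilege: flag a local Administrators group larger than the assumed threshold.
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 2) {
        $findings += "Local Administrators has $($admins.Count) members: $($admins -join ', ')"
    }
} catch { $findings += 'Could not enumerate local Administrators (requires PowerShell 5.1+).' }

# 5. Patching: surface hosts whose most recent hotfix is older than the assumed window.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += 'No hotfix installed in the last 30 days.'
}

if ($findings.Count -eq 0) { 'All checked items match the guidance.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the host being reviewed; it changes nothing and only reports deviations for follow-up.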

October 17, 2016

Posted by: Robert Trusiak

HHS OCR Guidance on HIPAA & Cloud Computing

1. On October 7, 2016, the HHS Office for Civil Rights (OCR) issued new guidance to assist HIPAA-regulated cloud service providers (CSPs) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.
2. The new guidance can be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
3. When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.
4. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
5. A HIPAA covered entity or business associate may use a cloud service to store or process ePHI provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules.
6. In addition, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:
   • System availability and reliability;
   • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
   • Manner in which data will be returned to the customer after service use termination;
   • Security responsibility; and
   • Use, retention and disclosure limitations.
7. If a covered entity or business associate enters into an SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1). (See OCR FAQ regarding impermissible blocking of covered entity access to ePHI by a business associate: http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html.)
8. If a CSP stores only encrypted ePHI and does not have a decryption key, it is still a HIPAA business associate because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.
   • While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.
   • Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
   • Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.
9. Generally, a CSP cannot be considered a “conduit” like the postal service, which would exempt the CSP from business associate status.
   • The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
   • Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
10. If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without first entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules (45 C.F.R. §§ 164.308(b)(1) and 164.502(e)).
11. Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the ePHI.
12. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a business associate agreement (BAA) with the CSP that the CSP will, among other things, appropriately safeguard the protected health information (PHI) that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules. The HIPAA Rules do not require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates.
