Tag Archives: corrective action plan (CAP)

HIPAA Fines, Mobile Devices and Risk Assessments: Follow the Steps or Pay the Price

By Lance O. Leider, J.D., The Health Law Firm

Two separate entities have agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 in fines collectively. The settlements resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules involving stolen, unencrypted laptops. These two actions shine a light on the significant risk unencrypted laptops and other mobile devices pose to the security of patient information.

To read the press release from the HHS OCR, published on April 22, 2014, click here.

Concentra Received Risk Assessments, But Did Not Act on Findings.

According to the OCR, an investigation of Concentra Health Services, a subsidiary of Humana, was conducted after a laptop was stolen from a Missouri physical therapy center. This investigation revealed that Concentra had previously received multiple risk analyses that stated the company lacked encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information. Concentra’s efforts to remedy the risk were incomplete and inconsistent, leaving patients’ health information vulnerable. Concentra agreed to pay $1,725,220 to settle potential security violations and adopt a corrective action plan.

QCA Investigation.

The QCA Health Plan, Inc., investigation began in February 2012, after an unencrypted laptop containing the medical records of 148 individuals was stolen from an employee’s car. The investigation revealed that QCA failed to comply with multiple requirements of the HIPAA privacy and security rules. According to Modern Healthcare, the company is required to pay $250,000, as well as provide HHS with an updated risk analysis and corresponding risk-management plan.

Click here to read the entire article from Modern Healthcare.

Encrypt Laptops and Other Equipment or Pay the Price.

Encryption is one of your best defenses against incidents. These two settlements highlight the need for all entities to encrypt their laptops and other devices. Failing to do so may put that entity at risk for paying a large fine to the OCR and possible fines for state law violations.

HIPAA-covered entities are responsible for making sure all personal information is protected.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at http://www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Are the laptops and other mobile devices at your practice encrypted? Does your practice regularly perform HIPAA risk assessments? Please leave any thoughtful comments below.

Sources:

Conn, Joseph. “Unencrypted-Laptop Thefts at Center of Recent HIPAA Settlements.” Modern Healthcare. (April 23, 2014). From: http://www.modernhealthcare.com/article/20140423/NEWS/304239945/unencrypted-laptop-thefts-at-center-of-recent-hipaa-settlements

U.S. Department of Health and Human Services Press Office. “Stolen Laptops Lead to Important HIPAA Settlements.” U.S. Department of Health and Human Services. (April 22, 2014). From: http://www.hhs.gov/news/press/2014pres/04/20140422b.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Dermatology Practice Settles with Government After Stolen USB Drive Results in HIPAA Breach

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and Adult & Pediatric Dermatology (APDerm), reached a $150,000 settlement for privacy and security violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to an unencrypted USB drive that was stolen. The thumb drive contained the protected health information (PHI) of around 2,200 patients, according to a press release posted December 26, 2013, on the HHS website.

According to the HHS, this is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

APDerm delivers dermatology services to patients in Massachusetts and New Hampshire.

Alleged Violations Stemmed from Stolen, Unencrypted USB Drive.

According to the HHS, the OCR initiated its investigation after being tipped off that an unencrypted thumb drive containing the PHI of about 2,200 patients was stolen from a vehicle of an APDerm staff member. According to Healthcare IT News, the thumb drive was never recovered.

The investigation allegedly revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process. It’s also alleged that APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train staff members.

According to Healthcare IT News, the settlement also includes a corrective action plan (CAP). The CAP requires the dermatology company to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. Click here to read the entire article on Healthcare IT News.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is protected. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them, selling them or trading them in on newer models.

To read a previous blog on Affinity Health Plan settling with government in photocopier HIPAA breach incident, click here.

Practical Tips.

The following are some lessons learned from this case. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Millard, Mike. “Lost Thumb Drive Leads to $150K Fine.” Healthcare IT News. (December 30, 2013). From: http://www.healthcareitnews.com/news/lost-thumb-drive-leads-150k-fine

U.S. Department of Health and Human Services “Dermatology Practice Settles Potential HIPAA Violations.” HHS.gov. (December 26, 2013). From: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Two Laptops Containing Information of 729,000 Patients Stolen from California Hospital Group

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The personal health information of around 729,000 patients has been compromised following the theft of two laptops. The password-protected computers were taken from an administration building of AHMC Healthcare Inc., a hospital group in Alhambra, California. According to the Los Angeles Times, the laptops contain data from patients treated at six different AHMC Healthcare hospitals. Surveillance video shows that the theft occurred on October 12, 2013, but hospital officials did not discover the laptops were missing until two days later.

To read the article from the Los Angeles Times, click here.

Laptops Contain Patient Information, But No Evidence Information Has Been Hacked.

According to the hospital group, the laptops contain data including patients’ names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payment records. Some of the files allegedly contain the Social Security numbers of Medicare patients.

So far, there is no evidence the information has been accessed or used, according to the CBS affiliate in Los Angeles. Click here to read the article from the CBS affiliate.

However, given that this just occurred a few days ago, it is probably too early to tell, anyway.

Breach Must Be Reported to the Department of Health and Human Services.

Hospitals are required, under federal law, to report potential medical data breaches involving more than 500 people to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for investigating all allegations of violations of HIPAA Privacy and Security Regulations.

According to the Los Angeles Times, AHMC Healthcare has already asked for an auditing firm to perform a security risk assessment. Hospital administrators are also expediting a policy to encrypt all laptops.

HIPAA Omnibus Final Rule Effective September 23, 2013–Get a Risk Assessment.

The HIPAA Omnibus Final Rule went into effect on September 23, 2013. By now, hospitals, physicians and all covered entities must comply with the HIPAA Omnibus Final Rule. The amendments to the rule are available on the HHS OCR website. I previously wrote a blog series about the HIPAA Omnibus Final Rule. Click here for part one, click here for part two and here for part three.

Covered entities should be performing HIPAA risk assessments to identify their security risks and implement protections before a data breach occurs. HIPAA has always required covered entities to perform HIPAA risk assessments. Very often, the first question the OCR asks when investigating a possible HIPAA violation is what risk assessment the health care provider has performed.

The objectives of an adequate HIPAA risk analysis are:

1. Identify the scope of the analysis – the analysis should include all the risks and vulnerabilities to the confidentiality, availability and integrity of all electronic health information regardless of its location.
2. Gather data – the covered entity must identify every location where electronic data is stored.
3. Identify and document potential threats and vulnerabilities – the covered entity should consider natural threats, human threats and environmental threats.
4. Assess current security measures – the covered entity must examine and assess the effectiveness of its current measures.
5. Determine the likelihood of threat occurrence – the covered entity should evaluate each potential threat and prioritize its plan to address each threat.
6. Determine the potential impact of threat occurrence – the covered entity should assess the possible outcomes of each identified threat such as unauthorized disclosure of confidential information.
7. Determine the level of risk – the covered entity should categorize each risk and plan its procedures to mitigate any damage caused by each risk.
8. Identify security measures and finalize documentation – the covered entity should thoroughly document all the steps it used in its risk assessment process.

Comments?

What do you think of this alleged HIPAA violation? Do you have policies and procedures in place to protect your patients’ right to privacy? Have you received a HIPAA risk assessment lately? Please leave any thoughtful comments below.

Sources:

Winton, Richard. “Laptop Thefts Compromise 729,000 Hospital Patient Files.” Los Angeles Times. (October 21, 2013). From: http://www.latimes.com/local/la-me-hospital-theft-20131022,0,1936078.story#axzz2iRg6Rh3Y

Los Angeles CBS. “Laptops Containing Patient Information Stolen from Alhambra Hospital.” Los Angeles CBS. (October 22, 2013). From: http://losangeles.cbslocal.com/2013/10/22/laptops-containing-patient-information-stolen-from-alhambra-hospital/

Affinity Health Plan Settles with Government in Photocopier HIPAA Breach Incident Involving Patient Medical Information

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and Affinity Health Plan, Inc. (Affinity), reached a settlement for more than $1.2 million for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to a photocopier previously leased by Affinity. The photocopier had an internal hard drive which stored copies of documents, including medical records, which had been photocopied by Affinity. The photocopier was returned to the leasing company and then later purchased from that same company by CBS Evening News. Apparently CBS Evening News then discovered the medical records on the photocopier hard drive.

According to the HHS, Affinity filed a breach report with the HHS OCR on April 15, 2010. This is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

Affinity is a not-for-profit managed care plan serving the New York metropolitan area.

Alleged Violations Stemmed from Failing to Clear Photocopier Hard Drive.

Affinity was allegedly informed by a representative of CBS Evening News that, as part of an investigation, CBS had purchased a photocopier previously leased by Affinity. CBS allegedly informed Affinity that the photocopier still contained medical information on its hard drive. The OCR estimated that up to 344,579 individuals may have been affected by the breach. The OCR’s investigation found that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without deleting the data stored on the hard drives.

Affinity Must Try to Retrieve All Hard Drives in Previously Used Photocopiers.

According to HealthIT Security, on top of the $1,215,780 payment, Affinity must also try to recover all its previously used photocopiers that are still in the custody of the leasing company. Affinity must also conduct a risk analysis of its electronic protected health information for security risks and vulnerabilities.

Click here to read the article from HealthIT Security.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is wiped from the hardware before it is recycled, thrown away or sent back to a leasing agent. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include, for example, photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Office of Civil Rights. “HHS Settles with Health Plan in Photocopier Breach Case.” U.S. Department of Health and Human Services. (August 14, 2013). From: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

Ouellette, Patrick. “OCR, Affinity Health Plan Reach HIPAA Violation Agreement.” HealthIT Security. (August 14, 2013). From: http://healthitsecurity.com/2013/08/14/ocr-affinity-health-plan-reach-hipaa-violation-agreement

Federal Jury Convicts South Florida Doctors of Medicare Fraud

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Two South Florida doctors, one Miami-area therapist, and two other individuals were convicted by a federal jury for their participation in a Medicare fraud scheme. The scheme allegedly involved more than $205 million in fraudulent billings by American Therapeutic Corporation (ATC), a corporation which provided mental health care services. The jury reached a decision on June 1, 2012. To see the Department of Justice press release, click here.

The two doctors and the therapist were each found guilty of one count of conspiracy to commit health care fraud. The other two individuals were each found guilty of one count of health care kickbacks. Sentencing has not yet been scheduled. The maximum penalty for each conspiracy count and each count of health care fraud is ten years in prison plus a fine. The maximum penalty for each count of health care kickbacks is five years in prison plus a fine.

Doctors, Therapist, and Others Allegedly Created False Documents for Medicare Reimbursements.

One of the federal indictments charged more than 14 separate defendants with criminal violations. To see this indictment click here.

Allegedly, ATC billed Medicare for hundreds of millions of dollars in services, for thousands of patients who were not qualified. The charges alleged fraudulent documents were created by the doctors and others associated with ATC. The doctors allegedly would sign patient documents without having seen or treated the patients.

ATC operated partial hospitalization programs (PHPs) throughout Florida and would allegedly bill Medicare for PHP treatments for patients in the names of the doctors. Included in these submissions to Medicare were claims for patients who were allegedly ineligible for PHP treatments. ATC allegedly did not provide legitimate PHP treatment, but illegally changed patient medical records to justify claims that were submitted.

ATC Executive Sentenced to 50 Years in Prison.

Since ATC was shut down nearly two years ago, 35 defendants have faced charges relating to the alleged fraud scheme. The majority of the defendants have pleaded guilty. Last year a third doctor pleaded guilty, accepting responsibility for more than $19 million of false claims submitted by the clinics.

Four ATC executives were sentenced to 50 years, 35 years, 35 years, and 91 months in prison, respectively, for their roles in the fraud scheme.

Contact Health Law Attorneys Experienced in Handling Medicare and Medicaid Fraud Cases.

The Health Law Firm’s attorneys routinely represent physicians, medical groups, clinics, pharmacies, durable medical equipment (DME) suppliers, home health agencies, nursing homes and other healthcare providers in Medicare and Medicaid investigations, audits and recovery actions. They also represent them in preparing and submitting corrective action plans (CAPs), requests for reconsideration, and appeal hearings, including Medicare administrative hearings before an administrative law judge.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Sources Include:

U.S. Department of Justice, Office of Public Affairs. “Doctors, Therapist, and Recruiters from Miami-Area Mental Health Care Corporation Convicted for Participating in $205 Million Medicare Fraud Scheme.” FBI. (June 01, 2012). Press Release. From: http://www.fbi.gov/miami/press-releases/2012/doctors-therapist-and-recruiters-from-miami-area-mental-health-care-corporation-convicted-for-participating-in-205-million-medicare-fraud-scheme

Weaver, Jay. “Two South Florida Doctors, 3 Others Convicted on Medicare Fraud Charge.” Miami Herald. (June 01, 2012). From: http://www.miamiherald.com/2012/06/01/2827660/miami-medicare-fraud-jurors-tell.html#storylink=misearch/

Update All of Your Addresses with Medicare Immediately!

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Have You Checked Your Addresses on File with CMS/Medicare Recently?

Do you remember the last time you checked all four of the addresses you should have on file for any individual or any group/company Medicare number you may have?  The consequences of not updating these addresses can be severe.  In addition to your mailing (or correspondence address), and your billing address, you also should have a physical address that is complete, accurate and timely.  The telephone number for that physical address should also be in the system.  You must ensure that not only is the street address accurate, but also that any suite, office or apartment number on it is accurate.  Check the zip code, too, just to be certain you did not transpose digits when you entered it.

Auditors, surveyors, inspectors and investigators are often sent out by Medicare and its contractors, including the Medicare Administrative Contractors (or “MACs”) and the Zone Program Integrity Contractors (or “ZPICs”), to the physical address on file.  This is done as a fraud prevention tool to make sure that medical practices, durable medical equipment companies (DMEs), home health agencies (HHAs), and other businesses that receive payments from Medicare are legitimate and are actually operating.

Termination of Medicare Billing Privileges Often Results From Incorrect Addresses.

Site inspections and audits are also conducted by sending auditors on short notice or no notice to the physical address on file.  If your physical address is incomplete (e.g., no suite number) or wrong (e.g., incorrect street address) or is not up to date (e.g., you moved and forgot to update it), the consequences could be severe.  What we have seen most often recently is an action that terminates the Medicare billing privileges.  The provider then is not allowed to reapply for a period of two (2) years from the date of termination.

Update All of Your Addresses with Medicare Immediately.

I urge you to personally and immediately go into the Medicare Provider Enrollment, Chain and Ownership System (PECOS) and the National Plan & Provider Enumeration System (NPPES) NPI Registry and print out a copy of the existing information to check it.  If your address is incorrect or incomplete, immediately submit a correction or have your administrator or practice manager do this.

If anything is incorrect, including an incorrect or incomplete name for your medical group, corporation or business, immediately have this corrected, as well.  Everything should be consistent, and all of your state licenses and corporation/company information on file with your Secretary of State should contain the same information.

What to Do if You Receive a Notice of Termination of Your Medicare Provider Number.

Have you received a notice of termination of your Medicare provider number? Medicare has been revoking the Medicare billing privileges of many different Medicare providers including physicians, medical groups, home health agencies (HHAs), pharmacies, and durable medical equipment (DME) providers, based on returned mail sent to old addresses which have not been updated or based on inspection team site visits to old, incorrect addresses.

Often the termination is retroactive to an earlier date when the change or move may have been determined to have occurred. Even if the mailing address is correct or was changed, the physical address of the business must have been updated, as well. It is usually an incorrect or old physical address which causes this to occur.

The effect of this termination includes:

1. You are prohibited from reapplying to Medicare for at least two (2) years.

2. You may have to pay back any monies received from the Medicare Program since the effective date of the termination (often many months prior to the notification letter).

3. Other auditing agents may be notified such as the Medicare Zone Program Integrity Contractors (ZPIC) and the state Medicare Fraud Control Unit (MFCU).

4. You may no longer contract with Medicare or anyone who does.

5. You may and probably will be terminated from the approved provider panels of health insurance companies with which you are currently contracted.

6. You may and probably will be terminated from skilled nursing facilities (SNFs) and home health agencies (HHAs) with which you have contracts.

7. You may and probably will have your clinical privileges terminated by hospitals or ambulatory surgical centers (ASCs) where you have them.

What you should not do includes:

1. Don’t bother to write letters or start e-mailing anyone, including CMS or the Medicare Administrative Contractor (or MAC) (previously called the “carrier” or “fiscal intermediary”).

2. Don’t bother to call the Centers for Medicare & Medicaid Services (CMS) or the MAC.

3. Don’t bother to file a new CMS Form 855 (application) or a CMS Form 855C (change).

4. Don’t bother to start communicating with CMS or the MAC about your situation and what you need to do about it.

5. Don’t bother to complete and file the short, one-page Corrective Action Plan (CAP) form that is on the CMS or Carrier/MAC website (unless you are close to the deadline and don’t have representation; then you must).

What we recommend is:

1. Immediately go into the Medicare Provider Enrollment, Chain and Ownership System (PECOS) and the National Plan & Provider Enumeration System (NPPES) NPI Registry and print out a copy of the existing information. Then update or correct any incorrect information on you or your company, if you can. Print out the information as it existed before and print out the information after you have corrected it. (Note: Medicare will act to terminate your access to this shortly after sending the letter to you, so it may be too late.)

2. Hire an experienced health attorney immediately to assist you in putting together and submitting a comprehensive Corrective Action Plan (CAP), a Request for Reconsideration (RFR) and a request for an Appeal Hearing.

3. Note that there is a thirty (30) day deadline for submitting the CAP and a sixty (60) day deadline for requesting an appeal hearing. Do not miss these.

4. Implement formal, written internal policies and procedures to prevent a recurrence of the type of error, oversight or event that caused the termination.  Train your management and staff on these.

The CAP should address every element of the applicable conditions of participation (COP) contained in the Code of Federal Regulations (CFR). It should include and be supported by all relevant documents, including but not limited to:

1. Documents showing how the error occurred or past efforts to comply.

2. Surety bond guarantees and documents (where required).

3. Insurance coverage documents showing current coverage (general liability, professional liability, vehicle/auto liability).

4. Current licenses and permits.

5. Certificates of good standing and latest annual reports for any corporation or limited liability company.

6. Print-outs from PECOS/NPPES Registry discussed above.

7. Accident reports, insurance claims, police reports, fire reports or other documentation showing why a relocation was required (if this was an issue).

8. Certificates of compliance training for you and your staff, if available.

9. Copies of policies and procedures that you have adopted to prevent a recurrence of the situation that led to the termination.

10. An authorization form for your consultant or attorney to represent you in the matter.

All copies should be clear, legible, complete and straight, with no corners cut off and no handwriting on them, to the greatest extent possible.

Organize, Label and Index Professionally.

Everything should be professionally assembled, typed, indexed and labeled. It should include a table of contents or an index. Number every page. It should be submitted to the MAC (or the agency/address given in the termination letter) by two (2) reliable means that document both sending and receipt. Keep copies of everything, including postal receipts, airbills, Federal Express labels, courier receipts, etc. It must be received at the address given in the termination letter you received (usually MAC) by the deadline given above. Keep copies of online tracking reports and return receipts.

As things currently stand, in most instances, if you show a legitimate reason for the error, show that you are currently in compliance, and show what remedial measures you have taken to prevent a repeat, the MAC will accept your corrective action plan (CAP) and will reinstate your Medicare number.

Don’t Wait Until It’s Too Late; Consult with a Health Law Attorney Experienced in Medicare and Medicaid Issues Now.

The lawyers of The Health Law Firm routinely represent physicians, medical groups, clinics, pharmacies, durable medical equipment (DME) suppliers, home health agencies, nursing homes and other healthcare providers in Medicare and Medicaid investigations, audits and recovery actions.  They also represent them in preparing and submitting corrective action plans (CAPs), requests for reconsideration, and appeal hearings, including Medicare administrative hearings before an administrative law judge.  Attorneys of The Health Law Firm represent health providers in actions initiated by the Medicaid Fraud Control Units (MFCUs), in False Claims Act cases, in actions initiated by the state to exclude or terminate from the Medicaid Program or by the HHS OIG to exclude from the Medicare Program.

Call now at (407) 331-6620 or (850) 439-1001 or visit our website www.TheHealthLawFirm.com.

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Disclaimer:  Please note this article is for general education and information purposes only and does not constitute legal advice or solicitation for clients.  Our opinions stated herein are just that, our opinion.