OCR Settles HIPAA Violations with Small Physician Practice

On the heels of its $1.5 million settlement with a large payor, Blue Cross Blue Shield of Tennessee, the Department of Health and Human Services Office for Civil Rights (OCR) announced on April 17, 2012, that it had settled with a small physician practice for HIPAA safeguard violations. Phoenix Cardiac Surgery, P.C., a practice owned by two physicians, entered into a settlement agreement and agreed to pay $100,000 after OCR found that the practice had posted patient appointments on an unsecured calendar and sent ePHI in unsecured emails.

Over a period of a year and a half, the practice posted 1,000 entries containing ePHI on a publicly accessible, Internet-based calendar. In addition, over three years the practice transmitted ePHI on a daily basis from an Internet-based email account to workforce members' personal Internet-based email accounts.

OCR, after investigation of a complaint, found that the physician practice failed to:

  • Implement adequate policies and procedures to appropriately safeguard patient information
  • Document that it trained any employees on its policies and procedures on the HIPAA Privacy Rule and Security Rule
  • Identify a security officer and conduct a risk analysis
  • Obtain business associate agreements with the Internet-based email and calendar services, where the provision of the service included storage of, and access to, its ePHI

Along with the $100,000 payment to OCR, the practice also agreed to enter into a corrective action plan (CAP) requiring that it develop, maintain and revise written HIPAA policies and procedures and submit them to OCR for approval prior to implementation. Within 30 days of OCR approval, the practice must implement these policies and procedures and distribute them to its workforce members. Within 60 days of OCR approval, the practice must provide training to all workforce members. The CAP also requires that the practice assess, review and revise its HIPAA policies and procedures at least annually, or more frequently as appropriate. Should any additional violations of its HIPAA policies and procedures occur, the practice must submit a report directly to OCR within 30 days of its determination that a violation occurred, including: a description of the events, the persons involved, the actions taken to mitigate any harm, and any further steps the practice plans to take to address the matter and prevent the violation from recurring.

In a press announcement, Leon Rodriguez, Director of OCR emphasized, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Small physician practices should take note that they are not immune to OCR investigation.

As a result of a qui tam action commenced pursuant to the whistleblower provisions of the False Claims Act, pharmaceutical company Sanofi US agreed this week to pay $109 million to resolve False Claims Act allegations that it provided free product to physicians as a kickback. According to the allegations, Sanofi gave free units of Hyalgan, a knee injection, to physicians who agreed to purchase and prescribe the product. By giving these free units, and by throwing the physicians lavish parties, all of which constitute kickbacks under the anti-kickback statutes, Sanofi enticed physicians to choose its product over a lower-priced competitor.

As set forth in the press release issued by the Department of Justice, “Kickback schemes subvert the health care marketplace and undermine the integrity of public health care programs.” Further, “[p]atients expect their health providers to be concerned solely with their best medical interests. … Kickbacks undermine that all-important patient trust, and taxpayers’ expectation that government health dollars be put only to the wisest of uses.”

This resolution is part of the government’s emphasis on combating health care fraud and another step for the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, a joint effort of the office of the U.S. Attorney General and the Department of Health and Human Services to reduce and prevent Medicare and Medicaid financial fraud through enhanced cooperation. One of the most powerful tools in that effort is the False Claims Act, which the Justice Department has used to recover $10.1 billion since January 2009.

N.B. Many drug and biologic companies provide physicians with free samples that the physicians may give to patients free of charge. It is legal to give these samples to your patients for free, but it is illegal to sell them. The federal government has prosecuted physicians for billing Medicare for free samples. If you choose to accept samples, you will need reliable systems in place to store them securely and to ensure that they are not commingled with your commercial stock.

The New York State Office of the Medicaid Inspector General (OMIG) will present “The OMIG Exclusion and Reinstatement Process.” The webinar will take place on December 19, 2012, from 2:00 to 3:30 pm, and will provide an overview of the exclusion process that takes place whenever OMIG considers a provider or individual for exclusion from the program. To register, click here.