HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to OCR.


NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.


Houston Dental Clinic Operator Convicted in $6M Pediatric Fraud Scheme

From Press Release, United States Attorney’s Office, Southern District of Texas:

  • Rene Gaviola, operator of Floss Family Dental Care clinic in Houston, admitted to submitting fraudulent claims to Medicaid for pediatric dental services that were not provided.
  • Gaviola confessed to employing unlicensed individuals to practice dentistry on Medicaid-insured children and operating the clinic without any licensed dentists, billing Medicaid as if licensed professionals provided the services.
  • He further admitted to paying kickbacks to marketers and caregivers of Medicaid-insured children for bringing them to Floss, and to laundering Medicaid funds from the clinic’s business account to his personal account in transactions exceeding $100,000.
  • From 2019 to 2021, Floss billed Medicaid nearly $6.9 million for pediatric dental services, of which Medicaid paid approximately $4.9 million.
  • Gaviola pleaded guilty and awaits sentencing on April 16, facing potential penalties including up to 10 years for conspiracy to commit health care fraud, payment of kickbacks, and money laundering, as well as potential fines in the hundreds of thousands.

Physician’s Assistant Convicted at Trial of Amniotic Fluid Scam

From Press Release, United States Attorney’s Office, Northern District of Texas:

  • A 36-year-old physician’s assistant at a Fort Worth pain management clinic has been convicted of conspiracy to commit health care fraud and 12 counts of healthcare fraud.
  • The PA submitted claims to Medicare for injections of unapproved amniotic fluid for pain management.
  • Although some amniotic products are FDA-approved for wound care, they are not approved for pain management, making the injections medically unnecessary and non-reimbursable by Medicare.
  • He used an amniotic product called “Cell Genuity,” which was not covered by Medicare for either wound care or pain management. He initially asked patients to pay out of pocket for the injections, but many refused due to the high cost and questionable efficacy.
  • The PA identified another product, “Fluid Flow,” that he believed could be reimbursed by Medicare. Instead of purchasing this more expensive product, he continued to use Cell Genuity but billed Medicare under Fluid Flow’s unique code. This resulted in significant profits for the clinic and himself.
  • The PA now faces up to 240 years in federal prison – 20 years per count.

OIG Publishes a New Guidance Resource and a Report

OIG released its General Compliance Program Guidance (GCPG). The GCPG is a reference guide for the health care compliance community and other health care stakeholders. It provides information about relevant Federal laws, compliance program infrastructure, OIG resources, and other items useful for understanding health care compliance. The GCPG is voluntary guidance that discusses general compliance risks and compliance programs; it is not binding on any individual or entity. The guide can be downloaded in whole or accessed by individual section.


Texas Attorney General’s Medicaid Fraud Control Unit Helps Secure 49-Month Sentence and Over $5 Million Restitution in Orthopedic Supplies Fraud Case

This is a common tale. It seems like most of my time is spent explaining to clients why you cannot pay marketers a percentage of the revenue derived from patients they refer to them. Press Release from Texas Attorney General:

Griffin obtained patients by offering and paying kickbacks to marketers as well as disguising illegal payments as marketing services and outsourced business services. Griffin then submitted false claims to both Medicaid and Medicare for orthopedic equipment that was never provided, not medically necessary, and not authorized by a physician.


HHS Office for Civil Rights Requiring Healthcare Providers to Use HIPAA-compliant Telehealth Platforms by August 10

HHS Office for Civil Rights is requiring all healthcare providers to use HIPAA-compliant telehealth platforms by Aug. 10. When the Public Health Emergency ended in May, CMS provided a transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.

The transition period will expire at 11:59 p.m. on August 9, 2023.

Per CMS, the list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Also note that Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and should not be used in the provision of telehealth by covered health care providers.


Period of Enhanced Oversight for New Hospices in Arizona, California, Nevada, & Texas

CMS is placing newly enrolling hospices located in Arizona, California, Nevada, and Texas in a provisional period of enhanced oversight. Over the last 12 months, CMS has received numerous reports of hospice fraud, waste, and abuse. The number of enrolled hospices has also increased significantly in these states, raising serious concerns about market oversaturation.

“New hospices” include those 1) newly enrolling in the Medicare Program (starting July 13, 2023); 2) submitting a change of ownership (CHOW) that meets all the regulatory requirements under 42 CFR 489.18; and 3) undergoing a 100% ownership change that doesn’t fall under 42 CFR 489.18.

This enhanced oversight period can last from 30 days to 1 year.


Artificial Intelligence, Cybersecurity and the Health Sector

HHS Health Sector Cybersecurity Coordination Center (HC3) has published a report (PDF) detailing cybersecurity concerns for healthcare providers, in particular what can be done to remain secure in the face of AI-enhanced cyberthreats. The report provides an educational overview of generative AI, particularly ChatGPT, and explains the difference between machine learning and neural networks.

More importantly, the report discusses how AI can threaten healthcare and the ways the healthcare sector can defend against AI-enabled threats.


Texas Lawyer Convicted of Conspiracy and Perjury for Laundering Kickbacks

This was intentional criminal conduct of conspiracy and perjury related to Anti-Kickback Statute violations. From a U.S. Attorney’s Office for the Eastern District of Texas Press Release:

“By facilitating kickbacks, this defendant knowingly enabled theft from Medicare and Medicaid, putting personal profit before legitimate patient needs and ultimately costing taxpayers millions of dollars,” said Jason E. Meadows, Special Agent in Charge at the U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG). …

According to information presented in court, [Peter J. Bennett] created sham trusts and shell corporations through which he laundered at least $2,724,080.41 in healthcare kickback proceeds. Bennett used his law firm’s Interest on Lawyers Trust Account (IOLTA), operating account, and a personal bank account to launder and transmit the kickback proceeds. The perjury charges arose out of false statements Bennett made in response to interrogatories propounded in Civil Investigative Demands issued by the Department of Justice as part of a False Claims Act (FCA) investigation. Bennett was indicted by a federal grand jury in February 2022.