July 2024 Monthly Newsletter
Medical Record Phishing Scams
The Centers for Medicare & Medicaid Services (CMS) sent an alert regarding phishing scams for medical records. This can include criminals faxing your office fraudulent medical records requests to get you to send patient records in response.
To detect a potential scam request, CMS advises looking for:
- Instructions which direct you to send records to an unfamiliar fax number or address
- Referencing Medicare.gov or @Medicare (.gov)
- Indicating they need records to “update insurance accordingly”
- Poor grammar, misspellings, or strange wording
- Incorrect phone numbers
- Skewed or outdated logos
- Graphics that are cut and pasted
If you think you got a fraudulent or questionable request, work with your Medical Review Contractor to confirm if it’s real. Submit medical documentation through the Electronic Submission of Medical Documentation (esMD) system or CMS medical review contractor secure internet portals, when available.
Addressing Malware, Phishing, and Ransomware
Utilize free cybersecurity tools and services from the Cybersecurity & Infrastructure Security Agency (CISA) – America’s Cyber Defense Agency. Malware, phishing, and ransomware are common forms of cyberattack. CISA offers the tools and services needed to protect against and rapidly respond to attacks. Featured content on the CISA Malware, Phishing & Ransomware webpage:
- StopRansomware - a whole-of-government approach that gives one central location for ransomware resources and alerts
- Shields Up – as the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, CISA can render assistance and issue warnings to prevent attacks.
- Cybersecurity Alerts & Advisories - CISA continually monitors cyberspace and actively shares information on threats and vulnerabilities.
- Joint Ransomware Task Force (JRTF) - serves as the central body for coordinating an ongoing nationwide campaign against ransomware attacks in addition to identifying and pursuing opportunities for international cooperation.
Click Here, scroll down for the featured content and most recent vulnerability alerts.
New HIPAA Privacy Rule Effective June 25, 2024
HIPAA Privacy Rule to Support Reproductive Health Care Privacy
The Office for Civil Rights (OCR), the government’s Health Insurance Portability and Accountability Act (HIPAA) enforcement agency, issued a Final Rule to modify the Privacy Rule to support reproductive health care privacy. The Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse (Covered Entity) or their business associate for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
To implement the prohibition, the Final Rule requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person. There are various other implications related to complying with the Final Rule, such as updating your Notice of Privacy Practices, retraining your workforce, etc.
Effective Dates - The effective date of the Final Rule is June 25, 2024. This is the date that HIPAA covered entities and their business associates may begin implementing the new requirements. Covered entities and business associates are not required to comply with the new requirements until December 23, 2024, except for the new changes to the HIPAA Notice of Privacy Practices, which have a compliance date of February 16, 2026. Click Here for OCR’s Fact Sheet. Click Here for the full Final Rule in the Federal Register.
For more information, read the July 1, 2024 Article "Reproductive Health & the New Final Rule". Our HIPAA Privacy Officer and Certified HIPAA Compliance Officer courses contain training in this area as well.
Medical Centers Pay Record $15M Settlement Due to Whistleblower
Settling Allegations of Teaching Hospitals Billing for Concurrent Heart Surgeries
The $15 million recovery is the largest settlement to date involving concurrent surgeries. In this case, the whistleblower will receive $3,075,000!
The heart surgeries involved in this case are some of the most complicated operations performed at any hospital including coronary artery bypass grafts, valve repairs and aortic repair procedures. Hospitals involved in this joint settlement are Baylor St. Luke’s Medical Center (BSLMC), Baylor College of Medicine (BCM) and Surgical Associates of Texas P.A. (SAT).
The whistleblower alleged that three heart surgeons engaged in a regular practice of running two operating rooms at once and delegating key aspects of extremely complicated and risky heart surgeries to unqualified medical residents. Medicare regulations dictate when teaching physicians can leave the operating room for any operation, no matter how complex. The three heart surgeons failed to attend the surgical “timeout”— a critical moment where the entire team would pause and identify key risks to prevent surgical errors, according to the allegations. Learn more about this interesting case.
OIG Cracks Down on Global Surgery Compliance
Surgery Billed Without Appropriate Payment Modifiers
In November of 2022, the Office of the Inspector General (OIG) published a report stating that Medicare has been improperly paying physicians for co-surgery and assistant-at-surgery services billed without complying with federal requirements. In December of 2023, CMS published the Global Surgery (PDF) booklet.
In June 2024, CMS sent a reminder to providers to comply with these rules. AIHC recommends downloading the MLN907166 booklet to learn or refresh your compliance knowledge on coding, billing and payment requirements for surgical services. Also reference the Medicare Claims Processing Manual 100-04, Chapter 12, Section 40 through 40.1. AIHC offers 4 short free Global Surgery educational videos covering the basics of the surgical package.
How to Conduct an Ethical Investigation
Thursday, July 18, 2024
1:00 pm ET/12:00 pm CT/11:00 am MT/10:00 am PT
AIHC is hosting a free, live webinar featuring speaker Meric Craig Bloch, J.D., attorney and Principal of Winter Investigations, a consulting firm specializing in workplace investigations design, implementation, and training. This webinar will cover the following key topics:
- The common mistakes investigators make in planning the investigation and understanding their role.
- The common mistakes investigators make when dealing with the employee who raised the concern about actual or suspected misconduct.
- The common mistakes investigators make when interviewing the investigation participants.
- The common mistakes investigators make when documenting the investigation, especially the investigation report.
Reserve your virtual seat today for this 60-minute interactive webinar. AIHC certified professionals earn 1 CEU! If you miss this live event, a recording will be posted to the AIHC YouTube Channel within the Corporate Compliance Playlist. Also check out the online Corporate Compliance certification course.
How to Earn .25 Continuing Education Unit by reading the Monthly Newsletter