Monthly Newsletter

July 2024 Monthly Newsletter

Medical Record Phishing Scams

The Centers for Medicare & Medicaid Services (CMS) sent an alert regarding phishing scams for medical records.  This can include criminals faxing your office fraudulent medical records requests to get you to send patient records in response. 


To Detect a Potential Scam Request, CMS states to look for:

  • Instructions which direct you to send records to an unfamiliar fax number or address
  • Referencing Medicare.gov or @Medicare (.gov)
  • Indicating they need records to “update insurance accordingly”
  • Poor grammar, misspellings, or strange wording
  • Incorrect phone numbers
  • Skewed or outdated logos
  • Graphics that are cut and pasted

If you think you got a fraudulent or questionable request, work with your Medical Review Contractor to confirm if it’s real. Submit medical documentation through the Electronic Submission of Medical Documentation (esMD) system or CMS medical review contractor secure internet portals, when available.

Addressing Malware, Phishing, and Ransomware

Utilize free cybersecurity tools and services from the Cybersecurity & Infrastructure Security Agency (CISA) – America’s Cyber Defense Agency. Malware, phishing, and ransomware are common forms of cyberattacks. CISA offers the tools and services needed to protect against and rapidly respond to attacks. Featured content on the CISA Malware, Phishing & Ransomware webpage:

  • StopRansomware - a whole-of-government approach that gives one central location for ransomware resources and alerts
  • Shields Up – as the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, CISA can render assistance and issue warnings to prevent attacks.
  • Cybersecurity Alerts & Advisories - CISA is continually monitoring cyber space and actively shares threats and vulnerabilities.
  • Joint Ransomware Task Force (JRTF) - serves as the central body for coordinating an ongoing nationwide campaign against ransomware attacks in addition to identifying and pursuing opportunities for international cooperation.

Click Here, scroll down for the featured content and most recent vulnerability alerts.

New HIPAA Privacy Rule Effective June 25, 2024

HIPAA Privacy Rule to Support Reproductive Health Care Privacy


The Office for Civil Rights (OCR), the government’s Health Insurance Portability and Accountability Act (HIPAA) enforcement agency, issued a Final Rule to modify the Privacy Rule to support reproductive health care privacy.  The Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse (Covered Entity) or their business associate for either of the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

To implement the prohibition, the Final Rule requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person. There are various other implications related to complying with the Final Rule, such as updating your Notice of Privacy Practices, retraining your workforce, etc.


Effective Dates - The effective date of the Final Rule is June 25, 2024. This is the date that HIPAA covered entities and their business associates may begin implementing the new requirements. Covered entities and business associates are not required to comply with the new requirements until December 23, 2024, except for the new changes to the HIPAA Notice of Privacy Practices, which have a compliance date of February 16, 2026. Click Here for OCR’s Fact Sheet. Click Here for the full Final Rule in the Federal Register.


For more information, read the July 1, 2024 Article "Reproductive Health & the New Final Rule".  Our HIPAA Privacy Officer and Certified HIPAA Compliance Officer courses contain training in this area as well.

Medical Centers Pay Record $15M Settlement Due to Whistleblower

Settling Allegations of Teaching Hospitals Billing for Concurrent Heart Surgeries 


The $15 million recovery is the largest settlement to date involving concurrent surgeries. In this case, the whistleblower will receive $3,075,000!


The heart surgeries involved in this case are some of the most complicated operations performed at any hospital including coronary artery bypass grafts, valve repairs and aortic repair procedures.  Hospitals involved in this joint settlement are Baylor St. Luke’s Medical Center (BSLMC), Baylor College of Medicine (BCM) and Surgical Associates of Texas P.A. (SAT).


The whistleblower alleged that three heart surgeons engaged in a regular practice of running two operating rooms at once and delegating key aspects of extremely complicated and risky heart surgeries to unqualified medical residents.  Medicare regulations dictate when teaching physicians can leave the operating room for any operation, no matter how complex. The three heart surgeons failed to attend the surgical “timeout”— a critical moment where the entire team would pause and identify key risks to prevent surgical errors, according to the allegations. Learn more about this interesting case.

OIG Cracks Down on Global Surgery Compliance

Surgery Billed Without Appropriate Payment Modifiers


In November of 2022, the Office of the Inspector General (OIG) published a report stating that Medicare has been improperly paying physicians for co-surgery and assistant-at-surgery services billed without complying with federal requirements. In December of 2023, CMS published the Global Surgery (PDF) booklet.


In June 2024, CMS sent a reminder to providers to comply with these rules. AIHC recommends downloading the MLN907166 booklet to learn or refresh your compliance knowledge on coding, billing and payment requirements for surgical services. Also reference the Medicare Claims Processing Manual 100-04, Chapter 12, Sections 40 through 40.1. AIHC offers 4 short free Global Surgery educational videos covering the basics of the surgical package.

How to Conduct an Ethical Investigation

Thursday, July 18, 2024

1:00 pm ET/12:00 pm CT/11:00 am MT/10:00 am PT


AIHC is hosting a free, live webinar featuring speaker Meric Craig Bloch, J.D., attorney and Principal of Winter Investigations, a consulting firm specializing in workplace investigations design, implementation, and training. This webinar will cover the following key topics:

  • The common mistakes investigators make in planning the investigation and understanding their role.
  • The common mistakes investigators make when dealing with the employee who raised the concern about actual or suspected misconduct.
  • The common mistakes investigators make when interviewing the investigation participants.
  • The common mistakes investigators make when documenting the investigation, especially the investigation report.

Reserve your virtual seat today for this 60-minute interactive webinar. AIHC certified professionals earn 1 CEU! If you miss this live event, a recording will be posted to the AIHC YouTube Channel within the Corporate Compliance Playlist. Also check out the online Corporate Compliance certification course.

How to Earn .25 Continuing Education Unit by reading the Monthly Newsletter

  • Login as a Member
  • Click on My Renewals from your DashBoard
  • Click on FREE CEUs for your next credential renewal!