Posted on August 30, 2009 by Robert Cochran

Hospital Pays $4.5 Million to Resolve False Claims Allegations

On August 25, 2009, the Department of Justice announced Covenant Medical Center in Waterloo, Iowa agreed to pay the United States $4.5 million to resolve allegations that it violated the False Claims Act. The settlement resolves allegations that Covenant submitted false claims to Medicare by having financial relationships with five physicians that violated the Stark Law. The government alleged that Covenant violated the Stark Law by paying commercially unreasonable compensation, far above market value, to five employed physicians. According to the government, these physicians were among the highest paid hospital-employed physicians not just in Iowa, but in the entire United States.

Covenant issued a press release denying any wrongdoing or illegal conduct. Covenant maintained the physician compensation was consistent with the approved compensation plan, was based on work personally performed by the physicians, and reflected their exceptionally high level or productivity. Covenant said it made a business decision to settle to avoid the uncertainty of litigation, disruption, and high expense associated with protracted litigation with the government. 

 

An article in the Des Moines Register on May 26, 2005 provides some information about the compensation. The paper reported that Covenant paid one orthopedic surgeon more than $2.1 million and a second orthopedic surgeon more than $1 million. A gastroenterologist was paid nearly $2.1 million. These figures were for the budget year ending in June 2003. 

 

DOJ's press release is here www.justice.gov/opa/pr/2009/August/09-civ-849.html

Tags: , , , , , , , ,
Posted on August 20, 2009 by Kiana Russell

HHS Security Breach Notification Rule

The American Recovery and Reinvestment Act of 2009 (ARRA) was enacted on February 17, 2009.  Section 13402 of ARRA, the Health Information Technology for Economic and Clinical Health Act, obligated the Department of Health and Human Services (HHS) to promulgate interim final regulations within 180 days of enactment to require covered entities under the Health Insurance Portability and Accountability Act of 1996 and their business associates to provide for notification in the case of breaches of unsecured protected health information. Accordingly, HHS has issued the following:

News Release
FOR IMMEDIATE RELEASE
Wednesday, August 19, 2009 
Contact: HHS Press Office
(202) 690-6343

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

New regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached were issued today by the U.S. Department of Health and Human Services (HHS).

These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals.  Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care.  These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, acting director and principal deputy director of OCR.

The regulations were developed after considering public comment received in response to an April 2009 request for information and after close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.

To determine when information is “unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing in the same document as the regulations an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.  Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.  This guidance will be updated annually.

The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.  For more information, visit the HHS Office for Civil Rights Web site.

To track the progress of HHS activities related to ARRA, visit www.hhs.gov/recovery. To track all federal activities related to ARRA, visit www.recovery.gov.

###

The rule is posted at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf and the press release is available at http://www.hhs.gov/news/press/2009pres/08/20090819f.html.
 

Tags: