Archives

CFO Gets Prison Time for HITECH Fraud

June 22, 2015

Hospital Executive Falsified ‘Meaningful Use’ Attestation

By , June 19, 2015.

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.

In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.

Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.

White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice (see CFO Pleads Guilty to HITECH Act Fraud).

To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, “The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program.”

According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.

The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.

Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.

White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.

As a result of White’s false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.

A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, “restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996,” she explains, citing 18 USC 3663A(a)(1), which says, “Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to…any other penalty authorized by law, that the defendant make restitution to the victim of the offense. …”

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid. “My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate,” he says. “That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement.”

Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. “The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program,” he says.

Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.

“The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years,” he says. “An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments.”

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to “meaningful use” of EHRs.

Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple’s HIPAA security risk assessment, he says.

“You can’t skimp on the risk assessment. That’s the first and foremost item that they look for,” he says. “And it can’t be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours.”

At $1.2M, photocopy breach proves costly

August 14, 2013

The U.S. Department of Health and Human Services has settled with Affinity Health Plan, a New York-based managed care plan, for HIPAA violations to the tune of $1,215,780 after a photocopier containing patient information was compromised.

Affinity filed a breach report with the HHS Office for Civil Rights on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act, say HHS officials. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.

Affinity officials were informed by CBS Evening News that, as part of an investigatory report, the television network had purchased a photocopier, previously leased by Affinity, that contained confidential medical information on its hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach.

An HHS Office for Civil Rights investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.

Moreover, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.” In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all PHI.