The U.S. Attorney for the Eastern District of Texas announced that a hospital CFO pleaded guilty to making a false statement when attesting to his hospital’s compliance with “meaningful use” requirements. According to the announcement of the meaningful use false statement plea, the CFO:
… pleaded guilty on Nov. 12, 2014 to making a false statement and was sentenced to 23 months in federal prison today by U.S. District Judge Michael Schneider. White was also ordered to pay restitution in the amount of $4,483,089.09 to Medicare’s Electronic Health Record (EHR) Incentive Program.
According to information presented in court, White was the Chief Financial Officer for Shelby Regional Medical Center in Center, Texas, in addition to other hospitals owned and operated by Dr. Tariq Mahmood. White oversaw the implementation of electronic health records for the hospital and was responsible for attesting to the meaningful use of electronic health records in order to qualify to receive incentive payments under Medicare’s EHR Incentive Program. On Nov. 20, 2012, White knowingly made a false statement to Medicare falsely representing that the hospital was a meaningful user of electronic health records, when the hospital did not meet the meaningful use requirements. As a result, Shelby Regional Medical Center received $785,655.00 from Medicare. In total, hospitals owned by Mahmood were paid over $16 million under the Medicare and Medicaid EHR Incentive Programs. White was indicted by a federal grand jury on Jan. 22, 2014….
This case was investigated by the U.S. Department of Health and Human Services—Office of the Inspector General (HHS-OIG), the Texas Office of the Attorney General—Medicaid Fraud Control Unit (OAG-MFCU), and the Federal Bureau of Investigation (FBI). This case is being prosecuted by Special Assistant U.S. Attorney Kenneth C. McGurk and Assistant U.S. Attorney Nathaniel C. Kummerfeld.
A HIPAA security risk assessment is required as part of HIPAA compliance under the HIPAA Security Rule, and HIPAA Security Rule compliance is in turn a condition of EHR meaningful use attestation.
Although this case specifically involves meaningful use attestation and receipt of payments under Medicare, a broader conclusion may be that the federal government is ratcheting up healthcare compliance enforcement, including zeroing in on false representations of compliance. In other words:
All ye who take HIPAA lightly ….
Be scared … very scared …
A HIPAA risk assessment must be customized and scaled to the institution. The federal government provides a handy list of HIPAA compliance myths (and facts) regarding Security Rule risk analysis.
My favorites include:
1. The security risk analysis is optional for small providers.
- False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis….
3. My EHR vendor took care of everything I need to do about privacy and security.
- False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
5. A checklist will suffice for the risk analysis requirement.
- False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
6. There is a specific risk analysis method that I must follow.
- False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
Contact our privacy and security lawyers with any questions about HIPAA privacy and security compliance.