TRENDING:

HITECH Act EHR Program Fraud Alleged

Former Hospital CFO Charged with Submitting False Documents Marianne Kolbasuk McGee (HealthInfoSec) • February 11, 2014    
HITECH Act EHR Program Fraud Alleged

Federal authorities are taking action to crack down on abuse of the HITECH Act electronic health record financial incentive program. They recently filed healthcare fraud charges against a former hospital chief financial officer in Texas, alleging that he falsely attested that the hospital met the program's requirements, leading to payment of $785,000.

See Also: Recovering From a Cyberattack, Responding to the OCR, and Building a Cyber Resilient Posture for the Future: A Conversation with OrthoVirginia CIO, Terri Ripley

A federal grand jury indicted Joe White, former CFO of now-shuttered Shelby Regional Medical Center, in Center, Texas, on charges of making false statements to the Centers for Medicare and Medicaid Services and aggravated identity theft, according to the U.S. Department of Justice.

An spokesman for the Department of Health and Human Services' Office of the Inspector General tells Information Security Media Group that this is "one of the first cases" to arise from an OIG investigation of submitting false HITECH Act EHR "meaningful use" attestations. He declined to discuss other HITECH Act related investigations under way. "This is an area of continuing interest" to the OIG, he says.

To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program. So far, the program has awarded about $18.8 billion worth of incentive payments to more than 4,400 hospitals and more than 320,000 eligible healthcare professionals, according to CMS.

Details of Case

On Nov. 20, 2012, White falsely attested to CMS that Shelby Regional met HITECH Act meaningful use requirements for the 2012 fiscal year by implementing EHRs, federal prosecutors allege. The hospital, in fact, relied on paper records throughout the fiscal year and only minimally used EHRs, authorities say.

"To give the false appearance that the hospital was actually using certified EHR technology, White directed [Shelby Regional's] software vendor and hospital employees to manually input data from paper records into the EHR software, often times months after the patient was discharged and after the end of the fiscal year," according to the Justice Department.

Prosecutors also allege that White falsely attested to the hospital's meaningful use of EHRs by using another person's name and information without that individual's consent or authorization.

Another Fraud Scheme

Shelby Regional was a 54-bed hospital that closed last year amidst legal issues involving its owner, Tariq Mahmood, M.D. of Cedar Hill, Texas. Mahmood was indicted by a federal grand jury on April 11, 2013, and charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.

Mahmood owned and operated several other hospitals in Texas, including Cozby-Germany Hospital in Grand Saline, Renaissance Terrell Hospital in Terrell, Central Texas Hospital in Cameron, and Community General Hospital in Dilley. Federal prosecutors allege that from April 2010 to April 2013, Mahmood and other carried out a scheme to defraud Medicare and Medicaid through the submission of false and fraudulent claims, according to an FBI statement issued last April.

Prosecutors allege that Mahmood and others "changed, deleted, and incorrectly sequenced diagnostic codes in a way that did not reflect the actual diagnoses and conditions of the patients," according to the FBI statement. The defendant and his co-conspirators are alleged to have unlawfully submitted false claims of more than $1.1 million and obtained more than $375,000.

In total, hospitals operated by Mahmood, including Shelby Regional, were paid about $16.8 million by Medicaid and Medicare under the HITECH EHR incentive program for fiscal years 2011 and 2012, authorities say. But the federal indictment against Mahmood filed in April 2013 does not specify HITECH-related fraud. A spokeswoman for the U.S. Attorney's Office in the Eastern District of Texas would not comment on whether prosecutors are investigating HITECH fraud involving the other hospitals that Mahmood operated.

Ramped Up Enforcement

Government regulators have been signaling more intensified scrutiny of HITECH Act meaningful use attestations. For instance, in the HHS OIG's work plan for fiscal 2014 that was issued last month, OIG said it was planning audits of covered entities receiving HITECH Act EHR incentive payments. Those audits will include reviewing whether the healthcare providers, as well and their business associates, such as cloud vendors, adequately protect electronic health information created or maintained by certified EHR technology (see: OIG to Review Medical Device Security).

"I envision that the inspector general's office and HHS are going to more carefully review healthcare providers and facilities to measure the accuracy of [HITECH Act] attestations and to make sure covered entities have, in fact, put the appropriate information security protections in place and have done the HIPAA security risk assessment they attested to, as well as the other meaningful use measures," says attorney David Holtzman. He's a former senior adviser at the HHS Office for Civil Rights official who joined security consulting firm CynergisTek in December as vice president of privacy and security compliance services.

Security expert Brian Evans, a principal at Tom Walsh Consulting, expects there will be other circumstances where "we will likely see more hospitals and physicians giving back their meaningful use incentive payments as a result of auditors finding errors in their documentation."

While Evans says he's not aware of any other fraud cases, "I have found organizations simply misunderstand the meaningful use requirements or misinterpret how best to meet them. When organizations attest to meaningful use, it is a legal statement that they have met specific standards, including the protection of health information. If attestation takes place prior to actually meeting the meaningful use security requirements, then this increases your business liability for federal law violations and making a false claim."

CMS has already begun leveraging predictive modeling technology to identify fraudulent Medicare claims and could explore the feasibility of employing something similar in investigating abuse of the HITECH Act incentive program, Evans notes. CMS also could potentially use these technologies to scrutinize HITECH attestations, identify potential problems and create alerts for further investigation, he says. "This is similar to what credit card companies use to recognize suspicious activity," he says.

Meanwhile, Evans urges healthcare organizations to thoroughly document HIPAA and HITECH compliance activities.

"CMS advises to retain all relevant records that support attestation and record all practice decisions, findings and actions related to safeguarding patient information," he says. "These documents are essential if you are ever audited for meaningful use or compliance with HIPAA."

Previous
NIST Releases Cybersecurity Framework
Next
Steps to Mitigate Spear Phishing

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.