Health Care Law Blog

Advocate Health Care Network (Advocate), one of the nation’s largest health care systems, recently reached a $5.55 million settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The $5.55 million settlement is the largest HIPAA settlement in history against a single entity.

OCR's investigation arose after Advocate reported three separate data breaches to OCR that occurred between July and November of 2013. The first breach occurred when four desktop computers were stolen from an Advocate administrative building. Another breach occurred when an unencrypted laptop was stolen from an Advocate employee's unlocked vehicle. A third breach occurred when an unauthorized third party accessed the network of a company that provides billing services to Advocate. A total of more than 4 million patient records were affected by the breaches. 

On March 31, 2016, the United States District Court for the Northern District of Alabama granted summary judgment for AseraCare in one of the largest False Claims Act (FCA) lawsuits against a hospice provider. In this whistleblower case, the government sought over $200 million, alleging that defendant AseraCare overbilled Medicare for hospice services by falsely certifying that patients were eligible for hospice care.

The litigation began when six AseraCare employees in Alabama, Wisconsin and Georgia (the "relators") filed whistleblower cases under the FCA. The employees alleged that AseraCare knowingly submitted false claims to Medicare by falsely certifying that patients met the Medicare eligibility requirements for the hospice benefit. In order to be eligible for the Medicare hospice benefit, a patient's physician must certify that "the individual's prognosis is for a life expectancy of 6 months or less if the terminal illness runs its normal course." 42 C.F.R. § 418.22(b)(1). The Department of Justice (DOJ) intervened in January 2012.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it reached resolution agreements and corrective action plans with two health care entities - a health system and a research institution - in connection with alleged violations of the Health Insurance Portability and Protection Act of 1996 (HIPAA). These cases underscore the importance of ongoing HIPAA compliance vigilance by covered entities and business associates, particularly in light of OCR’s recent announcement that it has commenced Phase 2 of its audit program.

Hospitals are required to report certain adverse clinical privileging actions and medical malpractice payments to the National Practitioner Data Bank (NPDB).  Since the NPDB was established by the Health Care Quality Improvement Act (HCQIA) in 1986, compliance with these reporting obligations has been largely entrusted to hospitals with little enforcement action by the United States Department of Health and Human Services.  There are now reports that the federal government has begun auditing compliance by hospitals with the NPDB reporting requirements.