New HHS-OIG Exclusions

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has announced new additions to its List of Excluded Individuals and Entities (LEIE). The LEIE, often referred to as the HHS-OIG exclusion list, is a centralized registry for individuals and entities that have been prohibited from participating in federally funded healthcare programs, including Medicare and state healthcare programs.

Exclusion is mandatory for individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud or patient abuse or neglect, for felony convictions for other healthcare-related fraud, theft, or financial misconduct, and for felony convictions related to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances. HHS-OIG also has the authority to exclude individuals and entities on other grounds, termed permissive exclusions. Grounds for permissive exclusion include misdemeanor convictions, engaging in unlawful kickbacks, suspension or revocation of a healthcare license, and defaulting on health education loans or scholarship obligations.

If an excluded individual or entity continues to work in the healthcare industry and participates in a federally funded healthcare program, they can face criminal prosecution, fines, permanent loss of licensure, or disbarment. An employer can face substantial civil monetary penalties, triple damages for all items and services claimed in connection with that individual or entity, and potentially loss of all federal funding or costly and highly intrusive ongoing monitoring by HHS-OIG.

Each healthcare entity is responsible for ensuring that no new hires or existing employees are excluded. The LEIE must be checked prior to any hire, and routine checks should be conducted to ensure that no current employee has been added to the LEIE.

The following entities and individuals have recently been added to the LEIE:

Myers Southern – Myers Southern, LLC, of Bartow, Florida, was excluded for a period of 7 years from participation in federally funded health care programs for failing to respond to an HHS-OIG subpoena that was necessary to determine whether Medicare payments were due, and the amounts associated with those payments.

Dr. Nathan Hanflink and Pain Management Institute – Dr. Nathan Hanflink and Pain Management Institute in Florida have been excluded from participation in federally funded healthcare programs for 5 years following an HHS-OIG investigation that determined they submitted claims to Medicare Part B for chronic care management services that were never rendered.

Sunshine Care Partners and Rusty McMurray – Sunshine Care Partners and its owner, Rusty McMurray, have been excluded from participation in healthcare programs for 10 years after knowingly submitting claims for complex chronic care management services for individuals who were never provided with those services. According to HHS-OIG, those complex care management services only involved having employees take the temperature of all individuals entering the facility, sanitizing and cleaning front desk areas, and organizing paperwork.

The post New HHS-OIG Exclusions appeared first on The HIPAA Journal.

Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit

A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI).

MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security numbers, driver’s license numbers, government-issued ID numbers, health information, and health insurance information. When the ransom was not paid, the LockBit group proceeded to leak the stolen data. The affected individuals were notified about the data breach in late May 2023.

A data breach of this scale was certain to trigger multiple class action lawsuits, the first of which was filed on June 5, 2023. In total, the defendants were named in 25 putative class action lawsuits. The lawsuits were materially and substantively identical, with overlapping claims, and on July 13, 2023, the lawsuits were consolidated into a single action – Crowe et al. v. Managed Care of North America Inc. d/b/a MCNA Dental, MCNA Insurance Company dba MCNA Dental, and Healthplex, Inc. – in the United States District Court for the Southern District of Florida.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of state consumer protection statutes, and declaratory and injunctive relief. No settlement was reached during court-appointed mediation, and the defendants sought to have the case dismissed. The lawsuit survived, and extensive discovery and litigation followed, along with a second unsuccessful attempt at mediation. After extensive subsequent settlement discussions, the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, with no admission of liability or wrongdoing by the defendants. The defendants have agreed to establish a multi-million-dollar settlement fund to pay benefits to the class members, attorneys’ fees (up to $6,400,000), attorneys’ expenses (up to $1,313,000), and settlement administration costs (up to $2,000,000). The total value of the settlement has not been made public.

Class members may submit a claim for reimbursement of documented losses due to the data breach up to a maximum of $2,500 per class member; however, these claims have been capped at a total of $250,000. Class members are eligible to claim two years of medical data monitoring services, which include a $1 million identity theft reimbursement policy. These services have a retail cost of $179.40 per year for each class member who enrolls. In addition to paying the costs and benefits, MCNA has agreed to take several steps to improve security and has updated its business practices to reduce the risk of similar breaches in the future.

While all parties have agreed to the terms of the settlement, it has yet to receive preliminary approval from the court. The dates for objection, exclusion, and submitting claims will be set when and if the court approves the settlement. Class members will start to be notified directly about the settlement within 30 days of the court’s preliminary approval order. The notifications will include information on how to submit a claim and a code to activate the medical data monitoring service.


Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures

The national retail company Spencer Gifts LLC has agreed to a $450,000 settlement to resolve alleged violations of the HIPAA Rules that OCR identified while investigating a data breach affecting 10,023 members of its employer-sponsored group health plan (Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans).

In November 2021, staff were prevented from connecting to the company’s virtual private network. The IT issue was investigated, and the access issues were determined to be due to a ransomware attack. A threat actor had accessed the company’s network between November 24, 2021, and November 26, 2021, and used ransomware to encrypt files, including files on servers that stored plan members’ electronic protected health information (ePHI). Data exposed and potentially stolen in the incident included names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR was notified about the data breach on January 24, 2022.

OCR investigates all reported breaches affecting 500 or more individuals to determine whether they were the result of HIPAA noncompliance. Under its current enforcement initiative, OCR is laser-focused on the risk analysis provision of the HIPAA Security Rule. OCR requires evidence to demonstrate that a regulated entity has conducted a thorough and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

OCR determined that Spencer Gifts had failed to conduct a HIPAA-compliant risk analysis, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Spencer Gifts was also found to have failed to implement policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules, in violation of 45 C.F.R. § 164.316(a) and 45 C.F.R. § 164.530(i)(1).

OCR determined that the HIPAA violations warranted a financial penalty. Spencer Gifts was informed of OCR’s determination and intention to impose a financial penalty, and the health plan was given the opportunity to settle the alleged violations informally. Spencer Gifts agreed to pay a $450,000 financial penalty and adopt a corrective action plan to address the alleged areas of noncompliance.

The corrective action plan requires Spencer Gifts to conduct a comprehensive and accurate risk analysis, review and update its HIPAA policies and procedures, distribute those policies and procedures to the workforce, and provide HIPAA training to its workforce.

This is the 20th OCR investigation of a ransomware attack resulting in a financial penalty for noncompliance with the HIPAA Rules, the 14th enforcement action under OCR’s risk analysis enforcement initiative, and the 7th HIPAA penalty to be announced this year. So far this year, OCR has collected $1,728,000 in penalties to resolve alleged violations of the HIPAA Rules from three healthcare providers, two health plans, and two business associates.
