The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to a $20,000 settlement with AccuCare Home Health Services to resolve allegations that the home healthcare provider employed an individual on the HHS-OIG exclusions list and billed services provided by that individual to federally funded healthcare programs.

AccuCare Home Health Services is a Mesa, Arizona-based provider of home health care services, specializing in skilled nursing, physical therapy, occupational therapy, speech therapy, and medical social services. According to HHS-OIG, AccuCare Home Health Services was discovered to have employed a home healthcare aide who was not permitted to participate in any federally funded healthcare program, and billed products or services provided by that individual to federal health care programs. The alleged violation was settled with a $20,000 financial penalty.

Healthcare organizations must ensure that a check is conducted of the HHS-OIG List of Excluded Individuals and Entities (LEIE) prior to onboarding a new employee. Regular checks must also be conducted on all employees, since individuals may be added to the LEIE after their employment commences. The HHS’ Office for Civil Rights imposes relatively few financial penalties for HIPAA violations; however, when it comes to HHS OIG compliance, there is a much greater risk of a financial penalty if violations are identified. HHS-OIG regularly imposes significant financial penalties for claiming for items and services provided by excluded individuals and companies, submitting false claims, and violations of the Stark Law and the Anti-Kickback Statute. In addition to a financial penalty, there is a risk of being added to the HHS exclusion list, which will prohibit an individual or company from participating in federally funded health care programs.

On November 12, 2025, HHS-OIG announced that William Mangan, DO (Dr. Mangan) of Okemos, Michigan, had agreed to be excluded from participating in federally funded healthcare programs for a period of 10 years in connection with False Claims Act violations. Dr. Mangan was investigated by HHS-OIG in connection with allegations that he ordered genetic tests, durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) that were not reasonable or medically necessary and submitted claims to federally funded health care programs. Dr. Mangan claimed that he had evaluated patients and falsely certified that the ordered products were medically necessary when he failed to perform an adequate review.

Individuals can face severe penalties for knowingly causing products or services to be billed to federally funded healthcare programs when they are on the HHS-OIG exclusion list. Erik X. Alonso, 55, of Miami, Florida, had been convicted of conspiracy to commit health care fraud in 2015 for offenses in the Southern District of Florida. As a result of the conviction, Alonso was placed on the exclusion list and was fully aware that he was prohibited from participating in work that was billed to federally funded healthcare programs. In March 2022, Alonso started working for a telehealth mental health provider in New Hampshire and provided services to patients in the state that he knew would be billed to Medicaid. Alonso caused New Hampshire Medicaid to pay approximately $173,998.83 based on false and fraudulent claims. The healthcare fraud was discovered, and Alonso entered a guilty plea to one count of healthcare fraud and is awaiting sentencing. He now faces up to 10 years in jail.

The post AccuCare Home Health Services Pays $20,000 Fine for Employing Excluded Individual appeared first on The HIPAA Journal.

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. While downloads of detailed participants’ data are prohibited, there were no access controls in place to prevent data downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

The post Audit Uncovers Security Weaknesses in the NIH All of Us Security Program appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs.

Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion.

For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10 years, although three convictions will result in permanent exclusion.

If an individual is excluded, they are not permitted to work within the healthcare industry for any company that accepts federal funds, which can severely limit work opportunities. Since excluded individuals may still seek employment in the healthcare field, it is vital for employers to regularly check the exclusion list to ensure that new hires can be employed, and also to conduct regular checks of all employed individuals to ensure they can continue to be employed. Employing or continuing to employ an excluded individual risks civil monetary penalties.

HHS-OIG has recently announced new additions to its exclusion list, all of which see the individuals and entities excluded from federally funded healthcare programs for 10 years. In August, HHS-OIG entered into a settlement agreement with Ideal Health Diagnostics, Inc. (Ideal Health) and Svetlana Dizik (Dizik), of Glenview, Illinois, that requires a payment of $227,193.28 in addition to the 10-year exclusion. HHS-OIG alleged that Ideal Health and Dizik solicited and received improper remuneration from Perry Rudich, MD, in exchange for referrals for radiological interpretative services. Ideal Health and Dizik also caused claims to be submitted to Medicare that falsely identified Dr. Rudich as the rendering provider of items and services that he did not perform. Ideal Health and Dizik were not enrolled in Medicare, so they could not bill Medicare for those services themselves or receive payment for those services from Medicare.

In September, HHS-OIG announced 10-year exclusions for Optimum Faith Lab Corp. and its owner, Opal Mullings. Opal Mullings and Optimum had submitted claims for mileage under HCPCS Code P9603 that were improperly inflated, in excess of the actual mileage driven by phlebotomists, not properly prorated, or both. Further, claims were submitted for travel allowance, when only a fingerstick blood draw was performed, when Medicare rules do not permit travel allowance to be claimed for that purpose, and travel allowance was also claimed for laboratory services that were never rendered.

The post HHS-OIG Announces 10-Year Exclusions for Companies and Individuals appeared first on The HIPAA Journal.

The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.

EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.

North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.

The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility.  NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.

Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital.  SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.

The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to settle alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) patient dumping statute with UAB Medical West, Frankfort Regional Medical Center, and Flowers Hospital.

EMTALA is a federal law that ensures universal access to emergency medical care. EMTALA requires Medicare-participating hospitals to provide a medical screening examination to determine if a patient presenting at the hospital has an emergency medical condition, and provide stabilizing treatment for that condition or arrange an appropriate transfer to another facility if the hospital cannot provide the necessary treatment. Hospitals with specialized capabilities must accept transfers of patients with specialized needs if they have the capacity to provide treatment. These requirements apply to all individuals presenting at a hospital, regardless of their insurance status or ability to pay.

Frankfort Regional Medical Center

Frankfort Regional Medical Center (FRMC) was investigated by HHS-OIG after self-reporting a potential EMTALA violation that occurred in June 2022. A patient presented at the FRMC emergency department via ambulance, complaining about heat exhaustion after working in a hot factory for seven hours. The patient complained about a severe frontal headache, nausea, and had projectile vomited in the ambulance en route to the hospital. The patient rated his headache as an 8 on the 1-10 scale, had clammy skin, and had vomiting/dry heaving. Diagnostic blood work revealed the patient had hyponatremia (low blood salt), hypokalemia (low blood potassium), and mild dehydration, and the physician’s notes stated he was tachycardic.

The ED physician went to speak with the patient, who was upset, and he was allowed to go back to sleep. Two hours later, the patient was difficult to arouse, lethargic, and bradycardic, and his respiration rate was slowing. The ED staff were unsuccessful in trying to arouse the patient with ammonia salts. The patient was provided with Narcan by the ED physician, who suspected a possible drug overdose. The patient then got upset and started to walk around the ED. The police department was called to arrest the patient for trespassing.

The patient sat down in an ED hallway with his arms crossed and head down, and was unresponsive to the ED staff and was no longer verbal. The ED physician cleared the patient to be discharged to jail with instructions for adult dehydration and a clinical note of a drug overdose. Within 24 hours, the patient was admitted to another hospital and received treatment for heat exhaustion. HHS-OIG determined EMTALA had been violated, and the case was settled with a $110,000 financial penalty.

UAB Medical West

UAB Medical West is a Birmingham, AL-based health system that operates a 200-bed UAB Medical West Hospital and numerous primary care facilities in and around Birmingham. UAB Medical West was investigated over a potential EMTALA violation following a complaint about an alleged failure to provide stabilizing treatment to a patient with an emergency medical condition.

HHS-OIG investigated and determined that in May 2023, a patient who presented at the freestanding UAB Medical West Emergency Department (ED) was discharged from the hospital without appropriate treatment, with an instruction to drive to another hospital for a consultation with a urologist and to get stabilizing treatment. The patient had presented at the ED with acute urinary retention – a medical condition that requires immediate medical attention.

Under EMTALA, UAB Medical West was required to provide stabilizing treatment. While staff at the hospital attempted to catheterize the patient, those efforts were unsuccessful, and the patient was not provided with any pain relief, despite the ED having a urologist on-call and access to urology supplies at its main ED. HHS-OIG and UAB Medical West agreed to settle the alleged EMTALA violation with a $100,000 financial penalty.

Flowers Hospital

Flowers Hospital, a 311-bed hospital in Dothan, Alabama, was investigated over an alleged failure to accept two patients who had been transferred to the hospital to receive specialized medical care, as the hospitals where the patients presented lacked the capabilities to provide appropriate care. Both refused transfers occurred in May 2021.

One patient had presented at the ED of an unrelated hospital following an assault and was determined to have multiple facial fractures, including on both sides of his lower jaw. A transfer was attempted as the hospital did not have an oral maxillofacial surgical (OMFS) specialist. The request was denied by Flowers Hospital, which claimed that its OMFS specialist only treated patients with old fractures, not patients with new traumas.

Another patient presented at the ED of a hospital with severe dental pain, which had been worsening for a week. Since the hospital did not have an OMFS specialist, a transfer was attempted, but was declined by the OMFS specialist because Flowers Hospital was not the closest facility with physicians able to provide the necessary stabilizing treatment. HHS-OIG determined that both refusals violated EMTALA, and the case was settled with a $150,000 financial penalty.

The post HHS-OIG Imposes Three Penalties for EMTALA Violations appeared first on The HIPAA Journal.

Before hiring any individual or onboarding a new vendor, healthcare organizations that participate in federal healthcare programs such as Medicare or Medicaid must complete due diligence and check to ensure that the individual or entity is not excluded from participating in federally funded healthcare programs.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusions list consisting of individuals and entities that have been prohibited from participating in federal healthcare programs. Individuals and entities are added to the List of Excluded Individuals and Entities (LEIE) after being found guilty of fraud, abuse, or neglect, although they may be added to the list for other reasons at the discretion of HHS-OIG.

Failure to check the LEIE and subsequently billing federal healthcare programs for products or services provided by an excluded individual or entity can result in a significant fine. In addition to pre-engagement checks of the database, healthcare organizations must conduct regular checks of the LEIE for existing employees, contractors, and vendors. All checks must be documented to maintain an audit trail.

Free Webinar on Sanctions and Exclusions Compliance

Readers of the HIPAA Journal are invited to attend a free webinar, where they will be able to hear from leading compliance experts who will give their expert advice about implementing and maintaining an effective screening program that goes beyond the basic requirements to include establishing and managing conflict of interest programs.

The webinar – The Complete Exclusion Screening Playbook: From Sanctions to Conflicts of Interest – will take place on Tuesday, September 9, 2025. You can find out more and register for the event here.

Recent LEIE additions and Financial Penalties

HHS-OIG has recently announced four new additions to the LEIE, and one financial penalty for a healthcare provider for employing an excluded individual and billing federal healthcare programs for products or services provided by that individual.

• Kidspeace National Centers of New England, Inc., in Ellsworth, Maine, was discovered to have employed an excluded speech pathologist. In this case, the individual was not employed directly, but through a contractor. The alleged violation was settled with HHS-OIG on July 31, 2025, with a $44,736.78 financial penalty.
• Brant Jolly, of Fayetteville, Arkansas, has been excluded from participating in federally funded healthcare programs for 10 years for violating the False Claims Act by causing the submission of false claims to Medicare for lab tests that were either never ordered, never rendered, or involved deceased beneficiaries.
• Nirmal Mulye, PhD, based in Miami, Florida, was added to the LEIE by HHS-OIG for defaulting on payment obligations. Dr. Mulye had previously founded a company that was determined to have underpaid Medicaid rebates, then defaulted on his payment obligations under an active settlement agreement. Dr. Mulye will remain on the LEIE until reinstated by HHS-OIG after curing the default.
• Andres Gomes, MD, of Puerto Rico, defaulted on his payments under a False Claims Act settlement agreement with the Department of Justice and HHS-OIG. The settlement agreement resolved allegations that Dr. Gomes did not pay proper remuneration to physicians for patient referrals to clinics for the surgical treatment of peripheral arterial disease. Dr. Gomes will remain on the LEIE until he cures the default.

The post New HHS-OIG Exclusions and Financial Penalties appeared first on The HIPAA Journal.