HHS OIG Compliance News

HHS-OIG Announces 10-Year Exclusions for Companies and Individuals

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs.

Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion.

For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10 years, although three convictions will result in permanent exclusion.

If an individual is excluded, they are not permitted to work within the healthcare industry for any company that accepts federal funds, which can severely limit work opportunities. Since excluded individuals may still seek employment in the healthcare field, it is vital for employers to regularly check the exclusion list to ensure that new hires can be employed, and also to conduct regular checks of all employed individuals to ensure they can continue to be employed. Employing or continuing to employ an excluded individual risks civil monetary penalties.

HHS-OIG has recently announced new additions to its exclusion list, all of which see the individuals and entities excluded from federally funded healthcare programs for 10 years. In August, HHS-OIG entered into a settlement agreement with Ideal Health Diagnostics, Inc. (Ideal Health) and Svetlana Dizik (Dizik), of Glenview, Illinois, that requires a payment of $227,193.28 in addition to the 10-year exclusion. HHS-OIG alleged that Ideal Health and Dizik solicited and received improper remuneration from Perry Rudich, MD, in exchange for referrals for radiological interpretative services. Ideal Health and Dizik also caused claims to be submitted to Medicare that falsely identified Dr. Rudich as the rendering provider of items and services that he did not perform. Ideal Health and Dizik were not enrolled in Medicare, so they could not bill Medicare for those services themselves or receive payment for those services from Medicare.

In September, HHS-OIG announced 10-year exclusions for Optimum Faith Lab Corp. and its owner, Opal Mullings. Opal Mullings and Optimum had submitted claims for mileage under HCPCS Code P9603 that were improperly inflated, in excess of the actual mileage driven by phlebotomists, not properly prorated, or both. Further, claims were submitted for travel allowance, when only a fingerstick blood draw was performed, when Medicare rules do not permit travel allowance to be claimed for that purpose, and travel allowance was also claimed for laboratory services that were never rendered.

The post HHS-OIG Announces 10-Year Exclusions for Companies and Individuals appeared first on The HIPAA Journal.

Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions

The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.

EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.

North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.

The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility.  NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.

Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital.  SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.

The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.

HHS-OIG Imposes Three Penalties for EMTALA Violations

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to settle alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) patient dumping statute with UAB Medical West, Frankfort Regional Medical Center, and Flowers Hospital.

EMTALA is a federal law that ensures universal access to emergency medical care. EMTALA requires Medicare-participating hospitals to provide a medical screening examination to determine if a patient presenting at the hospital has an emergency medical condition, and provide stabilizing treatment for that condition or arrange an appropriate transfer to another facility if the hospital cannot provide the necessary treatment. Hospitals with specialized capabilities must accept transfers of patients with specialized needs if they have the capacity to provide treatment. These requirements apply to all individuals presenting at a hospital, regardless of their insurance status or ability to pay.

Frankfort Regional Medical Center

Frankfort Regional Medical Center (FRMC) was investigated by HHS-OIG after self-reporting a potential EMTALA violation that occurred in June 2022. A patient presented at the FRMC emergency department via ambulance, complaining about heat exhaustion after working in a hot factory for seven hours. The patient complained about a severe frontal headache, nausea, and had projectile vomited in the ambulance en route to the hospital. The patient rated his headache as an 8 on the 1-10 scale, had clammy skin, and had vomiting/dry heaving. Diagnostic blood work revealed the patient had hyponatremia (low blood salt), hypokalemia (low blood potassium), and mild dehydration, and the physician’s notes stated he was tachycardic.

The ED physician went to speak with the patient, who was upset, and he was allowed to go back to sleep. Two hours later, the patient was difficult to arouse, lethargic, and bradycardic, and his respiration rate was slowing. The ED staff were unsuccessful in trying to arouse the patient with ammonia salts. The patient was provided with Narcan by the ED physician, who suspected a possible drug overdose. The patient then got upset and started to walk around the ED. The police department was called to arrest the patient for trespassing.

The patient sat down in an ED hallway with his arms crossed and head down, and was unresponsive to the ED staff and was no longer verbal. The ED physician cleared the patient to be discharged to jail with instructions for adult dehydration and a clinical note of a drug overdose. Within 24 hours, the patient was admitted to another hospital and received treatment for heat exhaustion. HHS-OIG determined EMTALA had been violated, and the case was settled with a $110,000 financial penalty.

UAB Medical West

UAB Medical West is a Birmingham, AL-based health system that operates a 200-bed UAB Medical West Hospital and numerous primary care facilities in and around Birmingham. UAB Medical West was investigated over a potential EMTALA violation following a complaint about an alleged failure to provide stabilizing treatment to a patient with an emergency medical condition.

HHS-OIG investigated and determined that in May 2023, a patient who presented at the freestanding UAB Medical West Emergency Department (ED) was discharged from the hospital without appropriate treatment, with an instruction to drive to another hospital for a consultation with a urologist and to get stabilizing treatment. The patient had presented at the ED with acute urinary retention – a medical condition that requires immediate medical attention.

Under EMTALA, UAB Medical West was required to provide stabilizing treatment. While staff at the hospital attempted to catheterize the patient, those efforts were unsuccessful, and the patient was not provided with any pain relief, despite the ED having a urologist on-call and access to urology supplies at its main ED. HHS-OIG and UAB Medical West agreed to settle the alleged EMTALA violation with a $100,000 financial penalty.

Flowers Hospital

Flowers Hospital, a 311-bed hospital in Dothan, Alabama, was investigated over an alleged failure to accept two patients who had been transferred to the hospital to receive specialized medical care, as the hospitals where the patients presented lacked the capabilities to provide appropriate care. Both refused transfers occurred in May 2021.

One patient had presented at the ED of an unrelated hospital following an assault and was determined to have multiple facial fractures, including on both sides of his lower jaw. A transfer was attempted as the hospital did not have an oral maxillofacial surgical (OMFS) specialist. The request was denied by Flowers Hospital, which claimed that its OMFS specialist only treated patients with old fractures, not patients with new traumas.

Another patient presented at the ED of a hospital with severe dental pain, which had been worsening for a week. Since the hospital did not have an OMFS specialist, a transfer was attempted, but was declined by the OMFS specialist because Flowers Hospital was not the closest facility with physicians able to provide the necessary stabilizing treatment. HHS-OIG determined that both refusals violated EMTALA, and the case was settled with a $150,000 financial penalty.

The post HHS-OIG Imposes Three Penalties for EMTALA Violations appeared first on The HIPAA Journal.

New HHS-OIG Exclusions and Financial Penalties

Before hiring any individual or onboarding a new vendor, healthcare organizations that participate in federal healthcare programs such as Medicare or Medicaid must complete due diligence and check to ensure that the individual or entity is not excluded from participating in federally funded healthcare programs.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusions list consisting of individuals and entities that have been prohibited from participating in federal healthcare programs. Individuals and entities are added to the List of Excluded Individuals and Entities (LEIE) after being found guilty of fraud, abuse, or neglect, although they may be added to the list for other reasons at the discretion of HHS-OIG.

Failure to check the LEIE and subsequently billing federal healthcare programs for products or services provided by an excluded individual or entity can result in a significant fine. In addition to pre-engagement checks of the database, healthcare organizations must conduct regular checks of the LEIE for existing employees, contractors, and vendors. All checks must be documented to maintain an audit trail.

Free Webinar on Sanctions and Exclusions Compliance

Readers of the HIPAA Journal are invited to attend a free webinar, where they will be able to hear from leading compliance experts who will give their expert advice about implementing and maintaining an effective screening program that goes beyond the basic requirements to include establishing and managing conflict of interest programs.

The webinar – The Complete Exclusion Screening Playbook: From Sanctions to Conflicts of Interest – will take place on Tuesday, September 9, 2025. You can find out more and register for the event here.

Recent LEIE additions and Financial Penalties

HHS-OIG has recently announced four new additions to the LEIE, and one financial penalty for a healthcare provider for employing an excluded individual and billing federal healthcare programs for products or services provided by that individual.

  • Kidspeace National Centers of New England, Inc., in Ellsworth, Maine, was discovered to have employed an excluded speech pathologist. In this case, the individual was not employed directly, but through a contractor. The alleged violation was settled with HHS-OIG on July 31, 2025, with a $44,736.78 financial penalty.
  • Brant Jolly, of Fayetteville, Arkansas, has been excluded from participating in federally funded healthcare programs for 10 years for violating the False Claims Act by causing the submission of false claims to Medicare for lab tests that were either never ordered, never rendered, or involved deceased beneficiaries.
  • Nirmal Mulye, PhD, based in Miami, Florida, was added to the LEIE by HHS-OIG for defaulting on payment obligations. Dr. Mulye had previously founded a company that was determined to have underpaid Medicaid rebates, then defaulted on his payment obligations under an active settlement agreement. Dr. Mulye will remain on the LEIE until reinstated by HHS-OIG after curing the default.
  • Andres Gomes, MD, of Puerto Rico, defaulted on his payments under a False Claims Act settlement agreement with the Department of Justice and HHS-OIG. The settlement agreement resolved allegations that Dr. Gomes did not pay proper remuneration to physicians for patient referrals to clinics for the surgical treatment of peripheral arterial disease. Dr. Gomes will remain on the LEIE until he cures the default.

The post New HHS-OIG Exclusions and Financial Penalties appeared first on The HIPAA Journal.

HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital

An audit of a large northeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified cybersecurity gaps and weaknesses that are likely to be present in similarly sized hospitals across the country.

Cyberattacks on healthcare organizations have increased sharply in recent years. Between 2018 and 2022, there was a 93% increase in large data breaches reported to the HHS’ Office for Civil Rights (OCR) and a 278% increase in large data breaches involving ransomware. In 2022 alone, OCR received 64,592 reports of healthcare data breaches, across which the protected health information of 42 million individuals may have been exposed or stolen.

The HHS plays an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and healthcare delivery from cyberattacks. The large number of successful cyberattacks raises questions about whether the HHS, including the Centers for Medicare and Medicaid Services (CMS) and OCR, could do more with its cybersecurity guidance, oversight, and outreach to help healthcare organizations implement robust cybersecurity controls and better protect their networks from attack.

While OCR usually conducts audits of HIPAA-regulated entities to assess cybersecurity and compliance with the HIPAA Rules, HHS-OIG’s 2025 Work Plan includes a series of 10 audits of U.S. hospitals to gain insights into healthcare cybersecurity and assess the cybersecurity measures that have been put in place. A northeastern hospital with more than 300 beds agreed to an audit to assess whether appropriate cybersecurity controls had been implemented for preventing and detecting cyberattacks, whether protocols had been developed for ensuring the continuity of care during a cyberattack, and the controls in place to protect Medicare enrollee data. The audited entity was not named due to the threat of cyberattacks.

The hospital is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and is a covered entity under HIPAA required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. As a provider of healthcare services under the Medicare program, the hospital is also required to comply with the CMS Conditions of Participation (CoPs). The hospital had implemented measures to comply with the CoPs and HIPAA, and had voluntarily implemented the NIST Cybersecurity Framework to reduce and better manage cybersecurity risks

The hospital was found to have implemented data security measures to protect Medicare data and had effective cybersecurity controls to ensure continuity of care in the event of a cyberattack, including appropriate network architecture, backup strategies, incident response plans, and disaster recovery controls. HHS-OIG did, however, identify several cybersecurity weaknesses and security gaps.

HHS-OIG conducted several simulated cyberattacks on Internet-facing systems and found its cybersecurity controls, which included a web application firewall (WAF), were generally effective at blocking or limiting malicious requests. Simulated phishing emails were also sent to employees, and no employee responded or interacted with the fake website HHS-OIG had set up for the phishing scam.

HHS-OIG analyzed 26 internet-accessible systems and discovered two had weaknesses in their cybersecurity controls that could potentially be exploited by threat actors to gain access to systems. HHS-OIG also identified 13 web applications with cybersecurity weaknesses related to configuration management controls, and 16 Internet-accessible systems had weaknesses in their cybersecurity controls regarding identification and authentication that left them susceptible to interactions and manipulations by threat actors

HHS-OIG explained that the weaknesses occurred due to the integration of two systems with its existing IT environment without following security best practices. Further, while there were procedures for periodically assessing web application security controls, they were not effective at identifying weaknesses before they were potentially exploited, and industry web application security best practices had not been effectively implemented.

While the systems that were susceptible to some of the HHS-OIG’s simulated attacks did not contain patient data, compromising those systems could potentially provide attackers with a launch pad for conducting additional attacks against other systems, including systems that contained patient data. A threat actor could also use information gathered in an attack on a vulnerable system to conduct more convincing social engineering campaigns on the workforce.

The hospital concurred with all five HHS-OIG recommendations:

  • Enforce and periodically assess compliance with its configuration and change management policy.
  • Periodically assess and update its identification and authentication controls.
  • Periodically assess and update its configuration management controls.
  • Establish a policy or process to periodically assess its internet-accessible systems and application security controls for vulnerabilities.
  • Ensure developers follow secure coding practices.

The post HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital appeared first on The HIPAA Journal.

The Harris Poll Survey Reveals Growing Concern About Workplace Safety in Healthcare

A recent survey by The Harris Poll has revealed that three out of five (59%) healthcare workers are concerned about safety in the workplace, and almost two out of five healthcare workers have considered leaving their employment due to safety concerns as incidents of violence in the workplace increase.

The survey was conducted between April 21 and May 7, 2025, on 1,027 U.S. healthcare workers who frequently interact with patients or their families.  The biggest concerns among healthcare workers were verbal harassment from patients (81%), aggressive behavior/threats from patients (77%), verbal harassment from non-patients (62%), and aggressive behavior/threats from non-patients (59%). More than one-fifth (21%) of healthcare workers said they worry about verbal harassment most of the time or every time they go to work.

These concerns are far from unfounded. Data from the U.S Bureau of Labor Statistics shows healthcare workers are five times more likely to experience violence in the workplace than workers in other industries, and multiple surveys suggest workplace violence is on the rise. The Harris Poll survey revealed that 85% of healthcare workers have experienced verbal harassment from patients, 79% have experienced aggressive behavior/threats from patients, and 43% have experienced physical assaults from patients.  More than half of respondents (54%) said they have felt threatened by patients or their families/visitors at work, and said their co-workers have expressed concern about safety at work (53%).

Female workers were more likely than male workers to experience or witness verbal harassment by patients (88% vs 80%), aggressive behavior from patients (81% vs 74%), and physical assaults by patients (48% vs 34%), with nurses twice as likely as doctors to be physically assaulted. Younger workers are more likely to experience or witness verbal harassment and physical assaults than older workers. There was a 41-percentage-point gap between Gen Z and Boomers for physical assaults.

The survey revealed workplace safety fears are getting worse for nurses and doctors, with 61% of nurses and 53% of doctors saying they are more concerned about physical safety at work than when they started working in healthcare, and 40% of nurses and 27% of doctors were more concerned about personal safety than a year ago. Despite these genuine concerns about workplace safety, healthcare organizations are failing to implement appropriate safeguards to protect their workers, with 41% of respondents saying they only have minimal security in their workplace. The majority of healthcare workers (77%) said safety measures haven’t improved in the past 12 months, and 82% said they wanted increased security measures at work. The measures most wanted for peace of mind were on-site security guards (63%), weapon detection technology (49%), and panic buttons (48%).

The Harris Poll survey paints a similar picture to data from other surveys exploring healthcare workplace safety. A survey conducted by National Nurses United in 2024 revealed that a majority of nurses have experienced at least one type of workplace violence in the past year, and almost half have seen an increase in rates of violence in the workplace.  A survey conducted by the American College of Emergency Physicians in January 2025 revealed 91% of healthcare workers had personally experienced violence at work or knew of a colleague who was a victim of workplace violence, and 40% of healthcare workers said they were aware of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death.

It is no surprise, given the stresses of the job and fears of violence, that many healthcare workers are planning on leaving the profession. NCSBN’s 2024 National Nursing Workforce Study revealed 138,000 nurses have left the workforce since 2022, and almost 40% of nurses plan to leave the workforce by 2029. While those figures include healthcare workers who will be retiring, there is concern that there will be staff shortages due to the difficulty attracting young people into healthcare and retaining them, especially since younger workers are most likely to experience verbal abuse and workplace violence.

Alana O’Grady, Vice President of Communications & Public Affairs at Verkada, said the data clearly shows an urgent need for healthcare organizations to invest in security infrastructure, but this is far from just a safety issue. “This is driving lasting impact in the industry, with workplace violence driving upwards of $18 billion in costs for the healthcare system annually and threatening to drive an even greater cost if labor shortages worsen.”

Steps are being taken to improve safety at work by the Occupational Safety and Health Administration (OSHA), and new legislation has been introduced to better protect healthcare workers. In May, the bipartisan Save Healthcare Workers Act was introduced, which aims to give healthcare workers similar protections as workers in the airline industry by making attacks on healthcare workers a felony. That said, similar legislation has been introduced in the past but has failed to be passed by Congress.

The post The Harris Poll Survey Reveals Growing Concern About Workplace Safety in Healthcare appeared first on The HIPAA Journal.

HHS-OIG Imposes Penalties on Skilled Nursing Facilities for Employing Excluded Individuals

The U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently announced enforcement actions against entities alleged to have employed excluded individuals who provided items or services that were billed to federal healthcare programs. On May 29, 2025, HHS-OIG announced a $1,565,374.11 settlement agreement with 19 skilled nursing facilities to resolve allegations that they knew or should have known that they employed individuals who were excluded from federal healthcare programs.

Sundance Creek Post Acute, California Escondido Post Acute, California
Jurupa Hills Post Acute, California Crystal Cove Care Center, California
Redwood Cove Healthcare Center, California Huntington Valley Healthcare Center, California
Houston Transitional Care, Texas Napa Post Acute, California
Norwood Towers Post Acute, Ohio Sunnyvale Post Acute Center, California
Stoney Point Healthcare, California Trellis Centennial, Nevada
San Diego Post Acute, California Mirage Post Acute, California
Crystal Ridge Care Center, California Aviara Healthcare, California
Concord Post Acute, California Westview Healthcare Center, California
Balboa Nursing & Rehabilitation Center, California

The second settlement agreement involved a $35,597.37 penalty for CareLink Home Health, LLC in Illinois for employing an excluded individual who worked as a nurse and case manager when that individual was on the exclusions list.

HHS-OIG can exclude individuals and entities from federally funded healthcare programs such as Medicare and Medicaid for a variety of reasons. The length of time an individual or entity is excluded depends on the reason for exclusion, with the longest terms typically for Medicare and Medicaid fraud convictions. For example, a Michigan man was recently excluded for 10 years for submitting false claims for pharmaceuticals that were never dispensed. For repeat offenders, exclusion may be permanent.

For some offenses, there is no minimum exclusion period; for instance, HHS-OIG may exclude an entity for defaulting on its payment obligations under a settlement agreement. The entity will remain on the list at the discretion of HHS-OIG and will not be eligible for reinstatement until the default of their payment obligations is cured.

Healthcare organizations must check the HHS-OIG List of Excluded Individuals/Entities (LEIE) before any new hire or onboarding of a new vendor, and should also regularly check the LEIE to ensure that current employees and vendors are not excluded to avoid CMP liability.

The post HHS-OIG Imposes Penalties on Skilled Nursing Facilities for Employing Excluded Individuals appeared first on The HIPAA Journal.

Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List

This month, the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) agreed to settlements with two healthcare providers who employed nurses on the HHS-OIG exclusion list, who provided items or services that were billed to federally funded healthcare programs.

The exclusion list, formally known as the List of Excluded Individuals and Entities (LEIE), contains entities and individuals excluded from participating in federally funded healthcare programs. The exclusion list was established to prevent fraud, waste, and abuse in federally funded healthcare programs. If an individual or entity has been added to the list, they are not permitted to participate in federally funded healthcare programs in any capacity.

There are many different reasons for exclusion, including fraud convictions, patient abuse and neglect, felony drug convictions, submission of false claims, and participation in illegal kickback schemes. Certain violations carry a mandatory minimum exclusion period, with HHS-OIG having discretion over how long an entity or individual remains on the list. While it is possible to be removed from the list after the minimum term has expired, the excluded company/individual must complete a formal reinstatement process, which can take some time.

Prior to hiring any individual or onboarding a new supplier, healthcare organizations need to review the exclusion list to make sure the company or individual has not been excluded. The responsibilities do not end there, as if an individual or company is added to the exclusion list after hiring/onboarding, penalties can be imposed for continuing to employ that individual or the continued use of a company’s services. Regular screenings of the workforce should be conducted, along with monthly checks of vendors to ensure OIG compliance. Many companies choose to ease this compliance headache by using automated screening and other third-party compliance services.

In April 2025, two companies were discovered to have failed to conduct exclusion list checks, resulting in the employment of excluded individuals. Advancare Healthcare Services in Lombard, Illinois, was discovered to have employed a registered nurse who was on the exclusion list and had been barred from participating in federally funded healthcare programs. The nurse had provided items or services that were billed to Medicare or Medicaid. Advancare Healthcare Services agreed to settle the alleged exclusion list violation, paid a $41,596.68 penalty, and was required to terminate the nurse’s employment.

Associated Clinicians of East Texas, PLLC, which does business as Diagnostic Clinic of Longview, was discovered to have employed a licensed vocational nurse who had been added to the exclusion list. The nurse provided items or services billed to federally funded healthcare programs. Diagnostic Clinic of Longview agreed to settle the alleged violation, paid a $77,877.45 financial penalty, and was required to terminate the nurse’s employment.

The post Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List appeared first on The HIPAA Journal.

HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified potential misuse of health risk assessments (HRAs) and HRA-linked chart reviews by Medicare Advantage (MA) companies, which may have resulted in millions of dollars in overpayments.

The Centers for Medicare and Medicaid Services (CMS) pays MA companies higher risk-adjusted payments for sicker enrollees to cover costlier care and each year, MA companies receive millions in overpayments based on unsupported diagnoses for MA enrollees. When diagnoses are reported only using enrollees’ HRAs and HRA-linked chart reviews and there are no follow-up visits, procedures, or tests, HHS-OIG is concerned that the diagnoses may be inaccurate and therefore the payments made by the CMS may be improper. Alternatively, the lack of follow-up visits and tests suggests that if the diagnoses are accurate, enrollees have not received the necessary care for serious health conditions.

HHS-OIG’s analysis of MA encounter data identified 1.7 million MA enrollees whose diagnoses were only reported using HRAs and HRA-linked chart reviews and did not include any follow-ups. Out of the 17 million MA enrollees, 19,028 enrollees had no other service records at all in 2022 apart from a single HRA. HHS-OIG estimates that around $7.5 billion in MA risk-adjusted payments were made for 2023 and that 80% of those payments were made to just 20 MA companies.

Almost two-thirds of those payments were based only on In-home HRAs and HRA-linked chart reviews, which have a higher risk of misuse as they are usually administered by MA companies and their third-party vendors rather than enrollees’ own providers. In fiscal year 2023, the CMS identified $12.7 billion in net overpayments due to plan-submitted diagnoses that were not supported by documentation in enrollees’ medical records and concerns have been raised by oversight entities that MA companies are using HRA and HRA-type assessments to maximize their risk-adjusted payments rather than to improve the care provided to enrollees. HHS-OIG says the risk-adjustment payment policy creates a financial incentive for MA companies to misrepresent health statuses and submit unsupported diagnoses to inflate their risk-adjusted payments.

HHS-OIG recommended the CMS take steps to identify and prevent misuse of HRAs and HRA-linked chart reviews. HHS-OIG suggested the CMS impose additional restrictions on the use of diagnoses reported only on in-home HRAs or chart reviews linked to in-home HRAs for risk-adjusted payments, conduct audits to validate diagnoses reported using only HRAs and HRA-linked chart reviews, and determine whether certain health conditions such as diabetes and congestive heart failure that drove payments on in-home HRAs and chart reviews are more vulnerable to misuse by MA companies. The CMS only concurred with the last recommendation.

The post HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies appeared first on The HIPAA Journal.