An audit of the Department of Veterans’ Affairs Spokane Healthcare System in Washington state by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified deficiencies in all three control areas inspected: configuration management, security management, and access controls. The audit was conducted on the Mann-Grandstaff VA Medical Center between January 29 and February 6, 2025, which has approximately 1,300 employees and provided care to 27,000 patients in fiscal year 2024.

There were several instances where staff failed to remediate critical and high-severity vulnerabilities within the 60-day time frame stipulated by the VA, and in some cases had failed to develop the required action plans to remediate those vulnerabilities within that time frame. HHS-OIG also identified systems that were running unsupported software, and several devices were identified that had not been configured to VA-approved security baselines. These deficiencies increased the risk of unauthorized access and operational disruption, especially the failure to meet the security baselines on databases and core network devices.

One deficiency was identified in security management regarding the protection of personally identifiable information (PII). A screen with unredacted PII in the federal electronic health record (EHR) could be viewed by volunteers and scheduling clerks, who did not require access to that information. The failure to restrict access puts PII at risk, which could potentially be misused to cause harm to veterans.

Four access control deficiencies were identified related to physical and logical access to IT resources. There was a lack of proper segregation of duties for key distribution, unsecured network equipment was identified in two locations, eleven communications sockets did not have proper electrical grounding, and perimeter protection measures for fuel storage did not meet VA guidelines.

HHS-OIG made 7 recommendations in the areas of configuration management, security management, and access controls, which HHS-OIG said are also applicable to other VA facilities. The VA has already implemented some of the recommendations and has planned to address the remaining issues.

The post HHS-OIG Identifies Security Deficiencies in Audit of VA Spokane Healthcare System appeared first on The HIPAA Journal.

Two hospitals have entered into settlement agreements with the Department of Health and Human Services (HHS) Office of Inspector General (OIG) to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA).

EMTALA requires Medicare-participating hospitals with emergency departments to provide a medical screening examination and stabilizing treatment for any patient, regardless of the patient’s ability to pay. Patients must not be transferred unless they have first been provided with stabilizing treatment, unless the patient requests a transfer in writing, the benefits outweigh the risks, and if the receiving hospital agrees to accept the patient. Transfers are also permitted if the hospital does not have the capabilities to stabilize the patient, in which case, the patient can be transferred to a hospital with specialized capabilities.

Cordell Memorial Hospital in Oklahoma was investigated by HHS-OIG after an alleged failure to provide a medical screening examination to a pregnant patient in active labor, who presented at the hospital on January 27, 2026. The woman arrived at the hospital in a private vehicle and was having contractions every 1-2 minutes. Staff at Cordell Memorial Hospital’s Emergency Department met the patient outside the facility and asked if the patient’s waters had broken and if there was an immediate need to push. When the patient responded in the negative to both questions, the ED staff recommended that the patient travel to an alternative facility 15 miles away.

The patient did not receive a pelvic examination, and her vital signs were not checked; therefore staff could not make an accurate determination about whether there was time to travel to the other healthcare facility or if the transfer posed a threat to the health and safety of the patient or their unborn child. The child was delivered within approximately 40 minutes of arriving at the other hospital. HHS-OIG determined that the failure to provide a medical screening examination was in violation of EMTALA, and the case was settled with a $40,000 financial penalty.

Holmes Regional Medical Center in Melbourne, Florida, was similarly investigated over an incident involving a pregnant patient, who presented at the Emergency Department 30 weeks pregnant seeking an examination and treatment for high blood pressure. The patient was accompanied by a minor child of approximately 4-6 years of age. As the patient was completing the intake form, a security guard told the patient that the minor child was not permitted to be present in the triage area. As a result, the patient left the ED without having an appropriate medical screening examination. HHS-OIG determined that the failure to provide the MSE was in violation of EMTALA. The alleged violation was settled, with Holmes Regional Medical Center agreeing to pay a $113,407 financial penalty.

The post Failure to Provide a Medical Screening Examination Results in HHS-OIG Penalty appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to a $20,000 settlement with AccuCare Home Health Services to resolve allegations that the home healthcare provider employed an individual on the HHS-OIG exclusions list and billed services provided by that individual to federally funded healthcare programs.

AccuCare Home Health Services is a Mesa, Arizona-based provider of home health care services, specializing in skilled nursing, physical therapy, occupational therapy, speech therapy, and medical social services. According to HHS-OIG, AccuCare Home Health Services was discovered to have employed a home healthcare aide who was not permitted to participate in any federally funded healthcare program, and billed products or services provided by that individual to federal health care programs. The alleged violation was settled with a $20,000 financial penalty.

Healthcare organizations must ensure that a check is conducted of the HHS-OIG List of Excluded Individuals and Entities (LEIE) prior to onboarding a new employee. Regular checks must also be conducted on all employees, since individuals may be added to the LEIE after their employment commences. The HHS’ Office for Civil Rights imposes relatively few financial penalties for HIPAA violations; however, when it comes to HHS OIG compliance, there is a much greater risk of a financial penalty if violations are identified. HHS-OIG regularly imposes significant financial penalties for claiming for items and services provided by excluded individuals and companies, submitting false claims, and violations of the Stark Law and the Anti-Kickback Statute. In addition to a financial penalty, there is a risk of being added to the HHS exclusion list, which will prohibit an individual or company from participating in federally funded health care programs.

On November 12, 2025, HHS-OIG announced that William Mangan, DO (Dr. Mangan) of Okemos, Michigan, had agreed to be excluded from participating in federally funded healthcare programs for a period of 10 years in connection with False Claims Act violations. Dr. Mangan was investigated by HHS-OIG in connection with allegations that he ordered genetic tests, durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) that were not reasonable or medically necessary and submitted claims to federally funded health care programs. Dr. Mangan claimed that he had evaluated patients and falsely certified that the ordered products were medically necessary when he failed to perform an adequate review.

Individuals can face severe penalties for knowingly causing products or services to be billed to federally funded healthcare programs when they are on the HHS-OIG exclusion list. Erik X. Alonso, 55, of Miami, Florida, had been convicted of conspiracy to commit health care fraud in 2015 for offenses in the Southern District of Florida. As a result of the conviction, Alonso was placed on the exclusion list and was fully aware that he was prohibited from participating in work that was billed to federally funded healthcare programs. In March 2022, Alonso started working for a telehealth mental health provider in New Hampshire and provided services to patients in the state that he knew would be billed to Medicaid. Alonso caused New Hampshire Medicaid to pay approximately $173,998.83 based on false and fraudulent claims. The healthcare fraud was discovered, and Alonso entered a guilty plea to one count of healthcare fraud and is awaiting sentencing. He now faces up to 10 years in jail.

The post AccuCare Home Health Services Pays $20,000 Fine for Employing Excluded Individual appeared first on The HIPAA Journal.

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. While downloads of detailed participants’ data are prohibited, there were no access controls in place to prevent data downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

The post Audit Uncovers Security Weaknesses in the NIH All of Us Security Program appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs.

Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion.

For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10 years, although three convictions will result in permanent exclusion.

If an individual is excluded, they are not permitted to work within the healthcare industry for any company that accepts federal funds, which can severely limit work opportunities. Since excluded individuals may still seek employment in the healthcare field, it is vital for employers to regularly check the exclusion list to ensure that new hires can be employed, and also to conduct regular checks of all employed individuals to ensure they can continue to be employed. Employing or continuing to employ an excluded individual risks civil monetary penalties.

HHS-OIG has recently announced new additions to its exclusion list, all of which see the individuals and entities excluded from federally funded healthcare programs for 10 years. In August, HHS-OIG entered into a settlement agreement with Ideal Health Diagnostics, Inc. (Ideal Health) and Svetlana Dizik (Dizik), of Glenview, Illinois, that requires a payment of $227,193.28 in addition to the 10-year exclusion. HHS-OIG alleged that Ideal Health and Dizik solicited and received improper remuneration from Perry Rudich, MD, in exchange for referrals for radiological interpretative services. Ideal Health and Dizik also caused claims to be submitted to Medicare that falsely identified Dr. Rudich as the rendering provider of items and services that he did not perform. Ideal Health and Dizik were not enrolled in Medicare, so they could not bill Medicare for those services themselves or receive payment for those services from Medicare.

In September, HHS-OIG announced 10-year exclusions for Optimum Faith Lab Corp. and its owner, Opal Mullings. Opal Mullings and Optimum had submitted claims for mileage under HCPCS Code P9603 that were improperly inflated, in excess of the actual mileage driven by phlebotomists, not properly prorated, or both. Further, claims were submitted for travel allowance, when only a fingerstick blood draw was performed, when Medicare rules do not permit travel allowance to be claimed for that purpose, and travel allowance was also claimed for laboratory services that were never rendered.

The post HHS-OIG Announces 10-Year Exclusions for Companies and Individuals appeared first on The HIPAA Journal.

The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.

EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.

North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.

The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility.  NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.

Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital.  SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.

The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to settle alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) patient dumping statute with UAB Medical West, Frankfort Regional Medical Center, and Flowers Hospital.

EMTALA is a federal law that ensures universal access to emergency medical care. EMTALA requires Medicare-participating hospitals to provide a medical screening examination to determine if a patient presenting at the hospital has an emergency medical condition, and provide stabilizing treatment for that condition or arrange an appropriate transfer to another facility if the hospital cannot provide the necessary treatment. Hospitals with specialized capabilities must accept transfers of patients with specialized needs if they have the capacity to provide treatment. These requirements apply to all individuals presenting at a hospital, regardless of their insurance status or ability to pay.

Frankfort Regional Medical Center

Frankfort Regional Medical Center (FRMC) was investigated by HHS-OIG after self-reporting a potential EMTALA violation that occurred in June 2022. A patient presented at the FRMC emergency department via ambulance, complaining about heat exhaustion after working in a hot factory for seven hours. The patient complained about a severe frontal headache, nausea, and had projectile vomited in the ambulance en route to the hospital. The patient rated his headache as an 8 on the 1-10 scale, had clammy skin, and had vomiting/dry heaving. Diagnostic blood work revealed the patient had hyponatremia (low blood salt), hypokalemia (low blood potassium), and mild dehydration, and the physician’s notes stated he was tachycardic.

The ED physician went to speak with the patient, who was upset, and he was allowed to go back to sleep. Two hours later, the patient was difficult to arouse, lethargic, and bradycardic, and his respiration rate was slowing. The ED staff were unsuccessful in trying to arouse the patient with ammonia salts. The patient was provided with Narcan by the ED physician, who suspected a possible drug overdose. The patient then got upset and started to walk around the ED. The police department was called to arrest the patient for trespassing.

The patient sat down in an ED hallway with his arms crossed and head down, and was unresponsive to the ED staff and was no longer verbal. The ED physician cleared the patient to be discharged to jail with instructions for adult dehydration and a clinical note of a drug overdose. Within 24 hours, the patient was admitted to another hospital and received treatment for heat exhaustion. HHS-OIG determined EMTALA had been violated, and the case was settled with a $110,000 financial penalty.

UAB Medical West

UAB Medical West is a Birmingham, AL-based health system that operates a 200-bed UAB Medical West Hospital and numerous primary care facilities in and around Birmingham. UAB Medical West was investigated over a potential EMTALA violation following a complaint about an alleged failure to provide stabilizing treatment to a patient with an emergency medical condition.

HHS-OIG investigated and determined that in May 2023, a patient who presented at the freestanding UAB Medical West Emergency Department (ED) was discharged from the hospital without appropriate treatment, with an instruction to drive to another hospital for a consultation with a urologist and to get stabilizing treatment. The patient had presented at the ED with acute urinary retention – a medical condition that requires immediate medical attention.

Under EMTALA, UAB Medical West was required to provide stabilizing treatment. While staff at the hospital attempted to catheterize the patient, those efforts were unsuccessful, and the patient was not provided with any pain relief, despite the ED having a urologist on-call and access to urology supplies at its main ED. HHS-OIG and UAB Medical West agreed to settle the alleged EMTALA violation with a $100,000 financial penalty.

Flowers Hospital

Flowers Hospital, a 311-bed hospital in Dothan, Alabama, was investigated over an alleged failure to accept two patients who had been transferred to the hospital to receive specialized medical care, as the hospitals where the patients presented lacked the capabilities to provide appropriate care. Both refused transfers occurred in May 2021.

One patient had presented at the ED of an unrelated hospital following an assault and was determined to have multiple facial fractures, including on both sides of his lower jaw. A transfer was attempted as the hospital did not have an oral maxillofacial surgical (OMFS) specialist. The request was denied by Flowers Hospital, which claimed that its OMFS specialist only treated patients with old fractures, not patients with new traumas.

Another patient presented at the ED of a hospital with severe dental pain, which had been worsening for a week. Since the hospital did not have an OMFS specialist, a transfer was attempted, but was declined by the OMFS specialist because Flowers Hospital was not the closest facility with physicians able to provide the necessary stabilizing treatment. HHS-OIG determined that both refusals violated EMTALA, and the case was settled with a $150,000 financial penalty.

The post HHS-OIG Imposes Three Penalties for EMTALA Violations appeared first on The HIPAA Journal.