HHS-OIG Warns Consumers About Remote Patient Monitoring Scam

The HHS Office of Inspector General (HHS-OIG) has issued a warning to the public about a fraud scheme that targets Medicare enrollees and involves them setting up monthly payments for medically unnecessary remote patient monitoring (RPM). Scammers are cold calling Medicare enrollees, sending unsolicited text messages, and using Internet and television ads to push RPM services, regardless of medical necessity. RPM is a legitimate service of benefit to individuals who have medical conditions such as diabetes that can deteriorate quickly, resulting in complications, hospitalization, and even death. RPM involves remotely monitoring patients to identify anomalies such as an irregular heartbeat, high blood pressure, or dangerous blood glucose levels, allowing rapid action to be taken before a condition deteriorates. RPM typically involves glucose monitors, blood pressure cuffs, and cardiac rhythm devices.

Scammers are targeting Medicare enrollees and convincing them to sign up for RPM. The scammers steal Medicare numbers and other personal information and bill Medicare for unnecessary RPM services. Those services are often not provided, and even when RPM devices are issued, patients are not monitored even though they are charged monthly for the service. HHS-OIG has advised Medicare enrollees to hang up if they receive a call offering a free brace that will be billed to Medicare and recommends that they check their Explanation of Benefits statements for services that have not been ordered or provided.

If any contact is made and free equipment is offered that requires a Medicare number to be provided, it is likely to be a scam. Any requests for medical equipment should be approved by a trusted healthcare provider, who will evaluate whether the equipment is medically necessary. Medicare beneficiaries have also been advised to refuse to accept deliveries of any unordered medical equipment unless their healthcare provider has ordered it.

A few weeks ago, HHS-OIG sounded the alarm about another Medicare scam involving durable medical equipment (DME). Medicare enrollees are being contacted and offered urinary catheters at no cost by an unscrupulous DME company. “Usually, the DME company will obtain its own authorizing provider, who does not know or have a relationship with the enrollee, to sign an authorization for DME,” explained HHS-OIG. “Occasionally, the DME company may get the enrollee’s provider to sign an authorization for the DME.”

According to the National Association of Accountable Care Organizations (NAACOS), around $2.8 billion is estimated to have been fraudulently billed to Medicare for urinary catheters. Medicare payments for the billing codes used for urinary catheters increased from $153 million in 2021 to $2.1 billion in 2023.

The post HHS-OIG Warns Consumers About Remote Patient Monitoring Scam appeared first on HIPAA Journal.

Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks

Notification letters have been sent to more than 34,500 individuals about ransomware attacks that occurred more than 9 months ago. Kisco Senior Living experienced its attack in June 2023, and Island Ambulatory Surgery Center suffered an attack in July.

Kisco Senior Living

Kisco Senior Living is a Carlsbad, CA-based operator of 20 senior living communities in 6 U.S. states. According to the notification letters mailed to the affected individuals in April 2024, a cyberattack was detected on June 6, 2023, when its network was disrupted. A cybersecurity firm was engaged to investigate the disruption and confirmed that unauthorized individuals accessed its network and exfiltrated files containing the personal information of residents. It took more than 10 months (April 10, 2024) to determine the types of information involved and the number of individuals affected.

According to the notification sent to the Maine Attorney General, the breach included names and Social Security numbers and affected 26,663 individuals. Kisco Senior Living said additional security features have been implemented to prevent similar breaches in the future and the affected individuals have been offered 12 months of complimentary credit monitoring services, which include a $1 million identity fraud loss reimbursement policy.

Island Ambulatory Surgery Center

Island Ambulatory Surgery Center in Brooklyn, NY, has recently notified 7,900 individuals about a cyberattack that was detected on or around July 31, 2023. Cybersecurity experts were engaged to investigate the breach and determined that an unauthorized actor had access to its network and acquired certain files, some of which contained patients’ personal and health information.

The review of the affected files was completed on February 7, 2024, and confirmed some or all of the following information was compromised: name, date of birth, Social Security number, driver’s license number, medical information, and/or health insurance information. Notification letters were mailed to the affected individuals on April 5, 2024. Island Ambulatory Surgery Center said it takes privacy and security seriously and has implemented measures to prevent similar incidents in the future.

OCR Issues HIPAA Reproductive Health Care Privacy Final Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released its long-awaited Final Rule on reproductive healthcare privacy. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy implements changes to the Health Insurance Portability and Accountability Act (HIPAA) to improve privacy protections for women, their family members, and doctors by prohibiting disclosures of protected health information when it is sought to investigate or impose liability on individuals or healthcare providers for seeking, obtaining or providing legal reproductive health care.

“Many Americans are scared their private medical information will be shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it. With reproductive health under attack by some lawmakers, these protections are more important than ever.”

Background to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy

HIPAA already contains provisions that restrict and prevent certain uses and disclosures of protected health information, including information related to reproductive healthcare; however, since the overturning of Roe v. Wade, which removed the federal right to an abortion, fears have grown that the HIPAA Rules are not sufficiently strong to prevent disclosures of reproductive health care information that could prove harmful to individuals. The Privacy Rule permits, but does not require, uses and disclosures of protected health information when another law requires a regulated entity to make those uses or disclosures. In states that have implemented bans or severe restrictions on abortions, there are justifiable concerns that those states may seek access to protected health information to support investigations and prosecutions of women who travel to more permissive states to receive the care they need and the healthcare professionals that facilitate or administer lawful abortion care.

Some states have already introduced state-level legislation to better protect reproductive healthcare privacy; however, an update to the federal HIPAA law was required to ensure that women and healthcare professionals receive the same privacy protections regardless of where they live. After listening to feedback from healthcare providers, privacy advocates, and individuals, OCR proposed HIPAA updates in April 2023 to modify the HIPAA Privacy Rule to address the changes to the legal landscape in response to the fall of Roe v. Wade. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy modifies certain provisions of the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) to better protect women and healthcare providers.

One of the main purposes of the HIPAA Privacy Rule was to limit uses and disclosures of protected health information to those that were necessary for treatment, payment, or healthcare operations. The Privacy Rule ensures that individuals can seek healthcare from and share information with their healthcare providers without fear that their sensitive information will be disclosed outside of the relationship with their healthcare provider. When the Supreme Court ruled on Dobbs v. Jackson Women’s Health Organization, a precedent was overturned that protected the constitutional right to abortion, thus overturning Roe v. Wade. The Dobbs ruling made it more likely that an individual’s protected health information would be disclosed in ways that HIPAA aimed to prevent.

Since the Dobbs ruling, many states have introduced almost total bans on abortions in their respective states or have placed severe restrictions on reproductive healthcare. As such, there is a risk that those states will seek access to reproductive healthcare information that has been legally provided in a state that permits abortion care, and will attempt to use that information to conduct an investigation against or impose liability on an individual or another person that obtained, facilitated, or provided care that is not legal in an individual’s home state. According to the HHS, fear of those disclosures “is likely to chill an individual’s willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care.”

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy modifies the HIPAA Privacy Rule to limit the circumstances under which an individual’s reproductive healthcare information can be used for certain non-health care purposes, where such use or disclosure could be detrimental to the privacy of the individual or another person or the individual’s trust in their health care providers.

OCR’s notice of proposed rulemaking (NPRM) was published in the Federal Register and OCR received more than 300,000 comments from the public and healthcare stakeholders on the proposed rule. After carefully considering those comments, consulting with the Department of Justice, National Committee on Vital and Health Statistics (NCVHS), Attorney General, and Indian Tribes, holding listening sessions with healthcare industry stakeholders, and reviewing correspondence from Members of Congress and state attorneys general, OCR issued its Final Rule that implements the proposed changes. The HIPAA changes will take effect 60 days following the publication of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy in the Federal Register and the compliance date is 180 days after the effective date.

“This final rule balances the interests of society in obtaining for non-healthcare purposes with the interests of the individual, the Federal Government, and society in protecting individual privacy, thereby improving the effectiveness of the health care system by ensuring that persons are not deterred from seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided,” explained the HHS.

Summary of the HIPAA Privacy Rule to Support Reproductive Health Care

Disclosures of reproductive healthcare data to support investigations

The HIPAA Privacy Rule to Support Reproductive Health Care prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. Lawful means that it is either 1) lawful under the circumstances in which the healthcare is provided and in the state that it is provided or 2) protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

In the new rule, OCR has clarified the definition of “person” – A natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private – and has adopted new definitions of “public health” in the context of surveillance, investigation, or intervention, and “reproductive health care.” Reproductive health care is a subset of the term “health care,” and is defined as “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.”

The Final Rule also adds a new category for prohibited uses and disclosures to clarify that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule because they provide or facilitate reproductive health care for an individual.

The Final Rule imposes a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose, specifically that requests for protected health information potentially related to reproductive health care are not for prohibited purposes.

The Final Rule also requires modifications to covered entities’ Notices of Privacy Practices to inform individuals that their protected health information may not be used or disclosed for a purpose prohibited under the Final Rule to support healthcare privacy.

Key Compliance Dates

At the time of writing (April 23, 2024), the Final Rule has not been published in the Federal Register so the dates are estimated.

| Key Dates | Legal timescale | Date |
| --- | --- | --- |
| Effective date | 60 days after publication in the Federal Register | June 2024 |
| Compliance date for persons subject to the regulation | 240 days after publication in the Federal Register (180 days after the effective date) | December 2024 |
| Compliance date for persons subject to 45 CFR 164.520 (Notice of Privacy Practices)* | February 16, 2026 | February 16, 2026 |

*The extended compliance date regarding the Notice of Privacy Practices requirement of the Final Rule is to avoid a situation where entities subject to the Part 2 regulations would be required to update their notices of privacy practices twice in a short period, as a result of the extensive changes implemented by the Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule.

The full text of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is available in a 291-page PDF file on the HHS website. The document includes the HHS’s justification for implementing the new HIPAA regulations and a discussion of the comments received from the public and healthcare stakeholders.
