Seattle Plastic Surgery Practice to Pay $5 Million to Resolve False Review and Illegal NDA Lawsuit

A Seattle, WA, plastic surgery practice has been ordered to pay a financial penalty of $5 million to the Office of the Washington Attorney General to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), Washington Consumer Protection Act (CPA), and the federal Consumer Review Fairness Act (CRFA).

Dr. Javad Sajan, the owner of Allure Esthetic, has offices in Washington and other states and provides surgical and non-surgical plastic and cosmetic surgery procedures operating as Allure Esthetic, Gallery of Cosmetic Surgery, Seattle Plastic Surgery, Alderwood Surgical Center, Northwest Nasal Sinus Center, and Northwest Face and Body.

Washington Attorney General Bob Ferguson filed a lawsuit against Allure Esthetic and Dr. Sajan alleging the practice falsified online reviews to inflate the plastic surgeon’s reputation. According to the lawsuit, between 2017 and 2019, Dr. Sajan forced patients to sign illegal non-disclosure agreements that prohibited them from posting any negative online comments about Allure Esthetic. Those non-disclosure agreements were only provided after a $100 non-refundable consultation fee was paid. The non-disclosure agreements also required some patients to waive their HIPAA rights to allow the practice to respond to negative reviews using their personal health information.

Patients who were unhappy with their treatment and posted negative reviews were offered money and free services if they agreed to take down their reviews, and were threatened with fines if they posted negative reviews in the future. Some patients were sued when they refused to take down their truthful reviews. Dr. Sajan was also accused of instructing employees to set up fake email accounts posing as patients to post fake, positive reviews on sites such as Yelp and Google, and altering before and after photographs before they were added to the company’s social media accounts. Dr. Sajan was also accused of rigging “best doctor” competitions hosted by local media outlets, and applying for and retaining tens of thousands of dollars in rebates that should have been provided to patients.

In April 2024, a federal judge ruled that Allure’s non-disclosure agreements violated the Consumer Review Fairness Act (CRFA), which protects consumers’ rights to post truthful reviews about a business, and that Allure Esthetic’s practices violated HIPAA and the CPA. The consent decree issued by the U.S. District Court for the Western District of Washington requires Allure to pay $1.5 million in restitution to around 21,000 Washington residents. Each of those individuals will receive a check for $50 or $120, based on their circumstances. If they were forced to sign a non-disclosure agreement they will receive $50, and if they paid the non-refundable fee, they will receive $120 as a refund of the fee plus interest.

Allure is required to notify all individuals by mail that they will be receiving a check as a result of the Attorney General’s lawsuit and that they have been freed from the terms of their illegal NDAs. Allure must also send them their checks along with a letter from the Attorney General’s Office. The remaining $3.5 million of the settlement will go to the Attorney General’s Office to cover attorneys’ fees, investigation and prosecution costs, future monitoring, and enforcement of the decree and Washington’s consumer protection laws.

Allure is also required to conduct an audit of all review sites and request the removal of any review that Allure was involved in creating, posting, or shaping, and must remove any misleading photographs from its social media platforms. Allure is prohibited from altering future before and after photographs and using and attempting to enforce illegal non-disclosure agreements. Allure must also pay for a third-party forensic accounting company to conduct a full audit of its consumer rebate program to identify all consumers owed rebates that were illegally claimed by Allure.

“Writing a truthful review about a business should not subject you to threats or intimidation,” said AG Ferguson. “Consumers rely on reviews when determining who to trust, especially services that affect their health and safety. This resolution holds Allure accountable for brazenly violating that trust — and the law — and ensures the clinic stops its harmful conduct. We will take action against any business that attempts to silence and intimidate honest Washingtonians.”

The post Seattle Plastic Surgery Practice to Pay $5 Million to Resolve False Review and Illegal NDA Lawsuit appeared first on The HIPAA Journal.

HIPAA Transactions and Code Sets Rules

The HIPAA transactions and code sets rules have the objective of replacing non-standard descriptions of healthcare activities with standard formats for each type of activity in order to streamline administrative processes, lower operating costs, and improve the quality of data.

During the 1970s and 1980s, an increasing number of organizations in the healthcare and health insurance industries adopted Electronic Data Interchanges (EDIs) to accelerate manual healthcare processes such as eligibility checks, treatment authorizations, and remittance advices. However, many organizations developed proprietary transaction and code set formats to describe specific healthcare activities based on the formats used for internal operations.

Consequently, prior to the passage of HIPAA, it was estimated there were up to 400 proprietary formats in use. Acknowledging this would be a barrier to the objectives of the Administrative Simplification Regulations, Congress instructed the Secretary of Health and Human Services (HHS) to adopt standard HIPAA transactions and code sets rules for health plans, health care clearinghouses, and healthcare providers that transmitted health information electronically.

HIPAA Transactions and Code Sets Rules Adopted Quickly

At the time, most federal agencies and larger private organizations had adopted formats based on the ICD-9-CM and ASC X12N classification systems for diseases and medical data elements (i.e., diagnoses, procedures, and drugs). Indeed, many of the classification systems that would eventually be adopted as the HIPAA transactions and code sets rules were already mandated for use in some federal and state healthcare programs – including Medicare and Medicaid.

Because the adoption of standard formats was at an advanced stage, it did not take long for proposed HIPAA transactions and code sets rules to be published (May 1998), and for the rules to be finalized (August 2000). The rules omitted code sets for health claims attachments and first report of injury transactions (which are still “deferred”), but included code sets for coordination of benefits transactions. The HIPAA transactions to which code sets apply are:

Payment and Remittance Advice and Electronic Funds Transfer.

Health Care Claims Status.

Health Plan Eligibility Benefit Inquiry and Response.

Claim or Equivalent Encounter Information.

Health Plan Enrollment and Disenrollment.

Referral Certification and Authorization.

Health Plan Premium Payments.

Coordination of Benefits.

The Standards for Code Sets are Updated Frequently

While the only change to the list of transactions was the addition of code sets for Medicaid pharmacy subrogation transactions in January 2009, the standards for the code sets used in HIPAA transactions are updated frequently. For example, ICD-9-CM code sets were replaced by ICD-10-CM in October 2015, Healthcare Common Procedure Coding System (HCPCS) code sets are updated quarterly, and the National Drug Code Directory is updated daily.

In addition, since January 2014, health plans have had to comply with the HIPAA Operating Rules as required by §1104 of the Patient Protection and Affordable Care Act. The HIPAA Operating Rules place additional requirements on health plans to provide quicker, more complete responses to healthcare providers when healthcare providers make inquiries about individuals’ eligibility for benefits, claim statuses, fund transfers, and remittance advices.

How Compliance with the Rules is Enforced

Compliance with the HIPAA transactions and code sets rules is enforced by HHS’ Centers for Medicare and Medicaid Services (CMS). CMS has the authority to investigate complaints made by covered entities when another covered entity is using incorrect transaction codes or HIPAA identifiers, or not complying with the HIPAA Operating Rules. Covered entities can test compliance with the HIPAA transactions and code sets rules and file complaints via CMS’ ASETT portal.

If a complaint is investigated and found to be justified, CMS has the same enforcement powers as HHS’ Office for Civil Rights. This means CMS can impose corrective action plans or civil money penalties for compliance failures. In addition, via HHS’ Office of Inspector General, CMS can also exclude healthcare providers from federal healthcare programs if the failure to comply with the HIPAA transactions and code set rules is attributable to fraud, theft, abuse, neglect, or an unlawful activity.

The post HIPAA Transactions and Code Sets Rules appeared first on The HIPAA Journal.