On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected. Those impacted are current and former CareFirst members, and individuals who do business with CareFirst online, who registered to use CareFirst’s websites before June 20, 2014.
CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain Social Security numbers, medical claims, credit card or employment information, or the passwords associated with the user names. The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.
Explaining how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after the cyberattacks on other insurers earlier this year, he created a task force to review the company’s information technology systems. CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined that a breach had occurred in June 2014, allowing unauthorized access to a single database containing the information listed above.
Just hours after the announcement of the breach, class action law firms were already investigating its circumstances and seeking plaintiffs who may have been affected. Now that state claims may be brought using HIPAA as the standard of care, the suits will likely focus on the potential harm from the disclosure, whether CareFirst adequately protected the information, and whether it provided timely notice. These are the same types of claims brought in the numerous class action lawsuits that followed the Anthem cyberattack in February 2015.
The cyberattack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures. For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.
On Monday, August 4, 2014, the Department of Justice announced that Community Health Systems (“CHS”), the nation’s largest operator of acute care hospitals, agreed to pay $98.15 million to settle nine whistleblower lawsuits alleging that the company violated the False Claims Act between January 2005 and December 2010. The whistleblowers alleged that CHS knowingly billed Medicare, Medicaid, and TRICARE at inpatient rates for medically unnecessary inpatient admissions at 119 hospitals, rather than at the lower outpatient or observation rates. Additionally, it was alleged that services were rendered to patients at one of CHS’s hospitals in Laredo, Texas by a physician who had been offered a medical directorship in violation of the physician self-referral law, known as the Stark Law.
Under the settlement, CHS entered into a five-year Corporate Integrity Agreement requiring it to retain independent review organizations to review the accuracy of the claims for inpatient services under federal health care programs, and to engage in significant compliance efforts over the next five years.
The allegations against CHS are particularly notable in light of new regulations such as the two-midnight rule, which took effect October 1, 2013. Under the two-midnight rule, a hospital stay qualifies for Medicare reimbursement at inpatient rates only if the admitting physician expects the patient’s condition to require hospital care spanning at least two midnights. Patients who are not formally admitted may remain under outpatient or observation status. Emergency and internal medicine physicians often struggle to assign the right designation and status to a patient. The federal government has delayed enforcement of the rule until March 31, 2015, after which hospitals may face financial penalties if auditors determine that the hospital could have met the patient’s needs in an outpatient setting.
For more information on the CHS settlement, the two-midnight rule, the Stark Law, the Anti-Kickback Statute, or related fraud and abuse issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.
You can find a more extensive discussion about the CHS settlement, the impact of observation status on patients and the two-midnight rule in the following Client Bulletin.