Welcome to the 2013 Missteps Archive!

back to Learning from Others' Missteps

  • November 25, 2013 - How Would Your Website Stack Up? The US Department of Justice has moved to intervene in a private lawsuit against H&R Block that charges its website - through which it delivers many of its services -does not do so in an accessible manner and the company is therefore discriminating against those with disabilities. If the motion is granted the DOJ's presence in the suit will make it much harder for the company to defend and costly to settle. So this possible misstep raises the question - how would your website stack up against a similar challenge? Hceak out these resources to start finding out.

  • August 16, 2013 - The price of non-disclosure - Two Oregon cardiologists recently settled a civil suit brought by the state Department of Justice over their non-disclosure of payments from device maker Biotronik for allowing the presence of "trainees" in the operating room while they were implanting pacemakers and defibrillators sold by the company. The doctors received $400-$1250 per procedure for "training" Biotronik employees - in addition to the $400-$1530 received from insurers for performing the procedure. The civil suit claimed that the physicians "misrepresented" their actions to patients by failing to disclose these payments and the effect the payments may have had on their medical decision-making. The two physicians, one now retired, did not admit wrongdoing but agreed to pay $25,000 each and to tell future patients about similar payments.

  • August 14, 2013 - Those pesky photocopiers. Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, found out the hard way that it had breached the privacy of many of its members by failing to include the hard drives of leased photocopiers as part of its Risk Analysis required by the HIPAA regulations. The plan learned of the breach when CBS news contacted it as part of an investigatory report. The plan was then required to tell the Office for Civil Rights and that report has now turned into a $1.2M settlement. The Office, in turn, has used the attention this settlement will garner to also guide other covered entities to free resources from the Federal Trade Commission and NIST on how to assess and address this type of risk.

  • July 29, 2013 - A new wrinkle to the patient / physician relationship. A primary care physician and his practice in Florida have both been sued by the U.S. Department of Justice for retaliation against two deaf patients who he terminated from his practice after they filed a lawsuit against a local hospital for failure to provide interpreter services during a 2009 hospitalization. The physician admitted under oath terminating the two patients because they filed suit against the hospital and also instructing his staff to lie to the patients about the reason for the termination. But opposing violations of the Americans With Disabilities Act is "protected activity" under that law. The suit seeks injunctive relief and monetary damages.

  • July 12, 2013 - "Six people fired..." - but what about those who made the "crime" possible? Cedars-Sinai relearned a reality that many healthcare providers are grappling with - no matter how much training takes place and how many policy reminders are delivered and how many confidentiality promises get signed - curiosity snooping into the medical records of others continues. But what makes the Cedars case a bit out of the norm is that four out of the six people involved had access because a non-employee member of the hospital's medical staff "violated policy" and gave their passwords to their employees. The physicians are identified in this story from the LA Times. But there is no mention in the article and no statement on the Cedars website about what consequences they will face except "more privacy training".

  • June 17, 2013 - ATS, a Washington state based aircraft Maintenance, Repair and Overhaul (MRO), settled allegations dated back to 2006 that it did not follow FAA approved procedures in some of its work, creating "potential" safety problems. The amount of the settlement as fairly modest ($275,000) but more interesting was the requirement that the company "implement enhanced compliance policies" including one supporting voluntary reporting of safety issues. There is no statement on the ATS website about the settlement or these new procedures. But there is a press release announcing the sale of the company on June 21, 204 to its senior managers and a group of investors.

  • June 14, 2013 - "The CEO and Privacy Officer of each facility...shall submit an affidavit to OCR" - that's one of the unusual provisions of the most recent HIPAA privacy settlement between the Office for Civil Rights and Shasta Regional Medical Center and its parent organization, Prime Medical Management. The case involved several instances in which "senior leaders" of the Medical Center intentionally disclosed the protected health information of a patient in an effort to defend against charges that the organization was miscoding Medicare claims. Those leaders were not sanctioned for this conduct - which the organization still believes to have been appropriate. Hence the affidavits from the CEOS of each facility operated under the same management. The OCR press release provides a few additional details.

  • June 10, 2013 - The SEC has dropped its internal charges, reinstated an employee whistleblower and paid $580 thousand dollars to settle his retaliation suit. More details at the Washington Post.

  • April 3, 2013 - "We have learned from this experience and are a better company as a result." That was the summary of a statement by Intermountain Healthcare about its $25.5M settlement with the federal government of violations of the Stark regulations governing financial relationships between physicians and those to whom they refer. While the Intermountain statement is a bit vague about the actual nature of the settled violations, the government statement describes them as "employment agreements under which the physicians received bonuses that improperly took into account the value of some of their patient referrals; and office leases and compensation arrangements between Intermountain and referring physicians that violated other requirements of the Stark Statute." Intermountain self-disclosed the violations in 2009. The settlement agreement contains lengthy lists of physicians and the lengths of time Intermountain's relationship with each did not meet the Stark requirements.

  • March 21, 2013 - Arresting the Deaf - The City of Englewood Colorado and Arapahoe County have entered into a settlement of a private lawsuit brought under the Americans with Disabilities Act that will change their practices for working with deaf and hard of hearing detainees, victims and witnesses. Along with training, policy revisions regardin providing interpreters, etc. the two agencies have also agreed to change their handcuffing procedures for those that communicate through sign language or writing and to stock batteries for hearing aids and cochlea implants at the jails. The US Department of Justice is also a party to the settlement.

  • March 20, 2013 - "Not implementing an adequate compliance program" is one of the charges leveled against the Hospice of Arizona in the press release announcing the settlement of a a "qui tam" whistleblower suit filed against it by a former employee, who will recieve $1.8M of the $12M paid by the Hospice, and joined by the Department of Justice. The company will also enter a Corporate Integrity Agreement with the government as part of the settlement.

  • March 6, 2013 - A Week To Remember for CH2M Hill - On March 5 the company was named, for the 5th straight year, one of the "World's Most Ethical" On March 7, the Department of Justice made its own announcement - about the settlement of criminal and civil charges for long standing time card fraud committed by one of the company's subsidiaries, CH2M Hill Hanford Group Inc., at a Department of Energy hazardous waste clean-up site in Eastern Washington. The agreed statement of facts supporting the settlement describes clearly that the routine submission of fraudulent timecards overstating the amount of overtime worked was condoned by supervisory personnel whose own compensation depended on the project achieving certain time related milestones and continued after both a 2004 audit that was initiated by an anonymous hotline call and several comments on its "voluntary protection program" self assessment reports as well as specific notice to certain supervisory personnel and upper management about the practice. The parent company will pay $18.5M to settle the charges, $500.000 ftowards an "accountability system" for time reporting related to work continuing at the site and three years of independent monitoring of another related subsidiary that continues to work there. Eight individuals, including one that filed a "whistleblower" suit regarding the fraud, have also been convicted.

  • February 14, 2013 - Once the subpoena is served - it's too late to create the records it seeks. That's the lesson available to Dr. Mahmoud Yassin of Robinson Illinois, who pled guilty to obstructing a federal investigation. He will have up to ten years in prison to ponder it.

  • January 14, 2013 - Compliance Officer headed to Jail - Humberto Sanchez was the Compliance Officer at G&A Check Cashing. The Bank Secrecy Act requires financial institutions, including Check Cashers, to have an "effective" Anti-Money Laundering Compliance Program. G&A failed that requirement , failed to file appropriate reports on transactions over $10,000, and its Compliance Officer is headed to eight months in prison and two years of supervised release. No one can say being a Compliance Officer is a low stress, low risk occupation.

  • January 10, 2013 - Learning the hard way – In 2008 Kaiser Permanente hired a husband and wife team to manage the paper records of a hospital it had just purchased. The same firm, Sure File Filing, also got the nod to handle records from another acquired hospital, but in 2010 the business relationship broke down and the couple returned the records to Kaiser in exchange for a financial settlement. Well, all the hard copy records - but apparently not all the “protected health information” (PHI) shared and used during the contract. This included unencrypted emails from Kaiser employees containing patient information and an electronic index to the records once in the contractors possession. Negotiations to resolve the matter broke down and at some point the Sure File owners involved state and federal regulators. Kaiser also took the matter to state court seeking an injunction against disclosure of the information still in Sure File’s possession and forensic examination of the owners’ computers and files to verify their subsequent claims to have deleted the information. In the latest chapter Kaiser’s examination request was refused, although the Court did grant an injunction against distribution of any data still in the couple's possession.

  • January 2, 2013 - Another year, another HIPAA settlement - The new year brought news of "The First HIPAA Settlement Involving Less Than 500 Patients " But what's significant about he government's action isn't the size of the breach (441 patients), or the underlying missteps (loss of unencrypted laptop and failure to do a risk analysis for the mobile devices), but the credit apparently given to the "extensive steps" taken by the Hospice that lost the laptop to improve its HIPAA compliance program. The resulting public corrective action plan is relatively short (two years) and simply requires reporting of subsequent incidents during that time.

SHARED by Toolbox members:

  • < Click "edit" above and start typing here>