Insurance Fraud Case Against Physician-Owned Pharmacies Over Alleged “Kickbacks” Dismissed

On September 13, 2019, a Pennsylvania judge dismissed a lawsuit brought by Liberty Mutual Insurance Companies against nine (9) pharmacies and their minority physician owners over allegations that the physicians were receiving unlawful kickbacks when they prescribed compounded cream medications to workers’ compensation program beneficiaries, which prescriptions were filled by pharmacies in which the physicians held minority ownership interests.

The Philadelphia Court of Common Pleas granted summary judgment to the pharmacies in Liberty Mutual Group, v. 700 Pharmacy, LLC,, finding that the plaintiffs failed to show that the pharmacies’ ownership structure or the physicians’ “self-referrals” were unlawful. The ruling dismissed the case entirely and cleared the pharmacies and the physician owners of any liability.

Liberty Mutual argued that the ownership of the pharmacies by the physicians provided a means for the defendant physicians to be paid illegal kickbacks for the prescriptions. As stated in the Judge’s opinion, “Physician ownership is not prohibited by the Pharmacy Act as long as the practitioner holding a proprietary or beneficial interest in the pharmacy does not exercise supervision or control over the pharmacist in his professional responsibilities and duties…. The evidence shows that the interest owned by the physicians is not more than 49%, a percentage which has been approved by the Pharmacy Board.” He also noted that the physicians referring patients to pharmacies they partly owned disclosed their ownership interests to their patients.

It is important to note that the pharmacies sold prescription drugs only to workers’ compensation and auto-accident patients, and not to patients who were beneficiaries of the Medicare or Medicaid programs. Physician-owned pharmacies, even with minority physician ownership, are generally prohibited under the federal physician self-referral prohibitions, which are commonly known at the “Stark Law”. The Stark Law defines outpatient pharmacies as a “designated health service” and physicians are strictly prohibited from have ownership interests in entities that provide “designated health services”, unless an exception is satisfied. The pharmacy ownership structures in Liberty Mutual Group vs. 700 Pharmacy, LLC, as described in court documents, do not appear to be able to satisfy the requirements of any exception under the Stark Law and would be considered illegal.

George W. Bodenger, Esquire
Law Offices of George W. Bodenger, LLC
40 E. Montgomery Avenue, 4th Floor
Ardmore, PA 19003
Office (610) 212-5031
Fax – (484) 416-0229

Continue Reading

HHS Office for Civil Rights Reports $28.7M in Payments for Record HIPAA Enforcement Year

The Department of Health and Human Services – Office for Civil Rights (“OCR”) had a record year for settlements from its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rule.

In 2018, OCR settled ten (10) cases and secured one (1) judgment, resulting in a total of $28.7 million in HIPAA fines and penalties. This amount is approximately twenty-two percent (22.0%) higher than the previous record of $23.5 million in 2016.

OCR’s 2018 record was due primarily to the single largest HIPAA settlement in history of $16 million with health insurer, Anthem, Inc. The previous record settlement was $5.5 million in 2016. The insurer agreed to pay OCR the settlement in October 2018 for a major 2015 breach that affected nearly 79 million consumers. The OCR investigation found that Anthem failed to conduct an enterprise-wide risk analysis. In addition, Anthem was found deficient in terms of regular and consistent system review activity and the identification of and response to known security threats.
The following is a summary of other noteworthy cases that led to the record for total settlements in 2018:

* The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.

* Fresenius Medical Care, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk assessment, which led to five separate data breaches over a five-month period in 2012.

* Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.

Health care providers and their business associates can expect continued enforcement of HIPAA by OCR. 2019 may also bring changes to the HIPAA regulations. In December 2018, HHS issued a Request for Information on ways to modify HIPAA to facilitate care coordination and promote transformation to value-based care.

Continue Reading


An administrative law judge (“ALJ”) recently ruled that the University of Texas MD Anderson Cancer Center (“MD Anderson”) in Houston must pay a $4.3 million fine to HHS Office of Civil Rights (“OCR”) for HIPAA data privacy and security violations. It is the fourth largest HIPAA-related settlement ever paid to the OCR. The ALJ fines included daily fines for MD Anderson’s non-compliance over a 22-month period and annual fines of $1.5 million for each of two calendar years. With respect to the $4.3 million penalty, the ALJ noted that MD Anderson is a “multi-billion dollar per year business” and “remedies in this case need to be more than a pinprick in order to assure that [MD Anderson] and similarly situated entities comply with HIPAA’s non-disclosure requirements.” MD Anderson plans to appeal this decision.

In 2012 and 2013, a series of data breaches occurred at MD Anderson: (i) an employee’s laptop was stolen; (ii) a company trainee lost a thumb drive; and (iii) a visiting researcher lost another thumb drive. Altogether, these devices contained records of approximately 33,800 patients. The OCR’s investigation revealed that at the time of these breaches, MD Anderson had written policies requiring encryption. Notwithstanding the policies, MD Anderson did not begin encrypting laptops for multiple years thereafter and the ALJ noted in his written opinion that MD Anderson “made only half-hearted and incomplete efforts at encryption.” MD Anderson recognized the need to encrypt data in 2006. The ALJ opinion noted that as of November 2013 more than 4,400 MD Anderson computers were not encrypted and that as of January 2014 more than 2,600 MD Anderson computers were not encrypted. Further, an MD Anderson 2011 risk analysis had identified the lack of an enterprise-wide encryption solution as a “high risk” area. Because the lost health records were not encrypted, the OCR determined that MD Anderson violated the HIPAA privacy and security rules.

The MD Anderson ruling demonstrates the importance of an effective HIPAA security program and the importance of timely efforts to ensure full compliance. In particular, (i) areas identified as “high risk” in HIPAA risk analyses should be addressed as quickly as possible; and (ii) covered entities and business associates should develop and implement their policies. The amount of penalties in this matter serves as an important reminder of the costly impact of HIPAA non-compliance.

Continue Reading

U.S. Office of Personnel Management Accuses Health Net of California of Obstructing Federal Data Security Audit

The Office of the Inspector General (“OIG”) at the U.S. Office of Personnel Management (“OPM”) alleged in a report dated February 12, 2018 that Health Net of California (“Health Net”) obstructed a federal IT audit, thereby violating its contract with the OPM.

In the report, OIG refers to Health Net’s refusal to comply with the planned testing as “unprecedented”. The report further states that Health Net, on February 7, 2018, responded to a formal request from OPM, indicating that it would not provide the requested documentation, nor would it allow the agency to conduct testing. OPM stated that Health Net’s refusal to permit this “standard audit” testing leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered. In particular, OPM is not able to perform testing related to Health Net’s ability to effectively remove information system access to terminated employees and contractors.

It appears from the OIG report that OPM’s level of security scrutiny of Health Net is due to vendor requirements for participating in government programs (in this case, Federal Employee Health Benefit Programs). Vendor requirements for security controls in these government programs are far more stringent that the HIPAA Security Rule. (Hard to believe!)

It is not uncommon for similar disputes to arise, in the context of HIPAA, when healthcare organizations attempt to evaluate the security practices of their business associate vendors. Since HIPAA was enacted, covered entities have found it challenging to get business associates to cooperate in security testing, risk assessments and program audits, or even just viewing the business associates’ information security and privacy policies. Business associates often offer some type of poor excuse for failing to comply with such requests, including that such assessments would take too much time and be disruptive to normal business operations, or even pose a security threat in and of themselves. It is speculated that BA’s refusal to cooperate in such matters can be due to the potential of the BA’s belief that the CE is dependent upon them and cannot terminate them.

In the private sector, it is not common for CEs to technically test their BAs’ security. Most CEs focus, at a first level of oversight, on improving their own security and assuring they have BA contracts in place. The next step in such oversight activities is for CEs to perform desk audits of their BAs, using a survey tool, as well as reviewing policies and procedures. CEs may also ask for evidence of the BA having passed a “penetration test” from an established third-party testing company. These greater levels of scrutiny have become more common, especially with large CEs such as health plans and pharmacy benefit managers.

Most healthcare providers, however, except perhaps large health systems and for-profit hospital chains, do not reach this level of sophistication in security testing, due primarily to resource constraints. Regrettably, federal requirements for data privacy and security are predominantly “one size fits all”, rather than being scaled to accommodate different sized organizations. This creates significant challenges, particularly in compliance and enforcement matters, for smaller providers.

Health Net claims that it has fully cooperated in this OPM audit, and continues to deny that it failed to satisfy OPM’s documentation requests. In a recent public statement, Health Net claims that it has fully cooperated with the OPM’s IT audit. Furthermore, Health Net claims that the OIG report contains grossly inaccurate statements about the security of Health Net’s IT systems. Finally, in this statement, Health Net claims to have been advised by legal counsel that complying with certain audit requests would risk violation of Health Net’s contractual obligations to protect its PHI.

It is not yet clear what type of action OPM will take. We will post further information as it becomes available.


GWB, LLC is a boutique law firm specializing in health care law. The Firm has significant background and experience in HIPAA data privacy and security matters in the areas of compliance and enforcement.

Continue Reading

Tax Cuts and Jobs Act – Implications for Healthcare Industry

The recent enactment of the Tax Cuts and Jobs Act (the “Act”) represents the most sweeping reform of tax laws in over 30 years. It also represents, by far, the most significant legislative accomplishment of the Trump administration in 2017. The following paragraphs highlight the Act’s impact on the healthcare industry:

1. Starting in 2019, the Act repeals the Obamacare “individual mandate” that requires all Americans under 65 to have health insurance or pay an annual penalty, $695 per person or 2.5 percent of income—whichever is higher. Per the Congressional Budget Office’s November 2017 analysis, “Repealing the Individual Health Insurance Mandate: An Updated Estimate,” the repeal of the individual mandate in 2019 would increase the number of uninsured Americans by approximately 4 million in 2019. This figure is expected to grow to 13 million in 2025 and remaining at that level thru 2027.

An increase in the number of uninsured Americans would contribute to increased uncompensated care (charity care and bad debt) for hospitals and health systems. As a result, hospitals may want to consider adjusting their charity care policies to limit or exclude assistance for patients who qualify for subsidized Affordable Care Act, Medicaid or other coverage but choose not to seek to obtain it.

2. Tax-exempt health systems will now be liable for a new 21% excise tax on employee compensation exceeding $1 million paid to their five (5) highest-paid employees. This new provision could be particularly problematic for larger systems with multiple tax-exempt entities, because they could have to pay this excise tax on the highest-paid employees in each entity.

The new excise tax on high-earning employees does not apply to compensation for the direct provision of professional medical services (i.e., physicians providing patient care services). These organizations, however, will need to report the portion of compensation for physician executives that relates to patient care services versus management duties and responsibilities.

3. For-profit health systems are now more limited in their ability to deduct False Claims Act settlements. For a portion of such settlements to be deductible, defense attorneys must identify the portion to be deductible in settlement documents or court orders.

4. For-profit health care organizations’ ability to deduct interest payments is capped at 30% of adjusted taxable income starting in 2018. As a result, such companies may consider taking steps to reduce their outstanding debt obligations.

5. Tax-exempt health systems will no longer will be able to offset income from unrelated business activities with losses from other unrelated business activities.

6. Publicly traded hospital companies will have to take the tax law changes into account for their 2017 financial statement audits. The Securities and Exchange Commission recently said companies can provide reasonable estimates in their audited statements of the impact of the Act and will be provided extensions to complete these 2017 audits.

Continue Reading

Appeals Court Affirms Breach of Recruitment Agreement Against Physician

The U.S. Court of Appeals (8th Circuit) recently affirmed the grant of summary judgment by the District Court for the Western District of Arkansas to Johnson Regional Medical Center (“JRMC”) in a breach of contract action against Dr. Robert Halterman, a former employee physician.  Halterman was ordered to pay JRMC $64,931.81 in principal, interest, attorney fees, and additional costs for breaching a recruitment agreement (including an employment agreement and a promissory note) entered into with JRMC.

JRMC and Halterman entered into a recruitment agreement in which JRMC provided Halterman with a $50,000.00 signing bonus, payable in monthly installments. The monthly payments were to be forgiven so long as Halterman remained an employee of JRMC and remained in full compliance with the terms of the recruitment agreement.  Under their terms, the recruitment agreement and the promissory note obligations were to remain in effect until the final payment on the note was either made or forgiven.

Halterman worked for JRMC for a short period prior to resigning, due to an alleged shoulder injury and an alleged misrepresentation by JRMC regarding on-call obligations of the position.  Upon his resignation, JRMC informed Halterman that the monthly forgiveness of the promissory note would cease and that he was obligated to begin making payments on the principal amount of the note ($37,894).   Halterman did not make any payments toward this obligation and JRMC brought a lawsuit against him for breach of contract. The trial court ruled in favor of JRMC and issued a judgment in the amount of $64,931.82 (principal, interest, attorney fees and additional costs) against Halterman.

Halterman appealed the trial court’s decision, alleging that JRMC fraudulently induced him into signing the agreements by misrepresenting the on-call requirements of the OB-GYN position. He also claimed that his performance under the agreements was excused due to his shoulder injury, which impaired his ability to perform his duties as an OB-GYN.  The latter claim was contradicted by the fact that he accepted employment as an OB-GYN shortly after resigning from JRMC.

The Eighth Circuit rejected Halterman’s arguments, holding that he was contractually obligated to return the remainder of the principal amount of $37,894. The court also affirmed the lower court’s award of attorney fees and costs against Halterman, based on the promissory note provision allowing JRMC to collect reasonable costs and expenses incurred in collecting the balance due thereunder.

Continue Reading

Revenue Recognition Rule Changes Could Trigger Increased in Fraud Inquiries

A new accounting rule, known as ASC 606, was adopted recently by the U.S. Financial Accounting Standards Board and the International Accounting Standards Board.  This new rule requires fundamental changes to the manner in which health care organizations will report revenue.  The rules go into effect for public companies in 2018 and for all other companies in 2019.  These changes to revenue recognition rules could create an increase in healthcare fraud investigations and prosecutions, as various healthcare industry sectors (including hospitals, physician practices, skilled nursing facilities etc.) transition from fee-for-service to value-based payments.

Upon the effective date of ASC 606, virtually all of the revenue recognition guidance previously applied by health care organizations is superseded.

Industry observers are concerned that health care organizations, in seeking to report on various quality measures under value-based payment methods (i.e., bundled payment arrangements, shared savings arrangements) would be potentially violating the Federal False Claims Act were they to misstate their achievement of certain performance obligations.  Any claim that is submitted with an overestimation of a quality index resulting in  excess reimbursement could be construed as a false claim.  To be sure, processes will need to be agreed upon by providers and payors that will allow for periodic reconciliation of any such estimating errors.

In the recent past, attestations used to garner incentive payments from CMS for the “meaningful use” of electronic health records have been challenged by government enforcement agencies as false claims because the attestations themselves were found to be inaccurate.  It is expected that similar problems could arise for health care organizations in financial reporting for value-based payments under these revenue reporting rules.

These new revenue recognition rules will have a dramatic effect on the already complex world of governmental and non-governmental reimbursements.  Health care organizations will need to evaluate the nature and scope of the changes required to comply with current revenue and financial reporting processes and systems to minimize the risk of false claim allegations.

Continue Reading

New York Hospital Management Company Agrees to $4 Million False Claims Act Settlement

Arising from Stark Law Improprieties

On September 13, 2017 the Justice Department announced that MediSys Health Network Inc. (“MHS”) agreed to pay $4 million to settle allegations that it violated the False Claims Act by engaging in improper financial relationships with referring physicians. MHS owns and operates Jamaica Hospital Medical Center and Flushing Hospital and Medical Center in Queens, New York.

The settlement resolves allegations that the MHS hospitals submitted false claims to the Medicare program for services rendered to patients referred by physicians with whom the MHS hospitals had compensation arrangements that did not comply with the requirements of the Stark Law. The claims settled by this agreement are allegations only, and there has been no determination of liability.

The lawsuit was filed by Dr. Satish Deshpande under the qui tam, or whistleblower, provisions of the False Claims Act, which permit private citizens to bring suit on behalf of the United States and share in the resultant recovery. Dr. Deshpande will receive $600,000 as his share of the recovery.

The case, United States ex rel. Deshpande, et al. v. The Jamaica Hospital Medical Center, et al., Case No. 13-cv-4030 (E.D.N.Y.), was handled by Senior Trial Counsel David T. Cohen of the Civil Division’s Commercial Litigation Branch, Assistant U.S. Attorney Kenneth M. Abell of the U.S. Attorney’s Office for the Eastern District of New York and Associate Counsel David Fuchs from HHS-OIG.

This settlement demonstrates that Stark Law prosecutions and resultant False Claims Act fines and penalties, remain an important weapon in the Justice Department’s enforcement arsenal.

The Bodenger Law Firm is a boutique legal practice providing specialty legal services to a wide range of healthcare providers.

Our extensive experience and comprehensive understanding of the healthcare delivery system makes us unique in our ability to assist clients in achieving their business objectives while ensuring compliance with relevant healthcare laws and regulations.

Our Firm mission is to provide legal services at least equal to “big firm” quality standards, at a fraction of the cost through extremely competitive hourly rates, as well as fixed fee, retainer-based and other creative billing arrangements.

Continue Reading

CMS Launches New Fraud Audit Initiative

Earlier this month, the Centers for Medicare & Medicaid Services (“CMS”) introduced plans to implement a new strategy for fraud audits used by Medicare administrative contractors (“MACs”). Under the new program, MACs will target only those providers and suppliers with the highest claim error rates or billing practices that vary significantly from their peers. Current processes permit MACs to largely flag and challenge claims at random, which has led to a crushing backlog of pending appeals. The new program is designed to address such concerns.

It is expected that this new audit strategy will result in fewer providers and suppliers being subject to Medicare investigations for improper billing practices. This new audit process augments CMS efforts started in 2014 for “probe and educate reviews”, which combined a claims review with education to help reduce errors in billing practices. CMS has found that claim errors tend to decrease after providers and suppliers received education.

CMS plans to launch the audits in all MAC jurisdictions before the end of 2017.

Continue Reading

Bipartisan Efforts to Address Healthcare Issues

On Tuesday, August 1, 2017, the Senate Health Committee (the “Committee”) announced hearings, to take place in September, on the issue of stabilizing the individual health insurance market. The announcement of these hearings is in response to continued legislative efforts to repeal Obamacare and President Trump’s threats to stop paying insurance companies cost-sharing subsidies, currently availed under Obamacare, that reduce out-of-pocket expenses for low-income policyholders.

Republican Senator Lamar Alexander, Chair of the Committee, is working with Democratic Senator Patty Murray to make the hearings bipartisan. Congress must develop a solution before September
27th, when insurers enter into contracts with the federal government over what insurance plans to sell on the exchange for 2018. If these subsidies are eliminated, then insurance companies will likely stop offering individual products through the exchange,
which is likely to affect a large number of the 18 million Americans who obtain their insurance in this manner.

In addition, a group of around 40 Republicans and Democrats, known as the “Problem Solvers Caucus” (“PSC”), have endorsed a white paper outline of ideas directed toward making some major Obamacare
improvements. While there is no formal legislative text at this time, PSC members are moving rapidly to garner broader support for their proposals in light of the most recent defeat of the Senate bill to repeal Obamacare and to force Republicans, once and
for all, to stop trying to get rid of Obamacare.

The PSC proposal includes mandatory funding for the cost-sharing subsidies for low income policyholders; repeal of the medical device tax; and raising the threshold of the “employer mandate”,
so that companies with 500 employees or more, rather than 50, are required to provide employee health insurance. PSC leadership has acknowledged that this initial proposal is an attempt to fix only certain pieces of Obamacare and should not be viewed as a
“cure all” to its shortfalls

The Committee and the PSC face a number of challenges. First, conservative legislators have made it clear that they are still favor of repeal. In addition, House Speaker Paul Ryan’s office
has stated that a bipartisan healthcare proposal would not be approved by the House anytime soon. At the same time, however, other GOP members are insisting that it is time to leave “repeal and replace” behind and devote their efforts to reaching accord with
the Democrats on smaller fixes before September 27th.

Continue Reading

Attorney George W. Bodenger


  • Member, American Bar Association, Health Law Section
  • Member, American Health Lawyers Association
  • Member, American Health Lawyers Association Accountable Care Organization Task Force.


  • J.D., Temple University James E. Beasley School of Law
  • M.B.A., Drexel University, summa cum laude
  • B.S., Pennsylvania State University

Bar Admission(s)

  • Pennsylvania
  • New Jersey


October 2019
« Sep