An administrative law judge (“ALJ”) recently ruled that the University of Texas MD Anderson Cancer Center (“MD Anderson”) in Houston must pay a $4.3 million fine to the HHS Office for Civil Rights (“OCR”) for HIPAA data privacy and security violations. It is the fourth largest HIPAA-related settlement ever paid to the OCR. The ALJ fines included daily fines for MD Anderson’s non-compliance over a 22-month period and annual fines of $1.5 million for each of two calendar years. With respect to the $4.3 million penalty, the ALJ noted that MD Anderson is a “multi-billion dollar per year business” and that “remedies in this case need to be more than a pinprick in order to assure that [MD Anderson] and similarly situated entities comply with HIPAA’s non-disclosure requirements.” MD Anderson plans to appeal this decision.

In 2012 and 2013, a series of data breaches occurred at MD Anderson: (i) an employee’s laptop was stolen; (ii) a company trainee lost a thumb drive; and (iii) a visiting researcher lost another thumb drive. Altogether, these devices contained records of approximately 33,800 patients. The OCR’s investigation revealed that at the time of these breaches, MD Anderson had written policies requiring encryption. Notwithstanding the policies, MD Anderson did not begin encrypting laptops for multiple years thereafter and the ALJ noted in his written opinion that MD Anderson “made only half-hearted and incomplete efforts at encryption.” MD Anderson recognized the need to encrypt data in 2006. The ALJ opinion noted that as of November 2013 more than 4,400 MD Anderson computers were not encrypted and that as of January 2014 more than 2,600 MD Anderson computers were not encrypted. Further, an MD Anderson 2011 risk analysis had identified the lack of an enterprise-wide encryption solution as a “high risk” area. Because the lost health records were not encrypted, the OCR determined that MD Anderson violated the HIPAA privacy and security rules.

The MD Anderson ruling demonstrates the importance of an effective HIPAA security program and the importance of timely efforts to ensure full compliance. In particular, (i) areas identified as “high risk” in HIPAA risk analyses should be addressed as quickly as possible; and (ii) covered entities and business associates should develop and implement their policies. The amount of penalties in this matter serves as an important reminder of the costly impact of HIPAA non-compliance.


U.S. Office of Personnel Management Accuses Health Net of California of Obstructing Federal Data Security Audit

The Office of the Inspector General (“OIG”) at the U.S. Office of Personnel Management (“OPM”) alleged in a report dated February 12, 2018 that Health Net of California (“Health Net”) obstructed a federal IT audit, thereby violating its contract with the OPM.

In the report, OIG refers to Health Net’s refusal to comply with the planned testing as “unprecedented”. The report further states that Health Net, on February 7, 2018, responded to a formal request from OPM, indicating that it would not provide the requested documentation, nor would it allow the agency to conduct testing. OPM stated that Health Net’s refusal to permit this “standard audit” testing leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered. In particular, OPM is not able to perform testing related to Health Net’s ability to effectively remove information system access to terminated employees and contractors.

It appears from the OIG report that OPM’s level of security scrutiny of Health Net is due to vendor requirements for participating in government programs (in this case, Federal Employee Health Benefit Programs). Vendor requirements for security controls in these government programs are far more stringent than the HIPAA Security Rule. (Hard to believe!)

It is not uncommon for similar disputes to arise, in the context of HIPAA, when healthcare organizations attempt to evaluate the security practices of their business associate vendors. Since HIPAA was enacted, covered entities (“CEs”) have found it challenging to get business associates (“BAs”) to cooperate in security testing, risk assessments and program audits, or even just to allow a review of the business associates’ information security and privacy policies. Business associates often offer some type of poor excuse for failing to comply with such requests, including that such assessments would take too much time and be disruptive to normal business operations, or even pose a security threat in and of themselves. It is speculated that a BA’s refusal to cooperate in such matters can be due to the BA’s belief that the CE is dependent upon it and cannot terminate the relationship.

In the private sector, it is not common for CEs to technically test their BAs’ security. Most CEs focus, at a first level of oversight, on improving their own security and assuring they have BA contracts in place. The next step in such oversight activities is for CEs to perform desk audits of their BAs, using a survey tool, as well as reviewing policies and procedures. CEs may also ask for evidence of the BA having passed a “penetration test” from an established third-party testing company. These greater levels of scrutiny have become more common, especially with large CEs such as health plans and pharmacy benefit managers.

Most healthcare providers, however, except perhaps large health systems and for-profit hospital chains, do not reach this level of sophistication in security testing, due primarily to resource constraints. Regrettably, federal requirements for data privacy and security are predominantly “one size fits all”, rather than being scaled to accommodate different sized organizations. This creates significant challenges, particularly in compliance and enforcement matters, for smaller providers.

Health Net continues to deny that it failed to satisfy OPM’s documentation requests. In a recent public statement, Health Net claims that it has fully cooperated with the OPM’s IT audit. Furthermore, Health Net claims that the OIG report contains grossly inaccurate statements about the security of Health Net’s IT systems. Finally, in this statement, Health Net claims to have been advised by legal counsel that complying with certain audit requests would risk violation of Health Net’s contractual obligations to protect its PHI.

It is not yet clear what type of action OPM will take. We will post further information as it becomes available.


GWB, LLC is a boutique law firm specializing in health care law. The Firm has significant background and experience in HIPAA data privacy and security matters in the areas of compliance and enforcement.


Tax Cuts and Jobs Act – Implications for Healthcare Industry

The recent enactment of the Tax Cuts and Jobs Act (the “Act”) represents the most sweeping reform of tax laws in over 30 years. It also represents, by far, the most significant legislative accomplishment of the Trump administration in 2017. The following paragraphs highlight the Act’s impact on the healthcare industry:

1. Starting in 2019, the Act repeals the Obamacare “individual mandate” that requires all Americans under 65 to have health insurance or pay an annual penalty, $695 per person or 2.5 percent of income—whichever is higher. Per the Congressional Budget Office’s November 2017 analysis, “Repealing the Individual Health Insurance Mandate: An Updated Estimate,” the repeal of the individual mandate in 2019 would increase the number of uninsured Americans by approximately 4 million in 2019. This figure is expected to grow to 13 million in 2025 and to remain at that level through 2027.

An increase in the number of uninsured Americans would contribute to increased uncompensated care (charity care and bad debt) for hospitals and health systems. As a result, hospitals may want to consider adjusting their charity care policies to limit or exclude assistance for patients who qualify for subsidized Affordable Care Act, Medicaid or other coverage but choose not to seek to obtain it.

2. Tax-exempt health systems will now be liable for a new 21% excise tax on employee compensation exceeding $1 million paid to their five (5) highest-paid employees. This new provision could be particularly problematic for larger systems with multiple tax-exempt entities, because they could have to pay this excise tax on the highest-paid employees in each entity.

The new excise tax on high-earning employees does not apply to compensation for the direct provision of professional medical services (i.e., physicians providing patient care services). These organizations, however, will need to report the portion of compensation for physician executives that relates to patient care services versus management duties and responsibilities.

3. For-profit health systems are now more limited in their ability to deduct False Claims Act settlements. For a portion of such settlements to be deductible, defense attorneys must identify the portion to be deductible in settlement documents or court orders.

4. For-profit health care organizations’ ability to deduct interest payments is capped at 30% of adjusted taxable income starting in 2018. As a result, such companies may consider taking steps to reduce their outstanding debt obligations.

5. Tax-exempt health systems will no longer be able to offset income from unrelated business activities with losses from other unrelated business activities.

6. Publicly traded hospital companies will have to take the tax law changes into account for their 2017 financial statement audits. The Securities and Exchange Commission recently said companies can provide reasonable estimates in their audited statements of the impact of the Act and will be provided extensions to complete these 2017 audits.


Appeals Court Affirms Breach of Recruitment Agreement Against Physician

The U.S. Court of Appeals (8th Circuit) recently affirmed the grant of summary judgment by the District Court for the Western District of Arkansas to Johnson Regional Medical Center (“JRMC”) in a breach of contract action against Dr. Robert Halterman, a former employee physician.  Halterman was ordered to pay JRMC $64,931.81 in principal, interest, attorney fees, and additional costs for breaching a recruitment agreement (including an employment agreement and a promissory note) entered into with JRMC.

JRMC and Halterman entered into a recruitment agreement in which JRMC provided Halterman with a $50,000.00 signing bonus, payable in monthly installments. The monthly payments were to be forgiven so long as Halterman remained an employee of JRMC and remained in full compliance with the terms of the recruitment agreement.  Under their terms, the recruitment agreement and the promissory note obligations were to remain in effect until the final payment on the note was either made or forgiven.

Halterman worked for JRMC for a short period prior to resigning, due to an alleged shoulder injury and an alleged misrepresentation by JRMC regarding on-call obligations of the position. Upon his resignation, JRMC informed Halterman that the monthly forgiveness of the promissory note would cease and that he was obligated to begin making payments on the principal amount of the note ($37,894). Halterman did not make any payments toward this obligation and JRMC brought a lawsuit against him for breach of contract. The trial court ruled in favor of JRMC and issued a judgment in the amount of $64,931.82 (principal, interest, attorney fees and additional costs) against Halterman.

Halterman appealed the trial court’s decision, alleging that JRMC fraudulently induced him into signing the agreements by misrepresenting the on-call requirements of the OB-GYN position. He also claimed that his performance under the agreements was excused due to his shoulder injury, which impaired his ability to perform his duties as an OB-GYN.  The latter claim was contradicted by the fact that he accepted employment as an OB-GYN shortly after resigning from JRMC.

The Eighth Circuit rejected Halterman’s arguments, holding that he was contractually obligated to return the remainder of the principal amount of $37,894. The court also affirmed the lower court’s award of attorney fees and costs against Halterman, based on the promissory note provision allowing JRMC to collect reasonable costs and expenses incurred in collecting the balance due thereunder.


Revenue Recognition Rule Changes Could Trigger an Increase in Fraud Inquiries

A new accounting rule, known as ASC 606, was adopted recently by the U.S. Financial Accounting Standards Board and the International Accounting Standards Board.  This new rule requires fundamental changes to the manner in which health care organizations will report revenue.  The rules go into effect for public companies in 2018 and for all other companies in 2019.  These changes to revenue recognition rules could create an increase in healthcare fraud investigations and prosecutions, as various healthcare industry sectors (including hospitals, physician practices, skilled nursing facilities etc.) transition from fee-for-service to value-based payments.

Upon the effective date of ASC 606, virtually all of the revenue recognition guidance previously applied by health care organizations is superseded.

Industry observers are concerned that health care organizations, in seeking to report on various quality measures under value-based payment methods (e.g., bundled payment arrangements, shared savings arrangements), would potentially be violating the Federal False Claims Act were they to misstate their achievement of certain performance obligations. Any claim that is submitted with an overestimation of a quality index resulting in excess reimbursement could be construed as a false claim. To be sure, processes will need to be agreed upon by providers and payors that will allow for periodic reconciliation of any such estimating errors.

In the recent past, attestations used to garner incentive payments from CMS for the “meaningful use” of electronic health records have been challenged by government enforcement agencies as false claims because the attestations themselves were found to be inaccurate.  It is expected that similar problems could arise for health care organizations in financial reporting for value-based payments under these revenue reporting rules.

These new revenue recognition rules will have a dramatic effect on the already complex world of governmental and non-governmental reimbursements.  Health care organizations will need to evaluate the nature and scope of the changes required to comply with current revenue and financial reporting processes and systems to minimize the risk of false claim allegations.


New York Hospital Management Company Agrees to $4 Million False Claims Act Settlement Arising from Stark Law Improprieties

On September 13, 2017 the Justice Department announced that MediSys Health Network Inc. (“MHS”) agreed to pay $4 million to settle allegations that it violated the False Claims Act by engaging in improper financial relationships with referring physicians. MHS owns and operates Jamaica Hospital Medical Center and Flushing Hospital and Medical Center in Queens, New York.

The settlement resolves allegations that the MHS hospitals submitted false claims to the Medicare program for services rendered to patients referred by physicians with whom the MHS hospitals had compensation arrangements that did not comply with the requirements of the Stark Law. The claims settled by this agreement are allegations only, and there has been no determination of liability.

The lawsuit was filed by Dr. Satish Deshpande under the qui tam, or whistleblower, provisions of the False Claims Act, which permit private citizens to bring suit on behalf of the United States and share in the resultant recovery. Dr. Deshpande will receive $600,000 as his share of the recovery.

The case, United States ex rel. Deshpande, et al. v. The Jamaica Hospital Medical Center, et al., Case No. 13-cv-4030 (E.D.N.Y.), was handled by Senior Trial Counsel David T. Cohen of the Civil Division’s Commercial Litigation Branch, Assistant U.S. Attorney Kenneth M. Abell of the U.S. Attorney’s Office for the Eastern District of New York and Associate Counsel David Fuchs from HHS-OIG.

This settlement demonstrates that Stark Law prosecutions, and the resultant False Claims Act fines and penalties, remain an important weapon in the Justice Department’s enforcement arsenal.

The Bodenger Law Firm is a boutique legal practice providing specialty legal services to a wide range of healthcare providers.

Our extensive experience and comprehensive understanding of the healthcare delivery system makes us unique in our ability to assist clients in achieving their business objectives while ensuring compliance with relevant healthcare laws and regulations.

Our Firm mission is to provide legal services at least equal to “big firm” quality standards, at a fraction of the cost through extremely competitive hourly rates, as well as fixed fee, retainer-based and other creative billing arrangements.


CMS Launches New Fraud Audit Initiative

Earlier this month, the Centers for Medicare & Medicaid Services (“CMS”) introduced plans to implement a new strategy for fraud audits used by Medicare administrative contractors (“MACs”). Under the new program, MACs will target only those providers and suppliers with the highest claim error rates or billing practices that vary significantly from their peers. Current processes permit MACs to largely flag and challenge claims at random, which has led to a crushing backlog of pending appeals. The new program is designed to address such concerns.

It is expected that this new audit strategy will result in fewer providers and suppliers being subject to Medicare investigations for improper billing practices. This new audit process augments CMS efforts started in 2014 for “probe and educate reviews”, which combined a claims review with education to help reduce errors in billing practices. CMS has found that claim errors tend to decrease after providers and suppliers receive education.

CMS plans to launch the audits in all MAC jurisdictions before the end of 2017.


Bipartisan Efforts to Address Healthcare Issues

On Tuesday, August 1, 2017, the Senate Health Committee (the “Committee”) announced hearings, to take place in September, on the issue of stabilizing the individual health insurance market. The announcement of these hearings is in response to continued legislative efforts to repeal Obamacare and President Trump’s threats to stop paying insurance companies the cost-sharing subsidies, currently available under Obamacare, that reduce out-of-pocket expenses for low-income policyholders.

Republican Senator Lamar Alexander, Chair of the Committee, is working with Democratic Senator Patty Murray to make the hearings bipartisan. Congress must develop a solution before September 27th, when insurers enter into contracts with the federal government over what insurance plans to sell on the exchange for 2018. If these subsidies are eliminated, then insurance companies will likely stop offering individual products through the exchange, which is likely to affect a large number of the 18 million Americans who obtain their insurance in this manner.

In addition, a group of around 40 Republicans and Democrats, known as the “Problem Solvers Caucus” (“PSC”), have endorsed a white paper outline of ideas directed toward making some major Obamacare improvements. While there is no formal legislative text at this time, PSC members are moving rapidly to garner broader support for their proposals in light of the most recent defeat of the Senate bill to repeal Obamacare and to force Republicans, once and for all, to stop trying to get rid of Obamacare.

The PSC proposal includes mandatory funding for the cost-sharing subsidies for low income policyholders; repeal of the medical device tax; and raising the threshold of the “employer mandate”, so that companies with 500 employees or more, rather than 50, are required to provide employee health insurance. PSC leadership has acknowledged that this initial proposal is an attempt to fix only certain pieces of Obamacare and should not be viewed as a “cure all” to its shortfalls.

The Committee and the PSC face a number of challenges. First, conservative legislators have made it clear that they are still in favor of repeal. In addition, House Speaker Paul Ryan’s office has stated that a bipartisan healthcare proposal would not be approved by the House anytime soon. At the same time, however, other GOP members are insisting that it is time to leave “repeal and replace” behind and devote their efforts to reaching accord with the Democrats on smaller fixes before September 27th.


Centers for Medicare & Medicaid Services (“CMS”) overpaid an estimated $729 million under the Medicare and Medicaid Electronic Health Record (“EHR”) Incentive Program

According to a report issued last month by the Department of Health and Human Services’ Office of Inspector General (“OIG”) (the “Report”), the Centers for Medicare & Medicaid Services (“CMS”) overpaid an estimated $729 million under the Medicare and Medicaid Electronic Health Record (“EHR”) Incentive Program (the “EHR Incentive Program”) to physicians and other eligible professionals who did not actually comply with federal meaningful use requirements. In addition, the Report estimates that CMS mistakenly paid $2.3 million in EHR incentive payments to eligible professionals who switched incentive programs. These overpayments represent approximately twelve percent (12.0%) of total Medicare/Medicaid spending.

Since the Report’s issuance, several professional associations have voiced concern over the prospect of CMS seeking to recover these overpayments. The primary issues raised by these groups (including Medical Group Management Association, American College of Physicians, American Medical Association, American Osteopathic Association) relate to whether the results of the Report stem from these professionals receiving improper payments or their failing to provide sufficient proof during the audit process.

As an example, one of the requirements tested in the Report was having clinical decision alerts.  To meet the requirements, the randomly sampled providers were required to have five (5) such alerts.  An example alert is for the EHR system to flag high medical dosage(s).  During an audit, a provider may be able to demonstrate that the alerts were working at a point in time, but it would be impossible to prove that these alerts were in effect during the entire meaningful use reporting period unless the provider had taken a screenshot of the alert every day of the reporting period.

At this point, it is not entirely clear that providers need to be concerned about CMS trying to recoup these overpayments. In a written statement following the Report’s release, CMS stated that “…this administration is committed to turning the page and ushering in a new era of accountability. We stand committed to safeguarding federal funding by leveraging proven and new program integrity tools to prevent and identify waste, fraud and abuse.”

So, for the time being, at least, it appears that CMS will not take action to recover these overpayments.  Nonetheless, it will continue to be important for healthcare professionals to make good faith efforts to satisfy these meaningful use requirements and have the evidence to support such attestations when audits are performed.


Key Takeaways in Recent HIPAA Settlements

Over the past several months, a steady stream of security breaches, coupled with a number of settlements recently announced by the U.S. Department of Health and Human Services – Office for Civil Rights (“OCR”), has put healthcare providers on high alert. Several OCR decisions, including a $5.5 million settlement with Memorial Healthcare System last month, have highlighted the legal implications of security breaches in the wake of a record-setting year of hackers targeting the healthcare industry. The costs associated with a breach will likely far exceed any settlement with OCR, because the significant majority of corrective action plans require providers to hire independent, third-party investigators to assess HIPAA compliance.

In reviewing some of the more significant settlements during the past several months, four (4) distinct themes seem to be evolving regarding the nature and scope of these breaches, which can be summarized as follows:

  • business associate agreements between providers (as covered entities) and vendors (as business associates) are an important target for OCR enforcement actions;
  • failure to conduct or implement the findings from a risk assessment required by HIPAA can lead to significant fines and penalties over and above standard amounts of $1.5 million;
  • “cloud service” providers are liable for failing to protect PHI; and
  • OCR will take an organization’s failure to report a breach very seriously.


The healthcare industry has received substantial criticism over the past year for cybersecurity failures.  Therefore, it is critical for security concerns to be handled on a timely basis at the executive level and with the full involvement of the organization’s board.


Attorney George W. Bodenger


  • Member, American Bar Association, Health Law Section
  • Member, American Health Lawyers Association
  • Member, American Health Lawyers Association Accountable Care Organization Task Force.


  • J.D., Temple University James E. Beasley School of Law
  • M.B.A., Drexel University, summa cum laude
  • B.S., Pennsylvania State University

Bar Admission(s)

  • Pennsylvania
  • New Jersey

