Report on Medicare Compliance 30, no. 32 (September 13, 2021)

◆ Saint Francis Medical Center in Missouri agreed to pay $1.625 million in a civil settlement of allegations it violated the Controlled Substances Act, the U.S. Attorney’s Office for the Eastern District of Missouri said Sept. 1.^[1] According to the U.S. attorney’s office, Saint Francis employed Farmington physician Brett Dickinson, who allegedly “wrote prescriptions for controlled substances without legitimate medical purposes and outside the usual course of professional practice.” The hospital, through Dickinson’s actions, “issued invalid prescriptions for opioids such as morphine, hydromorphone, and oxycodone,” the U.S. attorney’s office alleged. “Dickinson prescribed these opioids to patients simultaneously with muscle relaxers and benzodiazepines.” These drugs enhance “the addictive, euphoric effects of opioids and, as a result, are commonly sought-after in combination with opioids by individuals with substance abuse disorders and individuals who seek to use opioids recreationally.” Dickinson allegedly prescribed them “while ignoring warning signs of drug diversion or misuse, including aberrant urine drug test results and patients’ previous hospital treatment for medical problems related to drug misuse.” The hospital cooperated with the government’s investigation.

◆ CMS is recouping the 2019 payments it made to hospitals under the site-neutrality payment policy for off-campus outpatient clinic visits at provider-based departments, according to the MLN Connects posted Sept. 9.^[2] CMS will begin reprocessing claims Nov. 1 after its position on site neutrality was upheld by the U.S. Court of Appeals for the D.C. Circuit in July 2020. CMS implemented the site-neutrality policy in the 2019 outpatient prospective payment system regulation, but when it was overturned by a federal district court, CMS refunded the payments to hospitals. Now that CMS has won its appeal, it’s taking back the money.

◆ The Biden-Harris administration said July 9 it will “require COVID-19 vaccination of staff within all Medicare and Medicaid-certified facilities to protect both them and patients from the virus and its more contagious Delta variant.”^[3] An emergency regulation that mandates vaccines for nursing home workers will be expanded to hospitals and other facilities as a condition of participation.

◆ The FBI is warning organizations that Hive ransomware, which uses mechanisms such as phishing emails with malicious attachments and remote desktop protocol to access and move through victim networks, exfiltrate and encrypt files, is on the rise. This ransomware variant creates significant challenges for defense and mitigation, according to the FBI. Hive ransomware seeks processes related to backups, anti-virus/anti-spyware and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a “.hive” extension. After compromising a victim network, exfiltrating data and encrypting files, the actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site “HiveLeaks.” The note contains a “sales department” link, accessible through a Tor browser, that enables victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files, the FBI said. The initial deadline for payment ranges between two and six days, but the FBI reported that actors have prolonged the deadline in response to contact by the victim company.^[4]

1 Department of Justice, U.S. Attorney’s Office for the Eastern District of Missouri, “Southeast Missouri healthcare system agrees to pay $1,624,957.67 to resolve allegations that physician wrote invalid prescriptions,” news release, September 1, 2021, https://bit.ly/38Zj0Zj.
2 CMS, “Outpatient Clinic Visit Services at Excepted Off-Campus Provider-Based Departments: Payment Update,” MLN Connects, September 9, 2021, https://go.cms.gov/3zTOhc2.
3 CMS, “Biden-Harris Administration to Expand Vaccination Requirements for Health Care Settings,” news release, September 9, 2021, https://go.cms.gov/3CbVViX.
4 “FBI alerts organizations to new ransomware threat,” American Hospital Association, August 25, 2021, https://bit.ly/3DE6ahb.

[View source.]