Two Health Care Developments During the Holiday Season

Saul Ewing LLP

In December 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $480,000 settlement with a Louisiana medical group following a phishing incident. In 2021, the medical group filed a breach report with HHS stating that a hacker – through a successful phishing attack – gained access to electronic protected health information (“ePHI”) contained in one of its email accounts.

What You Need to Know:

  • Phishing incidents continue to challenge health care providers.
  • HIPAA Security and Privacy Rule compliance remains imperative.
  • Remote patient monitoring (RPM) can provide benefits for patients, but dishonest companies offering RPM may receive federal enforcement scrutiny.

OCR’s investigation found that, before the 2021 breach, the medical group had not conducted the risk analysis required by the HIPAA Security Rule and had never implemented procedures to regularly review records of activity in its information systems (for example, audit logs and access reports).

Because the medical group could not identify which patients were affected by the phishing incident, it notified all of its approximately 35,000 patients. In addition to paying the $480,000 settlement amount, and without admitting wrongdoing, the medical group entered into a two-year corrective action plan (“CAP”) with OCR. Pursuant to the CAP, the medical group agreed to:

  • improve its ePHI security management process;
  • revise its policies and procedures;
  • distribute its updated policies and procedures to its workforce; and
  • provide training to its workforce regarding the HIPAA Privacy Rule and Security Rule requirements.

In its press release announcing the settlement agreement, OCR highlighted the risks from phishing attacks. OCR noted that over 89 million individuals were affected by large HIPAA breaches in 2023, a significant increase from the 55 million individuals affected in 2022.

A copy of the OCR Resolution Agreement with the medical group can be reviewed here.

In November 2023, the HHS Office of Inspector General (“OIG”) released a consumer alert related to fraudulent remote patient monitoring (“RPM”) schemes. The OIG reported that Medicare beneficiaries have received unsolicited contacts seeking to set up monthly billing arrangements for remote patient monitoring, irrespective of whether the monitoring is medically necessary for the beneficiary.

As the OIG noted, “Legitimate RPM involves using medical devices such as scales, glucose monitors, blood pressure cuffs, cardiac rhythm devices, and other equipment to remotely monitor for anomalies in patients with chronic medical conditions.” The consumer alert warned that “unscrupulous” companies are contacting Medicare beneficiaries through unsolicited phone calls, internet ads, or television advertising and that, in many instances, no monitoring actually occurs while the beneficiary’s Medicare coverage is still billed monthly.

The OIG included several tips for beneficiaries, which providers should also be aware of:

  • The Medicare beneficiary’s trusted health care provider should approve any requests for equipment to address the individual’s medical needs.
  • Medicare beneficiaries should be cautious of unsolicited requests for Medicare information and, if anyone other than the beneficiary’s provider’s office requests Medicare information, they should not provide it.
  • If a Medicare beneficiary receives a call from someone offering a free brace that will be billed to Medicare, they should hang up immediately.
  • Medicare beneficiaries should review the Explanation of Benefits notices for any services not ordered.
  • Medicare beneficiaries who suspect Medicare fraud should contact the HHS-OIG Hotline.

HIPAA compliance will remain an important issue for all covered entities in 2024. Health care fraud remains a concern for OIG, particularly arrangements that prey on Medicare beneficiaries.

Economic headwinds continue to challenge the health care delivery system. This is not the time, however, to abandon or minimize compliance efforts or enter into arrangements that are not fully compliant with fraud and abuse laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP