Health Care Compliance Matters

A Complimentary Newsletter From:

Law Offices Of David S. Barmak, LLC

Managing Risk for Long Term Care and Health Care Providers


Volume 14, Issue 1                            ADVERTISEMENT                                  JANUARY 2013

In This Issue
Congress Extends Period of Time During Which Medicare Contractors Can Attempt to Collect Overpayments
Accepting the Inevitable
OCR Cracking Down on Minor HIPAA Violations


                  Find us on Facebook Follow us on Twitter

David Barmak, Esq.


Matthew Streger, Esq.


Brandon Goldberg, Esq.


Jennifer Cohen
Jennifer Cohen, Esq.
Aaron Rubin
Aaron Rubin, Esq.





Click on Attorney's Name
 for More Information
Register to Receive Our
Health Care Compliance Matters Newsletter
Join Our Mailing List
Congress Extends Period of Time During
Which Medicare Contractors Can
Attempt to Collect Overpayments


Congress on New Year's Day passed the "American Taxpayer Relief Act of 2012," (ATRA), the main purpose of which was to freeze automatic tax increases and federal budget cuts that were to have taken effect on January 1, 2013. Also known as the "fiscal cliff," ATRA has imbedded in it a mistakable continuing bias that most healthcare providers commit fraud and that attempts to prevent and recoup "ill -gotten reimbursements" justify the government to do whatever it needs to in order to successfully get back that money.



This act passed by Congress includes some unrelated changes to the Medicare and Medicaid programs. Notable in support of the long-standing federal government's bias, ATRA extends the period of time during which Medicare contractors can attempt to collect over payments from three years to five years.  Arguably the top worry that keeps healthcare providers up at night is being audited by Medicare contractors benefiting on a contingency basis from the recoupments of allegedly "ill -gotten reimbursements". This extension from three years to five years no doubt in some situations will be warranted; however, the overall message that Congress has sent with this provision is that Medicare contractors are doing well, regardless of the means employed to achieve the end, and therefore can expand their purview from three to five years of reimbursements.   


As Will Rogers once said, "Even if you're on the right track, you'll get run over if you just sit there."


Healthcare providers must intensify their efforts to maximize the protections available under the Patient Protection and Affordable Care Act, also known as Obamacare.  One of these protections is an effective compliance program that creates a mechanism for the discovery of violations before they get out of hand and often before they are discovered by government enforcement authorities.  If an organization's compliance program uncovers a violation of law, it is easier for the organization to self-report. If this is done prior to an imminent threat of disclosure or government investigation, within a reasonably prompt time of discovering the violation and the provider cooperates and accepts responsibility, the potential penalties could be
less severe.


If you have any questions concerning establishing an effective compliance program please contact Jennifer Cohen, Esq. at
609- 454-5351 or


Accepting the Inevitable



In many ways, perfection is critical when dealing with the health and well-being of residents and patients. However, no person is perfect, and no facility is perfect.  Mistakes are inevitable, and how you respond to mistakes will often determine how significant the government considers the situation to be. The mistake might be a medication error, a privacy violation, or an employee problem. You may have discovered the mistake through your auditing process, by a complaint from an employee or client, or through accidental but fortunate exposure. Once that happens, the government will judge you in large part by what happens next.


You want to ensure three things occur upon the discovery of a mistake:


1. That the mistake itself is corrected.

2. That preventative measures are taken to ensure the mistake does not happen again.

3. That appropriate disciplinary actions are taken against any employees who were responsible.


These three actions demonstrate an effective response. Such a response would show government investigators that the provider recognizes the need to change something and act accordingly. Under new Federal guidelines, correcting mistakes can mean a mandated decrease in penalties.  Any such efforts should be fully documented and carried out as consistently as possible when compared to other situations. If the situation is reportable, then such a report should be made promptly. Policies and procedures should be reviewed and updated as necessary to limit recurrences. Employees who made a mistake should be treated in a proportionally consistent manner as employees who had made previous errors.


Perhaps the worst action a provider can take is to try and cover up the mistake. As the old Nixon adage goes, it's the cover up that will get you in the end. Be sure to accept the mistake that has occurred and deal with it head on. Efforts at covering up mistakes often fail and result in much for significant repercussions for the provider.


To ensure the most appropriate response, an effective Affordable Care Act compliance program should be in place well before a mistake occurs. If you have any questions concerning establishing such a program or addressinga particular mistake that has occurred, please contact Brandon Goldberg, Esq. at 609-454-5351 or


OCR Cracking Down on

Minor HIPAA Violations


The Department of Health and Human Services' Office for Civil Rights (OCR) has recently started ramping up penalties and sanctions for HIPAA violations. In fact, if a recent case is any indication, the OCR has even started imposing penalties on facilities for relatively small breaches of HIPAA rules and regulations.


On December 28, 2012, the Hospice of North Idaho settled a case brought by the OCR for a HIPAA violation stemming from the June 18, 2010, theft of an unencrypted laptop computer from an employee's car parked at her home. The computer contained the protected health information (PHI) of 441 of the hospice's residents. The OCR found the hospice at fault for not previously conducting an accurate and thorough inquiry into the risk to the confidentiality of electronic PHI. Specifically, the OCR faulted the hospice for not evaluating the likelihood and potential risks with regard to PHI transmitted via portable devices, addressing those risks, and implementing reasonable and appropriate security measures designed to prevent such breaches.


As part of its settlement agreement, the hospice agreed to pay a $50,000 fine and to institute, going forward, a corrective plan of action to prevent similar occurrences. Pursuant to the corrective plan, the hospice pledged to improve its HIPAA Privacy and Security compliance program by encrypting all hospice laptops, strengthening password enforcement, and providing ongoing HIPAA privacy and security training to its employees.


The hospice credited its relatively low fine, which was lower than the standard penalty usually imposed in similar cases, to the fact that it took immediate corrective action. Indeed, immediately upon learning of the breach, the hospice conducted a risk assessment, developed a corrective plan of action, and hired information technology and human resources industry experts to implement these new policies and procedures.


The lesson learned from this case is that to avoid exposure to HIPAA violations, healthcare providers should take proactive steps to address potential problems. Had the hospice invested a comparatively small amount of money in implementing encryptions and comprehensive privacy policies and procedures to prevent a breach of PHI, its costs would have been much lower. In the current government regulatory climate, providers need to recognize that simply conducting sporadic risk assessments will likely be insufficient for HIPAA compliance. Consequently, to avoid potential liability, providers should put in place policies and procedures designed to prevent potential HIPAA breaches.


If you have any questions about HIPAA compliance or data security requirements, please contact Jennifer Cohen, Esq. at 609-454-5351 or

Law Offices Of David S. Barmak, LLC

Our firm is dedicated to helping health care providers, such as skilled nursing facilities and other health care providers, and the suppliers of products and services to those providers, manage risk through comprehensive compliance programs that focus on early intervention through on-site training, communication, policy & procedure review, monitoring and consultation. The program includes on site auditing and training in the areas of, but not limited to, fraud & abuse, HIPAA privacy & HITECH data security, employment, emergency preparedness, workplace violence, clinical documentation, sexual harassment and social networking.


The firm's compliance team includes experienced compliance attorneys, nurses, physical therapists, pharmacy consultants, information technology specialists, nurse practictioners, administrators, orthotists & prosthetists and EMS professionals, who are available to assist clients with pre and post Department of Health (DOH) survey procedures, respond to DOH questions, prepare for re-inspections, minimize risks for deficiencies, offer support to Directors of Nursing regarding accurate care plans, incident and accident reports and therapy notes, review Medicare billing and audit PPS/Medicare/Medicaid insurance documentation.


The recipient may, if the newsletter is inaccurate or misleading, report the same to the Committee on Attorney Advertising.


This newsletter has been prepared by the Law Offices Of David S. Barmak, LLC for informational purposes only and is not intended to provide legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established.


For more information, please contact David S. Barmak, Esq.:

Telephone (609) 454-5351

Fax (609) 454-5361

Copyright, 2013.  Law Offices Of David S. Barmak, LLC.  All rights reserved.
No portion of these materials may be reproduced by any means without the advance written permission of the author.