Health care gets a ‘D’ in cybersecurity, but no one scores high

The health care sector scored a ‘D’ grade in overall cybersecurity for 2016, but other industries didn’t fare much better, with the retail sector scoring a high ‘C,’ according to Tenable Network Security. Cybersecurity experts in most industries showed decreased confidence in their industry’s ability to assess risks and mitigate threats. New and increased challenges, including new platforms and environments and continued use of mobile devices, contributed to the decrease.

Tenable asked 700 security practitioners from seven industries and nine countries about their attitudes and beliefs toward security defenses, rather than actual effectiveness. Health care security professionals’ average confidence level in their risk assessments was only 54 percent, down 18 percent from Tenable’s 2015 report. Professional were more confident in their ability to mitigate threats through security assurances, showing an average 76 percent confident level, an increase of 1 percent from 2015. They were most comfortable in their ability to convey risks to executives and board members, measure security effectiveness, and view network risks continuously. However, a common theme across industries and countries were professionals’ concerns that the executive level did not responds effectively once given information about risks.

Tenable noted health significant health care sector weaknesses in assessing mobile devices. Confidence in risk assessment for mobile devices dropped 8 percent across all industries from 2015, and the web application security rating dropped 18 percent, the largest drop in any risk assessment category. The health care sector also showed weakness in assessing risks with respect to two new categories, developmental operations (DevOps) environments and containerization platforms. DevOps is a set of practices that emphasizes collaboration and communication between software developers and other information-technology (IT) professionals that also includes an automation component with respect to software delivery and infrastructure changes. Containerization technologies allow multiple isolated systems to run on a single control host by packing them in a “container” within their own operating environment.

Highlight on Alabama: Class action against state alleges inadequate prison mental health care

Focus on the issue of accessibility to quality mental health care has been growing in recent years, and the state of Alabama is facing intense scrutiny for the possible failure to treat mentally ill inmates. A federal trial began on December 5, 2016, in which dozens of inmates are expected to testify.

This trial is one part of a larger suit filed by the Southern Poverty Law Center (SPLC) in 2014 alleging that overall, medical care in the state’s prisons is below constitutional standards. Claims that the Department of Corrections (DOC) failed to accommodate prisoners with physical disabilities were previously settled, with the DOC agreeing to improve its facilities.

U.S. District Judge Myron Thompson granted class action status to the mental health portion of the case in November 2016,  noting that the failure to provide funding for staff creates an Eighth Amendment violation, even if this is caused by a lack of available money.

The claims currently being heard allege that the mental health care, provided through the contractor MHM Correctional Services, fails to provide enough providers to offer care, including psychiatrists, psychologists, and nurses. Additionally, the lack of security staff causes interruptions in care. This results in failing to identify mentally ill inmates and properly diagnose the severity of illness in those who are identified. These issues have led to a failure to prescribe medication, manage side effects, offer adequate counseling, and properly monitor and treat inmates who are suicidal and self harm.

According to a local news report, the first inmate witness had been in prison for six years and is currently at the Donaldson Correctional Facility. He testified that he had physical and mental illnesses and was prone to self harm, but he only sees mental health staff approximately every two months for sessions lasting about five or 10 minutes.

SPLC stated that other expected witnesses include a Dr. Kathryn Burns, a mental health expert who has inspected nine Alabama prisons and their mental health procedures.

This suit is not the only attention Alabama’s prisons are currently receiving. In October 2016, the Department of Justice began a statewide investigation into the conditions in Alabama’s prisons. This investigation is to focus on efforts to protect prisoners from abuse and excessive force at the hands of other prisoners or correctional offers, as well as the provision of sanitary, secure, and safe living conditions.

‘Don’t wait, facilitate!’ HCCA webinar encourages Medicare settlement

Providers should rely on settlement and facilitation processes when resolving Medicare audit appeals, according to a Health Care Compliance Association (HCCA) webinar presented by health care attorney Andrew Wachler of Wachler & Associates, P.C. In addition to providing advice regarding appeal processes and strategy, Wachler encouraged providers to rely on the newly reopened hospital appeals settlement process and the Settlement Conference Facilitation (SCF) Pilot.

Settlement process

CMS reopened the hospital appeals settlement process, allowing eligible hospitals to settle inpatient status claim appeals in exchange for timely partial payments (66 percent of net allowable amount). The settlement process is available, as of December 1, 2016, and the deadline for hospitals to submit an expression of interest is January 31, 2017. Eligible claims include claims denied by CMS on the basis that services may have been reasonable and necessary while treatment on an inpatients basis was not. Additionally, the settlement applies to claims with dates of admission prior to October 1, 2013.


In his discussion of the SCF pilot process, Wachler admonished listeners: “don’t wait, facilitate.” The SCF pilot was designed to bring CMS and an appellant together to discuss the potential for settlement of claims appealed to an administrative law judge (ALJ). When a settlement cannot be reached under the process, claims return to the ALJ level. Under Phase I of the program, which began in June 2014, the pilot facilitated settlements of Medicare Part B claim appeals, for ALJ hearing requests filed in 2013. In Phase I, the pilot resolved over 2,600 unassigned Part B ALJ Appeals. Phase II expanded the pilot in October 2015 for additional Part B claims and the program was further expanded for Part A claims in February 2016. However, each phase imposed specific claim eligibility requirements, regarding the kinds of claims at issue and the amount in controversy. Wachler noted, unlike the hospital settlement process, which mandates a 66 percent settlement rate, the SCF pilot allows providers to reach an agreement regarding the amount of the settlement.

ALJ appeals

In circumstances where settlement or facilitation is not available, providers may be forced to resolve claims before an ALJ. Wachler offered the following best practices for ALJ appeals:

  • prominently list Medicare Appeal Number on the request;
  • ensure beneficiary information matches Medicare Appeal Number;
  • list beneficiary’s full identification number;
  • include first page of the qualified independent contractor (QIC) decision or prominently list full name of the QIC;
  • document proof of service to other parties;
  • do not submit a courtesy copy to the QIC
  • submit only one request per Medicare Appeal Number;
  • mail requests via tracked mail to the Office of Medicare Hearings and Appeals (OMHA) Central Operations;
  • do not submit evidence already submitted at a lower level;
  • do not attach evidentiary submissions or submit additional filings to OMHA Central Operations; and
  • submit directly to the ALJ when an ALJ is assigned.

Additionally, Wachler recommended the OMHA case-processing manual as an important resource regarding ALJ process for any parties appealing to the ALJ level.

DOJ announces New Jersey Medicare and Virginia Medicaid fraud schemes

The U.S. Department of Justice (DOJ) announced that (1) a New Jersey woman has pled guilty in a $1 million Medicare fraud scheme that deceived seniors into unnecessary DNA tests, and (2) three Bristol, Virginia individuals have been indicted for fraudulently billing over $350,000 to Virginia Medicaid for services under the Virginia Medicaid Intellectual Disability (ID) waiver program that were not provided.

New Jersey fraud

Sheila Kahl, 44, admitted that she wrongfully accessed protected health information (PHI) and paid kickbacks to healthcare professionals on behalf of a Medicare fraud scheme involving a purported non-profit, The Good Samaritans of America. Sentencing is scheduled for March 14, 2017.

A DOJ press release from the District of New Jersey, based on the criminal information and court statements, alleged that from July 2014 through December 2015, Seth Rehfuss, 42, of Somerset, New Jersey, Kahl, of Point Pleasant, New Jersey and others used. The Good Samaritans of America as front to present information about genetic testing to seniors in low-income housing projects.

In order to convince senior citizens to submit to genetic testing, Rehfuss allegedly used fear-based tactics, including suggesting the senior citizens would be vulnerable to heart attacks, stroke, cancer and suicide if they did not have the genetic testing. Rehfuss also allegedly claimed that the genetic testing allowed for “personalized medicine.”

Rehfuss was previously charged on December 2, 2015. The pending criminal complaint against Rehfuss contains mere allegations, and he is considered innocent unless and until proven guilty.

Virginia fraud

A grand jury, sitting in the Western District of Virginia, charged Deborah Branch, 64, Melissa Harr, 49 and Bryan Harr Sr., 40, with one count of health care fraud, one count of conspiracy to commit health care fraud, and two counts of wire fraud.

According to a DOJ press release from the Western District of Virginia, the indictment alleged that Melissa and Bryan Harr Sr., hired Branch to work with one of their children, who suffers from intellectual and physical disabilities and qualifies for services paid for by Virginia Medicaid, under the Virginia Medicaid’s ID waiver program. Branch was allegedly paid through two different Virginia Medicaid contractors.

The indictment further alleged that from January 2010 until September 2015, Branch submitted time sheets claiming she was providing services for Harr’s disabled son when she was not. In exchange for assisting Branch in getting paid for work she did not do, Branch allegedly paid the Harrs approximately $200 every two weeks. Virginia Medicaid paid out $350,641.02 to two different Virginia Medicaid contractors, Public Partnerships, LLC and ResCare (formerly known as Creative Family Solutions), based on Branch’s time sheets, of which $207,854.43 was paid to Branch.