HIPAA Regulatory Alert

Former Cleveland Clinic worker charged with fraud

A former employee of the Cleveland Clinic and Health Management Associates and her cousin have been indicted by a federal grand jury in Miami on charges of identity theft, computer and health care fraud, and violating HIPAA in a conspiracy involving nearly $3 million in fraudulently submitted Medicare claims.

U.S. Attorney Alexander Acosta announced the eight-count indictment of Fernando Ferrer, Jr., and Isis Machado, whom he accused of stealing identification information from 1,100 patients and using it to falsely bill Medicare for $2.8 million in claims. Machado was employed at the Cleveland Clinic's Weston, FL, office from May 2005 until June 2006 as a front desk coordinator with access to confidential computerized patient information.

Prosecutors said Machado sold the information to her cousin, Ferrer, who owned Advanced Medical Claims, a Naples, FL, billing firm. In May 2006, the Cleveland Clinic sold its 70-bed hospital and 70-physician group practice in Weston to Health Management Associates, which also is in Naples. Prosecutors said the fraudulent practices continued after the sale.

The case reportedly is the first in south Florida and the third in the nation in which HIPAA violations are alleged for wrongfully disclosing private patient information.

Acosta said the case represented "an unwholesome criminal trilogy of medical privacy violations, identity theft, and health care fraud. In a rapidly expanding world of electronic medical records, preserving the privacy and integrity of confidential patient information is critical."

The two could be sentenced to 30 years in prison and fines totaling $750,000 each.

Acosta praised the Cleveland Clinic for reporting the incident quickly and cooperating in the federal probe. Cleveland Clinic spokeswoman Eileen Sheil issued a news release saying that the actions Machado was charged with were unauthorized and potentially criminal. She also said the identities of the 1,100 patients could be at further risk.

"The Cleveland Clinic deeply regrets this incident as patients and visitors place their trust in our employees and staff," Sheil said.

GAO finds many agency privacy breaches

According to the Government Accountability Office (GAO), some 40% of health insurance contractors and state Medicare/Medicaid offices experienced data breaches in the last two years. GAO made the finding in an analysis of domestic and offshore outsourcing of personal information in the Medicare, Medicaid, and Tricare programs.

GAO did the study because federal contractors and state Medicaid agencies may contract with vendors to perform services involving use of personal health data, and thus outsourcing and privacy protections are of interest.

The agency surveyed all federal Medicare and Tricare contractors and all state Medicaid agencies (a combined total of 378 entities) to examine whether they (1) outsource services and (2) must notify federal agencies when privacy breaches occur.

Survey response rates ranged from 69% for Medicare Advantage contractors to 80% for Medicaid agencies. Among those that completed GAO's survey, more than 90% of Medicare contractors and state Medicaid agencies and 63% of Tricare contractors reported some domestic outsourcing in 2005. Typically, the report says, survey groups reported engaging from three to 20 U.S. vendors. One federal contractor and one state Medicaid agency reported outsourcing services directly offshore. However, some federal contractors and state Medicaid agencies knew that their domestic vendors had initiated offshore outsourcing.

Some 33 Medicare Advantage contractors, two Medicare fee-for-service contractors, and one Medicaid agency indicated that their domestic vendors transfer personal health information offshore, although they did not provide information about the scope of personal information transferred offshore.

GAO said the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors.

"In responding to GAO's survey, over 40% of the federal contractors and state Medicaid agencies reported that they experienced a recent privacy breach involving personal health information," the GAO report said. "By survey group, 47% of Medicare Advantage contractors reported privacy breaches within the past two years, as did 44% of Medicaid agencies, 42% of Medicare fee-for-service contractors, and 38% of Tricare contractors."

GAO recommended that the Centers for Medicare and Medicaid Services (CMS) require state Medicaid agencies and all Medicare contractors responsible for safeguarding personal health information to notify CMS of privacy breaches. That type of requirement already exists for Tricare and Medicare fee-for-service contractors, the report said.

CMS concurred with the GAO recommendation and cited examples of what it already was doing to make the change. The Department of Defense also concurred with the findings as they applied to Tricare.

The report said a privacy breach occurred in 2004 when a vendor hired to collect data from patient surveys in California outsourced the task to another vendor, who designed a survey in such a way that patients could see others' personal information. An offshore vendor for another project reportedly blackmailed the agency with threats of disclosing patients' personal information unless they received payment for their transcription services.

The report is available on-line at http://www.gao.gov/cgi-bin/getrpt?GAO-06-676.