Copyright: / 123RF Stock Photo

This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry, and the lengths to which some people will go to make money by “gaming” the system are both fascinating and alarming. Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes to $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

* Social security number
* Driver’s license number or State identification card number
* Address
* Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law. “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tablets or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA.  For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier.  A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") relating to health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan’s proposed Funding Table is as follows:

| | Total Appropriated (Dollars in Millions) |
|---|---|
| Privacy and Security* | $ 24.285 |
| National Institute of Standards and Technology (NIST) | |
| Regional HIT Exchange | |
| Total towards HIT | $ 2,000.000 |

* Includes 9.5 Million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 Million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the Third Quarter of 2009, or around September 2009! If completed according to schedule, then the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations for implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS’ Recovery Website.

On December 15, 2008, the Division of Consumer Affairs ("DCA") published its Notice of Pre-Proposed Rule for "Identity Theft, Written Security Programs and Violations."  Comments to the Pre-Proposed Rule are due February 13, 2009.

The pre-proposed Subchapter 3 seeks to require every business and every public entity to implement a comprehensive written information security "program" that includes administrative, technical and physical safeguards for the protection of individuals’ social security numbers, driver’s license numbers, state identification card numbers, or an account or credit or debit card number in combination with a required code or means of access to that account (defined as "Personal Information"). Also "pre-proposed" are specific procedures for handling security breach incidents, including when and what agencies and individuals must be notified, and what information must be included in that notification.

The original draft of Subchapter 3 was pulled when the regulations proposed pursuant to the Identity Theft Prevention Act were adopted last year on April 7, 2008, due to numerous comments submitted in opposition to that original draft. You can keep an eye out for the next draft to follow this "pre-proposed" version of Subchapter 3 on the NJ Division of Consumers website.

The National Health Information Network (NHIN) may get information moving as early as the first quarter of 2009.  In its December 16th Press Release, the Social Security Administration (SSA) indicates that it will begin receiving medical records for some disability applicants via the "MedVirginia" health information exchange (HIE) based in Richmond.  

SSA and MedVirginia were also among several federal agencies and HIEs that participated in demonstrations of the national network during the 3rd annual NHIN Forum in Washington D.C., which took place this December 15-16. Other federal agencies that are participating in the NHIN Trial Implementation include Centers for Disease Control (CDC), Veterans Administration (VA), Department of Defense (DOD) and Indian Health Service. There are also several other state HIEs that are actively participating in the NHIN Trial Implementation, including HIE networks from Indiana, North Carolina, Ohio, Delaware and West Virginia.

As I’ve posted before, New Jersey is actively working on developing its own state-wide HIE.  The New Jersey Health Information Technology (NJ HIT) Commission is charged with approving the plan for the creation of an infrastructure to move health information, in a confidential and secure manner, among participants in a state-wide RHIO.  On December 4, 2008, I participated in the first meeting of the NJ HIT Commission, which was both inspiring and daunting at the same time, with respect to the road that lies ahead.  Yet, I look forward to working together with the other Commission members during a time of potentially revolutionary changes to health care delivery in this State, and nationally.

Assemblyman Herb Conaway introduced legislation (A 3368) today that would establish an electronic Health Information Technology ("e-HIT") Fund to be used to implement the objectives of the Statewide health information technology plan. The Bill proposes that beginning April 1, 2009, and on a quarterly basis thereafter, each health care payer will pay a "technology reinvestment fee" into the e-HIT fund in an amount equal to 0.199% of one percent of all health care benefits claims paid by the payer for its New Jersey covered persons. Payers that fail to pay the technology reinvestment fee would be subject to penalties.

Not all health benefit plans will be subject to the fee, however.  The Bill excludes the following types of plans from having to pay the technology reinvestment fee:

  • Accident only
  • Credit
  • Disability
  • Long-term care
  • Workers’ compensation
  • Automobile medical payment insurance
  • PIP
  • Hospital confinement indemnity coverage
  • Medicaid
  • the New Jersey FamilyCare Program, and
  • any other State health care assistance program financed in whole or in part through a federal program, unless authorized by federal law and approved by the State.

Some have expressed concern that although private payers would bear the cost of the fee, significant savings that result from the implementation of a State-wide health information exchange would inure to excluded plans. 

Sustaining a RHIO once federal government HIT funding sources are no longer available is an issue that has led to the demise of dozens of RHIOs in previous years.  Congressman Conaway’s Bill attempts to address this issue.

Health Data Management reported yesterday that Horizon Blue Cross Blue Shield of New Jersey will commit up to $500,000 to help select hospitals in its New Jersey network adopt electronic medication history technology.  This would give physicians real-time medication histories when patients check into a hospital or emergency department.  Under the program, Horizon will pay for 85% of the costs of the technology up to $40,000 for each hospital.  Horizon expects up to eight hospitals to join its subsidy program by the end of the year.

I would assume that Horizon’s subsidy program for hospitals would need to comply with the requirements under the EHR safe harbor to assure that the arrangement is not found as potentially violating the federal Anti-kickback Statute. Under the safe harbor, a health plan is a protected donor, and a hospital a protected recipient, but several additional requirements must be met in addition to the hospital paying for 15% of the cost of the technology. It does not appear that the subsidy program would need to meet the equivalent Stark Exception where the recipients of the technology will be limited to hospitals, and so the Stark prohibition on physicians’ self-referrals should not be triggered.

More information on Horizon’s subsidy program, see and

In a June 10 HHS News Release, Secretary Mike Leavitt named the 12 communities that will participate in a 5-year national Medicare demonstration project that provides incentive payments to physicians for using certified electronic health records (EHR) to improve the quality of patient care (the "EHR Demo Project").  The communities selected to work with the CMS on the EHR Demo Project are:

  • Alabama
  • Delaware
  • Jacksonville, FL (multi-county)
  • Georgia
  • Maine
  • Louisiana
  • Maryland/Washington, DC
  • Oklahoma
  • Pittsburgh, PA (multi-county)
  • South Dakota (multi-state)
  • Virginia
  • Madison, WI (multi-county)

Over the five-year span of the project, total financial incentives and bonus payments provided to participating physician practices may be up to $58,000 per physician or $290,000 per practice.  Secretary Leavitt states:

"The use of electronic health records, and of health information technology as a whole, has the ability to transform the way health care is delivered in our nation [and] we believe that EHRs can help physicians deliver better, more efficient care for their patients, in part by reducing medical errors. This project is designed to demonstrate these benefits and help increase the use of this technology in practices where adoption has been the slowest at the individual physician and small practice level."

Although in some respects it is disappointing that New Jersey was not among the communities selected to be a part of the EHR Demo Project, perhaps it is an indication that physicians in this state are ahead of the curve with EHR adoption. If this is indeed the case, New Jersey may already be well on its way to improving patient care and reducing health care delivery costs through the use of technology … making it a "winner" too.


May 23 is the compliance date for the National Provider Identifier (NPI) to be used exclusively for electronic health care claims under HIPAA. Providers who do not use their assigned NPI after this date may find health insurers starting to reject and return electronic claims. Although millions of NPI numbers have been issued, it is unclear how many providers are in compliance. As a result, the next several weeks-to-months are likely to be bumpy as providers begin to find that claims they believe are compliant are rejected. Some commentators have predicted that if the industry experiences severe problems starting over the Memorial Day Weekend, CMS might relax the deadline. Health Data Management noted, however, that providers that get too many claim rejections may resubmit the claims on paper. That will enable providers to get paid, but slow the process considerably and adversely affect cash flow.

On May 13th, the Office of the Governor announced several direct appointments to the New Jersey Health Information Technology (NJ-HIT) Commission, and I am extremely pleased to pass along that I have been appointed to the attorney seat on the Commission.  I look forward to bringing my experience and enthusiasm to the table, and contributing to the success of the Commission’s goals.

The NJ-HIT Commission was created by the New Jersey Health Information Technology Promotion Act, and its members, with the assistance of the Department of Banking and Insurance, are charged with developing, implementing and overseeing the establishment and creation of a state-wide health information technology plan utilizing electronic medical records.  Among other things, the Commission will be looking to the national standards for the State’s HIT system for security, privacy, data content, format, vocabulary and information transfer standards.

The Commission will ultimately include over 19 members of the public, including representatives from professional health care organizations from across the State.

In 1994, Thomas Edison State College released a health care information networks and technology study that showed that New Jersey could save as much as $760 million by migrating from paper-based systems to an electronic network.