Healthcare Business Review

Advertise

with us

  • APAC
    • US
    • EUROPE
    • APAC
    • CANADA
    • LATAM
  • Home
  • Sections
    Business Process Outsourcing
    Compliance & Risk Management
    Consulting Service
    Facility Management Services
    Financial Services
    Healthcare Consulting
    Healthcare Digital Marketing
    Healthcare Education
    Healthcare Marketing
    Healthcare Procurement
    Healthcare Staffing
    Medical Staff Training and Development
    Medical Transportation
    Nurse Staffing
    Plastic Surgery
    Regenerative Medicine
    Therapy Services 
    Business Process Outsourcing
    Compliance & Risk Management
    Consulting Service
    Facility Management Services
    Financial Services
    Healthcare Consulting
    Healthcare Digital Marketing
    Healthcare Education
    Healthcare Marketing
    Healthcare Procurement
    Healthcare Staffing
    Medical Staff Training and Development
    Medical Transportation
    Nurse Staffing
    Plastic Surgery
    Regenerative Medicine
    Therapy Services 
  • Contributors
  • News
  • Vendors
  • Conferences
  • Awards
×
#

Healthcare Business Review Weekly Brief

Be first to read the latest tech news, Industry Leader's Insights, and CIO interviews of medium and large enterprises exclusively from Healthcare Business Review

Subscribe

loading

Thank you for Subscribing to Healthcare Business Review Weekly Brief

  • Home
  • Contributors

Business Associates, HIPAA, Medical Necessity, Code of Conduct and Vendor Registration: A Perfect Storm

Healthcare Business Review

Karyn Holley, FACHE, RN, CHC, CPHRM, Chief Compliance & Clinical Risk Management Officer VNA Health Group
Tweet

Cardio DX was a laboratory company based in California that created the Corus CAD blood test. This test used a combination of a patient’s age, sex and gene expression to determine one’s risk of obstructive coronary artery disease (CAD). Cardio DX is no longer in business in part because of Medicare no longer paying for the tests and a number of whistleblower suits alleging that the company was defrauding Medicare. I was a healthcare compliance leader at an organization where Cardio DX representatives marketed the Corus CAD test to primary care providers, a few of which ordered the test for their patients.


The thing about genetic testing is that it likely is not very useful in the elderly population.


Many providers would question if it makes sense to order this test for a 75 year- old patient over one in their twenties or thirties or whether it makes sense to order if there is a positive family history of CAD. This is where CMS determined that the test was not medically necessary.


Suppose a laboratory company or any other business associate (BA) gathers protected health information (PHI) from a covered entity (CE), such as a healthcare provider, to process testing or any other services. In that case, they must execute a business associate agreement (BAA) with the CE. The BAA, in essence, states that the business associate will safeguard the PHI through administrative, technical and physical safeguards based on the HIPAA Privacy Rule.


The primary care organization did not have a BAA or agreement for services with CardioDX to perform any testing. Sometimes when vendor representatives are interacting with primary care offices, they may market their services (or goods) as a valuable part of the care plan but neglect to ensure there is a service agreement and BAA in place prior to providing services; this is usually the duty of the vendor and provider’s legal teams or leadership. 


Our department found out about the unauthorized blood testing through a phone call from an astute Medicare beneficiary. After reviewing her explanation of benefits, she noted a blood test she did not remember being discussed by her provider and was not mentioned by the phlebotomist.   She was rightfully concerned about the testing being charged to Medicare when she nor her provider had discussed or given authorization for the test.


After a lengthy investigation, it was revealed that the on-site phlebotomist had likely signed orders (unbeknown to the provider) for the blood test and drew an additional blood tube to send to CardioDX for each patient whose sample was sent for testing.


The phlebotomist offered the test in most cases to the patient without the provider’s knowledge. There was no admission by the phlebotomist of whether they were working with or compensated by CardioDX or their representative. 


They did acknowledge that their annual compliance training included the Code of Conduct. Needless to say, this person was relieved of their duties.


So at this point, there are a few significant problems:


• Invalid (forged) signatures resulting in invalid orders


• No BAA or service agreement in place


• HIPAA breach related to sharing protected health information with a vendor that was not a business associate


• Medically unnecessary testing being charged to Medicare


The testing involved less than 500 patients. This is important because if 500 or more individuals are involved, the HIPAA breach needs to be reported without unreasonable delay to the Office of Civil Rights in any case within 60 days from discovery and reported to prominent media outlets in the states and jurisdictions where the breach victims reside.


Best practice will ensure your organization’s locations are aware of the vendor registration process and your general Code of Conduct to guide vendor representatives and employees.


There must also be a posting on the breach entity’s (provider’s) home page. In addition, each individual must be notified of the breach in writing. The notification must include an explanation of what happened, the nature of the PHI, and the measures the provider has taken to prevent future breaches. There must also be instructions on how to breach victims who can limit harm along with a toll-free number, postal and email address to direct questions to contact the provider/ covered entity.


After discussion with the general counsel, the organization retained legal consultation with an outside firm versed in handling HIPAA breaches. This way, we could craft a comprehensive written notice to the beneficiaries, notify the Office of Civil Rights in a timely fashion, and set up a system to gather inquiries from affected individuals with customer service recovery. Because our organization did not charge any fees for the testing, we did not have to proceed with a Medicare refund repayment.


Lastly, we provided education to the primary care offices regarding directing vendor representatives to our vendor registration process, which included guidance on the service agreement process. Of note, vendor registration can be a challenge with organizations that have numerous locations. Best practice will ensure your organization’s locations are aware of the vendor registration process and your general Code of Conduct to guide vendor representatives and employees.


Weekly Brief

loading
  • Compliance & Risk Management 2024

    Current Issue

Read Also

Improving Quality through Strong Patient-Provider Relationships

Improving Quality through Strong Patient-Provider Relationships

Orlene St. Hill, Quality Director, AdvantageCare Physicians
READ MORE
Challenging the Status Quo to Improve Patient-Centered Care

Challenging the Status Quo to Improve Patient-Centered Care

Emma Monaco, Director, Post-Acute Strategy, Business Development Operations and Physician Relations, Marketing, Prime Healthcare
READ MORE
Turning a Bad Moment into a Better One

Turning a Bad Moment into a Better One

Alexia Spizzirri, Director of Patient Experience and Employee Engagement, St. Bernard Hospital
READ MORE
Elevating Nursing through Compassion and Care

Elevating Nursing through Compassion and Care

Lena Gorman, Nursing Case Manager, Faith Medical Services Inc
READ MORE
In the Future, Robots Will Replace Wound Care Doctors

In the Future, Robots Will Replace Wound Care Doctors

Kevin Orsak, Wound Care Program Manager, UT Southwestern Medical Center
READ MORE
Where Science Meets Beauty: The Medical Aesthetics Industry

Where Science Meets Beauty: The Medical Aesthetics Industry

Roger Kapoor, Senior Vice President, Beloit Health System
READ MORE

In the Future, Robots Will Replace Wound Care Doctors

Kevin Orsak, Wound Care Program Manager, UT Southwestern Medical Center

Where Science Meets Beauty: The Medical Aesthetics Industry

Roger Kapoor, Senior Vice President, Beloit Health System

Distraction in Digital Therapy

Beverly Wertheimer, PsyD, DMin, LCSW, Psychotherapist-Adolescent and Family Mental Health, Clinical Advisory Board Member, Daybreak Health

Navigating Quality, Safety, and Leadership in Healthcare

Christina Huitt, Sr. Director of Quality, Caromont Health
Loading...
Copyright © 2025 Healthcare Business Review. All rights reserved. |  Subscribe |  Sitemap |  About us |  Newsletter |  Feedback Policy |  Editorial Policy follow on linkedin
CLOSE

Specials

I agree We use cookies on this website to enhance your user experience. By clicking any link on this page you are giving your consent for us to set cookies. More info

This content is copyright protected

However, if you would like to share the information in this article, you may use the link below:

https://compliance-risk-management.healthcarebusinessreviewapac.com/cxoinsight/business-associates-hipaa-medical-necessity-code-of-conduct-and-vendor-registration-a-perfect-storm-nwid-922.html