Chiropractic HIPAA compliance: tales from the dark side

Compliance horror stories and what to avoid with chiropractic HIPAA compliance in your practice

I love a good scary story, which is only natural since I grew up in the small southern town of Yazoo City, Miss., which is home to the Witch of Yazoo, a legendary character made famous by the author (and Yazoo City native) Willie Morris in his book, “Good Old Boy.” Scary stories allow us to safely experience fear while learning from the characters’ mistakes in the story, something we can learn from chiropractic HIPAA compliance “horror stories.”

Avoid being a main character

We’ve all heard scary stories from consultants, colleagues and local media, and know too well what could happen if we find ourselves on the wrong side of an audit or investigation.

Unfortunately, the size of your clinic doesn’t make staying compliant much easier. The smaller your operation, the fewer employees there are to keep on top of things. The larger your practice, the more moving parts you must monitor.

Despite the challenges of maintaining a compliant office, individuals involved in financial and health care fraud schemes face civil liability and criminal penalties — including prison time.

The tale of: billing for DC services not provided

One type of fraud frequently seen in health care is billing for services not provided.

Last year a suburban Chicago chiropractor was sentenced to more than a year and a half in federal prison for fraudulently submitting reimbursement claims to private insurers and Medicare for nonexistent treatment. From 2010-17, John Kosloski, DC, billed the private insurers for services he purportedly provided to Amtrak employees and their family members, knowing he was not actively treating them or had never seen them as patients.

He paid cash to the Amtrak employees in exchange for the ability to falsely bill using the employees’ and their family members’ personal information. During his scheme, Kosloski submitted more than 18,000 claims to insurers for services he knew he did not provide, and he received more than $500,000 in reimbursements for the false claims.

Kosloski, 57, of Beecher, Ill., pleaded guilty to one count of health care fraud. U.S. District Chief Judge Rebecca R. Pallmeyer imposed a 20-month prison term and ordered Kosloski to pay a $25,000 fine and more than $500,000 restitution to the insurers (DOJ, 2021).

Although this is hardly an example of human error and accidentally billing for services not provided, the truth is that in offices across the country, services that were not provided are billed daily. Therefore, your chiropractic HIPAA compliance program needs a system to catch and correct these errors before they are submitted for payment. Having each provider review and initial the day sheets at the end of the day is a great way to double-check for billing mistakes.

The tale of: dumping patient files

Not every case is a blatant attempt to defraud a third party.

For example, earlier this year, two Arkansas chiropractic clinics were required to pay $321,000 after state officials said they dumped patient files in a park. The lawsuit stemmed from an incident in November 2020 when Mayflower city employees alerted local police that a white truck was parked in a wooded area in Palarm Park, where someone left approximately 271 medical files.

The court found that the defendants violated the Personal Information Privacy Act and the Arkansas Deceptive Trade Practices Act for failing to protect their patients’ personal information and failing to dispose of patient information as required by law (Ringo, 2022). For the record, it costs significantly less than $321,000 to have a mobile shredding company visit your practice and dispose of your patient files legally and compliantly.

The tale of: HIPAA violations for looking up old girlfriends

Since we are on the topic of HIPAA, did you know that a pharmacist cost Walgreens $1.4 million for allegedly reviewing the prescription records of a woman who had once dated her husband?

The case is significant because the order is the first published appellate court decision where a health care provider has been held liable for HIPAA violations committed by an employee (Ross, 2014). As part of your compliance program, you and your team are required to complete regular HIPAA training. A good rule of thumb is to provide chiropractic HIPAA compliance training on the first day of employment, refresher training annually, and security-awareness training throughout the year.

The tale of: employing ‘excluded’ individuals

Another often-overlooked part of a compliance program is that you should run your list of employees against the exclusions list monthly if your practice treats federally insured patients.

Unfortunately, one practice learned that lesson the hard way when they were required to pay $192,000 for employing an “excluded” individual. The employee worked as its practice administrator between February 2010-May 2021. He was previously convicted in the District of Jersey for health care fraud. As a result of his conviction, he was excluded from all federal health care programs.

While he served as the practice administrator for Windham Eye Group, the practice and its owners billed and sought reimbursements from federal health care programs, including Medicare, Medicaid and TRICARE. A portion of the reimbursements Windham Eye Group and its owners received were used to pay his salary and benefits (DOJ, 2022).

The tale of: billing for procedures learned via YouTube

A good rule of thumb when implementing a new procedure, product or service in your practice is to obtain billing and coding advice from a reputable source before taking someone’s word for it.

For example, a chiropractor was charged with falsely billing for a procedure he learned about on YouTube. The civil complaint, filed on March 10, 2021, alleges the chiropractor fraudulently obtained over $3.9 million from the Medicare and TRICARE programs by billing for the implantation of neurostimulator electrodes. These surgical procedures usually require an operating room, and Medicare pays thousands of dollars for this procedure, according to the complaint.

In addition, the lawsuit alleges nurse practitioners working for the chiropractic office learned how to implant the devices by watching YouTube videos and participating in training with sales representatives (DOJ, 2021).

Make the time for chiropractic HIPAA compliance training

Being a doctor of chiropractic is a privilege. But it also comes with a lot of responsibility and yes, risk.

However, all these risks in your practice can be managed and even eliminated if you carve out time to work on your practice instead of just in your practice. Compliance is not a game of just doing, but also of acting fast and adapting to an ever-changing regulatory environment.

With all the rules and regulations around health care today, it can be difficult to see where your risks may lie. As we learn from the mistakes of others, remember to focus on one task at a time and don’t forget to ask for help.

RAY FOXWORTH, DC, FICC, is founder and CEO of ChiroHealthUSA. For over 35 years he worked “in the trenches” facing challenges with billing, coding, documentation and compliance in his practice. He is a former medical compliance specialist and currently serves as chairman of The Chiropractic Summit, an at-large board member of the Chiropractic Future Strategic Plan Committee, a board member of the Cleveland College Foundation, and an executive board member of the Foundation for Chiropractic Progress. He is a former staff chiropractor at the G.V. Sonny Montgomery VA Medical Center and past chairman of the Mississippi Department of Health. Request a third-party Gap Analysis of your practices to see where you are hitting the mark or falling short with compliance at chiroarmor.com/gap.