Local Hospital Ransomware Victim
Clearwater Compliance reports that in March of 2016, Methodist Hospital in Henderson was hit by a ransomware infection.
Ransomware is malware that creates a situation where the computer owner cannot access its own data because the ransomware virus has put a seal or block around the data. Technically, the malware encrypts the data in place and the ransomware author demands a payment in order to unlock the user’s data.
Users subject to ransomware usually have very limited choices, pay the ransom, restore the system from a backup (if they have one) or hire “experts” who may or may not be able to unencrypt the data. None of these choices are good choices since while this drama carries on, the computers are essentially useless. Since hospitals now run on computers, the situation for ransomware victims and for Methodist Hospital was dire.
What can you do?
- Have multiple day offsite backup systems.
- Test your backups to see if they really work.
- Train and train and test and test. I have been to too many meetings where everyone in the meeting agreed to take certain steps, and then walked out of the meeting and immediately did something other than what was just agreed. When people agree to change passwords with certain frequency, to not accept emails that look suspicious, etc., do as Ronald Regan once said, “Trust, but verify”. Test your staff, test your leaders to see if they really follow your practices and procedures.
- Have a system in place to react to these disasters. Have you identified alternate servers and pc’s that can be brought in, loaded with backup data, and then proceed while your primary system is diagnosed and repaired?
- Put someone in charge who will take charge of this. Having everyone responsible means that no one will be responsible.
How Much Was I Overpaid?
We continue to see clients who are subject to Medicaid overpayment rules. We recently discussed the requirement that such overpayments be repaid within 60 days of the identification and reasonable quantification of such overpayments.
But what if you and Medicaid disagree as to the amount of the overpayment? In most cases, Medicaid will not audit all of your records, they will audit a sample, and then using that sample, they will extrapolate or project what the overpayment amount would be if they audited all of your records. If you disagree with Medicaid’s sampling and methodology in making this projection or extrapolation, what can you do?
The 7th Circuit Court of Appeals has already held that it will assume the Medicaid projection amount is correct, but that you may present evidence that their sample selection method was incorrect, and you may challenge the correctness of Medicaid’s decision in specific cases in the sample. Additionally, you can audit all of your records, present the results of that 100% audit to show that the extrapolation was incorrect.
Do you want to do this? In most cases, unless the sample is directed at a very narrow line of business or codes, you will not want to sample all of your records in that area as being prohibitively expensive. That means that in most cases you will need to attack the sampling methodology and show that the cases used (the samples), when individually reviewed, do not support Medicaid’s claim of overpayment. Just remember that the burden is yours, not Medicaid’s.
Price Transparency Still Not Focused
Recent reports indicate that only seven states have made any significant progress in providing healthcare price transparency. Indiana, Kentucky, and Illinois are not in the approved group but at the lower end of the grading scale. Much of our discussion about involving patients in making rational healthcare usage decision and in making appropriate rationing decisions about healthcare and healthcare dollars has, as an underlying basis, the idea that patients have the data available to them to make an intelligent decision. As long as quality and price information is not available (transparent) and accurate and timely, healthcare users will not be able to make good healthcare system choices.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.