Business Associates, HIPAA, Medical Necessity, Code of Conduct and Vendor Registration: A Perfect Storm

Cardio DX was a laboratory company based in California that created the Corus CAD blood test. This test used a combination of a patient’s age, sex and gene expression to determine one’s risk of obstructive coronary artery disease (CAD). Cardio DX is no longer in business in part because of Medicare no longer paying for the tests and a number of whistleblower suits alleging that the company was defrauding Medicare. I was a healthcare compliance leader at an organization where Cardio DX representatives marketed the Corus CAD test to primary care providers, a few of which ordered the test for their patients.

The thing about genetic testing is that it likely is not very useful in the elderly population. Many providers would question if it makes sense to order this test for a 75 year- old patient over one in their twenties or thirties or whether it makes sense to order if there is a positive family history of CAD. This is where CMS determined that the test was not medically necessary.

If a laboratory company, or any other business associate (BA) gathers protected health information (PHI) from a covered entity (CE) such as a healthcare provider in order to process testing or any other services, they must execute a business associate agreement (BAA) with the CE. The BAA in essence states that the business associate will safeguard the PHI through administrative, technical and physical safeguards based on the HIPAA Privacy Rule.

The primary care organization did not have a BAA or agreement for services with CardioDX to perform any testing. Sometimes when vendor representatives are interacting with primary care offices, they may market their services (or goods) as a valuable part of the care plan but neglect to ensure there is a service agreement and BAA in place prior to providing services; this is usually the duty of the vendor and provider’s legal teams or leadership. 

Our department found out about the unauthorized blood testing through a phone call from an astute Medicare beneficiary. After reviewing her explanation of benefits, she noted a blood test she did not remember being discussed by her provider and was not mentioned by the phlebotomist.   She was rightfully concerned about the testing being charged to Medicare when she nor her provider had discussed or given authorization for the test.

After a lengthy investigation, it was revealed that the on-site phlebotomist had likely signed orders (unbeknown to the provider) for the blood test and drew an additional blood tube to send to CardioDX for each patient whose sample was sent for testing. The phlebotomist offered the test in most cases to the patient without the provider’s knowledge. There was no admission by the phlebotomist of whether they were working with or compensated by CardioDX or their representative. They did acknowledge that their annual compliance training included the Code of Conduct. Needless to say, this person was relieved of their duties.

So at this point, there are a few significant problems:

• Invalid (forged) signatures resulting in invalid orders

• No BAA or service agreement in place

• HIPAA breach related to sharing protected health information with a vendor that was not a business associate

• Medically unnecessary testing being charged to Medicare

The testing involved less than 500 patients. This is important because if 500 or more individuals are involved, the HIPAA breach needs to be reported without unreasonable delay to the Office of Civil Rights in any case within 60 days from discovery and reported to prominent media outlets in the states and jurisdictions where the breach victims reside.

There must also be a posting on the breach entity’s (provider’s) home page. In addition, each individual must be notified of the breach in writing. The notification must include an explanation of what happened, the nature of the PHI, and the measures the provider has taken to prevent future breaches. There must also be instructions on how to breach victims who can limit harm along with a toll-free number, postal and email address to direct questions to contact the provider/ covered entity.

After discussion with the general counsel, the organization retained legal consultation with an outside firm versed in handling HIPAA breaches. This way, we could craft a comprehensive written notice to the beneficiaries, notify the Office of Civil Rights in a timely fashion, and set up a system to gather inquiries from affected individuals with customer service recovery. Because our organization did not charge any fees for the testing, we did not have to proceed with a Medicare refund repayment.

Lastly, we provided education to the primary care offices regarding directing vendor representatives to our vendor registration process, which included guidance on the service agreement process. Of note, vendor registration can be a challenge with organizations that have numerous locations. Best practice will ensure your organization’s locations are aware of the vendor registration process and your general Code of Conduct to guide vendor representatives and employees.