Complete Professional Office Solutions

Orthotic and Prosthetic Services

How to Contact Us

Call Us Today!

Office (810) 629-6424
Fax (810) 626-4762

Mailing Address

Complete Professional Office Services, P.O. Box 998, Fenton, MI 48430

Hours of Operation

Mon - Fri 9 am - 5 pm; Closed Sat and Sun

HIPAA fines have skyrocketed to $21 Million with more on the way!

Special note about this post!!!

I have taken extensive measures at Complete Professional Office Services to prevent the possibility of being hacked, but we never knew what we were missing until we hired a Certified HIPAA Professional to assess our office. We were astonished at what we discovered that could lead to huge fines and penalties.

For this reason, we are assessing all of our clients and will do the same on all future accounts.

The following article was written by Martin Matties, the Certified HIPAA Professional we hired to assess our computer systems. You may not have done much with HIPAA lately, but here is why you should look into it now.

John Dolza… President CPOS

Reposted from “HIPAA fines have skyrocketed to $21 Million with more on the way!” – Published January 10, 2017

HIPAA fines have skyrocketed to $21 Million with more on the way!

HIPAA has been around since it was first proposed in 1999 but most of the requirements have not been followed. In fact, up until 2011 there was very little enforcement and no fines were even given.

Why, you might ask? …

HIPAA was introduced with no enforcement rules. It was on the honor system to implement it.

That all changed in 2008 when the Office of Inspector General (U.S. Department of Health & Human Services) put out a report finding that CMS (Centers for Medicare & Medicaid Services) was not enforcing HIPAA. This meant that many medical practices were not complying with the rules, which placed patients at significant risk of exposure of their personal health information due to poor security. OCR (Office for Civil Rights) is now responsible for HIPAA enforcement. This gave individual State Attorneys General and others the right to enforce HIPAA civil penalties.

Even with the right to enforce HIPAA, there still was no way to pay for it. That changed with the HITECH Act. The HITECH Act paid to hire the staff needed, including former prosecutor Jocelyn Samuels as Director of OCR.

OCR's 2016 funding was $39 million, with the 2017 budget increased to $43 million. All fines and penalties given by the department will be kept by the department, which means that the economic model for HIPAA enforcement is sustainable.

HIPAA fines are Huge!

2016 was a banner year for HIPAA fines. The number of penalties handed out was over 3 times the amount from the previous year. In 2015 the total HIPAA penalties levied was $6.1 Million, and in 2016 that amount skyrocketed to $21 Million and counting.

Like many practices, your first concern is the good health of your patients. All the work you do generates extremely valuable data stored on computer systems. This data is in high demand by hackers and regularly sold on the dark web. As a result, your patients are at risk unless you take steps to secure your practice and computer systems.

We have seen many good, honest practices that simply do not have the required expertise or the time required to make their computer systems safe, secure and HIPAA compliant. This ultimately places their patients at increased risk of identity theft and Medicare and insurance fraud. Unscrupulous hackers can use Personal Health Information to steal patient identities, make fraudulent claims against their insurance programs, open accounts in their names and make your patients' lives miserable. If you want to protect your patients' personal information and your practice from large penalties and fines, then it's time to start looking very hard into your HIPAA compliance.

Not sure where to start?

The very first thing is to get an overview of HIPAA requirements and how they apply to you. I have put together the 20 Minute HIPAA Quick Start Guide to help you. Take the next 20 minutes and answer the questions the best you can. "I don't know" is a good answer, "No" is a good answer and "Yes" is a good answer. Don't forget we are trying to figure out what we don't know so we can avoid penalties and security breaches. The more you find out now, the better.

If you find your answers are "no" or "I don't know", or you are not sure what the questions mean, chances are you need some help. Contact my office to discuss how we can help get your practice HIPAA Compliant @ (810) 695-4258 or

HIPAA Webinar February 23, 2017

If you would like to register for our HIPAA Webinar now, CLICK HERE!

Already by October of 2016, fines totaled $21.38 million, 6 times 2015's total of $6.1 Million. The government is randomly choosing organizations to audit, similar to what MEDICARE did with RAC.

The danger is the black market for information

The real danger to O&P is the high black market value of a hacked medical record: $10 to $50, compared with 25¢ to 50¢ for a credit card record. The cost for the loss of 1 record is $402.00 according to the 2016 Cost of Data Breach Study: United States, sponsored by IBM and independently conducted by Ponemon Institute LLC, June 2016.

O&P companies exclusively handle highly desirable medical records, but do not understand electronic HIPAA compliance requirements. This perfect storm puts them in the crosshairs of bankruptcy.

2014 FBI Warning to Healthcare Providers

The biggest vulnerability (to the security of patient data) was healthcare IT professionals' belief that their current perimeter defenses and compliance strategies were working, when clearly the data states otherwise.

How to protect your practice!

We are organizing this webinar to discuss both the problem and solutions, with a thorough Q&A at the end in order to answer your questions!

Attendance is limited and more information is coming.

If you want to pre-sign up or have any questions: call John Dolza COe (810) 629-6424, or eMail

Subject: Ohio Medicaid PA’s – IVR fixed?!!!

Dear OOPA Members and Associates,

Medicaid PA's moved to HP (Hewlett Packard) for processing.

As you may know by now, the Prior Authorization section has been turned over to HP and suppliers are not able to contact HP directly.

At our recent quarterly meeting our Policy rep suggested "if you have an issue with a PA, you should call the IVR number (1.800.686.1516)."

We just learned that the IVR was not set up with an option to receive PA inquiries or an option to leave a message for a call-back.

After bringing this to Medicaid's attention yesterday, we are told that the PA function has now been added to the IVR. Medicaid suggests, "When you select it, it indicates you should check the portal for PA status or select 0 to speak to a representative. The original prompt said for prior authorization but the second prompt sounded like provider authorization to me so that is probably confusing providers. I will contact our vendor today to ensure it says prior authorization."


The operators are trained (training ongoing) to be able to answer most questions. If they are unable to answer the question they are to forward it to an internal mailbox. That department will then contact the provider with an answer, correction, resolution, or explanation. If the phone operator does not do this or doesn't offer to, you should ask them.

Please forward your Medicaid and/or Medicare questions prior to the conference.

Thank you,

Dianne Farabi

Ohio O & P Association

ICD-10 Specificity

DMEPOS suppliers should continue to look to the referring physicians for the ICD-10 diagnosis. However, physicians have been granted a 12-month flexibility period in which they do not have to submit diagnosis codes to the highest level of specificity; the physicians' claims need only have a code within the correct family of diagnosis codes. DMEPOS suppliers are not allowed the same grace period. DMEPOS suppliers must bill with an ICD-10 code at the highest level of specificity, so you need to submit your claims coded to the highest level of specificity.


Getting Started with ICD-10 codes

ICD-10 takes effect for all dates of service after 10-1-2015. Presently we have the dubious honor of filling in the ICD-10 coding for a written description. This is not all bad; consider it a crash course to get us up to speed. Medicare has not yet come up with a usable crosswalk. We are including links, here and on our web site, both to the Medicare information and to a crosswalk we have found that is fairly user friendly.
