Patient First Illegal billing practices and HIPAA violations Glen Allen Virginia

I believe Patient First is currently violating state and federal laws as they pertain to billing policies and HIPAA regulations.

Billing:

I was treated by the Short Pump, VA location of Patient First on April 28, 2014.  I paid my insurance co-payment and received treatment.

When I returned to Patient First for follow-up treatment on June 30, 2014.  Upon arrival, the billing clerk refused to authorize medical treatment stating that I had an unpaid balance of $114.14 which had not been paid by Blue Cross Blue Shield.  When I advised the billing clerk that my wife had already paid the $114.14 amount over their automated telephone billing system, she indicated that there was no record of a payment being made.  I then called my wife who indicated that she had already paid the bill over their automated telephone billing system and she provided a confirmation number.  The billing clerk responded by stating that she had no way of knowing if my wife was telling the truth or not because their systems did not show that a payment had been made, and I was forced to double pay the $114.14 amount just to be treated.  This resulted in me prepaying $114.14 towards my June visit, which conflicts with my contract with Blue Cross Blue Shield, and it conflicts with the Patient First billing policies.   By the way, during my June 2014 treatment, the physician misread an x-ray and misdiagnosed my medical condition.  I learned of the misdiagnosis when a radiologist called me at home to advise that the Patient First physician had made an error.  When my own PCP saw the x-ray, she could not believe the diagnosis of the Patient First physician because she said the error was just so obvious.

When I returned to Patient First on August 14, 2014 for follow-up treatment, the billing clerk again refused to authorize treatment, because she said I had an unpaid balance of $181.76 from my June treatment.  When I asked her if my $114.14 overpayment had yet been credited towards my June 2014 bill, she stated that only a single payment of $114.14 had ever been received.  I then called my wife who advised that both payments of $114.14 already appeared on her bank statements.  When I advised the billing clerk of this fact, she stated that she had no way to know if my wife was telling the truth, and she refused to authorize medical treatment.  After asking to speak to a Manager, I was escorted to the office of Linda Bennett.  Linda Bennett checked their billing system, and she insisted that only a single payment of $114.14 had ever been received, and therefore, no credit in that amount had been applied to  my June 2014 bill which had a balance of $181.86.  She said that she would only authorize treatment if I could assure her that my had made a payment in the amount of $181.86 or that she was going to make a payment in that amount.  I explained to her that if no credit had been applied to my June 2014 bill, then my wife was only going to pay the difference between $181.76 and $114.14 because I was owed a credit for a double payment.  She said my wife would have to make copies and send them to their billing department to prove that two payments in the amount of $114.14 had been made.  I then advised Linda Bennett that I was leaving and I would find a medical provider who could actually account for the past payments of their patients. 

Upon leaving Patient First to receive treatment at a hosptial, my wife called Linda Bennet and explained that two payments had already posted to her bank account, and to complain that she refused to authorize me to receive medical treatment.  Linda advised that she had authorized treatment, but she left off the part about me having to assure her that my wife had paid $181.76 or was going to pay $181.76.  Linda Bennett then referred my wife to the corporate headquarters of Patient First located just a couple of miles away at 5000 Cox Road, Glen Allen, VA 23059.

On August 14, 2014, when my wife called the Patient First billing department, at which time an employee named Gilberto advised that he would send me a copy of my itemized billing statements so that my wife could review the bills and figure out exactly what we owed.  He stated that my wife could scan or copy the bank statements to prove that two payments had already been deduced from her bank account. 

HIPAA violatons

On approximately August 22, 2014, I received a letter in the mail from a woman who lives in Yorktown, Virginia.  In her letter dated August 18, 2014, she stated she had received my personal billing records (which contain a significant amount of my personal health information) in the mail.  She provided a copy of the envelope used by Patient First to send my personal health information, which was addressed to her at her home address in Yorktown, Virginia.  In her letter, she wrote that when she contacted Patient First on August 18, 2014, she spoke to a Patient First employee named Amber who instructed her to "trash it" and she advised that Patient First would mail me another copy of my itemized billing statements.  The woman in Yorktown, Virginia wrote "I informed them, I thought you had the right to know of their error and I would return it to you along with a letter."  She then provided me with the name and direct telephone number of the Patient First employee she spoke to. When I spoke to the woman in Yorktown and thanked her for mailing me my records, she stated that the Patient First employee did not take the matter seriously when she called, and she said at no point in time did she ever provide her with any instructions on how to dispose of the items.  She said that she either said to put my records in the trash or "trash it."

Because of the severe problems I experienced with Patient First billing systems that were not up to date, and which contained incorrect payment information, I was curious to know if Patient First had recorded anything about the breach of my medical records being provided to an unauthorized 3rd party.  Beginning on September 3, 2014, I spoke to numerous Patient First employees on the phone - from Manager Linda Bennett from the Short Pump office to other employees in the billing department and their Administrative Services department.  One employee stated on two occasions that there was a "zero" chance that my personal health information was mailed to an unauthorized 3rd party. In each case, the employees "guaranteed" that my personal health information had been mailed in an envelope addressed in my name and my home address. and not mailed to an unauthorized 3rd party.   After leaving multiple voice mail messages with a woman named Shantae White, the Patient First Administrative Services Coordinator, and with a Theresa Dabney, an Administrative Services Supervisor,  and after not receiving any calls back, I called the Patient First corporate headquarters and spoke to a receptionist and asked to speak with the corporate executive who was in charge of the Administrative Services department.  She stated that Patient First customers were not permitted to escalate any complaints about the Administrative Services department.  I then stated that I wanted to speak to the executive who Shantae White reports to, and the receptionist stated that I would have to call Administrative Services because no complaints could be escalated above that department.  When I advised her that I had been waiting multiple days for Shantae White to return my phone calls, she stated that it takes up to 7 days for a Supervisor to return a phone call.

I then emailed a letter to Patient First CEO and Chairman Dr. Richard P. Sowers, and I asked him to have somebody from the Administrative Services department call me.  Within minutes of my email, Shantae White, the Administrative Services Coordinator returned my call.  During a conversation with Shantae White, when speaking about their mailing procedures, she stated that when the print off our statements, it already has the address on it and there is no way that they can mess that up.  She said that they just send it directly to that address that's printed on the statement.  She later put in writing, at my request, that my personal health information was mailed to my name at my home address.  She stated that if I did not receive the materials, then I should bring my complaint to the U.S. Post Office.  She also put in writing that nobody had ever called Patient First to report that they had received my medical records.

On September 12, 2014, I called the Patient First employee, Amber, who actually received the phone call from the woman in Yorktown, Virginia who had reported the breach on August 18, 2014.  Amber checked both their patient account system and even the medical record system, and she stated that there was no record of my personal health information having been sent to an unauthorized 3rd party. 

On September 12, 2014, after speaking to Patient First employee Amber, I emailed the CEO of Patient First Dr. Richard P. Sowers, and the unnamed Privacy Officer (Steve McCoy) and I advised them of the fact that my Personal Health information had been mailed to an unauthorized 3rd Party without my consent.  At that time, I requested an Accounting of Disclosures and asked to know the name of every single person and business who had received my personal health information.

Shortly after I had emailed the CEO of Patient First and the Privacy Officer to report the breach, Patient First employee Amber, the woman who actually received the call from the woman in Yorktown, Virginia, called me and apologized for previously providing me with false information relating to the disclosure of my personal health information to a woman in Yorktown, Virginia.  During this conversation, she stated that the HIPAA laws for patient billing records were not as strict as for medical records.  She explained that when an unauthorized 3rd party calls in to report a breach, Patient First only records the breach on the patient account of the person who called into Patient First to report the breach, and she said that they do not record the breach on the account of the Patient whose records were actually sent to an unauthorized 3rd party.  She said that is why she could not find any record of the breach on my patient account files or in my medical record file.  She stated that she had reported the breach to their Privacy Officer named Steve McCoy on August 18th. 

On September 12, 2014, Patient First Privacy Officer and General Counsel Steve McCoy called me and apologized for the breach of my personal health information and the other problems I had experienced.  He said that Amber had sent him an email on August 18th but that he had not yet acted on the breach.  He did offer to pay the $181.76 balance, and he said it would in no way prevent me from seeking legal recourse or filing complaints against Patient First.  During this conversation, I explained to him the problems I had experienced both with their billing practices and with the breach of my personal health information.  I explained that during my inquiries of his own employees, I had identified an obvious and very serious flaw in their procedures for mailing out personal health information.  I explained that after a Patient First employee prints out a billing statement they cut and paste the address from the billing statement on the computer and they paste the name and address into an envelope template.  After they print the envelope, they then manually place the personal health information into the envelope and mail the envelope.  In my case, they placed my personal health information into an envelope addressed to the woman in Yorktown, Virginia.   I also explained that when the personal health information is mailed out, Patient First does not keep a record of where the PHI was mailed, they only record where the PHI was supposed to be mailed.  I further advised that Patient First depends 100% on the unauthorized 3rd party recipients to notify them if there is a breach.  I explained a very obvious and simply solutioin to these very serious problems with their billing systems and procedures.  I explained that since the patient's name and address already appeared on the billing statement, if they used a windowed envelope, it would guarantee that the personal health information was mailed to the correct patient.  If somehow the materials were inserted into an envelope backwards, only a blank white section of the documents would appear and the documents would be returned to Patient First.  I explained that if they implemented this type of system, it would greatly reduce the amount of personal health information being mailed to unauthorized 3rd parties, and it would result in their patient accounts actually recording where the documents were mailed, not where they were supposed to be mailed like their current system.  Steve advised that he thought that was a great idea that he would consider.  Steve later contacted me and advised that Patient First would be implementing my idea and they were going to start using windowed envelopes.  During my conversations with Steve McCoy, he made some comments that in my opinion, were quite shocking about Patient First.  I plan on sharing these comments with state and federal regulators and with the media.   In the end, Steve McCoy said that if he were in my shoes, he would file complaints about the past actions of his own company and they would deal with it. 

On September 15, 2015, Patient First Privacy Officer and General Counsel Steve McCoy emailed me an Accounting of Disclosures report.  During my review of the report, I found that Steve McCoy had excluded the illegal disclosure of my personal health information to the woman in Yorktown, Virginia.  On the same date, I then requested that he provide me with a corrected Accounting of Disclosure that included the illegal breach of my personal health information.  He sent a corrected Accounting of Disclosures report on this same date,  at which time he advised that he had excluded the information about the disclosure of my information to the unauthorized 3rd party in Yorktown, Virginia from his original report,  because I already knew about it. 

On September 18, 2014, I emailed the Patient First Privacy Officer and General Counsel Steve McCoy and I advised him that during my conversation with Amber, she had told me that my personal health information had been disclosed to a Pharmacy.  I also advised him that I wanted to know the names of every individual and every business who had received my information including the pharmacy that Amber had referenced in my conversation with her.  In addition, I advised Steve McCoy that on his corrected Accounting of Disclosures report, he had incorrectly reported that my personal health information had been mailed to the unauthorized 3rd party on August 14, 2014, and I informed him that my PHI had actually been mailed by Patient First on August 15th - not August 14th.  I advised him that if my personal health information had also been mailed out on August 14, 2014, I wanted to know to whom my PHI was mailed.  

On September 19, 2014, Steve McCoy emailed me back and stated that he must decline to respond to my inquiries.  He said that "It is unfortunately clear that no response of mine will suffice to reassure the good faith with which Patient First has addressed your concerns."  He further stated that "Patient First has responded fully to your request for an accounting of disclosures, and provided more information that they were required to provide."  He also talked about my right to file a complaint, and have a review of my medical care completed by my health insurance company.  In this letter, he failed to even address my request for him to correct the date that my personal health information was mailed as August 15th instead of August 14th as his report falsely claimed, and he failed to address my request to know the name of the Pharmacy which Amber said had been provided with my personal health information.

I am planning on sharing my story, along with comments made by various Patient First employees to include comments made to me by Privacy Officer and General Counsel Steve McCoy, with the media, and with state and federal regulators.  In my opinion, the fact that Patient First has been using an antiquated mailing system and procedures which subjected their patient's personal medical information to breaches, and the fact that their internal systems only record where personal health information is supposed to have been mailed, and not where it is actually mailed, represents gross negligence on the part of Patient First and the executives in charge.  The fact that I had to identify this very serious problem to Steve McCoy, the Privacy Officer and General Counsel, and the fact that I had to provide Steve McCoy with a very obvious and simple solution to this problem, is quite shocking. 

Conclusions 

As I advised Patient First CEO Richard P. Sowers in one of my emails, I believe the name "Patient First" is not appropriate for his company.  I  believe the name should be changed to "Patient Second" or "Profit First."  The information I learned during my contacts with Patient First have been somewhat shocking to me, and I sincerely hope that state and federal regulators impose very serious penalties that will prevent Patient First from taking advantage of their customers in the future.  

Because the systems in place today at Patient First, totally depend on having unauthorized 3rd parties report breaches, there is absolutely no way to tell today just how many Patient First customers in the past have had their personal health information illegally disclosed to unauthorized 3rd parties.  At the very best, Patient First could only know how many 3rd party breaches were reported.  Based on my experiences, I wonder how many times Patient First notified all of their customers whose records were actually breached?    

Finally, I believe that because the Patient First billing systems are not up to date, and because they are not accurate, I believe that various state and/or federal laws have been broken.  You have to wonder how many times in the past, people like me who had paid their bills in full, were not able to double pay their bills and were turned away without receiving any medical treatment?  The consequences for low income people could be devastating where they have to make the following decision;  "Do I double pay my bill or walk away without receiving treatment?"

I have been working as a Fraud Investigator for nearly 30 years, and while I will be in contact with media sources in the Richmond, Virginia area, I would love to speak to media sources on a regional basis so that other Patient First customers, and the general public, can learn about the past actions of Patient First.