healthcarecompliance101

Healthcare Compliance 101

Archive for the category “Health Care Compliance Program”

$750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements

 

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.  HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area.

 

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).

 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

 

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure  business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

Advertisements

What Every Healthcare Provider Needs To Do To Avoid Damages Under The TCPA

Memorandum re Liability to Dental Practice under the Telephone & Consumer Protection Act – (TCPA)  – September 28, 2015.

 

Disclaimer: This material is for general reference purposes only and does not constitute legal advice.

 

Note: Even though the TCPA only covers phone calls and text messaging, we also included emails as part of the consent that patients give in the event that future regulations or laws are passed involving email communications.

 

The purpose of this memorandum is to discuss the changes to a Practice’s1) Notice of Privacy Practices and 2) Acknowledgement of Receipt of Notice of Privacy Practices & Consent for Use and Disclosure of Health Information (Acknowledgement). These changes are necessary in order to protect the practice from potential lawsuits and damages resulting from violations of the Telephone and Consumer Protection Act which stemmed from the class action suit against Walgreens where Walgreens settled for $11,000,000 for alleged violations of the TCPA.  The final approval hearing for this settlement was held on Aug. 5, 2015.

 

How come we need to make these changes when Healthcare Compliance Consulting, Inc. set up our HIPAA Privacy and Compliance programs for us and we already have our patients sign our Acknowledgement form ?

The problem is that even though a dental practice is a covered entity (just the same as Walgreens is a covered entity) and is subject to comply with the HIPAA regulations, the class action suit against Walgreens was not brought against it for violation of the HIPAA regulations but for violation of the TCPA, which is a federal act that is completely separate from the HIPAA regulations. The nature of the infraction and violation against Walgreens was such that this type of incident should have been covered under the HIPAA regulations, but there are no HIPAA regulations that discuss or govern this. Thus, a similar lawsuit could be brought against a dental practice on the grounds that the dental practice violated the TCPA.

 

The nature of the lawsuit against Walgreens was that it placed prerecorded prescription reminder calls to the cell phones of prior Walgreen consumers or customers without their consent. The court made a distinction between phone calls made by Walgreens to Pharmacy patients with a current prescription which were due to be picked with prior Walgreen Pharmacy patients that had no current prescriptions due to be picked up. The court said that the reminder calls to prior Walgreen patients that did not have a current prescription due to be picked up could not be made by Walgreens without that patient’s prior consent. Without prior consent, the court said that these cell phone calls were unauthorized because Walgreen did not get the patients consent first, and thus this constituted a violation of the TCPA and made Walgreens subject to damages.

 

Lawsuits can be brought under the TCPA against any dentist for sending out any kind of reminder message to patients (i.e.-to schedule recall appointments and unscheduled treatment) that are transmitted either by phone or text that are made without the prior consent of that patient.

 

How a violation of the TCPA could occur in a dental office is 1) where a phone call or text notice is sent or given to the patient where the patient is requested to call the dental office and set up an appointment for future treatment based on a prior recommendation from the dentist to have this unscheduled dental work done in the future or, 2) where the dental office calls or texts a recall notice to the patient to set up an appointment (such as a 3 month or 6 month, etc. recall appointment reminder) stating that it has been 3, 6, 9 months, etc. since you last treatment or visit and it is time to set up another dental appointment, and that patient has not given the practice his/her consent to send out such notices.

 

To be safe and to prevent the dental practice from having liability and subject to a lawsuit and damages for violation of the TCPA is for the dental practice to have language on its NPP and Acknowledgement form where the patient gives the dental practice his/her consent to send out such notices by either phone or text. We have revised the NPP and Acknowledgement form with language that gives the dental practice consent of the patients to send out such notices.

 

Special problems involving Recall Notices

When a dental office makes a phone call or sends a text message to a patient reminding them that it has been 3 months, 6 months, 9 months, 12 months, etc. and requests the patient to call and set up an appointment, this is a violation of the TCPA unless the patient gives consent to the practice to call or text him/her. The problem is that it has been a common practice for dental practices to make these kind of recall notices in order to keep business coming into the practice. To stop making these kinds of recall notices could cause the dental practice to lose a substantial amount of business. So, on one hand, based on the current litigation with Walgreens, it definitely is a violation of the TCPA to make these kinds of phone calls or text messages without the patients’ consent. On the other hand, the practice will lose business if it does not contact patients that it has previously treated to notify them that they have not been in for 3 months, 6 months, etc. and that they should set up an appointment. To further complicate the situation or problem is that if the dental practice does not contact its patients for recall appointments, it is possible that it could be cited for abandonment of treatment. Once a dentist begins treating a patient, the dentist may not abandon the patient without incurring liability for damages unless the dentist follows certain steps and procedures for terminating the dentist/patient relationship. So, the dentist is really in catch 22 situation. So a dental practice will have to decide how it wants to handle this situation because there will be risk involved no matter what it does.  If the dentist contacts the patient by phone or text in order to set up a recall appointment without the patients’ consent, it is in violation of the TCPA. If it does not make a recall phone call or recall text, it could be subject to liability under abandonment of treatment.  So the dentist will have to decide whether to take the risk and continue making recall phone and/or text messages and have the patient sign the consent form when they come in for treatment.

 

We have recommended that all dental practices have their existing and new patients sign their Acknowledgement form with the new consent language on it because 1)anyone can file a lawsuit against the practice under the TCPA  for failure of the practice to obtain consent from the patient (it doesn’t just have to be the patient that could file a lawsuit against the practice) and, 2) because of recent Walgreens settlement for violation of the TCPA (Aug. 5, 2015), lawyers may be more aggressive in searching out clients that would be willing to bring a lawsuit against any covered entity (such as a dental practice either large or small). There already are lawyers that are pursuing opportunities to solicit people that they can represent to bring lawsuits against healthcare providers for violations of the TCPA. If you Google Telephone Consumer Protection Act, there already are Minneapolis law firms whose names will appear on the side bar advertising their consumer protection services for violations of the TCPA.

Evaluating and Improving a Compliance Program

Evaluating and Improving a Compliance Program

Health care is one of the most highly regulated industries in the United States.  Thousands of health care entities have been excluded from participating in federal programs, such as Medicare and Medicaid, for violating laws.  Government agencies, such as the Federal Bureau of Investigation (FBI), Office of Inspector General (OIG), Department of Justice (DOJ) and Centers for Medicare and Medicaid Services (CMS) target health care fraud and abuse as high priority areas to conduct inquiries and investigations.  In light of the proliferation of fraud and abuse legislation and enforcement activities directed at the health care industry, it is becoming imperative for health care organizations to implement compliance programs not only to prevent violations but also to reduce the potential for liability should violations occur.

What is the Purpose of a Compliance Program?

The purpose of a compliance program is aimed at ensuring that the organization, its employees, and associates comply with applicable laws, regulations, and standards.  Health care compliance programs should outline a comprehensive strategy to ensure the submission of accurate claims to federal, state, and commercial payers.  The compliance program should include policies and procedures to comply with other applicable laws and regulations relating to the delivery of health care products and services. 

What Makes a Compliance Program Work?

Programs that work are about two things: a management commitment to do the right thing, and effective management steps to make that happen.  It is about making sure that all those who work for the organization know what to do, and believe that the organization is serious about acting legally and ethically.  

Compliance Program Foundation

The Office of the Inspector General, “OIG,” has spoken authoritatively on the basic elements of an effective compliance program.  The Federal Sentencing Guidelines have defined an effective compliance program as “a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.”(1)  The Sentencing Guidelines outlines seven key elements of a compliance program.

 1.  Compliance Standards  “The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations.” Comment 3.(k)(1).

2.  High Level Responsibility “Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with the standards and procedures and have sufficient resources and authority to assure compliance.” Comment 3.(k)(2).

3.  Trustworthy Individuals  “The organization must have used due care not to delegate substantial dicretionary authority to individuals whom the organization knew, or should have know through the exercise of due diligence, had a propensity to engage in illegal activities.” Comment3.(k)(3).

4.  Education  “The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, such as by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.” Comment3.(k)(4).

5.  Monitoring and Auditing  “The organization must have taken reasonable steps to achieve compliance with its standards, such as by utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations by its employees and other agents.” Comment3.(k)(5).

6.  Enforcement and Discipline  “The standards must be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.” Comment 3.(k)(6).

7.  Response and Prevention  “After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses. including any necessary modification to its program to prevent and detect criminal, civil, and administrative violations.” Comment3.(k)(7).

Health care organizations have recognized that compliance programs are important because the regulatory environment in which they operate is exceedingly complex, and they have a fundamental obligation to their patients and the public to ensure that participation in government and private reimbursement systems and the operation of health care organizations are consistent with applicable laws and regulations.

Healthcare Compliance Consulting, Inc. (HCC) has been providing consulting services and compliance programs to health care providers for almost a decade.  Our clients include medical doctors, cardiologists, allergy physicians, dermatologists, chiropractors, home health agencies and dentists. 

  

(1) Federal Sentencing Guidelines, §8A.2. Comment 3.

Healthcare Compliance Consulting, Inc.
Developers of Healthcare Compliance for Less Than $2.00 Per Day.
5755 Heather Ridge Drive
St. Paul, Minnesota 55126          
Phone: (651) 484-4303
Fax: (651) 484-6213
Email: davesina@q.com or candysina@q.com
www.healthcarecomplianceconsulting.net       

Evaluating and Improving a Compliance Program

Evaluating and Improving a Compliance Program.

Post Navigation