Healthcare Compliance 101

Archive for the category “HIPAA Audits”

Phase Two HIPAA Audits Have Begun

July 12, 2016

OCR’s Phase Two HIPAA Audits Have Begun

Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has now kicked into high gear. Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below). OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance. Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program. Nevertheless, these emails may be incorrectly classified as spam in the recipient’s email service. Covered entities should monitor their spam filtering and junk mail folders for emails from OSOCRAudit@hhs.gov. One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions. Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.

For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Requirements Selected for Desk Audit Review

Privacy Rule
    Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
    Provision of Notice – Electronic Notice [§164.520(c)(3)]
    Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
    Timeliness of Notification [§164.404(b)]
    Content of Notification [§164.404(c)(1)]

Security Rule
    Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
    Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

OCR Launches Phase 2 of HIPAA Audit Program

March 21, 2016

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.

What Every Healthcare Provider Needs To Do To Avoid Damages Under The TCPA

Memorandum re Liability to Dental Practice under the Telephone Consumer Protection Act (TCPA) – September 28, 2015.

Disclaimer: This material is for general reference purposes only and does not constitute legal advice.

Note: Even though the TCPA only covers phone calls and text messaging, we also included emails as part of the consent that patients give in the event that future regulations or laws are passed involving email communications.

The purpose of this memorandum is to discuss the changes to a Practice’s 1) Notice of Privacy Practices (NPP) and 2) Acknowledgement of Receipt of Notice of Privacy Practices & Consent for Use and Disclosure of Health Information (Acknowledgement). These changes are necessary in order to protect the practice from potential lawsuits and damages for violations of the Telephone Consumer Protection Act (TCPA), a risk highlighted by the class action suit against Walgreens, which Walgreens settled for $11,000,000 for alleged violations of the TCPA. The final approval hearing for this settlement was held on Aug. 5, 2015.

How come we need to make these changes when Healthcare Compliance Consulting, Inc. set up our HIPAA Privacy and Compliance programs for us and we already have our patients sign our Acknowledgement form?

The problem is that even though a dental practice is a covered entity (just as Walgreens is a covered entity) and is required to comply with the HIPAA regulations, the class action suit against Walgreens was not brought for violation of the HIPAA regulations but for violation of the TCPA, a federal act that is completely separate from the HIPAA regulations. The nature of the infraction against Walgreens was such that this type of incident should have been covered under the HIPAA regulations, but there are no HIPAA regulations that discuss or govern it. Thus, a similar lawsuit could be brought against a dental practice on the grounds that the dental practice violated the TCPA.

The nature of the lawsuit against Walgreens was that it placed prerecorded prescription reminder calls to the cell phones of prior Walgreens consumers or customers without their consent. The court drew a distinction between phone calls made by Walgreens to pharmacy patients with a current prescription due to be picked up and calls to prior Walgreens pharmacy patients who had no current prescription due to be picked up. The court said that reminder calls to prior Walgreens patients who did not have a current prescription due to be picked up could not be made without that patient’s prior consent. Because Walgreens did not get the patients’ consent first, the court held that these cell phone calls were unauthorized, which constituted a violation of the TCPA and made Walgreens subject to damages.

Lawsuits can be brought under the TCPA against any dentist for sending out any kind of reminder message to patients (i.e., to schedule recall appointments or unscheduled treatment) by phone or text without the prior consent of that patient.

A violation of the TCPA could occur in a dental office 1) where a phone call or text notice is sent to the patient requesting that the patient call the dental office and set up an appointment for future treatment, based on a prior recommendation from the dentist to have this unscheduled dental work done in the future, or 2) where the dental office calls or texts a recall notice to the patient to set up an appointment (such as a 3-month or 6-month recall appointment reminder) stating that it has been 3, 6, 9 months, etc. since the patient’s last treatment or visit and it is time to set up another dental appointment, and that patient has not given the practice his/her consent to send out such notices.

To be safe and to protect the dental practice from liability, lawsuits and damages for violation of the TCPA, the dental practice should have language on its NPP and Acknowledgement form in which the patient gives the dental practice his/her consent to send out such notices by either phone or text. We have revised the NPP and Acknowledgement form with language that gives the dental practice the patient’s consent to send out such notices.

Special problems involving Recall Notices

When a dental office makes a phone call or sends a text message to a patient reminding them that it has been 3 months, 6 months, 9 months, 12 months, etc. and requests that the patient call and set up an appointment, this is a violation of the TCPA unless the patient has given the practice consent to call or text him/her. The problem is that it has been common practice for dental practices to send these kinds of recall notices in order to keep business coming into the practice. To stop sending these kinds of recall notices could cause the dental practice to lose a substantial amount of business. So, on one hand, based on the current litigation with Walgreens, it definitely is a violation of the TCPA to make these kinds of phone calls or text messages without the patients’ consent. On the other hand, the practice will lose business if it does not contact patients that it has previously treated to notify them that they have not been in for 3 months, 6 months, etc. and that they should set up an appointment.

To further complicate the problem, if the dental practice does not contact its patients for recall appointments, it is possible that it could be cited for abandonment of treatment. Once a dentist begins treating a patient, the dentist may not abandon the patient without incurring liability for damages unless the dentist follows certain steps and procedures for terminating the dentist/patient relationship. So the dentist is really in a Catch-22 situation, and a dental practice will have to decide how it wants to handle this because there will be risk involved no matter what it does. If the dentist contacts the patient by phone or text in order to set up a recall appointment without the patient’s consent, it is in violation of the TCPA. If it does not make a recall phone call or send a recall text, it could be subject to liability for abandonment of treatment. So the dentist will have to decide whether to take the risk and continue making recall phone calls and/or sending text messages, and have the patient sign the consent form when they come in for treatment.

We have recommended that all dental practices have their existing and new patients sign the Acknowledgement form with the new consent language on it because 1) anyone can file a lawsuit against the practice under the TCPA for failure of the practice to obtain consent from the patient (it does not have to be the patient who files the lawsuit) and 2) because of the recent Walgreens settlement for violation of the TCPA (Aug. 5, 2015), lawyers may be more aggressive in searching out clients who would be willing to bring a lawsuit against any covered entity (such as a dental practice, large or small). There already are lawyers pursuing opportunities to solicit people they can represent in lawsuits against healthcare providers for violations of the TCPA. If you Google Telephone Consumer Protection Act, there already are Minneapolis law firms whose names appear in the sidebar advertising their consumer protection services for violations of the TCPA.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

Overview: OCR has announced that it is initiating compliance audits beginning November 2011, as it is authorized to do by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium size and small (such as a one-doctor healthcare provider). No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.

What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

How the Audit Program will Work. Covered entities selected for an audit will be informed by OCR of their selection and the covered entity will be asked to provide documentation (in writing) of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.

What happens after an audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

Why the push for increased audits? The increase of 6,230,963 individuals (for a total of 18,190,451) impacted by HITECH breaches represents a skyrocketing jump in the number of individuals affected by privacy and security breaches, and it heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

What should a covered entity do to prepare for a potential OCR audit and avoid the consequences (monetary penalties) of non-compliance? To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new or reviewing an existing Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.
