
Healthcare Compliance 101

What Every Healthcare Provider Needs To Do To Avoid Damages Under The TCPA

Memorandum re: Liability of a Dental Practice under the Telephone Consumer Protection Act (TCPA), September 28, 2015.


Disclaimer: This material is for general reference purposes only and does not constitute legal advice.


Note: Even though the TCPA only covers phone calls and text messaging, we also included emails as part of the consent that patients give in the event that future regulations or laws are passed involving email communications.


The purpose of this memorandum is to discuss the changes to a Practice’s 1) Notice of Privacy Practices (NPP) and 2) Acknowledgement of Receipt of Notice of Privacy Practices & Consent for Use and Disclosure of Health Information (Acknowledgement). These changes are necessary to protect the practice from potential lawsuits and damages for violations of the Telephone Consumer Protection Act, a risk highlighted by the class action suit against Walgreens, which Walgreens settled for $11,000,000 over alleged violations of the TCPA. The final approval hearing for this settlement was held on Aug. 5, 2015.


Why do we need to make these changes when Healthcare Compliance Consulting, Inc. set up our HIPAA Privacy and Compliance programs for us and we already have our patients sign our Acknowledgement form?

The problem is that even though a dental practice is a covered entity (just as Walgreens is a covered entity) and is required to comply with the HIPAA regulations, the class action suit against Walgreens was not brought for violation of the HIPAA regulations but for violation of the TCPA, a federal act that is completely separate from the HIPAA regulations. The nature of the infraction against Walgreens was such that one would expect it to be covered under the HIPAA regulations, but no HIPAA regulation discusses or governs it. Thus, a similar lawsuit could be brought against a dental practice on the grounds that the practice violated the TCPA.


The lawsuit against Walgreens alleged that it placed prerecorded prescription reminder calls to the cell phones of prior Walgreens customers without their consent. The court distinguished between calls made to pharmacy patients with a current prescription due to be picked up and calls made to prior Walgreens pharmacy patients who had no current prescription due to be picked up. The court said that reminder calls to prior patients without a current prescription due to be picked up could not be made without the patient’s prior consent. Because Walgreens did not obtain the patient’s consent first, the court held that these cell phone calls were unauthorized, which constituted a violation of the TCPA and made Walgreens subject to damages.


Lawsuits can be brought under the TCPA against any dentist for sending any kind of reminder message to patients (e.g., to schedule recall appointments or unscheduled treatment), whether by phone or by text, without the prior consent of that patient.


A violation of the TCPA could occur in a dental office 1) where a phone call or text notice is sent to a patient asking the patient to call the office and set up an appointment for future treatment that the dentist previously recommended but that was never scheduled, or 2) where the office calls or texts a recall notice to a patient (such as a 3-month or 6-month recall appointment reminder) stating that it has been 3, 6, 9 months, etc. since the last treatment or visit and that it is time to set up another dental appointment, and the patient has not given the practice his/her consent to send such notices.


The safe course, which protects the dental practice from liability, lawsuits and damages for violation of the TCPA, is to include language in the practice’s NPP and Acknowledgement form by which the patient gives the practice his/her consent to send such notices by phone or text. We have revised the NPP and Acknowledgement form with language that gives the dental practice the patient’s consent to send such notices.


Special problems involving Recall Notices

When a dental office calls or texts a patient to remind them that it has been 3 months, 6 months, 9 months, 12 months, etc. since their last visit and requests that the patient call and set up an appointment, this is a violation of the TCPA unless the patient has given the practice consent to call or text him/her. The problem is that sending these kinds of recall notices has been a common practice among dental practices as a way to keep business coming in. Stopping them could cost the practice a substantial amount of business. So, on one hand, based on the current litigation with Walgreens, it definitely is a violation of the TCPA to make these kinds of phone calls or send these kinds of text messages without the patient’s consent. On the other hand, the practice will lose business if it does not contact patients it has previously treated to notify them that they have not been in for 3 months, 6 months, etc. and that they should set up an appointment. To complicate the situation further, if the dental practice does not contact its patients for recall appointments, it could possibly be cited for abandonment of treatment. Once a dentist begins treating a patient, the dentist may not abandon the patient without incurring liability for damages unless the dentist follows certain steps and procedures for terminating the dentist/patient relationship. So the dentist is really in a Catch-22. Each dental practice will have to decide how it wants to handle this situation, because there is risk involved no matter what it does. If the dentist contacts the patient by phone or text to set up a recall appointment without the patient’s consent, it is in violation of the TCPA. If it does not make a recall call or send a recall text, it could be subject to liability for abandonment of treatment.
So the dentist will have to decide whether to take the risk and continue making recall phone calls and/or sending recall text messages, and have the patient sign the consent form when they come in for treatment.


We have recommended that all dental practices have their existing and new patients sign the Acknowledgement form with the new consent language on it because 1) anyone can file a lawsuit against the practice under the TCPA for the practice’s failure to obtain consent from the patient (it does not have to be the patient who files the lawsuit), and 2) because of the recent Walgreens settlement for violation of the TCPA (Aug. 5, 2015), lawyers may be more aggressive in searching out clients willing to bring a lawsuit against any covered entity (such as a dental practice, large or small). There already are lawyers pursuing opportunities to solicit people they can represent in lawsuits against healthcare providers for violations of the TCPA. If you Google “Telephone Consumer Protection Act,” Minneapolis law firms already appear in the sidebar advertising their consumer protection services for violations of the TCPA.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

Overview: OCR has announced that it is initiating compliance audits beginning November 2011, as it is authorized to do by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium-sized and small (such as a one-doctor healthcare provider). No covered entity is exempt from the chance of being selected for a compliance audit by OCR.

What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

How the Audit Program will work. Covered entities selected for an audit will be informed by OCR of their selection and will be asked to provide written documentation of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.

What happens after an audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

Why the push for increased audits? The increase of 6,230,963 individuals (for a total of 18,190,451) affected by HITECH-reportable breaches represents a skyrocketing jump in the number of individuals affected by privacy and security breaches, which heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

What should a covered entity do to prepare for a potential OCR audit and avoid the consequences (monetary penalties) of non-compliance? To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new, or reviewing an existing, Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.


Evaluating and Improving a Compliance Program


Health care is one of the most highly regulated industries in the United States. Thousands of health care entities have been excluded from participating in federal programs, such as Medicare and Medicaid, for violating laws. Government agencies such as the Federal Bureau of Investigation (FBI), Office of Inspector General (OIG), Department of Justice (DOJ) and Centers for Medicare and Medicaid Services (CMS) treat health care fraud and abuse as high-priority areas for inquiries and investigations. In light of the proliferation of fraud and abuse legislation and enforcement activities directed at the health care industry, it is becoming imperative for health care organizations to implement compliance programs, not only to prevent violations but also to reduce the potential for liability should violations occur.

What is the Purpose of a Compliance Program?

A compliance program aims to ensure that the organization, its employees, and its associates comply with applicable laws, regulations, and standards. Health care compliance programs should outline a comprehensive strategy to ensure the submission of accurate claims to federal, state, and commercial payers. The compliance program should also include policies and procedures for complying with other applicable laws and regulations relating to the delivery of health care products and services.

What Makes a Compliance Program Work?

Programs that work are about two things: a management commitment to do the right thing, and effective management steps to make that happen.  It is about making sure that all those who work for the organization know what to do, and believe that the organization is serious about acting legally and ethically.  

Compliance Program Foundation

The Office of the Inspector General (OIG) has spoken authoritatively on the basic elements of an effective compliance program. The Federal Sentencing Guidelines define an effective compliance program as “a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.”(1) The Sentencing Guidelines outline seven key elements of a compliance program.

1.  Compliance Standards  “The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations.” Comment 3.(k)(1).

2.  High Level Responsibility “Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with the standards and procedures and have sufficient resources and authority to assure compliance.” Comment 3.(k)(2).

3.  Trustworthy Individuals  “The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.” Comment 3.(k)(3).

4.  Education  “The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, such as by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.” Comment 3.(k)(4).

5.  Monitoring and Auditing  “The organization must have taken reasonable steps to achieve compliance with its standards, such as by utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations by its employees and other agents.” Comment 3.(k)(5).

6.  Enforcement and Discipline  “The standards must be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.” Comment 3.(k)(6).

7.  Response and Prevention  “After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modification to its program to prevent and detect criminal, civil, and administrative violations.” Comment 3.(k)(7).

Health care organizations have recognized that compliance programs are important because the regulatory environment in which they operate is exceedingly complex, and they have a fundamental obligation to their patients and the public to ensure that participation in government and private reimbursement systems and the operation of health care organizations are consistent with applicable laws and regulations.

Healthcare Compliance Consulting, Inc. (HCC) has been providing consulting services and compliance programs to health care providers for almost a decade.  Our clients include medical doctors, cardiologists, allergy physicians, dermatologists, chiropractors, home health agencies and dentists. 


(1) Federal Sentencing Guidelines, §8A.2. Comment 3.

Healthcare Compliance Consulting, Inc.
Developers of Healthcare Compliance for Less Than $2.00 Per Day.
5755 Heather Ridge Drive
St. Paul, Minnesota 55126
Phone: (651) 484-4303
Fax: (651) 484-6213
Email: davesina@q.com or candysina@q.com
www.healthcarecomplianceconsulting.net

amednews: 5 ways to manage your online reputation :: Sept. 12, 2011 … American Medical News


Over 70% of Healthcare Providers Suffered Privacy Breaches


Congresswoman Mary Bono Mack


Breach Notification Obligations In All 50 States?


How to Achieve Accountable Care While Avoiding Downfalls of Medicare ACOs | Hospital-Physician Relationships


The HITECH Act – Little-Noticed Provision

Remember the HIPAA violation charge against the Alabama woman who stole PHI from more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama? This case marked the first time the DOJ has charged someone with a HIPAA violation who is not connected in any way to a covered entity. In this case the woman is alleged to have been visiting the hospital when she took the documents.

Prior to the HITECH Act, the HIPAA charge against the Alabama woman may not have occurred, or may have been substantially more difficult to file. If convicted, she could be jailed for 10 years and fined $250,000 for the HIPAA charge alone. However, under the June 28 indictment there are added charges of “possessing stolen mail, attempting to commit bank fraud, misusing someone else’s Social Security number, and aggravated identity theft.”

Prior to the HITECH Act, Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)), “Wrongful disclosure of individually identifiable health information,” read:

(a) Offense, – “A person who knowingly and in violation of this part–(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided” in later sections.

The HITECH Act’s little-noticed provision, “Sec. 13409. Clarification of Application of Wrongful Disclosures Criminal Penalties,” extended those criminal penalties to individuals. It states:

“Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: ‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’”

Prior to this change, only covered entities (CEs) and certain individuals working for them were directly liable for criminal charges. The expansion means not only that outsiders can be liable, but that low-level employees can now be subject to direct prosecution.

10 Recent Stark, False Claims and Kickback Lawsuits Involving Hospitals and Health Systems | Hospital Financial and Business News

