Healthcare Compliance 101

A Risk Assessment is a Necessary Requirement of a HIPAA Compliance Program

December 14, 2015

$750,000 HIPAA SETTLEMENT UNDERSCORES THE NEED FOR ORGANIZATION WIDE RISK ANALYSIS

The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malware. The malware compromised the organization’s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients, involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients, involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers.

OCR’s investigation indicated UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html

The HHS Press Release can be found at: http://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-organization-wide-risk-analysis.html

HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office

Understanding Individuals’ Rights Under HIPAA

January 7, 2016

Understanding Individuals’ Right under HIPAA to Access Their Health Information

The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans.  This right is critical to enabling individuals to take ownership of their health and well-being.  Individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and request fixes to errors in their records, track progress in wellness or disease management programs, and directly contribute their information to research.  As the health care system evolves and transforms into one supported by rapid, secure exchange of electronic health information and more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information. Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule.  This must change.

Today, we took an important step toward ensuring that individuals can take advantage of their HIPAA right of access. We released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information.  This set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.

We will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.  In addition, the Office for Civil Rights will work with the White House Social and Behavioral Sciences Team and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information.

The first set of materials may be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/

What Every Healthcare Provider Needs To Do To Avoid Damages Under The TCPA

Memorandum re Liability of a Dental Practice under the Telephone Consumer Protection Act (TCPA), September 28, 2015.

Disclaimer: This material is for general reference purposes only and does not constitute legal advice.

Note: Even though the TCPA only covers phone calls and text messaging, we also included email in the consent that patients give, in case future regulations or laws are passed involving email communications.

The purpose of this memorandum is to discuss the changes to a Practice’s 1) Notice of Privacy Practices (NPP) and 2) Acknowledgement of Receipt of Notice of Privacy Practices & Consent for Use and Disclosure of Health Information (Acknowledgement). These changes are necessary in order to protect the practice from potential lawsuits and damages resulting from violations of the Telephone Consumer Protection Act, and they stem from the class action suit against Walgreens, which Walgreens settled for $11,000,000 for alleged violations of the TCPA. The final approval hearing for this settlement was held on Aug. 5, 2015.

Why do we need to make these changes when Healthcare Compliance Consulting, Inc. set up our HIPAA Privacy and Compliance programs for us and we already have our patients sign our Acknowledgement form?

The problem is that even though a dental practice is a covered entity (just as Walgreens is a covered entity) and must comply with the HIPAA regulations, the class action suit against Walgreens was not brought for violation of the HIPAA regulations but for violation of the TCPA, a federal act that is completely separate from the HIPAA regulations. The nature of the infraction was such that this type of incident arguably should have been covered under the HIPAA regulations, but there are no HIPAA regulations that discuss or govern it. Thus, a similar lawsuit could be brought against a dental practice on the grounds that the dental practice violated the TCPA.

The nature of the lawsuit against Walgreens was that it placed prerecorded prescription reminder calls to the cell phones of prior Walgreens consumers or customers without their consent. The court distinguished between phone calls made by Walgreens to pharmacy patients with a current prescription due to be picked up and calls to prior Walgreens pharmacy patients who had no current prescription due to be picked up. The court said that reminder calls to prior Walgreens patients who did not have a current prescription due to be picked up could not be made without that patient’s prior consent. Because Walgreens did not get the patients’ consent first, the court said that these cell phone calls were unauthorized, and thus they constituted a violation of the TCPA and made Walgreens subject to damages.

Lawsuits can be brought under the TCPA against any dentist for sending any kind of reminder message to patients (i.e., to schedule recall appointments or unscheduled treatment), transmitted either by phone or by text, without the prior consent of that patient.

A violation of the TCPA could occur in a dental office 1) where a phone call or text notice is sent to the patient requesting that the patient call the dental office and set up an appointment for future treatment, based on a prior recommendation from the dentist to have this unscheduled dental work done in the future; or 2) where the dental office calls or texts a recall notice to the patient to set up an appointment (such as a 3 month or 6 month recall appointment reminder) stating that it has been 3, 6, 9 months, etc. since your last treatment or visit and it is time to set up another dental appointment, and that patient has not given the practice his/her consent to send out such notices.

To be safe and to prevent the dental practice from being liable and subject to a lawsuit and damages for violation of the TCPA, the dental practice should have language on its NPP and Acknowledgement form in which the patient gives the dental practice his/her consent to send out such notices by either phone or text. We have revised the NPP and Acknowledgement form with language that gives the dental practice the patient’s consent to send out such notices.

Special problems involving Recall Notices

When a dental office makes a phone call or sends a text message to a patient reminding them that it has been 3 months, 6 months, 9 months, 12 months, etc. and requests that the patient call and set up an appointment, this is a violation of the TCPA unless the patient gives consent to the practice to call or text him/her. The problem is that it has been common practice for dental practices to send these kinds of recall notices in order to keep business coming into the practice. Stopping these kinds of recall notices could cause the dental practice to lose a substantial amount of business. So, on one hand, based on the current litigation with Walgreens, it definitely is a violation of the TCPA to make these kinds of phone calls or text messages without the patients’ consent. On the other hand, the practice will lose business if it does not contact patients that it has previously treated to notify them that they have not been in for 3 months, 6 months, etc. and that they should set up an appointment.

To further complicate the problem, if the dental practice does not contact its patients for recall appointments, it is possible that it could be cited for abandonment of treatment. Once a dentist begins treating a patient, the dentist may not abandon the patient without incurring liability for damages unless the dentist follows certain steps and procedures for terminating the dentist/patient relationship. So the dentist is really in a catch-22 situation, and a dental practice will have to decide how it wants to handle this situation because there will be risk involved no matter what it does. If the dentist contacts the patient by phone or text in order to set up a recall appointment without the patient’s consent, it is in violation of the TCPA. If it does not make a recall phone call or send a recall text, it could be subject to liability under abandonment of treatment. So the dentist will have to decide whether to take the risk and continue making recall phone calls and/or sending text messages, and have the patient sign the consent form when they come in for treatment.

We have recommended that all dental practices have their existing and new patients sign their Acknowledgement form with the new consent language on it because 1) anyone can file a lawsuit against the practice under the TCPA for failure of the practice to obtain consent from the patient (it does not have to be the patient who files the lawsuit against the practice); and 2) because of the recent Walgreens settlement for violation of the TCPA (Aug. 5, 2015), lawyers may be more aggressive in seeking out clients who would be willing to bring a lawsuit against any covered entity (such as a dental practice, large or small). There already are lawyers pursuing opportunities to solicit people they can represent in lawsuits against healthcare providers for violations of the TCPA. If you Google "Telephone Consumer Protection Act", there already are Minneapolis law firms whose names appear in the sidebar advertising their consumer protection services for violations of the TCPA.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

Overview: OCR has announced that it is initiating Compliance Audits beginning November 2011, as it is authorized to do by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium size, and small (such as a one-doctor healthcare provider). No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.

What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

How the Audit Program will Work. Covered entities selected for an audit will be informed by OCR of their selection and will be asked to provide documentation (in writing) of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.

What happens After an Audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

Why the Push for Increased Audits? The increase of 6,230,963 individuals (for a total of 18,190,451) affected by HITECH-reportable breaches represents a skyrocketing jump. This growing number of individuals affected by privacy and security breaches heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

What should a covered entity do to prepare for a potential OCR Audit and avoid the consequences (monetary penalties) of non-compliance? To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new, or reviewing an existing, Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.

Evaluating and Improving a Compliance Program

Health care is one of the most highly regulated industries in the United States. Thousands of health care entities have been excluded from participating in federal programs, such as Medicare and Medicaid, for violating laws. Government agencies, such as the Federal Bureau of Investigation (FBI), Office of Inspector General (OIG), Department of Justice (DOJ) and Centers for Medicare and Medicaid Services (CMS), target health care fraud and abuse as high priority areas for inquiries and investigations. In light of the proliferation of fraud and abuse legislation and enforcement activities directed at the health care industry, it is becoming imperative for health care organizations to implement compliance programs not only to prevent violations but also to reduce the potential for liability should violations occur.

What is the Purpose of a Compliance Program?

A compliance program is aimed at ensuring that the organization, its employees, and associates comply with applicable laws, regulations, and standards. Health care compliance programs should outline a comprehensive strategy to ensure the submission of accurate claims to federal, state, and commercial payers. The compliance program should also include policies and procedures to comply with other applicable laws and regulations relating to the delivery of health care products and services.

What Makes a Compliance Program Work?

Programs that work are about two things: a management commitment to do the right thing, and effective management steps to make that happen. It is about making sure that all those who work for the organization know what to do, and believe that the organization is serious about acting legally and ethically.

Compliance Program Foundation

The Office of the Inspector General (OIG) has spoken authoritatively on the basic elements of an effective compliance program. The Federal Sentencing Guidelines define an effective compliance program as “a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.”(1) The Sentencing Guidelines outline seven key elements of a compliance program.

1. Compliance Standards: “The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations.” Comment 3.(k)(1).

2. High Level Responsibility: “Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with the standards and procedures and have sufficient resources and authority to assure compliance.” Comment 3.(k)(2).

3. Trustworthy Individuals: “The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.” Comment 3.(k)(3).

4. Education: “The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, such as by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.” Comment 3.(k)(4).

5. Monitoring and Auditing: “The organization must have taken reasonable steps to achieve compliance with its standards, such as by utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations by its employees and other agents.” Comment 3.(k)(5).

6. Enforcement and Discipline: “The standards must be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.” Comment 3.(k)(6).

7. Response and Prevention: “After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modification to its program to prevent and detect criminal, civil, and administrative violations.” Comment 3.(k)(7).

Health care organizations have recognized that compliance programs are important because the regulatory environment in which they operate is exceedingly complex, and they have a fundamental obligation to their patients and the public to ensure that participation in government and private reimbursement systems and the operation of health care organizations are consistent with applicable laws and regulations.

Healthcare Compliance Consulting, Inc. (HCC) has been providing consulting services and compliance programs to health care providers for almost a decade. Our clients include medical doctors, cardiologists, allergy physicians, dermatologists, chiropractors, home health agencies and dentists.

(1) Federal Sentencing Guidelines, §8A.2. Comment 3.

Healthcare Compliance Consulting, Inc.
Developers of Healthcare Compliance for Less Than $2.00 Per Day.
5755 Heather Ridge Drive
St. Paul, Minnesota 55126
Phone: (651) 484-4303
Fax: (651) 484-6213
Email: davesina@q.com or candysina@q.com
www.healthcarecomplianceconsulting.net

amednews: 5 ways to manage your online reputation :: Sept. 12, 2011 … American Medical News

Over 70% of Healthcare Providers Suffered Privacy Breaches

Congresswoman Mary Bono Mack

Breach Notification Obligations In All 50 States?

How to Achieve Accountable Care While Avoiding Downfalls of Medicare ACOs | Hospital-Physician Relationships