Healthcare Integration Advisors - Overcoming Obstacles Along the Continuum of Care

Patient-focused health care providers understand that privacy is important to patients.  Providing patients with an explanation of their health information privacy rights has been a standard part of provider office procedures when patients present for medical care since HIPAA was enacted.  If  patients are being handed a Notice of Privacy Practices (NPP) dated before the January 17, 2013, Final Rule was issued, or if the website publishes an old form, providers have until September 23, 2013, to revise and distribute it. The Final Rule applies to “covered entities” -- you know who you are!

The new HIPAA regulations explain the details required to be part of the NPP  (even down to capitalized headers), and must be consulted to ensure that a compliant NPP is developed and publicized. An overview of the change process provides a roadmap for providers undertaking this task.  NPPs must be made more “user friendly” and include additional descriptions of patient’s rights concerning their Protected Health Information (PHI). 

What happens if the NPP is not revised?

• Covered entities may be exposed to patient complaints, governmental investigations, and civil and criminal penalties. 

What new information needs to be added to the NPP?

• Authorized uses under HIPAA; examples.  A description of how information may be used without patient authorization, and at least one example of what is meant by treatment, payment, and healthcare operations (e.g., “for example…”).
• Provider’s intentions.  Disclosure if PHI will be used to give appointment reminders, provide alternative treatment information, disclose to plan sponsor, or for fundraising.
• How patients can obtain access to PHI. Right to inspect records and obtain paper copy of electronic PHI.
• Where patient authorization is needed. List must include psychotherapy notes, marketing, subsidized treatment communications, sale, and certain other uses.
• How patients may pro-actively restrict disclosure. Specific written request; may not be honored with regard to health insurer unless services completely paid out-of-pocket.
• Opting out of fundraising. Inform patients of right to opt out of each solicitation.
• Accounting to patients for disclosure.
• How patients may complain about privacy violation.  How to file a complaint; non-retaliation.
• Breach notification.  Statement covered entity is required to notify patient of each breach.
• List of provider duties. Include contact for privacy office.
• Health plans only. Provide notice genetic information may not be used for underwriting, with exceptions for some long-term care policies. 

What must be done after the NPP is revised?

• Make available.  Copy to new patients; available to existing patients; NPP or notice of material change in next mailing of health insurer.
• Post.  On website, in office (or post summary with full NPP available).
• Keep records.  Keep copies of prior versions of NPPs and written patient acknowledgements of receipt.

This is a only a roadmap of the major highways, but the path is clear. With reasonable effort and attention to detail, enhanced patient communication concerning privacy can be implemented as required.

Any healthcare provider using portable electronic devices, such as smartphones, laptops, tablets, personal digital assistants, or thumb drives must comply with HIPAA to protect the confidentiality of electronic protected health information (ePHI), which means adopting and implementing adequate policies and procedures.  The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) delivered a strong message to the provider community on September 17, 2012, when it announced that Massachusetts Eye and Ear Infirmary (Hospital) and its associated physician practice group had agreed to a $1.5 million settlement which included a Resolution Agreement and a Corrective Action Plan. 

When a Hospital physician’s unencrypted laptop was stolen on vacation, the Hospital self-reported the security incident.  The OCR proceeded to review the Hospital's entire HIPAA compliance program.  According to the Hospital’s press release, there was no patient harm discovered in the subsequent OCR investigation.

The OCR complained that since the HIPAA Security Rule compliance date of March 8, 2010, the Hospital had failed to act appropriately with regard to portable electronic devices, and pointed to the need to:

• Restrict access to ePHI from unauthorized users/unauthorized portable devices, and be able to trace access;
• Track movement of both Hospital-owned and personally owned portable devices containing ePHI both on and off its premises; and
• Implement encryption or appropriate alternatives to encryption.

As part of the settlement, the Hospital agreed to adopt and distribute policies and procedures governing both workstations and portable devices accessing ePHI, and to implement these through training, monitoring, and reporting on workforce non-compliance.

A list of the minimum content of the policies and procedures was set forth in the Corrective Action Plan.  This list effectively provides a high-level framework for every healthcare provider to use in reviewing and updating its own compliance arrangements.  Among the OCR requirements were that the Hospital implement mechanisms to encrypt and decrypt portable devices so that only authorized persons could access the devices. The Hospital must also track the movement of hardware and electronic media, and implement other administrative, physical, and technical safeguards to protect the confidentiality and security of its ePHI, as well as institute sanctions for non-compliance.

Other information security aspects of such an electronic device policy are illustrated in a recently published “Mobile Device Policy” template, including changing passwords, timeouts, encryption of wireless transmissions, anti-virus software, prohibitions on storage of non-encrypted information, and IT department approval of applications, services, and configuration of bluetooth and infrared services.

On April 17, 2012, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with a five-physician practice, Phoenix Cardiac Surgery, P.C. (Practice).  This agreement requires the Practice to pay $100,000 to resolve a HIPAA violation charge, and to implement a corrective action plan.  The Office of Civil Rights (OCR), which enforces HIPAA, alleged that the practice had disclosed electronic protected health information (ePHI) on a publicly accessible Internet-based calendar, and had emailed ePHI to its employee’s personal Internet-based email accounts.  Once having investigated the complaint, the OCR reviewed and found wanting the practice's HIPAA compliance for the preceding six years. 

Small physician groups have largely flown under the radar when it comes to HIPAA compliance, but times are changing.  The director of OCR specifically made this point in its press release on the settlement:

This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR.  “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.

This is a wake-up call to all providers of health care services.  Appropriate HIPAA policies, Business Associate Agreements with vendors who have access to protected health information, and workforce training are mandatory for all health care providers, regardless of size,  that qualify as a "covered entity" under the regulations.

The prevention and detection of Medicaid fraud and abuse was the general theme at the New York State Bar Association Health Law Section meeting held on January 25, 2012.  While speakers from various governmental agencies and private attorneys addressed the topic from different perspectives, one sub-theme emanated across the board: the government has increasing authority and ability to collect, store, and use information that participants in the health care world are required to disclose.

More than one speaker boasted about the wealth of information that is available right at his or her fingertips.  An ever increasing number of health care related entities must make information available to the government which, in turn, may disclose the information to the public generally via the internet.  The importance of information technology cannot be overstated.

Below are several points addressed by the speakers.

• Early detection of fraud  The strategy of the Center for Program Integrity (CPI) within the Centers for Medicare & Medicaid Services (CMS) is to prevent payment of fraudulent claims by screening providers and spotting fraudulent practices before claims are ever paid.  To accomplish this, CPI has created a state of the art Medicaid data analysis management information system that captures and stores certain state Medicaid data.  Algorithm concepts have been developed and applied to detect payment anomalies, leading to the recovery of fraudulent payments and identifying targets for audits.

• Sharing of information across states  Information stored electronically can be made available to multiple users.  For example, CPI has developed a platform for states to share information with one another on terminated providers and supplies.  A provider who has been terminated from participation under one state’s Medicaid program can now be identified by regulators in other states.  This sounds a death knell for a terminated provider since under 42 CFR § 455.416(c) a state Medicaid agency must deny enrollment or terminate the enrollment of any provider that is terminated on or after January 1, 2011, under Medicare, the Medicaid program, or CHIP of any other state. 

• Sunshine Act  This law requires that by March 31, 2013, manufacturers of pharmaceutical, device, biological, and other medical supplies must report payments and gifts to physicians and teaching hospitals. The name, address, and NPI of the recipient of the payment or gift must be reported along with a description of the form of payment, the value, and the dates on which the payments were provided.  This information will be made public on the website of the Department of Health and Human Services by September  30, 2013.   Even if payments are legitimate and do not violate any fraud or abuse laws, there is sure to be great interest by the press and others in this information.

For health care providers, it is important to be aware not only of ever changing disclosure requirements, but to be cognizant that the information you disclose may be used by many different readers for many different purposes.

As anyone who has been to a doctor in the past decade knows, federal regulations commonly referred to as the HIPAA Privacy Rule, or just HIPAA, protect the confidentiality of medical records.  You can’t even see a doctor until you have been advised of your privacy rights and signed an appropriate HIPAA acknowledgment.  Try to obtain medical information about your adult child or your parent and you will bump into HIPAA again and State law as well.  You can overcome this hurdle if your family member signs an authorization to permit you to have access to the records or  if you are considered her “personal representative” under State or other applicable law.   

Who is this “personal representative” who may be entitled to medical records?  That depends on where you live and whether the patient is living or deceased.  In New York, an individual may nominate a health care agent to make medical decisions and that agent can generally access medical records necessary to make medical decisions.  In addition, if the patient is alive, a legally-appointed guardian, a parent of an infant, or an attorney acting on their behalf, is entitled to access.

What happens to the confidentiality of a medical record when a person dies?  The confidentiality lives on.  In fact, those who had access when the patient was alive might not have access after her death.  For example, a health care agent’s power lapses upon the death of the individual.  A written authorization may no longer be valid.   HIPAA provides that a decedent’s executor, administrator, or other person authorized to act on behalf of a decedent’s estate may request a decedent’s medical record.  In New York, a distributee of a decedent’s estate may also access the medical records if no administrator or executor has been appointed. So too can the distributee's attorney if he or she holds a power of attorney from the distributee explicitly authorizing the attorney to execute a written request for the deceased patient’s information.

Health care providers must ensure that they are familiar with HIPAA and their State’s laws regarding access to a decedent’s medical records.   The provider may not turn over records unless it has received a written request, verified the status of the requestor, and ensured that the requestor is entitled to all the information sought.  Documentation should be kept in the medical record.   Because violations of HIPAA privacy rules carry penalties, providers should consult with their legal counsel when they are unsure whether disclosure is appropriate or not.

HIPAA audits are coming, but significant HIPAA enforcement is occurring now.  The Office of Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) recently awarded  KPMG a $9.2 million contract to conduct HIPAA audits on 150 covered entities and business associates before December 31, 2012.   Booz Allen Hamilton was contracted  to identify HIPAA audit candidates.  An increasing level of enforcement has already been observed (check out “All Signs Point to Ramped-Up HIPAA Enforcement”) and even more enforcement activity is expected as a result of the planned audits. 

The OCR announced its most recent enforcement action on July 7, 2011, a Resolution Agreement and Corrective Action Plan (Plan) with the University of California at Los Angeles Health System to settle violations of the HIPAA Privacy and Security Rules.  OCR found that hospital employees had accessed and reviewed electronic protected health information of celebrity patients repeatedly and without a permissible reason.

The Plan provides for an independent monitor, implementation of updated policies, procedures, and training, but with a significant downside: if the Plan is breached, HHS may impose a civil monetary penalty for the HIPAA breaches.

The takeaway for covered entities and business associates subject to HIPAA is to consider the Plan as a form of “best practices” to use to implement a customized HIPAA compliance program.  It is particularly important for entities to update and actually roll out, train, and enforce their policies and procedures.  Current HIPAA programs are more likely to be based on safeguarding paper medical records and not on properly handling electronic protected health information (PHI) if they have not recently been revised.  In particular, the following concrete steps required by the Plan should be considered for addition to entity HIPAA programs:

• Update policies and distribute to anyone in the workforce who has access to PHI along with written or electronic compliance certification that the policies have been read and understood, without which employees may not perform services that involve PHI;
• Policies must address permissible and impermissible use and disclosure of PHI,  information access standards, and sanctions;
• Train workforce to comply with policies, through updated annual training as appropriate, including written certification that training has been received, without which employees may not have access to PHI;
• Investigate and respond to non-compliance; and
• Officer accountability for training and certification of training.

These are practical steps to follow and would serve well in the event of any future HIPAA audit. KPMG has been tasked, in its conduct of HIPAA audits, to visit the entity, interview leadership, examine operations, assess whether policies are being implemented and HIPAA standards are being met, and make recommendations for corrective action going forward.   It is not clear how the OCR will respond to negative audit findings, but it is not sensible to wait for the shoe to drop.  Providers should take a good hard look at their HIPAA privacy and security polices, update them particularly with regard to their current electronic health records operations, then implement them carefully and with appropriate documentation.

To prevent a 1% reduction in Part B Medicare payments in 2012, eligible professionals must successfully e-prescribe (eRx) for the required number of Medicare beneficiaries before June 30, 2011.  This “payment adjustment,” which will increase over time (1.5% in 2013, and 2% in 2014), is the "stick" aspect of the “carrot and stick” implementation of the eRx incentive program.  The "carrot" is a 1% incentive payment for program years 2011 and 2012, and 1.5% incentive payment for 2013 to “successful electronic prescribers.”

To be considered a successful electronic prescriber, an eligible professional must report at least 10 unique eRx events between January 1, 2011 and June 30, 2011. A group practice may register and meet the eRx standard with between 75 and 2,500 unique eRx events, depending on the size of the group. The eligible professionals are physicians, physician assistants, CRNAs and nurse midwives.

Physician incentive programs not aligned; CMS offers a patch related to e-prescribing overlap.  In response to requests to better align the eRx Incentive Program with the Medicare and Medicaid EHR Incentive Programs and to expand the hardship exemption categories, CMS issued “Proposed Changes to the Electronic Prescribing (eRx) Incentive Program”  on June 1, 2011 in the Federal Register.  A summary of the proposal is available in a CMS fact sheet.

Continue Reading

In Part I of this series I discussed important developments in the Office of Civil Rights’ (“OCR”) HIPAA enforcement strategy.  The sweeping enforcement changes observed over the past few months make HIPAA compliance a high priority.

Traditionally, entities covered by HIPAA have compartmentalized their compliance programs; one group manages privacy compliance, while another manages security.  There is often a close nexus between an entity’s privacy compliance program and the HIPAA  Privacy Rule, as privacy controls are driven by compliance requirements.  Security, however, is generally a business issue  managed by Information Technology / Information Services professionals.  The focus is on security and data protection – functions driven primarily by business needs, not compliance.

As a result, healthcare information systems are often secure but are not necessarily compliant.  Although it may seem counterintuitive,  a secure system may be non-compliant, and a compliant system may be vulnerable, due to the nature of regulatory mandates versus real-world risk.  The goal, particularly given OCR’s stepped-up enforcement, is to convert existing security management functions into a compliant program.  Stated differently; to create that nexus between real-world security and Security Rule compliance.

A baseline compliance assessment is the first step.  While  many healthcare organizations and insurers undergo routine security risk assessments and understand this process well, most have not completed a compliance review.  A compliance assessment should examine security controls, but it must go further to evaluate controls and practices against the precise  framework and requirements of the Security Rule.  To the extent possible, the compliance assessment should mirror compliance reviews done by OCR pursuant to 45 C.F.R. § 160.308.  Instead of relying upon a technical audit, OCR focuses mainly on document review and interviews of IT professionals.

Here are some strategies for conducting Security Rule assessments:

• Conduct the review through, and under the direction of, legal counsel.  Care should be taken to establish and preserve attorney-client and attorney work product privileges, to the extent possible, over sensitive findings and conclusions that may result from the review.
• Documentation is key.  OCR utilizes a comprehensive document request list, which mirrors the Security Rule’s document requirements.  The review should confirm that all policies, procedures, and risk assessment determinations and justifications required by the regulations are in place and are adequate.
• Conduct interviews of key IT professionals.  This process serves two purposes: (1) it will reveal how things are actually done (as opposed to documented, or not documented) and (2) it will raise awareness among those in charge of running IT systems by informing them of compliance requirements.
• Incorporate a recent security assessment as proof of the effectiveness of security controls or plan a new technical assessment under the direction of counsel to coincide with the compliance review.
• Develop written corrective action plans to mitigate or eliminate compliance deficiencies.
• Pay particular attention to high risk / high exposure points (e.g. mobile devices, unencrypted e-mail, procedures for disposal of equipment, workforce training and awareness).
• Remember: Security Rule compliance is the baseline.  The regulations are broad and high-level by design.  Security requirements evolve constantly with changing technology and risk.  Supplement the compliance review with an evaluation against accepted industry practices.

In the final part of this series I will discuss common Security Rule compliance pitfalls and solutions.

As of 2010, only  25% of physician offices and 15% of acute care hospitals were taking advantage of Electronic Health Records technologies;  this is due in part  to barriers relating to lack of capital, the alteration of workflows, and the lack of an interoperable infrastructure to securely exchange health information. However, the creation of Medicare and Medicaid EHR  Incentive Programs have contributed to a rapid and widespread surge of activity by providers in purchasing and implementing certified  EHR systems. This is true especially among  providers who are seeking to achieve the Stage I of Meaningful Use in time to qualify for 2011 incentive payments (deadlines to register and attest  are November 30, 2011 for hospitals and February 29, 2011 for eligible providers).  Most providers are also aware that they will face payment reductions after 2015 if they do not meet Meaningful Use requirements.

The increase in adopting EHR has also been coupled with an increased level of donation of EHR systems by hospitals and other entities that bill for designated health services, such as  pharmacies, laboratories (but not in NY), and health plans.  While a federal Stark exception  and Anti-Kickback safe harbor for e-prescribing and EHR donations have been around since 2006, the upswing in technology adoption has caused donors to establish donation programs now  so that EHR technology can be donated to providers before the December 31, 2013 sunset.

Donation programs  must be organized so that the selection of recipients is made in a reasonable and verifiable manner, not directly taking into account the volume or value of referrals or other business generated between the parties.   Donors must structure their contractual arrangements (under which they may donate up to 85% of “covered” technology in which  EHR function predominates)  in accordance with federal regulations including IRS rules for tax-exempt entities, and state laws/regulations.  Donation transactions typically involve a provider’s obtaining technological items and services  through either  a) license/sublicense from the donor pursuant to a master agreement between a donor and a vendor,  or  b)  direct purchase  from a vendor appropriately subsidized by a donor.   

Federal regulations require a written agreement between the donor and recipient which specifies the items and services provided  as well as the donor’s costs and the recipient’s contribution. 

Practical considerations usually result in a three-way agreement between the vendor, donor, and recipient. This covers payment arrangements and termination, incorporating any  other two-way agreements, and ensuring that the recipient’s 15% share is paid in advance of the donor’s 85% share. Because all three participants have access to Protected Health Information, Business Associate Agreements which meet current regulatory standards  are also required.  Any EHR technology purchased must be capable of implementing  and verifying the measurement of a provider’s achievement of the Meaningful Use Core Objectives and Clinical Quality Measures; a central consideration which should impact the representations and warranties made in the transaction documentation.

On February 24, 2011, the Department of Health and Human Services announced in their press release that Massachusetts General Hospital and Massachusetts General Physicians Organization (the “Hospital”) agreed to pay a $1 Million  settlement  in a resolution agreement to resolve an alleged HIPAA  violation, which arose when an employee left Protected Health Information (patient names, addresses, and billing information, including patients with HIV/AIDS) on the subway.  The settlement includes a “Corrective Action Plan” under which comprehensive new compliance policies must be promulgated to ensure that patient data is protected when removed from the facility.  These policies must be implemented by employee training and assessed by an independent “monitor” who will make unannounced inspections of laptops and flash drives and who will confirm that training has been done.  Otherwise, a civil monetary penalty may be levied on the Hospital beyond the settlement amount already paid.

Compliance officers for all healthcare entities subject to HIPAA privacy and security rules, including physicians, hospitals, long term care facilities, managed care entities, and health insurers,would do well to heed the key elements of the settlement’s Corrective Action Plan, and integrate them into their own compliance programs. Written policies and procedures should be developed, and should be updated annually or sooner as electronic data storage evolves and regulations change, in order to provide safeguards governing the physical removal and transportation of Protected Health Information from the premises, as well as laptop and USB drive encryption.  Employees should be trained in these procedures, and their compliance with these policies should be monitored by regular audits, including inspection of any electronic devices holding patient data which could leave the premises, in order to to ensure encryption of patient data.   

The vigilant implementation of data safeguards on portable electronic devices containing patient data is important for everyone in the healthcare industry, especially  as increasing numbers of healthcare providers are installing  new  Electronic Health Records systems in order to meet Meaningful Use deadlines.  According to Adam Greene, senior health IT and Privacy Adviser in the HHS Office for Civil Rights, the theft or loss of portable devices such as laptops were the root cause of 66% of large breaches.