
Tuesday, September 6, 2011

Hurricanes and HIPAA

Hurricane Irene was not as severe in many northern states as she was expected to be. But Irene reminds us about the importance of having contingency and disaster recovery plans in place for our protected health information (PHI) and electronic PHI (ePHI). A colleague reported to me that several of his lower New England clients lost “everything.” They had not yet transitioned to an EHR, and had lost all of their patients’ paper records. Others lost access to their EHRs with their power outage. What to do?
No one likes to think about these things. Like buying life or homeowners insurance – who wants to consider the worst? But this is exactly what the law requires you to do: consider the worst and prepare for it, especially when it comes to safeguarding your patients' PHI and ePHI.
Bottom line: HIPAA Security Standard § 164.308(a)(7) requires contingency planning. That means having a plan to protect the patient data in your possession. You are required to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems containing ePHI. And although HIPAA Security Standards focus on electronic records, HIPAA Privacy standards and both state and federal (HITECH) breach notification requirements compel us to make reasonable efforts to protect data in any form.
The HIPAA Security Rule/Contingency Plan standard includes five implementation specifications:

1. Data Backup Plan (Required)
2. Disaster Recovery Plan (Required)
3. Emergency Mode Operation Plan (Required)
4. Testing and Revision Procedures (Addressable)
5. Applications and Data Criticality Analysis (Addressable)
Remember that “addressable” does not mean optional. It means conducting an analysis and determining whether your practice will implement this specification, or another type of protection. You need to document your thinking and determinations.
All of this goes hand-in-hand with a formal analysis of the risks to your patient data, including an assessment of the likely threats and vulnerabilities. Your contingency/disaster recovery plan should include administrative, technical and physical safeguards that adequately and reasonably address the risks identified in your analysis, and include a policy and process covering backup, storage, and recovery of your ePHI. From a breach prevention perspective, it should also include the physical safeguards for your paper records and your portable media.
When evaluating a disaster recovery plan for HIPAA compliance, consider the ability to properly move data to the disaster recovery site without violating standards for privacy and security. (One of the biggest breaches on record in the U.S. was by a business associate of the New York City Health and Hospitals Corporation, which left back-up tapes unattended at a stop en route to storage. The back-ups disappeared, impacting upwards of 1.7 million individuals.  Consider the costs of the notices in multiple languages and the free consumer reporting for those affected, as a start.)
You must also understand your vendor's ability to restore operations and safeguards at another site, if that is your contingency plan. Your vendor must ensure and explain the safety of back-up systems, including the mechanics of restoration and required security protections. 
So remember to keep contingency planning high on your list, especially as the OCR audits begin.

Sunday, July 24, 2011

Despite the Summer Heat, the Feds Keep Us Busy With Compliance

Heat indexes are breaking records all over the country, but in Washington, D.C., compliance has not taken a summer holiday.  There has been activity in a number of areas worthy of note.

On June 10, 2011, the Department of Health and Human Services (HHS) awarded to KPMG a $9.2 million contract to create an audit protocol and then audit covered entities’ and business associates’ compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The contract calls for as many as 150 audits of entities varying in size and scope before Dec. 31, 2012.  HHS also awarded a contract of $180,000 on June 9, 2011 to Booz Allen Hamilton for "audit candidate identification."

Given the volume of HIPAA covered entities and business associates that exist, the likelihood of being audited will be small, but a number of entities will become the unlucky few. So, it is a good time for covered entities and business associates alike to review (or develop) their HIPAA privacy and security programs, to assess the effectiveness of their privacy and security programs and see that their policy documentation and training are up to date. Especially important is to ensure that your workforce is acting in accordance with policy, and that senior staff members are ready to respond to the audit process, as the award synopsis states that "part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, [and] observation of compliance with regulatory requirements." After each site visit the contractor will submit an audit report to HHS.

Why Is this Happening?

Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, requires HHS to conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the Privacy and Security Rules. This is a fundamental change from the complaint-driven investigations of the past.

A Little Good News

One bit of good news is that the contract is a firm fixed price, which appears to mean that payment to KPMG will not be based on whether audits result in resolution agreement payments or civil money penalties.

Many Open Questions

Currently, we only have access to the synopsis of the KPMG contract. As the contract itself becomes available, some of these questions may be answered. Most questions, however, will only be answered once KPMG creates an audit protocol and begins conducting audits.

Preparation is the Key

So, with these few published hints from HHS, covered entities and business associates should begin to revitalize and assess their privacy and security programs, including breach detection and notification, to prepare for the possibility of an audit. Compliance should be woven through the fabric of the organization, and an internal marketing of compliance goals should become a priority. Among other things, covered entities and business associates may now wish to:

  • Review and ensure that policies and procedures are up to date, accessible to all workforce members;
  • Discuss HIPAA/HITECH issues at regular meetings, include training topics in staff emails and other communications, and make privacy and security part of the organizational conversation, rather than a once-a-year discussion topic;
  • Document that the workforce has been appropriately trained, not merely passing a simple test, but actually acting in compliance with policies and practices;
  • Conduct mock audits and audit interviews to see that policies have been implemented and understood among staff and that they are effective in protecting privacy and security, rather than failing in the face of unclear protocols, human error, limited staff or resources;
  • Ensure that the HIPAA security risk analysis is up to date, reflecting changes in technology and costs since the HIPAA Security Rule went into effect in 2005.  For example, where a 2005 risk analysis may have stated that encryption of laptops or email was too expensive to implement, it may be wise to update your analysis based upon changes in available technology and costs.  And further, where the encryption specification is "addressable" rather than "required," the covered entity or business associate must still "address" encryption and risks, threats and vulnerabilities to electronic protected health information, documenting its alternate means of protecting such data if encryption is not a viable option.
While it may be impossible to achieve an absolutely audit-safe Privacy and Security Compliance Program, there has never been a better time than today to focus on HIPAA and HITECH compliance. There is no better investment or protection for your organization's healthcare services or its bottom line.



Saturday, May 28, 2011

New HIPAA Rights for Patients, New Requirements for You

It's official. The Office of Civil Rights (OCR) is proposing to add another regulatory burden to your plate.  On May 27, 2011, the OCR issued its Notice of Proposed Rulemaking on "Accounting of Disclosures."  The problem is, the rule is not only about disclosures. If only it were. Requests for accountings of disclosure have been few and far between, according to most providers.

Instead, the NPRM, if finalized as proposed, would narrow your accounting obligations while adding a new patient right to your administrative requirements. Generally within 30 days from request, you would have to provide the patient or his/her personal representative with an "access report." It essentially amounts to your (or your business associate's) production of an electronic audit trail of access for both uses and disclosures of protected health information (PHI) for treatment, payment or healthcare operations. This requirement would apply to your covered entity and your business associate. My experience as a medical malpractice attorney makes me wonder why a patient, healthcare client or long-term care resident, or that individual's family member, would want or need this detailed information other than to support a legal claim, but in the name of responding to the interests of the public, OCR has created an absolute right for the individual to receive this PHI residing within the designated record set. As proposed, the audit trail would not necessarily have names of individuals accessing the PHI if the EHR audit trail does not capture that information (for example, the audit trail might only reflect a user ID number), nor would the access report necessarily reflect whether the access was for the purpose of use or disclosure. So why would this be helpful?

Ironically, OCR actually acknowledges that the majority of the comments received in response to its Request for Information (RFI) regarding possible revision to the accounting/access report concept stated that these proposed changes would provide little or no benefit to the individual while creating administrative, staffing and monetary burdens on the covered entity. Yet OCR imposed the requirements anyway. And it would require you to update your Notice of Privacy Practices to reflect this new right, to boot.

Operationally, providers with an EHR would need to figure out how to accomplish this new task.  Since the Office of the National Coordinator has not yet mandated that certified EHR technology be capable of accounting for disclosures (and uses) for treatment, payment or healthcare operations to qualify for Stage 1 Meaningful Use incentives, many EHRs may not have this capability.

OCR would allow you to work with the patient to provide the requested data, even if that means providing the information in hard copy.  Entities and practices that acquired an (older) EHR (prior to 2009) would have an additional year to effectuate this change, but those with newer EHRs, acquired from 2009 forward, would need to be ready to provide these reports by January 1, 2013, even in the face of many acknowledged comments that these time frames are completely unworkable.

However, if it is any comfort, the OCR does shorten the timeframe for the accounting in paper format (6 years) to that of the more current electronic format request (3 years) since no one was asking for that 6-year-old information anyway.

The OCR discussion preceding the Proposed Rule seems to blend breach notification requirements, accounting for disclosures and the new access reporting requirements into one long spectrum of notice to the patient in the name of "transparency." Providers know that adding the "access report" burden will not necessarily capture all things impermissible, but depending on the practice setting, if finalized as written, it may impose an administrative burden with which compliance feels nearly impossible.

Score one for your EHR vendor. Since the HIPAA security rule expected you to audit your ePHI for years now, it makes sense for you and your EHR vendor to see how you can operationalize this latest proposal from the OCR.  

Sunday, May 15, 2011

Thoughts on the OCR/NIST HIPAA Security Conference


I’m writing this as I fly back from a conference held in Washington, DC entitled "Safeguarding Health Information: Building Assurance Through HIPAA Security."  The attendees were an interesting mix of tech folks and administrative/regulatory professionals, all hoping to gain insight into the latest priorities and upcoming changes in the HIPAA/HITECH arena.  I had the opportunity to meet and learn from some talented people who are very serious about managing the risks associated with clinical information and EHRs.  Of course, my primary reason for attending was that I hoped to hear some helpful  information straight from the source.
Sue McAndrew, Deputy Director for Health Information Privacy, spoke to the attendees several times. Among other things, she told us that the final rules on HITECH, breach notification, enforcement, GINA and  would be issued together in one “big mother” of a regulation (I think she meant an “omnibus” regulation), which would also include issues on research and student immunization. The accounting for disclosures NPRM would be issued separately.
She reinforced that patients have an “absolute right” to an electronic copy of their electronic DRS and to designate a recipient of the transmission of that record. I got up and asked her about that point; specifically, about the concern of small providers who email electronic PHI without encrypting the data, especially because the HIPAA Privacy Rule allows providers to honor the patient’s request for email communications (presumably, without difficulty accessing the information), and the HIPAA Security Rule does not mandate encryption where it is reasonable and appropriate. Ms. McAndrew essentially responded (I’m paraphrasing) that the patient’s right to the data was paramount, so where the patient is advised of and knowingly waives the risk of email insecurity, OCR would not find a security violation. At last!
However, encryption is still highly promoted as a safe harbor for breach notification, and the reported breaches so far include loss of unencrypted "data at rest" on missing laptops.
The biggest take-away message, repeated throughout the conference, is the need for covered entities to have "robust" compliance plans. No matter how large or small your organization, you are expected to meet these requirements: conduct your risk assessment, address your gaps, prepare policies, monitor, train your staff, keep privacy and security awareness front and center. Even though the details may change, this underlying theme remains the same. Be aware, be prepared.

Tuesday, April 5, 2011

Privacy and the ACO

By now, I’m sure you have heard the term “ACO”, short for Accountable Care Organization, a creation of the Healthcare Reform Bill and the subject of much medical, legal and consulting energy.  Last week, the Department of Health and Human Services issued 429 pages of proposed rules on ACOs that are open to public comment. 

Essentially, an ACO is the latest model of care delivery intended to lead to cost savings for the Medicare program, with greater efficiencies and a patient care focus. DHHS claims that “ACOs create incentives for health care providers to work together to treat an individual patient across care settings – including doctor’s offices, hospitals, and long-term care facilities. The Medicare Shared Savings Program will reward ACOs that lower health care costs while meeting performance standards on quality of care and putting patients first." The program will be administered by CMS.

The law requires each ACO to take responsibility for at least 5,000 beneficiaries for a period of three years, and meet certain proposed quality measures. There is also a proposed scoring methodology, including proposals to prevent providers in ACOs from being penalized for treating patients with more complex conditions. Medicare beneficiaries whose doctors participate in an ACO will have a full choice of providers, can still choose to see doctors outside of the ACO, and will have access to information about how well their doctors, hospitals, or other caregivers are meeting quality standards. 

And members of the ACOs will need to address their HIPAA/HITECH privacy and security issues, which are also addressed in the proposed rules. Yet simultaneously, CMS is proposing to allow ACOs to receive data on ACO members/patients who seek services from providers outside of the ACO itself to promote “coordinated care and a better understanding of the population served by the ACO” unless they opt out of such sharing. Privacy specialists may not be pleased.

So stay tuned. We are only at the surface of understanding the privacy and security issues surrounding this new incentive program.

Thursday, March 17, 2011

Coming to a State Near You

The Office of Civil Rights (OCR), which enforces HIPAA Privacy, Security and those pesky HITECH mandates (the final language of which is due any day now), has announced four 2-day training courses for all state attorneys general. The programs will be taking place at different locations around the country (Dallas, Atlanta, San Francisco, Washington, D.C.) beginning in April. The advertisement on the DHHS website states that the purpose of the program is "To help State Attorneys General begin to implement their enforcement authority under the HITECH Act."

Among the many issues to be covered are:
  • Investigative techniques for identifying and prosecuting potential violations
  • OCR's role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results
So be aware, and be prepared. Between the seven-figure penalties imposed last month and the trainings beginning next month, providers are advised to get their HIPAA and HITECH houses in order.

Saturday, March 12, 2011

To Email or Not to Email? That is the Question.

I have been getting a great deal of inquiry on the question of emailing PHI.  From a HIPAA compliance perspective, should a provider send email to a patient?

The answer is, it depends.

There are so many benefits to email: the speed, the ability to address an issue without scheduling an appointment, the assistance to patients who need regular management of their meds, blood levels, or rehabilitative exercise routines.  But the inherent insecurity of email is always there, and places the provider at risk of compliance failure. So, what do the regulators say?

In its FAQ section, DHHS specifically says that the HIPAA Privacy Rule permits healthcare providers to use email to discuss health issues and treatment with their patients, so long as they provide "reasonable safeguards when doing so," such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.

Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements.

The HIPAA Privacy Rule gives patients the right to ask for "alternative communications" via email, where available. If a patient initiates an email correspondence, the healthcare provider may assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. But the provider still has the responsibility of maintaining the confidentiality and security of the patient's PHI. DHHS suggests that "If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications."

However, in response to a question of whether the HIPAA Security Rule allows for sending electronic PHI (e-PHI) in an email or over the Internet, DHHS's response is a bit more cryptic. While not expressly prohibiting the use of email for sending e-PHI, the provider still must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. What does "adequately protected" mean?

And don't forget the HITECH Breach Notification Interim Rules that give providers who encrypt their data in accordance with National Institute of Standards and Technology ("NIST") standards a safe harbor by exempting them from extensive notification requirements even if a security breach were to occur. In other words, providers would not have to write letters, contact the media or DHHS, among mandates, if they lost a laptop or misfired email that contained appropriately encrypted PHI. Now there's a big incentive to encrypt your data.   

And now, here comes the latest. Apparently, Adam Greene, Senior Privacy and Security IT Advisor to the OCR, spoke at last week's Health Information Management Systems Society conference in Orlando. Along with the many items he touched upon concerning the upcoming HIPAA and HITECH changes, Mr. Greene was reported to have said that although HIPAA and the HITECH Act do not explicitly mandate the use of encryption, the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."

Where does that leave you?  For the provider, especially the small practice, you may want to start by considering the following, understanding that nothing guarantees that a patient won't file a complaint under HIPAA, starting that parade of regulators through your door:

1. Know your system, and understand that "addressable" HIPAA Security items do not mean "optional" Security items, especially in today's regulatory environment. This applies to practices great and small.

2. Do you have encrypted email? For those of you whom I've met who do not know, or do not want to know, you need to find out. If your email is or can be encrypted, how will the email be received and opened by the patient? While the HIPAA Privacy Rules suggest that a patient's request for email should be honored, the HIPAA Security Rules simultaneously require that you comply with and document the required steps and decisions as these questions relate to your practice.

3. As part of your HIPAA policies, procedures and training that ensure the protection and integrity of paper and electronic PHI, include a security policy and procedure that limits the PHI that is shared by email, and that ensures careful exchanges, such as checking the email address prior to transmission or sending a test email to the patient to ensure accuracy.

4. For what it is worth, some providers include a disclaimer on their emails, reminding the receiver that the email is confidential and only for the intended recipient.

5. Work with a knowledge expert on this issue. Health information technology is very likely completely foreign to providers who were trained to heal patients, not understand computer and internet security.

Email is here to stay, and providers and patients alike often swear by its usefulness. But to avoid becoming a statistic of the ever-increasing enforcement activities, work to ensure that you are sending the most secure email possible for your practice.

Monday, February 28, 2011

OCR Gets Serious

It has been quite a month for the federal regulators. Healthcare providers, be advised, the enforcers are out. Seven-figure fines and penalties are in the news.

Two Recent Enforcement Actions

On February 24, 2011, the Office of Civil Rights ("OCR"), which enforces HIPAA for the Department of Health and Human Services ("DHHS"), announced a Resolution Agreement with the entities that make up Massachusetts General Hospital and its practices. Mass General agreed to pay $1,000,000 in fines for "potential" violations of HIPAA, arising from the loss of PHI by an employee on a subway train in March 2009. The PHI included names, diagnoses, including HIV/AIDS information, billing data and more.

Quotes from the OCR:  “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement.  It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.   

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” said Verdugo. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

On February 4, 2011, in a Notice of Final Determination, DHHS found that a number of entities doing business as Cignet Health in Prince George County, Maryland (“Cignet”) had violated the HIPAA Privacy Rule to the tune of a $4.3 million civil money penalty (CMP), representing the first CMP issued under violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The claim was that Cignet had failed to provide 41 patients with access to their records, leading to a $1.3 million fine. The bigger chunk of change ($3 million) came as a result of what the OCR called Cignet's failure to respond to the OCR subpoena or cooperate with the DHHS investigation.

More OCR quotes:  “Today the message is loud and clear:  HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts,” said OCR Director Georgina Verdugo.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

And, if that isn't enough, last week Adam Greene, Senior Health IT and Privacy Advisor to the OCR, outlined a number of changes to existing regulations at the recent HIMSS conference in Orlando.  According to press coverage of the conference, the final HITECH privacy, security and breach notification rules will arrive in 2011 and be issued together, Greene said, to minimize staggered compliance dates and changes to notices of privacy practices.  He apparently emphasized certain key HITECH changes, including:

* Patients' access to their treatment information in electronic format

* Ability of EHRs to handle requested restrictions where patients pay out of pocket

* Exponentially higher CMPs, starting at $50,000 up to $1,500,000 for identical violations

* Accounting for disclosures of patient information for treatment, payment and health care operations information from your EHR (notwithstanding the near impossibility of that task, according to every provider I've ever encountered.)

What does this mean for you, as a provider?  Do your gap analysis and risk assessments, get your policies in place and train your staff, monitor your program, and keep HIPAA and HITECH on your regular agenda. These changes can be initiated in a methodical, step-by-step fashion, but by the look of things in Washington, they absolutely must be done.


Thursday, February 17, 2011

FTC Issues an FAQ on Medical Identity Theft

The Federal Trade Commission recently issued an FAQ on medical identity theft that is very informative given all the recent noise about the application (or non-application) of the Red Flags Rule to medical providers (see my earlier posts). 

The FAQs advise that if a provider learns that a patient may be a victim of medical identity theft, the provider should conduct an investigation, and if medical identity theft is found to have occurred, then, among other things, the provider should 1) notify everyone who accessed the patient's medical or billing records to ensure that the records are corrected, 2) assure that the provider acts in accordance with the requirements under the Fair Credit Reporting Act, which includes understanding that there is no reporting of a debt associated with a reported medical identity theft, 3) review their data security practices and report any security breaches as required under the Health Insurance Portability and Accountability Act (HIPAA), and 4) ensure that patients are informed of their rights within the organization's Notice of Privacy Practices.

So whether or not you believe the Red Flags Rule applies to providers, all roads lead to HIPAA and your obligation to protect patient privacy and security in a global sense. You might as well dust off that draft Red Flags Rule policy and just be ready to do the right thing regarding the PHI or EPHI you handle.

Wednesday, February 9, 2011

Conflict Management: A Joint Commission Requirement

I recently had lunch with a person who works in the compliance world. He is very knowledgeable, but was surprised to learn that The Joint Commission requires hospitals to maintain a conflict management process for accreditation purposes.  So, in the event that others could use this information as well, here you go:
The Joint Commission mentions conflict management in several of its accreditation standards and elements of performance ("EPs"). Leadership Standard .01.03.01, EP 7, requires “a system for resolving conflicts among individuals working in the hospital.” For 2009, the Joint Commission added a new Leadership Standard that called for a formal process of managing conflict between leadership groups to protect the quality and safety of care. The rationale behind this addition was a recognition that conflict occurs even in well-functioning organizations, and while it may at times be productive, unresolved conflict at the leadership level, whether regarding practices, procedures, policies or otherwise, may adversely impact the quality of patient care.
The language of Standard LD.02.04.01* was originally issued as follows:
The [organization] manages conflict between leadership groups to protect the quality and safety of care. 
The related EPs were originally issued as follows:
1. Senior managers and leaders for the organized medical staff work with the governing body to develop an ongoing process for managing conflict among leadership groups.
2. The governing body approves the process for managing conflict among leadership groups.
3. Individuals who help the hospital implement the process are skilled in conflict management. Note: These individuals may be from either inside or outside the hospital. (*This EP was eliminated in July 2010.)
4. The conflict management process includes the following:
   - Meeting with the involved parties as early as possible to identify the conflict
   - Gathering information regarding the conflict
   - Working with the parties to manage, and, when possible, resolve the conflict
   - Protecting the safety and quality of care
5. The hospital implements the process when a conflict arises that, if not managed, could adversely affect patient safety or quality of care.

What does this require from your organization? I suggest including the following:
· Develop a conflict management policy, procedure and process with input from stakeholders and approved by the governing body.
· Identify and document the process steps for addressing conflict from its earliest stages.
· Educate your workforce, from volunteer staff to clinical staff to administration, on the policy and procedure, and on the impact on patient care and safety if a conflict is not addressed.
· The process should involve information gathering and working with the parties to resolve issues.
· Identify resource(s) skilled in conflict management to assist your organization in meeting this standard.
· And finally, reaffirm your organizational commitment to a culture of excellence and integrity, safety and quality, with an understanding that a unified care team is your best option for optimal patient care.

Tuesday, January 25, 2011

Don’t Forget Your LEP Obligations

On January 21, 2011, the Department of Health and Human Services (DHHS) issued a press release regarding a new resolution agreement between the Office of Civil Rights (OCR) and the Rhode Island Department of Human Services (RIDHS) requiring RIDHS to develop new compliance policies and procedures to meet its Limited English Proficiency (LEP) obligations under Title VI of the Civil Rights Act of 1964. (We know the OCR as the folks who respond to HIPAA privacy complaints, but they do much more.)
Essentially, Title VI requires that all entities and agencies that receive financial assistance from DHHS administer their programs in ways that do not delay or deny services to persons on the basis of their race, color, or national origin.

The resolution agreement resolves a complaint filed with OCR by the Rhode Island Chapter of the American Civil Liberties Union, alleging that RIDHS’ termination of four Southeast Asian staff interpreters denied meaningful access to programs for eligible LEP clients. While an investigation concluded that RIDHS was not in violation of Title VI, OCR’s simultaneous review of RIDHS’ compliance with existing agreements exposed gaps in RIDHS’ compliance activities. Mainly, RIDHS had not adequately implemented improved access to its programs and services for people with LEP.

Lack of funding is no excuse, according to the OCR.  “While OCR recognizes States as well as other covered entities are experiencing ongoing and significant fiscal tension, it remains of nonnegotiable importance for providers to uphold compliance with Title VI and the other laws protecting the civil rights of individuals seeking health care,” says OCR Director Georgina Verdugo. 

Take-away lessons for your practice?

1) If you receive any federal funding, including Medicare or Medicaid reimbursement, make sure that your organization understands and can meet its language access and translation obligations.
2) IMPORTANT! Even though RIDHS was NOT found to have violated Title VI, once the OCR was on site, it looked at everything, locating other compliance gaps. This is not at all uncommon. And while it seems that RIDHS was already on the OCR’s radar in terms of LEP compliance, the concept still holds true: Once the regulators are under your roof, all bets are off. You don't get to say "don't look over there..."
With the current and ever-increasing emphasis on compliance enforcement, this case is a good reminder to put your compliance house in order.

Tuesday, January 11, 2011

Red Flags Clarification Passes, But Are You Still on the Hook?

President Obama did, in fact, sign the Red Flags Clarification Bill S. 3987 into law as Public Law No: 111-319 on December 18, 2010. The physicians groups are celebrating that they are not specifically covered by this particular medical identity theft act.  But what does it really mean in terms of your data protection obligations?

The bill that was signed into law narrows the definition of creditor for the purposes of implementing the FTC requirements, originally intended for use by financial institutions to prevent and mitigate identity theft.  But the language of the bill itself does not specifically exclude healthcare providers. Rather, it limits the definition of “creditor,” and excludes from that definition one who “advances funds to or on behalf of a person for expenses incidental to a service provided by the creditor to that person.” 

But the language still includes the broad definition of "creditor" in the Equal Credit Opportunity Act (Section 702 of 15 U.S.C. 1691a) and covers those that "regularly and in the ordinary course of business" obtain or use credit reports or furnish information to credit reporting agencies in connection with a credit transaction. It also gives the FTC the right to determine that the “creditor” offers or maintains accounts that are subject to a "reasonably foreseeable" risk of identity theft.

Sorry to be a cold bucket of water, but it seems to me that plenty of professionals of all stripes, including physicians and other healthcare providers, will still need to maintain medical identity theft policies and processes by law. Even without the "foreseeability" loophole, some hospitals file reports with consumer reporting agencies on past-due bills, which puts them squarely under the narrower FTC definition of creditor. Some practices do the same to assure the patient’s ability to self-pay, such as plastic surgery offices. To know whether a hospital or health care practice is still subject to the Red Flags Rule, the professional or entity will have to look at its business, finance and collection activities.

But for all of you who have already put your Red Flags policy and process into place, bravo. Regardless of the slimmed-down definition of who is or is not a creditor, you are under a legal obligation to protect the privacy and security of your patients’, clients’ or residents’ data. FTC definition or not, if the PHI in your control were lost or breached, you’d have medical identity theft issues, HIPAA/HITECH issues, state breach notification issues, and your professional reputation to address. Why not have your “just-in-case” steps in place?

Keep using your common sense, and keep weaving compliance into your day-to-day business practices. You won’t regret it.