
Tuesday, January 25, 2011

Don’t Forget Your LEP Obligations

On January 21, 2011, the Department of Health and Human Services (DHHS) issued a press release regarding a new resolution agreement between the Office for Civil Rights (OCR) and the Rhode Island Department of Human Services (RIDHS) requiring RIDHS to develop new compliance policies and procedures to meet its Limited English Proficiency (LEP) obligations under Title VI of the Civil Rights Act of 1964. (We know the OCR as the folks who respond to HIPAA privacy complaints, but they do much more.)
Essentially, Title VI requires that all entities and agencies that receive financial assistance from DHHS administer their programs in ways that do not delay or deny services to persons on the basis of their race, color, or national origin.

The resolution agreement resolves a complaint filed with OCR by the Rhode Island Chapter of the American Civil Liberties Union, alleging that RIDHS' termination of four Southeast Asian staff interpreters denied eligible LEP clients meaningful access to its programs. While the investigation concluded that RIDHS was not in violation of Title VI, OCR's simultaneous review of RIDHS' compliance with existing agreements exposed gaps in RIDHS' compliance activities. Mainly, RIDHS had not adequately implemented improved access to its programs and services for people with LEP.

Lack of funding is no excuse, according to the OCR.  “While OCR recognizes States as well as other covered entities are experiencing ongoing and significant fiscal tension, it remains of nonnegotiable importance for providers to uphold compliance with Title VI and the other laws protecting the civil rights of individuals seeking health care,” says OCR Director Georgina Verdugo. 

Take-away lessons for your practice?

1) If you receive any federal funding, including Medicare or Medicaid reimbursement, make sure that your organization understands and can meet its language access and translation obligations.
2) IMPORTANT! Even though RIDHS was NOT found to have violated Title VI, once the OCR was on site, it looked at everything and located other compliance gaps. This is not at all uncommon. And while it seems that RIDHS was already on the OCR's radar in terms of LEP compliance, the concept still holds true: once the regulators are under your roof, all bets are off. You don't get to say "don't look over there..."
With the current and ever-increasing emphasis on compliance enforcement, this case is a good reminder to put your compliance house in order.

Tuesday, January 11, 2011

Red Flags Clarification Passes, But Are You Still on the Hook?

President Obama did, in fact, sign the Red Flags Clarification Bill, S. 3987, into law as Public Law No. 111-319 on December 18, 2010. The physician groups are celebrating that they are not specifically covered by this particular medical identity theft act. But what does it really mean in terms of your data protection obligations?

The bill that was signed into law narrows the definition of "creditor" for the purposes of implementing the FTC requirements, which were originally intended for use by financial institutions to prevent and mitigate identity theft. But the language of the bill itself does not specifically exclude healthcare providers. Rather, it limits the definition of "creditor," and excludes from that definition one who "advances funds to or on behalf of a person for expenses incidental to a service provided by the creditor to that person."

But the law still incorporates the broad definition of "creditor" in the Equal Credit Opportunity Act (Section 702, 15 U.S.C. 1691a), and treats as creditors those that "regularly and in the ordinary course of business" obtain or use credit reports, or furnish information to credit reporting agencies, in connection with a credit transaction. It also gives the FTC the authority to determine that a "creditor" offers or maintains accounts that are subject to a "reasonably foreseeable" risk of identity theft.

Sorry to be a cold bucket of water, but it seems to me that plenty of professionals of all stripes, including physicians and other healthcare providers, will still need to maintain medical identity theft policies and processes by law. Even without the "foreseeability" loophole, some hospitals file reports with consumer reporting agencies on past-due bills, which puts them squarely under the narrower FTC definition of creditor. Some practices do the same to assure the patient's ability to self-pay, such as plastic surgery offices. To know whether a hospital or health care practice is still subject to the Red Flags Rule, the professional or entity will have to look at its own business, finance and collection activities.

But for all of you who have already put your Red Flags policy and process into place, bravo. Regardless of the slimmed-down definition of who is or is not a creditor, you are under a legal obligation to protect the privacy and security of your patients', clients' or residents' data. FTC definition or not, if the PHI in your control were lost or breached, you'd have medical identity theft issues, HIPAA/HITECH issues, state breach notification issues, and your professional reputation to address. Why not have your "just-in-case" steps in place?

Keep using your common sense, and keep weaving compliance into your day-to-day business practices. You won’t regret it.