
Monday, February 28, 2011

OCR Gets Serious

It has been quite a month for the federal regulators. Healthcare providers, be advised, the enforcers are out. Seven figure fines and penalties are in the news.

Two Recent Enforcement Actions

On February 24, 2011, the Office of Civil Rights ("OCR"), which enforces HIPAA for the Department of Health and Human Services ("DHHS"), announced a Resolution Agreement with the entities that make up Massachusetts General Hospital and its practices. Mass General agreed to pay $1,000,000 in fines for "potential" violations of HIPAA arising from the loss of PHI by an employee on a subway train in March 2009. The PHI included names, diagnoses (including HIV/AIDS information), billing data and more.

Quotes from the OCR: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” said Verdugo. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

On February 4, 2011, in a Notice of Final Determination, DHHS found that a number of entities doing business as Cignet Health in Prince George's County, Maryland (“Cignet”) had violated the HIPAA Privacy Rule, and imposed a $4.3 million civil money penalty (CMP), representing the first CMP issued under the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The claim was that Cignet had failed to provide 41 patients with access to their records, leading to a $1.3 million fine. The bigger chunk of change ($3 million) came as a result of what the OCR called Cignet's failure to respond to the OCR subpoena or cooperate with the DHHS investigation.

More OCR quotes: “Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts,” said OCR Director Georgina Verdugo.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

And, if that isn't enough, last week Adam Greene, Senior Health IT and Privacy Advisor to the OCR, outlined a number of changes to existing regulations at the recent HIMSS conference in Orlando. According to press coverage of the conference, the final HITECH privacy, security and breach notification rules will arrive in 2011 and be issued together, Greene said, to minimize staggered compliance dates and repeated changes to notices of privacy practices. He apparently emphasized certain key HITECH changes, including:

* Patients' access to their treatment information in electronic format

* Ability of EHRs to handle requested restrictions where patients pay out of pocket

* Exponentially higher CMPs, starting at $50,000 up to $1,500,000 for identical violations

* Accounting for disclosures of patient information for treatment, payment and health care operations information from your EHR (notwithstanding the near impossibility of that task, according to every provider I've ever encountered.)

What does this mean for you, as a provider? Do your gap analysis and risk assessments, get your policies in place and train your staff, monitor your program, and keep HIPAA and HITECH on your regular agenda. These changes can be initiated in a methodical, step-by-step fashion, but by the look of things in Washington, they absolutely must be done.

Thursday, February 17, 2011

FTC Issues an FAQ on Medical Identity Theft

The Federal Trade Commission recently issued an FAQ on medical identity theft that is very informative given all the recent noise about the application (or non-application) of the Red Flags Rule to medical providers (see my earlier posts). 

The FAQs advise that if a provider learns that a patient may be a victim of medical identity theft, the provider should conduct an investigation, and if medical identity theft is found to have occurred, then, among other things, the provider should 1) notify everyone who accessed the patient's medical or billing records to ensure that the records are corrected, 2) ensure that the provider acts in accordance with the requirements of the Fair Credit Reporting Act, which includes understanding that a debt associated with a reported medical identity theft may not be reported, 3) review its data security practices and report any security breaches as required under the Health Insurance Portability and Accountability Act (HIPAA), and 4) ensure that patients are informed of their rights within the organization's Notice of Privacy Practices.

So whether or not you believe the Red Flags Rule applies to providers, all roads lead to HIPAA and your obligation to protect patient privacy and security in a global sense. You might as well dust off that draft Red Flags Rule policy and just be ready to do the right thing regarding the PHI or EPHI you handle.

Wednesday, February 9, 2011

Conflict Management: A Joint Commission Requirement

I recently had lunch with a person who works in the compliance world. He is very knowledgeable, but was surprised to learn that The Joint Commission requires hospitals to maintain a conflict management process for accreditation purposes. So, in the event that others could use this information as well, here you go:

The Joint Commission mentions conflict management in several of its accreditation standards and elements of performance ("EPs"). Leadership Standard .01.03.01, EP 7, requires “a system for resolving conflicts among individuals working in the hospital.” For 2009, the Joint Commission added a new Leadership Standard that called for a formal process of managing conflict between leadership groups to protect the quality and safety of care. The rationale behind this addition was a recognition that conflict occurs even in well-functioning organizations, and while it may at times be productive, unresolved conflict at the leadership level, whether regarding practices, procedures, policies or otherwise, may adversely impact the quality of patient care.
The language of Standard LD.02.04.01* was originally issued as follows:

The [organization] manages conflict between leadership groups to protect the quality and safety of care.

The related EPs were originally issued as follows:
1. Senior managers and leaders for the organized medical staff work with the governing body to develop an ongoing process for managing conflict among leadership groups.

2. The governing body approves the process for managing conflict among leadership groups.

3. Individuals who help the hospital implement the process are skilled in conflict management. Note: These individuals may be from either inside or outside the hospital. (*This EP was eliminated in July 2010.)

4. The conflict management process includes the following:

- Meeting with the involved parties as early as possible to identify the conflict

- Gathering information regarding the conflict

- Working with the parties to manage, and, when possible, resolve the conflict

- Protecting the safety and quality of care

5. The hospital implements the process when a conflict arises that, if not managed, could adversely affect patient safety or quality of care.

What does this require from your organization? I suggest including the following:

* Develop a conflict management policy, procedure and process with input from stakeholders and approved by the governing body.

* Identify and document the process steps for addressing conflict from its earliest stages.

* Educate your workforce, from volunteer staff to clinical staff to administration, on the policy and procedure, and on the impact on patient care and safety if a conflict is not addressed.

* Ensure the process involves gathering information and working with the parties to resolve the issues.

* Identify resource(s) skilled in conflict management to assist your organization in meeting this standard.

* And finally, reaffirm your organizational commitment to a culture of excellence and integrity, safety and quality, with an understanding that a unified care team is your best option for optimal patient care.