This month, HCCA's Report on Medicare Compliance published an article featuring Margaret Scavotto's comments on the HIPAA risks of social media for healthcare providers:
In January 2018, EHR vendor Allscripts was the target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours."
Clients felt the outage directly: one medical group, for example, could not use Allscripts’ e-prescribing system after the attack, and others could not access their EHR at all.
The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.
The only way to guarantee access when a hosted vendor goes down is to keep a copy of your EHR data on a computer you control, on site. A mirror backup is an exact copy of the data, and current tools can refresh it as often as every 15 minutes. When selecting an EHR vendor, whether it supports a mirror backup should be a key selection criterion. A local copy of the EHR application is also needed; without software that can read the export, the data is of little use. Remember that the local copy is itself PHI: it must be encrypted, access-restricted, and restore-tested on a schedule, or it becomes the next breach rather than the safety net.
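A mirror backup only protects you if it is actually complete and actually recent, so the check worth automating is "does the on-site copy match the source, and was it refreshed inside the 15-minute window?" The script below is an added example written for this article; it is not code from Allscripts or from any EHR product. It assumes the EHR export and its mirror are two directory trees on disk and that the last successful sync time is known (for instance from a sync log); the three-file "EHR export" it builds is constructed sample data, not real PHI.

```python
"""Verify that an on-site mirror of an EHR export is complete and fresh.

Added example for this article; the directory layout, file names and the
15-minute freshness window are assumptions, not an EHR vendor's format.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

# Assumed policy: the mirror must have been refreshed within the last 15 minutes.
MAX_MIRROR_AGE = timedelta(minutes=15)


@dataclass
class MirrorReport:
    missing: List[str]   # in the source but absent from the mirror
    changed: List[str]   # present in both but with different content
    extra: List[str]     # in the mirror but no longer in the source
    fresh: bool          # last sync is inside the allowed window

    @property
    def ok(self) -> bool:
        # Extra files are reported but do not fail the check: a stale leftover
        # does not cost you access to current data, missing or changed ones do.
        return self.fresh and not self.missing and not self.changed


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(source: Dict[str, str], mirror: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests by content hash, not by timestamp, so a silently
    corrupted or half-written mirror file is caught even if its mtime looks right."""
    return {
        "missing": sorted(k for k in source if k not in mirror),
        "changed": sorted(k for k in source if k in mirror and source[k] != mirror[k]),
        "extra": sorted(k for k in mirror if k not in source),
    }


def mirror_is_fresh(last_sync: datetime, now: datetime, max_age: timedelta = MAX_MIRROR_AGE) -> bool:
    return now - last_sync <= max_age


def verify_mirror(source_root: Path, mirror_root: Path, last_sync: datetime,
                  now: datetime, max_age: timedelta = MAX_MIRROR_AGE) -> MirrorReport:
    diff = compare_manifests(build_manifest(source_root), build_manifest(mirror_root))
    return MirrorReport(fresh=mirror_is_fresh(last_sync, now, max_age), **diff)


def run_demo() -> MirrorReport:
    """Constructed scenario: export mirrored at 09:00, then the source drifts
    and the check runs 40 minutes later without another sync."""
    base = Path(tempfile.mkdtemp())
    try:
        src, mir = base / "ehr_export", base / "onsite_mirror"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "p001.json").write_text('{"id": "p001", "name": "Test Patient"}')
        (src / "patients" / "p002.json").write_text('{"id": "p002", "name": "Sample Patient"}')
        (src / "schedule.csv").write_text("date,patient\n2018-01-22,p001\n")
        shutil.copytree(src, mir)
        synced_at = datetime(2018, 1, 22, 9, 0, tzinfo=timezone.utc)

        # Drift after the sync: one new record, one edited file in the source.
        (src / "patients" / "p003.json").write_text('{"id": "p003", "name": "New Patient"}')
        (src / "schedule.csv").write_text("date,patient\n2018-01-22,p001\n2018-01-22,p003\n")

        return verify_mirror(src, mir, synced_at, synced_at + timedelta(minutes=40))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    report = run_demo()
    print(report)           # missing p003, changed schedule.csv, not fresh, ok=False
```

Run it on a schedule (cron or a task scheduler) against the real export and mirror paths and alert on `ok == False`; the manifest diff tells you which records you would not have had if the vendor went dark at that moment. Hashing proves content, not confidentiality: the mirror directory still needs disk encryption and restricted access, as the paragraph above notes.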
An Allentown, PA resident stumbled across garbage bags of OB/GYN medical records at the local recycling center – and reported the records to the city and the media.
A reporter visited the recycling center and found the records – un-shredded. The records contained both personal information and healthcare information, including sexually transmitted disease diagnoses.
In Springfield, Ohio, another recycler was surprised to encounter lab records at the local recycling center on Thanksgiving Day: “There were thousands of records…social security numbers….This was a whole feast for total identity theft.”
Washington Health System (Greene) notified 4,145 patients that their PHI is at risk after a hard drive used with a bone densitometry machine disappeared. The health system does not know whether the drive was stolen or simply misplaced.
Many providers fear burglars and hackers – but overlook the HIPAA security risks of misplacing unsecured PHI. What about you? Do you track portable devices? Do you know, with confidence, where your portable devices are at this moment? Where they will be after hours? Whether they are encrypted? Locked up – or in an area with restricted access? If a device went missing, what steps would be taken to locate it?
Lost in the shuffle?
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC cannot find payment records kept in a storage facility. File boxes could not be located during a standard records request. Neither the providers nor the storage facility knows whether the 40 missing boxes were stolen or lost. Patients were notified.
When it comes to paper files, ignorance is not bliss – at least not when a box goes missing.
In 2016, a Pennsylvania hospital OR unit secretary had incisional hernia surgery at the hospital.
In 2017, she sued the hospital, a doctor, and multiple co-workers.
The employee-patient claims a scrub nurse used a smartphone to take a picture of her exposed genitals while she was under anesthesia.
Staff who witnessed the photograph allegedly did not stop the photo or report it. Later, a scrub nurse showed the photo to the plaintiff, and to other staff.
In addition to her privacy claim, the plaintiff asserts that the smartphone posed an infection risk to the sterile OR.
Finally, the plaintiff claims she experienced retaliation after she reported the scrub nurse (who was fired). She claims she was harassed by her co-workers.
The hospital reports a different side of the story - that the plaintiff filed a lawsuit over a practical-joke-gone-wrong:
On December 22, 2016, the Joint Commission issued Clarification: Use of Secure Text Messaging for Patient Care Orders is Not Acceptable. In this guidance, the Joint Commission clarified:
- PHI should not be sent by unsecured text messaging.
- The preferred method for submitting electronic orders is computerized provider order entry (CPOE).
- If CPOE is not available, verbal orders can be used – but verbal orders should be used minimally, and closely monitored.
- Secure text orders should not be used.
The Joint Commission gave three reasons for prohibiting text orders:
- When nurses must transcribe text orders into the EHR, they have less time to care for patients.
- Unlike verbal orders, text orders are asynchronous – and can require additional discussion to confirm the order.
- If a clinical decision support alert fires when the texted order is entered into the EHR, the nurse must contact the practitioner for clarification, potentially delaying treatment.
These guidelines were clear, and fairly simple to follow. However, a year later, in December 2017, some providers received emails from CMS indicating that ALL texting regarding patients is prohibited – not just text orders or unsecured texts. Likely in response to the confusion and concern this caused compliance officers, CMS issued an official texting position on December 28, 2017: S&C 18-10-AL, Survey & Certification Group Memo: Texting of Patient Information among Healthcare Providers.
Chemed Corporation, Vitas Hospice Services LLC, and Vitas Healthcare Corporation entered a $75 million settlement with the government to resolve false claims allegations. Vitas, the biggest for-profit provider of hospice services in the nation, allegedly “knowingly submitted or caused to be submitted false claims to Medicare for services to hospice patients who were not terminally ill” between 2002 and 2013. The DOJ also accused Vitas of awarding bonuses to employees based on the number of patients on hospice, regardless of need.
In addition, Vitas was accused of billing Medicare for continuous home care services that were not necessary, not provided, or did not meet Medicare requirements. Like with hospice services, Vitas allegedly set corporate goals for billing continuous home care services, regardless of patient need.
According to the Complaint, “Vitas regularly ignored concerns expressed by its own physicians and nurses regarding whether its hospice patients were receiving appropriate care.” Complaint, page 3. The Complaint also says the company’s own auditors knew of the problem – but changes were not made.
Let’s look at the data
Yes, there is a connection.
I suspect most individuals read the latest #MeToo news stories with a strong, sometimes complex, and personal reaction.
For those of us who chose a career in compliance, there are lessons for our professional lives as well.
I regularly read Knowledge@Wharton, an online publication by the University of Pennsylvania’s Wharton School of Business that brings Wharton’s expertise to cutting edge issues. On November 28, 2017, Knowledge@Wharton published: What Can Firms Do to Prevent Sexual Harassment? In this article, Wharton management professor and director of Wharton’s Center for Human Resources Peter Cappelli hit the nail on the head: “I think the big challenge is that we have in recent years moved power away from bureaucracies and rules in companies and toward individual leaders. So we have many institutions where the leaders are all-powerful….”
The headlines of late bolster this notion that individuals in positions of power can have a profound effect on a corporation’s culture of discovering and rectifying misconduct. And, as we have also learned from the headlines, this concentration of power can lead to and perpetuate misconduct: “He couldn’t sleep around town with celebrities or on the road with random people, because he’s Matt Lauer and he’s married. So he’d have to do it within his stable, where he exerted power, and he knew people wouldn’t ever complain.”
Jean Baptiste Alvarez was found guilty of federal charges of conspiracy to defraud the United States with respect to false claims, misuse of a Social Security number, aggravated identity theft, and aiding or assisting in the preparation of false federal income tax returns. Alvarez was accused of stealing census sheets containing patient names, SSNs and DOBs from his employer, the Kirkbride Center, a behavioral health facility where Alvarez worked as a mental health tech. Alvarez sold the census sheets for $1,000 per sheet. The stolen information was then used to file fraudulent tax returns and obtain refunds, yielding, on average, $1,500 per refund. Due to the vulnerable nature of the victims, who struggled with mental health issues and drug addiction, Alvarez was sentenced to 5 years in prison and ordered to pay $266,985 restitution.
It is challenging, and sometimes impossible, for providers to prevent HIPAA breaches caused by determined criminals. However, providers should keep in mind that 29.7% of data breaches in the healthcare industry are caused by insiders. Almost one third of data breaches come from within our own walls.
What can you do?
10 Reasons Why Pre-transactional OIG Exclusion Checking is Essential
“The early bird catches the worm.”
“If you want to see the sunrise, get up early.”
“An ounce of prevention is worth a pound of cure.”
All of these sayings signify that it is never too early to do the right thing, and when it comes to avoiding fines and penalties, that means pre-transactional OIG exclusion due diligence.
Lawyers know that the devil is in the details. That is why careful consideration and time are taken to conduct thorough and complete due diligence as part of a transaction. If done properly, it will include an audit of many areas of compliance. An article in the Nashville Post discusses this point. According to the article, evaluating deals requires a larger compliance push that is driving up the overall cost of deals. “Compliance is actually the reason most deals don’t get done,” said Todd Rudsenske, Cain Brothers managing director. “If proper compliance checks haven’t been made, then what happens when the value goes out the door?”