Breaking Compliance News Blog

Hot HIPAA Issues: Employee Credentials & Business Associate Management

Posted by ScottGima on 6/4/19 7:54 AM

In late 2018, the OCR entered a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee’s remote access to the hospital’s scheduling calendar, which includes patient PHI. The OCR also alleged that the hospital failed to enter a Business Associate Agreement with the scheduling calendar vendor.


Topics: HIPAA, business associates

Is your SNF ready for the November compliance program deadline?

Posted by Margaret Scavotto, JD, CHC on 5/29/19 10:24 AM

Note: This topic is of special interest to our SNF readers. General healthcare compliance and HIPAA topics will return next week!

The Affordable Care Act mandated compliance and ethics programs for all nursing facilities. Medicare and Medicaid will require implementation by November 28, 2019.

Are you ready?

Fortunately, the ACA requirements closely – but not entirely – track the ACA OIG compliance program guidance and the Federal Sentencing Guidelines principles for compliance programs, so providers who have built compliance programs on these documents should be in pretty good shape. Here is what the ACA requires nursing facilities to have by November 28, 2019:

  • Written compliance and ethics policies and procedures that are communicated to staff, contractors and volunteers and:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review.* 

*It can take weeks or even months to review a compliance program, so if this is your first experience with annual review, it is a good idea to start early.

Organizations with five or more facilities must also have:


Topics: Compliance Basics, Affordable Care Act, skilled nursing

Erectile dysfunction prescription privacy: another HIPAA lawsuit proceeds

Posted by Margaret Scavotto, JD, CHC on 5/21/19 11:06 AM

An Arizona patient received a free sample for an erectile dysfunction (“ED”) medication from his doctor. Later, his pharmacy, Costco, called the patient to tell him that his full prescription was ready. The patient told Costco that he did not want the prescription and would not be picking it up.

One month later, the patient called Costco about another prescription. Costco again told the patient that his ED prescription was ready, and the patient again told Costco he did not want that prescription. The next day, the patient called Costco to give his ex-wife permission to pick up his prescription. The patient and his ex-wife were considering reconciling. A Costco employee gave the ex-wife the patient’s prescription – and the ED prescription, and joked with the ex-wife about the patient taking so long to pick it up. The ex-wife ended reconciliation attempts with the patient.

The patient sued Costco for negligence and other claims.


Topics: HIPAA

2019 Is the Year of the Compliance Program Annual Review

Posted by Margaret Scavotto, JD, CHC on 5/15/19 12:17 PM

All skilled nursing facilities will be required to have conducted an annual review of their compliance programs by November 28, 2019 (and it’s essential for other providers, too).  SNFs who have not conducted an annual review by November 28, 2019 will be in violation of the law.  


Topics: Compliance Basics, Affordable Care Act, annual review, skilled nursing

Ransomware attack causes doctor’s office to permanently close

Posted by ScottGima on 5/9/19 8:06 AM

After ransomware took over Brookside ENT & Hearing Services’ EMR system, it decided to close its practice for good. The virus deleted and overwrote the medical practice’s medical records, bills and appointments—and the backups. The virus left behind duplicates, which the hacker promised to unlock in exchange for a $6,500 ransom. The two doctors who own the practice wisely refused to pay the ransom. Instead, they called the FBI.


Topics: HIPAA

*Breaking News: OCR reduces HIPAA penalty caps

Posted by Margaret Scavotto, JD, CHC on 5/6/19 12:55 PM

Effective April 23, 2019, the Office of Civil Rights (OCR) has reduced the annual aggregate HIPAA penalty caps for covered entities and business associates.


Topics: HIPAA

Mandatory SNF Compliance Programs Will Be Here in November! Are You Ready?

Posted by Margaret Scavotto, JD, CHC on 5/2/19 8:41 AM

Note: This topic is of special interest to our SNF readers. General healthcare compliance and HIPAA topics will return next week!

The Affordable Care Act mandated compliance and ethics programs for all nursing facilities. Medicare and Medicaid will require implementation by November 28, 2019.

Are you ready?

Fortunately, the ACA requirements closely – but not entirely – track the ACA OIG compliance program guidance and the Federal Sentencing Guidelines principles for compliance programs, so providers who have built compliance programs on these documents should be in pretty good shape. Here is what the ACA requires nursing facilities to have by November 28, 2019:

  • Written compliance and ethics policies and procedures that are communicated to staff, contractors and volunteers and:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review.* 

*It can take weeks or even months to review a compliance program, so if this is your first experience with annual review, it is a good idea to start early.

Organizations with five or more facilities must also have:

  • A mandatory annual compliance training program, and
  • A compliance officer who reports directly to the governing body, with designated compliance liaisons at each site

Note: while these items are only mandatory under the ACA for SNFs with five or more sites, it is a good idea for all SNFs to consider incorporating these items into their own compliance programs. While they are not mandatory for smaller organizations, they will strengthen your program and make it easier to run an effective compliance program.

 


Topics: Compliance Basics, Affordable Care Act, skilled nursing

Women’s Obstetrical Procedures Secretly Filmed

Posted by Margaret Scavotto, JD, CHC on 4/30/19 8:04 AM

A San Diego hospital is being sued for secretly video recording 1,800 patients while they received procedures in three labor and delivery operating rooms. Women were also recorded while undressing, and with their genitals exposed. The lawsuit alleges that the recorded women have suffered anxiety, humiliation, depression, and other harm.

The hospital installed motion-activated cameras on drug carts in the operating rooms, in order to investigate potential employee diversion of propofol from operating room drug carts. The cameras continued to record after the motion stopped. The lawsuit alleges that multiple users – including strangers and non-medical employees – could access the recordings on computers, and the hospital did not track who accessed the recordings.

While we don’t know exactly what procedures were followed in this example, some good HIPAA questions are raised for other providers considering using filming in similar circumstances.

From a HIPAA standpoint, a HIPAA authorization would be required for any such recording to be legally obtained. This story also raises concerns about how the recordings were stored and accessed, and whether access to the recordings was properly limited. And of course, before any new technology is used that will record and store ePHI, it should first be addressed in your HIPAA security risk analysis.


Topics: HIPAA

PEPPER Reports are here: Don't be outnumbered

Posted by Margaret Scavotto, JD, CHC on 4/24/19 8:00 AM

The latest PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports have been released for SNF, LT, IRF, IPF, CAH and hospice providers. You can access your PEPPER online. Home health providers and partial hospitalization programs can expect their PEPPERs to arrive in July 2019.

This latest PEPPER uses statistics for October 1, 2017 through September 30, 2018. To download your PEPPER, the Chief Executive Officer, President, Administrator, Compliance Officer, or Quality Assurance/Performance Improvement Officer needs to:

  1. Visit the PEPPER Resources Portal
  2. Enter your information. Note: A patient control number (UB04 form locator 03a) or medical record number (UB04 form locator 03b) from a claim for a traditional Medicare FFS beneficiary with a claim "from" or "through" date between July 1 - Sept. 30, 2018, will be required.
  3. Download your PEPPER!

If you need help, review the Secure PEPPER Access Guide.

Will you get your PEPPER? You should.

Last year, on average, less than half of providers viewed their PEPPER reports. For example:

  • IL: 50.79%
  • CA: 44.93%
  • NY: 44.86%

(% of SNFs that accessed their PEPPER reports in the state between April 16, 2018 and March 20, 2019). 

Providers who don't download their PEPPERs are missing out on some valuable data.

Why PEPPER matters

Your PEPPER report can help you compare your organization to other providers, and determine whether you have been identified as an outlier at risk for improper payments. PEPPER considers a provider to be an outlier if its Target Areas are at or above the 80th percentile, or at or below the 20th percentile, depending on the area. If your PEPPER shows you are an outlier, an internal audit should be conducted to identify any improper payments or non-compliant practices. CMS is quick to point out that variances from the national data do not necessarily mean billing irregularities have occurred. However, it would be wise to determine why the government has identified you as an outlier.

In other words, the government is mining your data and evaluating your claims—and so should you. By incorporating PEPPER data into your compliance auditing strategy, you can identify potential areas of non-compliance that could make you a government target. And of course, a "good" PEPPER should not give you false confidence about your claims – MPA recommends conducting documentation reviews to ensure claims are appropriate, even if you aren't an outlier.

Don’t wait

PEPPER comes once a year, but our attention to it should be ongoing. Don't wait for the report to be released in April. Work with your billing department to see what reports you can run internally to track the Target Areas as part of your compliance efforts. This way, there will be no surprises in April 2020.


Topics: PEPPER

Compliance and HIPAA Training Handbooks are Here!

Posted by Margaret Scavotto, JD, CHC on 4/16/19 9:17 AM

MPA's Compliance and HIPAA training handbooks for healthcare staff are here!

Help your staff get HIPAA right, all day, every day.

MPA noticed that most HIPAA training doesn't cover the top calls we get: snooping, selfies, social media, and other common breaches.

This HIPAA training handbook won't tell your staff that HIPAA was enacted in 1996 - because that won't help your staff make good HIPAA decisions on a daily basis. This handbook will, however, provide common sense HIPAA information your staff need to succeed in healthcare.

Each chapter is accompanied by a mini-quiz to test staff knowledge.


Help your staff get compliance right, all day, every day.

MPA noticed that most compliance training does not cover the daily risks most healthcare staff encounter - or is written in legalese that is challenging for many healthcare employees.

This training handbook won't tell your staff that OIG stands for "Office of Inspector General," because that isn't going to help most of your staff understand compliance. This handbook will break down compliance concepts in simple, understandable chapters to help them do their jobs in a way that follows your compliance program. 

Each chapter is accompanied by a mini-quiz to test staff knowledge.


Topics: Compliance Basics, Training and Education, HIPAA, Culture of Compliance, MPA's Compliance Store
