Effective April 23, 2019, the Office for Civil Rights (OCR) has reduced the annual aggregate HIPAA penalty caps for covered entities and business associates.
Note: This topic is of special interest to our SNF readers. General healthcare compliance and HIPAA topics will return next week!
The Affordable Care Act mandated compliance and ethics programs for all nursing facilities. Medicare and Medicaid will require implementation by November 28, 2019.
Are you ready?
Fortunately, the ACA requirements closely – but not entirely – track the OIG compliance program guidance and the Federal Sentencing Guidelines principles for compliance programs, so providers who have built compliance programs on these documents should be in pretty good shape. Here is what the ACA requires nursing facilities to have by November 28, 2019:
- Written compliance and ethics policies and procedures that are communicated to staff, contractors and volunteers and:
  - Reduce the risk of criminal, civil and administrative violations
  - Promote quality of care
  - Designate a compliance contact to receive reports
  - Include an anonymous way to report non-compliance without retribution
  - Include disciplinary standards
  - Apply to contractors and volunteers
- Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
- Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
- Auditing and monitoring
- A reporting system
- Consistent enforcement via discipline
- Annual review.*
*It can take weeks or even months to review a compliance program, so if this is your first experience with annual review, it is a good idea to start early.
Organizations with five or more facilities must also have:
- A mandatory annual compliance training program, and
- A compliance officer who reports directly to the governing body, with designated compliance liaisons at each site
Note: while these items are only mandatory under the ACA for SNFs with five or more sites, it is a good idea for all SNFs to consider incorporating these items into their own compliance programs. While they are not mandatory for smaller organizations, they will strengthen your program and make it easier to run an effective compliance program.
A San Diego hospital is being sued for secretly video recording 1,800 patients while they received procedures in three labor and delivery operating rooms. Women were also recorded while undressing, and with their genitals exposed. The lawsuit alleges that the recorded women have suffered anxiety, humiliation, depression, and other harm.
The hospital installed motion-activated cameras on drug carts in the operating rooms, in order to investigate potential employee diversion of propofol from operating room drug carts. The cameras continued to record after the motion stopped. The lawsuit alleges that multiple users – including strangers and non-medical employees – could access the recordings on computers, and the hospital did not track who accessed the recordings.
While we don’t know exactly what procedures were followed in this example, some good HIPAA questions are raised for other providers considering using filming in similar circumstances.
From a HIPAA standpoint, a HIPAA authorization would be required for any such recording to be legally obtained. This story also raises concerns about how the recordings were stored and accessed, and whether access to the recordings was properly limited. And of course, before any new technology is used that will record and store ePHI, it should first be addressed in your HIPAA security risk analysis.
The latest PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports have been released for SNF, LT, IRF, IPF, CAH and hospice providers. You can access your PEPPER online. Home health providers and partial hospitalization programs can expect their PEPPERs to arrive in July 2019.
This latest PEPPER uses statistics for October 1, 2017 through September 30, 2018. To download your PEPPER, the Chief Executive Officer, President, Administrator, Compliance Officer, or Quality Assurance/Performance Improvement Officer needs to:
- Visit the PEPPER Resources Portal
- Enter your information. Note: A patient control number (UB04 form locator 03a) or medical record number (UB04 form locator 03b) from a claim for a traditional Medicare FFS beneficiary with a claim "from" or "through" date between July 1 and Sept. 30, 2018, will be required.
- Download your PEPPER!
If you need help, review the Secure PEPPER Access Guide.
Will you get your PEPPER? You should.
Last year, on average, less than half of providers viewed their PEPPER reports. For example:
- IL: 50.79%
- CA: 44.93%
- NY: 44.86%
(% of SNFs that accessed their PEPPER reports in the state between April 16, 2018 and March 20, 2019).
Providers who don't download their PEPPERs are missing out on some valuable data.
Why PEPPER matters
Your PEPPER report can help you compare your organization to other providers, and determine whether you have been identified as an outlier at risk for improper payments. PEPPER considers a provider to be an outlier if its Target Areas are at or above the 80th percentile, or at or below the 20th percentile, depending on the area. If your PEPPER shows you are an outlier, an internal audit should be conducted to identify any improper payments or non-compliant practices. CMS is quick to point out that variances from the national data do not necessarily mean billing irregularities have occurred. However, it would be wise to determine why the government has identified you as an outlier.
In other words, the government is mining your data and evaluating your claims—and so should you. By incorporating PEPPER data into your compliance auditing strategy, you can identify potential areas of non-compliance that could make you a government target. And of course, a "good" PEPPER should not give you false confidence about your claims – MPA recommends conducting documentation reviews to ensure claims are appropriate, even if you aren't an outlier.
PEPPER comes once a year, but our attention to it should be ongoing. Don't wait for the report to be released in April. Work with your billing department to see what reports you can run internally to track the Target Areas as part of your compliance efforts. This way, there will be no surprises in April 2020.
MPA's Compliance and HIPAA training handbooks for healthcare staff are here!
Help your staff get HIPAA right, all day, every day.
MPA noticed that most HIPAA training doesn't cover the top calls we get: snooping, selfies, social media, and other common breaches.
This HIPAA training handbook won't tell your staff that HIPAA was enacted in 1996 - because that won't help your staff make good HIPAA decisions on a daily basis. This handbook will, however, provide common sense HIPAA information your staff need to succeed in healthcare.
Each chapter is accompanied by a mini-quiz to test staff knowledge.
Help your staff get compliance right, all day, every day.
MPA noticed that most compliance training does not cover the daily risks most healthcare staff encounter - or is written in legalese that is challenging for many healthcare employees.
This training handbook won't tell your staff that OIG stands for "Office of Inspector General," because that isn't going to help most of your staff understand compliance. This handbook will break down compliance concepts in simple, understandable chapters to help them do their jobs in a way that follows your compliance program.
Each chapter is accompanied by a mini-quiz to test staff knowledge.
Last week, my husband and our five year old daughter took our dog to the vet for a check-up. When they came home, my five year old was very excited to tell me that she got to talk to Dr. Julie about Abby's tooth cleaning and Jack's nail trimming.
Abby and Jack are my mother's cats, who, in case it isn't obvious, also see Dr. Julie.
I was astounded! Until my husband reminded me: "There's no HIPAA for cats, Margaret."
That's right. Of course!
But this got me thinking. If Abby and Jack were people, we would have a pretty big problem on our hands. My mother lives four minutes away. So do my nephews. So do my aunt and uncle. There's some overlap in doctors and dentists in our family (in addition to veterinarians). We bump into each other all over town.
And yet, thanks to HIPAA, we all expect and trust that our medical information will be kept private. Can you imagine it any other way? Can you imagine the chaos that would ensue if everyone discussed everyone else's tooth cleanings and nail trimmings all over town, as if we were cats?
Aristotle said what separates humans from the animals is rationality. I think it's HIPAA, too.
CBS 2 (Chicago) reported that potentially 60 Northwestern Memorial Hospital employees were terminated for accessing Jussie Smollett's medical records, without authorization, during a hospital stay following a highly publicized assault.
One terminated Northwestern employee reported she was fired after she "went into the charting system and started to search [Smollett]'s name." The fired employee did this out of "morbid curiosity." Others were potentially terminated for asking if the actor was admitted to the hospital under an alias.
Northwestern has not commented on the alleged firings, and we do not know for sure whether the firings occurred; if so, how many firings occurred; and whether HIPAA was violated.
But we do know that all healthcare providers struggle with the challenge of unauthorized access to patient records (also known as snooping). It happens with celebrities and other high-profile patients: car accident victims, employee relatives and friends, co-workers, and hometown heroes.
What you can do:
- Admit high profile patients under an alias.
- Limit access with your EHR controls.
- Monitor access regularly. Increase monitoring when you have a high-profile patient.
- Use alerts to warn users and your compliance team when access is exceeded.
- Have your breach analysis policy and decision tree nearby for when access is exceeded.
- Train staff on the consequences of exceeding their authorized access. One "morbid curiosity" click could cost them their job.
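The monitoring and alerting items above can be reduced to a small check over the EHR's access audit log: any access to a patient on a high-profile watchlist by a user who is not on that patient's care team is surfaced to the compliance team. The following is an added example and is not MPA's code or any EHR vendor's feature; the log format, the field names, the watchlist and the care-team table are all constructed assumptions, and the sample log lines are constructed.

```python
"""Flag EHR audit-log events that touch a high-profile patient's record
without a care-team assignment. Added example, not part of the original
post; log format, field names and the care-team table are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2019-02-01T08:12:03,nurse.ann,RN,P1001,view
2019-02-01T08:15:44,dr.lee,MD,P1001,view
2019-02-01T08:40:10,clerk.bob,CLERK,P1001,view
2019-02-01T09:02:51,nurse.ann,RN,P1001,update
2019-02-01T09:10:00,tech.cy,TECH,P1001,search
2019-02-01T09:11:30,tech.cy,TECH,P1001,view
2019-02-01T10:00:00,dr.lee,MD,P2002,view
2019-02-01T10:05:00,clerk.bob,CLERK,P2002,view
"""

# Constructed watchlist: patient ids flagged as high profile
# (for example, a patient admitted under an alias).
HIGH_PROFILE = {"P1001"}

# Constructed care-team table: users with a treatment or operations
# reason to open each flagged record. Everyone else triggers an alert.
CARE_TEAM = {"P1001": {"nurse.ann", "dr.lee"}}


@dataclass(frozen=True)
class Alert:
    """One user touching one flagged patient, with every action seen."""
    user: str
    patient_id: str
    actions: tuple
    first_seen: str


def parse_log(text):
    """Parse the constructed CSV audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": ts, "user": user, "role": role,
                       "patient": patient, "action": action})
    return events


def find_snooping(events, watchlist=HIGH_PROFILE, care_team=CARE_TEAM):
    """Return one Alert per (user, flagged patient) pair where the user is
    not on that patient's care team. A name search counts the same as a
    chart view: the lookup itself is the access to review."""
    hits = defaultdict(list)
    for e in events:
        if e["patient"] not in watchlist:
            continue
        if e["user"] in care_team.get(e["patient"], set()):
            continue
        hits[(e["user"], e["patient"])].append(e)
    alerts = []
    for (user, patient), evs in sorted(hits.items()):
        alerts.append(Alert(user, patient,
                            tuple(x["action"] for x in evs), evs[0]["ts"]))
    return alerts


if __name__ == "__main__":
    for a in find_snooping(parse_log(SAMPLE_LOG)):
        print(f"{a.first_seen} {a.user} -> {a.patient_id}: {', '.join(a.actions)}")
```

Running the block lists clerk.bob (one view) and tech.cy (a name search followed by a view) against P1001; the two P2002 events produce nothing because P2002 is not on the watchlist. In practice the watchlist would be populated when the alias admission is created and the alerts routed to the compliance team alongside the breach decision tree.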
Need help reminding your staff not to snoop medical records? HIPAA Every Day, MPA's HIPAA training handbook for healthcare employees, addresses snooping.
The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.
A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).
I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But, I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.
If this were a cartoon, my head would have exploded at this moment.
When my disbelief faded into the reality that this person – perhaps some kind of case worker or social worker – was in fact discussing patients and their health care information – I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?
I’ll tell you why: awareness and training.
I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.
I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.
What about your staff? Would they know what to do?
Compliance When Nobody is Watching
by Margaret Scavotto, JD, CHC
Everyone knows an effective compliance program needs leaders, policies, training, audits, reporting, investigations, corrective action, and discipline.
You probably already have these elements in place. You have policies and training to help your employees do the right thing. You have audits to verify that your employees are following compliance policies (and doing the right thing).
Read more here.
For Compliance Today: Copyright 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).
Topics: Culture of Compliance
MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.
Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.
Not yet a subscriber? Use coupon code NEWYEAR to save 25% off the price when you sign up.
You can read a sample report here.
Topics: Compliance Basics