It is common for covered entities and business associates to train employees at hire and (at least) annually. What’s not as common is including other parties in the organization’s HIPAA training program. Contracted staff, temp/agency staff, volunteers, board members, and students can be considered part of an organization’s workforce – meaning, they need to be trained on HIPAA. And, during the pandemic, many providers have expanded the types of individuals that are part of their team.
In March, CMS announced that it was suspending routine surveys for nursing homes during the pandemic, in order to focus on infection control and Immediate Jeopardy issues. However, CMS announced on Monday that this suspension is coming to an end.
In its memo to State Survey Agency Directors, titled: Enforcement Cases Held during the Prioritization Period and Revised Survey Prioritization, CMS announced that it is resuming onsite revisits and other surveys, and expanding its desk review.
In addition to the expanded surveys previously authorized for states entering Phase 3 of the Nursing Homes Reopening guidance, CMS is authorizing further survey expansion. The guidance states (direct quote):
MPA scours OIG, DOJ, FBI, and OCR enforcement updates and news headlines so you don't have to.
We summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.
Coming to this month's issue:
- SNF chain billed for unnecessary therapy
- PPP loan fraud leads to criminal charges
- Physician assistant took kickbacks from pharmaceutical company
- Providers enter 5-figure settlements for employing excluded providers
- The OCR resolves two complaints with providers whose COVID-19 policies involved religious discrimination
- Nursing homes hit with ransomware
You can read a sample report here.
Watch Out for Fraudulent OCR Postcards
On August 6th, the OCR issued an Alert: Postcard Disguised as Official OCR Communication. This Alert warns covered entities and business associates that an impostor is sending out postcards, posing as the OCR. The postcards ask the recipient to visit a website, call, or email “to take immediate action on a HIPAA Risk Assessment.” The postcard is not from the OCR; it is from a consulting company trying to sell services.
In June 2020, The Society of Corporate Compliance and Ethics and the Health Care Compliance Association published survey results: Compliance and the COVID-19 Pandemic.
This survey of compliance professionals found:
"The COVID-19 pandemic has upended countless organizations and how people work... compliance programs have also felt the impact. Teams have had to adjust the way they work to ensure that regulatory mandates are still met - all while staying on top of the myriad regulation changes meant to address the pandemic."
I think we can all agree it has not been easy.
Here is what your healthcare professional peers say about COVID-19's effect on compliance:
Sign up for the next webinar in MPA's Free Compliance Webinar Series:
August 11 at 11 a.m. CST: HIPAA & PR Pitfalls
The OCR has entered multiple HIPAA settlements with healthcare providers who violated HIPAA with public relations campaigns and media communications. This was an issue before COVID-19, and the pandemic has only increased media attention and the need for effective HIPAA protocols.
Learn how to stay on the good side of the news.
During the pandemic, healthcare providers have seen countless headlines announcing both HIPAA guidance related to COVID-19, and HIPAA breaches. For example:
- Health care providers can contact former COVID-19 patients about blood and plasma donation opportunities
- Cyber-scams skyrocket during the pandemic
- Football player Ezekiel Elliott's COVID-19 test results leaked to the media
- OCR issues guidance on when healthcare providers can provide media access during COVID-19
- Nurse investigated for sharing video about fellow nurse who died of COVID-19
- Privacy issues with no-contact temperature taking
If your HIPAA training hasn't changed in response to this guidance and these headlines, that could be a problem.
The pandemic has led covered entities and business associates to rethink training.
For starters, in-services are not always practical right now. With more remote employees, and concerns about containing the spread of the virus, in-person, classroom-style training is not working for everyone.
Plus, many providers are dealing with an evolving workforce: more agency/temp staff, more healthcare professionals newly hired due to loosened education or certification requirements during COVID-19. All of these people need training - and providers have less time to train.
Compliance and HIPAA training does not have to be in the form of a live in-service to be effective.
MPA's Compliance and HIPAA Training Handbooks can help.
This guidance is used in two ways:
- Federal prosecutors conducting criminal investigations (such as into healthcare fraud) use it to evaluate a corporation’s compliance program. This evaluation can impact any financial penalties imposed.
- Corporations, including healthcare providers, use it to evaluate their own compliance programs.
Here are some of the DOJ’s June 2020 changes to its compliance evaluation guidance:
On June 11, CMS issued an alert warning nursing homes not to seize residents' CARES Act stimulus checks. Providers that do so could lose their Medicare and Medicaid contracts.
CMS cited resident rights laws in support of its warning:
- 42 CFR 483.12, Freedom from Abuse, Neglect and Exploitation (prohibition against misappropriation of resident property): "the deliberate misplacement, exploitation or wrongful, temporary, or permanent use of a resident's belongings or money without the resident's consent."
- 42 CFR 483.10, each resident has "the right to manage his or her financial affairs"; "The facility must not require residents to deposit their personal funds with the facility. If a resident chooses to deposit personal funds with the facility, upon written authorization of a resident, the facility must act as a fiduciary of the resident's funds and hold, safeguard, manage, and account for the personal funds of the resident deposited with the facility...."
The FTC issued a consumer alert advising Medicaid beneficiaries that nursing homes CANNOT require them to sign their CARES Act stimulus checks over to the nursing home. The FTC encourages residents who have been asked by nursing homes for their CARES Act checks to complain to the state attorney general.
MPA has updated its Resident Rights Policy and Resident Rights Summary to reflect this alert. Subscribers to MPA's Nursing Home Compliance Program received an email with the new policy downloads today. Click here to subscribe.