CoP Interpretive Guidelines: Are You Compliant?
§ 484.60 Condition of participation: Care planning, coordination of services, and quality of care.
Patients are accepted for treatment on the reasonable expectation that an HHA can meet the patient's medical, nursing, rehabilitative, and social needs in his or her place of residence. Each patient must receive an individualized written plan of care, including any revisions or additions. The individualized plan of care must specify the care and services necessary to meet the patient-specific needs as identified in the comprehensive assessment, including identification of the responsible discipline(s), and the measurable outcomes that the HHA anticipates will occur as a result of implementing and coordinating the plan of care. The individualized plan of care must also specify the patient and caregiver education and training. Services must be furnished in accordance with accepted standards of practice.
(a) Standard: Plan of care. Each patient must receive the home health services that are written in an individualized plan of care that identifies patient-specific measurable outcomes and goals, and which is established, periodically reviewed, and signed by a doctor of medicine, osteopathy, or podiatry acting within the scope of his or her state license, certification, or registration. If a physician refers a patient under a plan of care that cannot be completed until after an evaluation visit, the physician is consulted to approve additions or modifications to the original plan.
(2) The individualized plan of care must include the following:
(i) All pertinent diagnoses;
(ii) The patient's mental, psychosocial, and cognitive status;
(iii) The types of services, supplies, and equipment required;
(iv) The frequency and duration of visits to be made;
(vi) Rehabilitation potential;
(vii) Functional limitations;
(viii) Activities permitted;
(ix) Nutritional requirements;
(x) All medications and treatments;
(xi) Safety measures to protect against injury;
(xiii) Patient and caregiver education and training to facilitate timely discharge;
(xv) Information related to any advanced directives; and
(xvi) Any additional items the HHA or physician may choose to include.
(b) Standard: Conformance with physician orders.
(1) Drugs, services, and treatments are administered only as ordered by a physician.
(2) Influenza and pneumococcal vaccines may be administered per agency policy developed in consultation with a physician, and after an assessment of the patient to determine for contraindications.
(4) When services are provided on the basis of a physician's verbal orders, a nurse acting in accordance with state licensure requirements, or other qualified practitioner responsible for furnishing or supervising the ordered services, in accordance with state law and the HHA's policies, must document the orders in the patient's clinical record, and sign, date, and time the orders. Verbal orders must be authenticated and dated by the physician in accordance with applicable state laws and regulations, as well as the HHA's internal policies.
(c) Standard: Review and revision of the plan of care.
(1) The individualized plan of care must be reviewed and revised by the physician who is responsible for the home health plan of care and the HHA as frequently as the patient's condition or needs require, but no less frequently than once every 60 days, beginning with the start of care date. The HHA must promptly alert the relevant physician(s) to any changes in the patient's condition or needs that suggest that outcomes are not being achieved and/or that the plan of care should be altered.
(2) A revised plan of care must reflect current information from the patient's updated comprehensive assessment, and contain information concerning the patient's progress toward the measurable outcomes and goals identified by the HHA and patient in the plan of care.
(3) Revisions to the plan of care must be communicated as follows:
(i) Any revision to the plan of care due to a change in patient health status must be communicated to the patient, representative (if any), caregiver, and all physicians issuing orders for the HHA plan of care.
(ii) Any revisions related to plans for the patient's discharge must be communicated to the patient, representative, caregiver, all physicians issuing orders for the HHA plan of care, and the patient's primary care practitioner or other health care professional who will be responsible for providing care and services to the patient after discharge from the HHA (if any).
(d) Standard: Coordination of care. The HHA must:
(1) Assure communication with all physicians involved in the plan of care.
(3) Integrate services, whether services are provided directly or under arrangement, to assure the identification of patient needs and factors that could affect patient safety and treatment effectiveness and the coordination of care provided by all disciplines.
(5) Ensure that each patient, and his or her caregiver(s) where applicable, receive ongoing education and training provided by the HHA, as appropriate, regarding the care and services identified in the plan of care. The HHA must provide training, as necessary, to ensure a timely discharge.
(e) Standard: Written information to the patient. The HHA must provide the patient and caregiver with a copy of written instructions outlining:
(5) Name and contact information of the HHA clinical manager (Cornell Law School, 2018).
Need Help with your agency's Condition of participation (CoP) compliance?
For more information about how Select Data can ensure CoP Interpretive Guidelines have been met, email firstname.lastname@example.org or call 800-332-0555.
Resources
Centers for Medicare & Medicaid Services (2018). Center for Clinical Standards and Quality / Quality, Safety & Oversight Group. Department of Health and Human Services. CMS.gov. Retrieved from: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/QSO-18-13-HHA-.pdf
Cornell Law School (2018). 42 CFR 484.60 - Condition of participation: Care planning, coordination of services, and quality of care. Legal Information Institute. Retrieved from: https://www.law.cornell.edu/cfr/text/42/484.60
CoP Compliance: You Can't Do It Without Your Clinicians!
CMS expects Conditions of Participation (CoPs) 100% Compliance on January 13th.
CoPs Delayed a Proposed 6 Months!!!
Breathe a Sigh of Relief, but Don’t Relax as You Have Much Work to do.
- A patient-centered assessment with measurable outcomes.
- Patient-specific care planning and service delivery
- Agency-specific processes for Quality Assessment and Performance with active Governing Body involvement
We Do it Here: Don't Send Your PHI Offshore
At Select Data your medical coding stays on shore right here in America!
Call Select Data today to get more information on how our proprietary Assessment Review and Coding service can assist your agency in providing better patient and financial outcomes.
— Select Data, Inc. (@SelectDataInc) May 19, 2017
A Better Way To Code. Have You Outsourced Coding?
Are You Happy With It? Read This To See Why Outsourcing Is a Key Strategy for Your Agency's Success.
HIPAA Compliance Checklist: Is Your Agency's Documentation at Risk?
HIPAA Compliant Documentation Supports Your Agency's Services. Read this to find out.
Supporting HIPAA Compliant Documentation
HIPAA can be complex. As HIPAA compliance experts, Select Data has created a checklist to help you self-assess the status of your organization's compliance. With OCR/HHS HIPAA audits on the rise, there has never been a better time to understand what needs to be done to become HIPAA compliant and how far along in the process you already are. Select Data provides professional coding services to Home Health and Hospice agencies and is an industry expert in the language of CMS. We assist agencies with the accurate representation of their patients. To find out how Select Data can help you improve coding accuracy, check out our OASIS review and coding services. To download the HIPAA Compliance Checklist, fill out the information below.
HIPAA and Faxing: A Potentially Dangerous Combination
Thinking about sending PHI through your fax machine? Read this before you do.
The Right to Privacy
In 1890, Supreme Court Justices Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review. They defined privacy as the “right to be left alone.” Over 100 years later the Health Insurance Portability and Accountability Act (HIPAA) established a set of standards for protection of personal health information (PHI).
The world has changed greatly in those 100 years. There was, and is, a serious need to ensure accountability and to establish a national uniform baseline for privacy and uniform standards for transmission of health information. Today, almost everyone carries a smartphone and has a computer, laptop, and/or notebook to transmit words and images on a host of sites such as SnapChat, Twitter, Facebook, and YouTube for all to see…forever.
And while there are many seminars and webinars regarding texting and the potential perils of using a mobile device to transmit patient information, no one is talking about faxing. The fax machine seems to be such a benign device, but it is not. Breaches are on the rise, and the Office for Civil Rights (OCR) is stepping up its audits.
Many agencies do not have adequate policies covering the faxing process. First, consider whether all the faxing done in your agency is really necessary. Scanning and email, or the traditional postal service, should be considered where possible; they can be safer.
Consider setting up a “To be Faxed” sending bin close to the fax machine so that faxing can be done when the agency office is less busy. This reduces errors of transposed or incorrect digits that occur when the sender’s mind is not fully on the task.
Policy and Procedures For Home Health Agencies
Have a policy requiring reconfirmation of all fax numbers at least every 6-12 months. Your agency should fax an “Agency Fax Number Confirmation” sheet to all offices you fax routinely and ask them to confirm their fax number: have them confirm, sign, and date it and fax it back to your agency. Recently, an agency learned that some of the fax numbers embedded in its EMR were outdated. Your fax sheet should have your agency name, phone number, fax number, address, and contact personnel in case there is a question. It should include the legal warning telling the recipient what to do if the fax is sent to the wrong person or agency/company/practice, and the person and number at your agency who should be contacted in case of a mistaken fax.
HIPAA HITECH has teeth now and the fines are significant. Your bottom line is fragile as is your agency’s reputation. Don’t jeopardize either with an inappropriately sent fax.
HIPAA Violations and Enforcement
The “American Recovery and Reinvestment Act of 2009” (ARRA) established a tiered civil penalty structure for HIPAA violations. The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
(42 USC § 1320d-5)
Civil Penalties for HIPAA Violations
The “American Recovery and Reinvestment Act of 2009” (ARRA), which was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).
| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
Criminal Penalties for HIPAA
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
Covered Entity and Specified Individuals
The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).
The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.
Please refer to the AMA's FAQs on the privacy regulations for additional information on enforcement of the privacy standards.
No Private Cause of Action
While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.
Frequently Asked Questions
A PHR is an electronic health record that the consumer maintains. It contains identifiable health information usually maintained by the consumer, although a health care provider may facilitate its use and populate the record with the permission of the consumer. PHRs are becoming more widely used by consumers, and PHR vendors are generally not covered by HIPAA. Companies such as Personal MD and Dossia serve Wal-Mart, AT&T, and Intel. Google has launched Google Health, and its competitor Microsoft has launched Microsoft HealthVault.
Because companies that are not covered entities, or business associates of a covered entity that maintains health records, are not federally liable for privacy or security, there is a legislative movement to create law to change that. Because PHRs are under consumer control, there is greater privacy risk.
Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of Health and Human Services is not secure. If data is not encrypted or destroyed, it is not secure. Data that is truly encrypted or destroyed cannot be breached.
There are two types of data encryption:
- Encrypting data at rest, such as laptop and notebook hard drives and databases
- Encrypting data in transit, such as securing Web connections, VPNs, and wireless networks.
An electronic health record consists of health-related information that is created, gathered, managed, and authorized by health care clinicians and personnel. The government believes that widespread use of EHRs will not occur until the public is assured that the privacy of their health information is secure. Hospital workers inappropriately accessing celebrity health information, such as that of Britney Spears, has been an impetus to hold individuals, as well as facilities, responsible for breaches of EHRs.
A breach is an unauthorized acquisition, access, use, or disclosure of protected health information resulting from a failure to comply with organizational security or privacy policies, or from a violation of federal or state privacy and security regulations. Access to information by an employee of a covered entity, in good faith, is not considered a breach.
We recommend requiring all employees to re-sign your agency’s privacy policies annually. This act serves as a reminder of the importance of privacy and confidentiality in the organization. Failure to comply with HIPAA can result in civil and criminal penalties.
HIPAA Basics for Providers
The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules were established to protect the privacy and security of health information and provide individuals with certain rights to their health information.
History of HIPAA
Among other provisions, the Privacy Rule sets standards for when protected health information (PHI) may be used and disclosed, while the Security Rule requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access. The Breach Notification Rule requires HIPAA covered entities to notify the Department of Health & Human Services (HHS), affected individuals, and in some cases the media (and business associates to notify covered entities) of breaches of unsecured PHI. You play a vital role in protecting the privacy and security of patient information. This fact sheet gives a basic overview of the rules, the information protected by the rules, and who must comply with the rules.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes standards for the protection of PHI held by covered entities and their business associates (defined below) and gives patients important rights with respect to their health information. Additionally, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.
The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to the following:
- The individual’s past, present, or future physical or mental health or condition;
- The provision of health care to the individual; or
- The past, present, or future payment for the provision of health care to the individual.
PHI includes many common identifiers, such as name, address, birth date, and Social Security Number.
HIPAA Security Rule
The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of ePHI.
Covered entities and business associates must develop and implement policies and procedures to protect the security of ePHI that they create, receive, maintain, or transmit. Each entity must analyze the risks to the ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate for a particular entity will depend on the nature of the entity’s business, as well as the entity’s size, complexity, and resources.
Frequently Asked Questions
The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS in a log or other documentation annually. The Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. Table 1 displays the notification timelines.
Table 1. Breach Notification Timelines
| Providing Notification To… | Breach Involved Fewer Than 500 Individuals | Breach Involved 500 or More Individuals |
|---|---|---|
| Individuals | No later than 60 days from discovery | No later than 60 days from discovery |
| HHS | Submit a log of all breaches once a year, no later than 60 days after end of calendar year | At same time as notice to individuals, no later than 60 days from discovery |
| Media | N/A | No later than 60 days from discovery |
Covered entities and business associates must follow HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules. For a complete definition of a covered entity and a business associate, refer to http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf on the U.S. Government Publishing Office website.
Covered entities electronically transmit health information. The following covered entities must follow HIPAA standards and requirements:
- Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans: Any individual or group plan that provides or pays the cost of health care.
- Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa.
A business associate is a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. If a covered entity enlists the help of a business associate, a written contract or other arrangement between the two must:
- Detail the uses and disclosures of PHI the business associate may make; and
- Require that the business associate safeguard the PHI.
Examples of Covered Entities
Health Care Provider
- Nursing homes
Health Plan
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, along with the military and veterans’ health care programs
- Health insurance companies
- Health Maintenance Organizations
Health Care Clearinghouse
- Billing services
- Community health management information systems
- Repricing companies
- Value-added networks
Business associates provide services to covered entities that include:
- Claims processing
- Data analysis
- Financial services
- Legal services
- Management administration
- Utilization review
NOTE: A covered entity can be a business associate of another covered entity.
The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. For more information on the enforcement process, visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement on the HHS website. Violations may result in the imposition of civil monetary penalties. In some cases, criminal penalties may apply, enforced by the Department of Justice.
- Case example of a settlement: Two covered entities inadvertently posted ePHI for 6,800 individuals to the Internet, including patient status, vital signs, medications, and laboratory results. The investigation found that neither entity made efforts to assure the security of the server hosting the ePHI or confirm it contained adequate software protections. Neither entity developed an adequate risk management plan that addressed potential threats and hazards to ePHI. The entities agreed to pay a combined settlement of $4.8 million and enter into corrective action plans.
- Case example of a criminal prosecution: A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for personal gain. He faces up to 10 years in prison.
For more information about the HIPAA Privacy Rule and the HIPAA Security Rule, visit http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/PrivacyandSecurityStandards.html on the Centers for Medicare & Medicaid Services (CMS) website.
For some peace of mind, have a written information security program, an active HIPAA privacy program, and a living Corporate Compliance Program.