Viewing posts categorised under: HIPPA

CoP Interpretive Guidelines: Are You Compliant?

Admin

Are You Compliant With CoP §484.60?

 
The Home Health Agency Conditions of Participation (CoPs) went into effect January 13, 2018 (CMS, 2018). However, some agencies are still struggling to meet them. According to the CoP Interpretive Guidelines, to be compliant with CoP §484.60, home health agencies must have established standards of practice issued by a nationally recognized organization with expertise in the field. If your organization fails to meet these minimum standards when audited, you may be assessed a monetary fine or lose your Medicare certification.

§ 484.60 Condition of participation: Care planning, coordination of services, and quality of care.

Patients are accepted for treatment on the reasonable expectation that an HHA can meet the patient's medical, nursing, rehabilitative, and social needs in his or her place of residence. Each patient must receive an individualized written plan of care, including any revisions or additions. The individualized plan of care must specify the care and services necessary to meet the patient-specific needs as identified in the comprehensive assessment, including identification of the responsible discipline(s), and the measurable outcomes that the HHA anticipates will occur as a result of implementing and coordinating the plan of care. The individualized plan of care must also specify the patient and caregiver education and training. Services must be furnished in accordance with accepted standards of practice.

(a) Standard: Plan of care.

(1) Each patient must receive the home health services that are written in an individualized plan of care that identifies patient-specific measurable outcomes and goals, and which is established, periodically reviewed, and signed by a doctor of medicine, osteopathy, or podiatry acting within the scope of his or her state license, certification, or registration. If a physician refers a patient under a plan of care that cannot be completed until after an evaluation visit, the physician is consulted to approve additions or modifications to the original plan.

(2) The individualized plan of care must include the following:

(i) All pertinent diagnoses;

(ii) The patient's mental, psychosocial, and cognitive status;

(iii) The types of services, supplies, and equipment required;

(iv) The frequency and duration of visits to be made;

(v) Prognosis;

(vi) Rehabilitation potential;

(vii) Functional limitations;

(viii) Activities permitted;

(ix) Nutritional requirements;

(x) All medications and treatments;

(xi) Safety measures to protect against injury;

(xii) A description of the patient's risk for emergency department visits and hospital re-admission, and all necessary interventions to address the underlying risk factors.

(xiii) Patient and caregiver education and training to facilitate timely discharge;

(xiv) Patient-specific interventions and education; measurable outcomes and goals identified by the HHA and the patient;

(xv) Information related to any advanced directives; and

(xvi) Any additional items the HHA or physician may choose to include.

(3) All patient care orders, including verbal orders, must be recorded in the plan of care.

(b) Standard: Conformance with physician orders.

(1) Drugs, services, and treatments are administered only as ordered by a physician.

(2) Influenza and pneumococcal vaccines may be administered per agency policy developed in consultation with a physician, and after an assessment of the patient to determine for contraindications.

(3) Verbal orders must be accepted only by personnel authorized to do so by applicable state laws and regulations and by the HHA's internal policies.

(4) When services are provided on the basis of a physician's verbal orders, a nurse acting in accordance with state licensure requirements, or other qualified practitioner responsible for furnishing or supervising the ordered services, in accordance with state law and the HHA's policies, must document the orders in the patient's clinical record, and sign, date, and time the orders. Verbal orders must be authenticated and dated by the physician in accordance with applicable state laws and regulations, as well as the HHA's internal policies.

(c) Standard: Review and revision of the plan of care.

(1) The individualized plan of care must be reviewed and revised by the physician who is responsible for the home health plan of care and the HHA as frequently as the patient's condition or needs require, but no less frequently than once every 60 days, beginning with the start of care date. The HHA must promptly alert the relevant physician(s) to any changes in the patient's condition or needs that suggest that outcomes are not being achieved and/or that the plan of care should be altered.

(2) A revised plan of care must reflect current information from the patient's updated comprehensive assessment, and contain information concerning the patient's progress toward the measurable outcomes and goals identified by the HHA and patient in the plan of care.

(3) Revisions to the plan of care must be communicated as follows:

(i) Any revision to the plan of care due to a change in patient health status must be communicated to the patient, representative (if any), caregiver, and all physicians issuing orders for the HHA plan of care.

(ii) Any revisions related to plans for the patient's discharge must be communicated to the patient, representative, caregiver, all physicians issuing orders for the HHA plan of care, and the patient's primary care practitioner or other health care professional who will be responsible for providing care and services to the patient after discharge from the HHA (if any).

(d) Standard: Coordination of care. The HHA must:

(1) Assure communication with all physicians involved in the plan of care.

(2) Integrate orders from all physicians involved in the plan of care to assure the coordination of all services and interventions provided to the patient.

(3) Integrate services, whether services are provided directly or under arrangement, to assure the identification of patient needs and factors that could affect patient safety and treatment effectiveness and the coordination of care provided by all disciplines.

(4) Coordinate care delivery to meet the patient's needs, and involve the patient, representative (if any), and caregiver(s), as appropriate, in the coordination of care activities.

(5) Ensure that each patient, and his or her caregiver(s) where applicable, receive ongoing education and training provided by the HHA, as appropriate, regarding the care and services identified in the plan of care. The HHA must provide training, as necessary, to ensure a timely discharge.

(e) Standard: Written information to the patient. The HHA must provide the patient and caregiver with a copy of written instructions outlining:

(1) Visit schedule, including frequency of visits by HHA personnel and personnel acting on behalf of the HHA.

(2) Patient medication schedule/instructions, including: medication name, dosage and frequency and which medications will be administered by HHA personnel and personnel acting on behalf of the HHA.

(3) Any treatments to be administered by HHA personnel and personnel acting on behalf of the HHA, including therapy services.

(4) Any other pertinent instruction related to the patient's care and treatments that the HHA will provide, specific to the patient's care needs.

(5) Name and contact information of the HHA clinical manager (Cornell Law School, 2018).

Need Help with your agency's Condition of participation (CoP) compliance?

For more information about how Select Data can ensure CoP Interpretive Guidelines have been met email info@selectdata.com or call 800-332-0555.

Resources

Centers for Medicare & Medicaid Services (2018). Center for Clinical Standards and Quality/Quality, Safety & Oversight Group. Department of Human and Health Services. CMS.gov. Retrieved from: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/QSO-18-13-HHA-.pdf

Cornell Law School (2018). 42 CFR 484.60 - Condition of participation: Care planning, coordination of services, and quality of care. Legal Information Institute. Retrieved from: https://www.law.cornell.edu/cfr/text/42/484.60

Check out our FREE 30-minute webinar for OASIS-C2 corrections and more. Select Connects with Clinicians Click here to read more.

Select Data is committed to a strong compliance program that includes educating all personnel on mitigating HIPAA breaches. For more information about Select Data and their commitment to quality in Home Health and Hospice, call 1.800.332.0555.


CoP Compliance – You Can’t Do It Without Your Clinicians!

Admin

CMS expects Conditions of Participation (CoPs) 100% Compliance on January 13th.

"January Funk"

Shortly after ringing in the new year, people have been known to get the blues. Winters are cold, days are short, there’s not another holiday for months, and many people fall into what some call “The January Funk.” If you work in an industry that is heavily regulated, like healthcare, you may fall into a “January headache.” In healthcare, guidance, policy, and regulations are often updated, and new programs are launched at the beginning of the calendar year. For home health providers, saying “goodbye” to 2017 means saying “hello” to updated Conditions of Participation (CoPs) from CMS in 2018. After researching hundreds of pages of documentation, your head may be spinning as you lament over where to start. After all, just working in the home health business can keep your mind busy 24/7, never mind having more heaved onto your plate.

With the new CoPs implementation quickly approaching, we’re in the warm-up phase right now. If it hasn’t happened yet, it’s time for you to gather your team and start your pep talk. The success of any home health agency depends on teamwork. That’s not a new concept. Now is the time that your clinicians need to start wrapping their heads around how their life is going to be changing because of the updated regulations. Do you already have a plan in place for communicating with patients with limited English language skills? Do your clinicians know what the Patient’s Rights are? Since clinicians are just weeks away from having to give a verbal explanation of the Patient’s Rights to the patients, it’s time to start rehearsing. Clinician competency will be a key to your success, or the lack thereof will be the torpedo that sinks your battleship.

Call your team together and let’s get the planning started. First, your team needs to know that these changes are coming, and that they are nothing to be afraid of. It seems that in healthcare, when new policies (or regulatory changes) come around, there is a feeling of impending doom. “What do we have to do now?” I recommend that you do an overview with your clinicians and let them know exactly what the Conditions of Participation are and why they are being updated. It’s time to discuss the paradigm shifts regarding CMS’s approach to patient care. It also may take a certain degree of convincing to get your long-time veteran clinicians to buy into the idea of patient-centered healthcare that is driven by the patient’s strengths and preferences. If your staff doesn’t buy into this new philosophy, there’s little chance that your patients are going to be convinced to shift their thinking.

Eliminate Potential Anxiety For Your Clinicians

After you get past the “why”, it’s time to get your paper out and start sketching out the “how.” Your clinicians need to clearly understand what part of their routine must change. What signatures do they need to get and when? What’s the phone number for the interpreter’s line? Are you going to publish your agency’s literature in different languages? How do you explain a patient’s rights to people with different educational backgrounds and different cognitive abilities? Your clinicians are much more likely to be compliant with the updated Conditions of Participation if you help eliminate some of the potential anxiety that accompanies change. Start talking about these things now. It’s not fair to throw clinicians into a new situation without the proper preparation. We’ve all been there, and we all know that it stinks to be there. Start coaching them now so they’re set up for success.

Develop tools to get the job done right. Are there different fields that need to be custom added to your EMR so that the additional required information will have a home? If that’s not possible, you should work with your team to develop checklists (or worksheets) so that they are reminded of everything they need to ask or say during that home visit. Look at the tools you have now and decide what changes need to be made. When clinicians are forced to “do things on the fly” without the proper tools, they often find themselves jotting down random information in a disorganized and “non-HIPAA compliant” manner. Eventually, when all of this becomes more familiar, your clinicians will probably develop their own system. While they’re just becoming accustomed to these new requirements, make sure they have the tools to be organized and efficient.

Five-Day Window

Coordination is a huge factor in the new Conditions of Participation. For coordination to be successful, good communication is a must. Unfortunately, communication is where many teams take shortcuts. The Clinical Manager role that is defined in the CoPs is immense. An agency’s Clinical Manager is only going to be successful if your team has a great communication plan. Communication about a patient’s care plan will be ongoing, but it will be especially hectic at the time of admission. The communication plan among clinicians of different disciplines, multiple doctors’ offices, and the administrative staff must be well thought out, organized and adhered to. Figure out how you’re going to manage all the information in the beginning five-day window, or your Clinical Manager may end up climbing out of the office window to escape.

Practice, Practice, Practice!

Finally, it’s time for your team to start practicing. There’s nothing that prevents you from implementing some of these changes before the beginning of the year. CMS expects you to be compliant with the updated Conditions of Participation 100% of the time on January 13th. Don’t wait until early one January morning to try and throw these ideas together. You’re not making a quick regulatory snack. You’re creating a huge feast of regulatory changes. Some of us know from experience that you shouldn’t be making your grocery list the day before Thanksgiving as your in-laws are en route to your home. Don’t wait until the beginning of January to bring in donuts for your clinical team so that you can “brainstorm this new thing.”

Your clinicians are a key to your Conditions of Participation compliance. Invest in them. Train them. Listen to them. Invite them to join in on important conversations. Their success will lead to good patient outcomes. Isn’t that why we’re doing this after all?

For more information about the implementation of the new Conditions of Participation please view our webinar from October: https://www.selectdata.com/clinicians-role-conditions-participation-cops-compliance-select-connect-clinicians/

For more information on this topic or on our USA based Document review and Coding Services or Revenue Cycle Management, please call Select Data at 1.800.332.0555.

CoPs Delayed a Proposed 6 Months. Breathe a Sigh of Relief, but Don’t Relax as You Have Much Work to do.

Admin

 
CMS has proposed delaying the new Conditions of Participation (CoPs) for six months, until January 13, 2018. QAPI implementation would be required in July 2018. Though a 60-day comment period is required, it is unlikely that home health agencies will complain and demand to implement the new CoPs sooner, so industry experts are saying we can presume the delay will occur. Agencies have expressed relief, as the CoP changes were significant and many HHAs expressed concern that there was inadequate time to prepare. But don’t sit back with this postponement. You have much work to do.

The Changes in General

The organizational structure of the regulations was changed, dividing the general provisions into three subparts: general provisions, patient care, and organizational environment. Certain CoPs were consolidated; i.e. Skilled Nursing, Therapy Services, and Medical Social Services were consolidated into Professional Services. Two CoPs were added: Quality Assessment and Performance Improvement (QAPI) and Infection Prevention and Control. Many of the remaining standards were revised significantly: Patient Rights, Comprehensive Assessment, Care Planning/Care Coordination, Home Health Aide, Organization and Administration, Clinical Records, and Personnel Qualifications.

The CMS Focus

The focus is one of integrated care processes including:
  1. A patient-centered assessment with measurable outcomes.
  2. Patient-specific care planning and service delivery
  3. Agency-specific processes for Quality Assessment and Performance with active Governing Body involvement

Transforming the CoPs

CMS has found that directing a QA approach toward identifying providers that furnish poor quality or fail to meet minimum Federal standards does not always work. CMS stated, “We have found that this problem-focused approach has inherent limits.” CMS wants to stimulate broad-based improvements in the quality of care delivered to all patients. They want “Patient-centered, data-driven, outcome-oriented processes promoting high quality care for all patients at all times.” Surveyors are undergoing intensive new training.

Some of the Action Items that an Agency May Need to Complete

Intensive education for all personnel, especially in the areas of patient rights, comprehensive assessment with ongoing POC updates, and patient engagement. Active patient involvement in their POC.

New updated Patient Rights Forms with names, addresses, and phone numbers of caregivers. Have space on the form for the Patient/Legal Representative to sign. Make certain the new CoP language is included in the Patient Rights form.

Have copies of policies regarding admission, transfer, and discharge available for patients that reflect the new standards.

Be certain the patient knows the Clinical Manager’s name and number to call with any clinical questions. It is now required under the CoPs to provide the Administrator’s name and number to call with any complaints.

CMS is seeking a more “holistic patient assessment.” This means they expect the agency to develop a better understanding of the patient, knowing their strengths and abilities for active involvement in their own care plan and ultimate outcomes. How will your agency ensure this process? Will it be Integrative Care Management? Is education and training needed?

Educate personnel to identify signs and symptoms of stress in the caregiver, as well as how to speak with the caregiver regarding the strain and burdens of care. Will you use a screening tool?

Identify where you will note the education and training for patients and their specific needs. A one-size-fits-all care plan for a specific diagnosis will no longer be sufficient.

How will revisions to the care plan be flagged so clinicians know they are working with the most current POC? The POC is to become an “evolving document.”

CMS is stressing team care. The new CoPs require agencies to coordinate care delivery. How will your HH interdisciplinary team communicate? “Coordinated care requires communication with integration of orders with all physicians.”

A patient hospital risk assessment is required for all HHA admissions.

All patient orders, including verbal orders, must be recorded in the POC. They must have not only the date, but the time of the order noted.

“The HHA must develop, implement, evaluate, and maintain an effective ongoing, HHA-wide, data-driven program. The HHA governing body must ensure that the program reflects the complexity of its organization and services, involves all HHA services including those services provided under contract or arrangement, focuses on indicators needed to improve outcomes, including hospital admissions and readmissions and takes actions that address the HHA performance across the spectrum of care including the prevention and reduction of medical errors. The HHA must maintain documentary evidence of the QAPI program and be able to demonstrate its operation to CMS.”

A plan to educate/consult with the Governing Body regarding the new CoPs, as well as each QAPI project, is required.

The agency must create new policies and procedures, and modify and/or update certain old P&P in keeping with the new CoPs and the consolidation of certain old standards. Are new job description modifications needed?

As to infection control: what new P&P are needed? What surveillance, identification, prevention, control, and investigation program will be put in place to meet the new standard? Of course this will require further education and training for personnel.

As to home health aides: What education and training modifications will be required to meet the new communication requirements? What changes will be needed to the policies, procedures, and job descriptions?

What about your agency cybersecurity and Emergency Preparedness Plans? Your system must include a system of medical documentation that preserves patient information, protects confidentiality, and maintains availability of records.

So, you may think of the postponement as a reprieve, but it is a short one. As you can see…there is much to do, so get started now.

For assistance with your coding, documentation review, and revenue cycle management needs, contact Select Data at 1.800.332.0555. We are 100% USA based, here to assist you.

We Do it Here: Don’t Send Your PHI Offshore

Admin

At Select Data your medical coding stays on shore right here in America!

 
Select Data has provided Revenue Cycle Management (RCM) services to the home health and hospice industry for over 25 years; using proprietary internal processes developed on the principles supporting pay for performance. Select Data has always embodied the American Values of innovation and hard work by investing in our community and country through the hiring of American workers. Select Data clients have seen improved revenue, experienced up to a 40% reduction in reportable hospital readmissions, and achieved improvements in their STAR ratings. These results are achieved through Select Data’s unique process of accessing, abstracting, and analyzing each assessment. This analysis improves patient outcomes, “painting” a more accurate picture of the patient’s fragility and yielding agencies the full allowable reimbursement for billable services, while controlling utilization. The review team queries the agency for any inconsistent or incongruent information to ensure the accuracy of the recommendations and that all available data is captured to reflect the patient’s true medical fragility. The result is diagnosis coding to the highest level of specificity, a full OASIS review, and key process and treatment plan recommendations. Call Select Data today to get more information on how our proprietary Assessment Review and Coding service can assist your agency in providing better patient and financial outcomes.

A Better Way To Code. Have You Outsourced Coding?

Admin

Are You Happy With It? Read This To See Why Outsourcing Is a Key Strategy for Your Agency's Success.

 

With all the relentless regulatory and payment challenges facing Medicare Certified Home Health and Hospice Agencies, how are you holding up? Have you outsourced coding? Are you happy with it? It’s no secret that outsourced coding has become a key strategy for agency success. In fact, a third of agencies larger than $500,000 in Medicare revenue today outsource their coding, a number that has more than tripled since 2014. If you have more than $3 million in Medicare reimbursement today, we can help you in a lot of ways. Select Data is one of the largest coding companies in Home Health and Hospice right here in America. Why? Because we partner with agencies like yours and commit to their success. Whether or not you’re already outsourcing, we urge you to consider Select Data. You’ll get our fast and accurate coding services with 24/7/365 coverage, your own team of American coders, and HIPAA compliant integration with your EMR for efficiency and to keep your PHI secure and in the U.S. Don't send your PHI offshore.
For more information regarding OASIS Review and Coding services for your agency, contact Select Data 1.800.332.0555 or click here to view our OASIS Review and Coding services.

HIPAA Compliance Checklist: Is Your Agency’s Documentation at Risk?

Admin

HIPAA Compliant Documentation Supports Your Agency's Services. Read this to find out.

 

Supporting HIPAA Compliant Documentation

HIPAA can be complex. As HIPAA compliance experts, Select Data has created a checklist to help you self-assess the status of your organization's compliance. With OCR/HHS HIPAA audits on the rise, there's never been a better time to understand what needs to be done to become HIPAA compliant and how far along in the process you already are. Select Data provides professional coding services to Home Health and Hospice agencies and is an industry expert in the language of CMS. We assist agencies with the accurate representation of their patients. To find out how Select Data can help you improve coding accuracy, check out our OASIS review and coding services. To download the HIPAA Compliance Checklist, fill out the information below.


HIPAA and Faxing: A Potentially Dangerous Combination

Admin

Thinking about sending PHI through your fax machine? Read this before you do.

 

The Right to Privacy

In 1890, Supreme Court Justices Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review. They defined privacy as the “right to be left alone.” Over 100 years later the Health Insurance Portability and Accountability Act (HIPAA) established a set of standards for protection of personal health information (PHI).

The world has changed greatly in those 100 years. There was and is a serious need to ensure accountability; to establish a national uniform baseline for privacy and uniform standards for transmission of health information. Today, almost everyone carries a smartphone and has a computer, laptop, and/or notebook to transmit words and images on a host of sites such as SnapChat, Twitter, Facebook, and YouTube for all to see…forever.

And, while there are many seminars and webinars regarding texting and the potential perils of using a mobile device to transmit patient information, no one is talking about faxing. The fax machine seems to be such a benign device. But it is not. Breaches are on the rise. The Office of Civil Rights (OCR) is stepping up its audits.

Many agencies do not have adequate policies that cover the faxing process. First of all, consider: is all the faxing done in your agency really necessary? Scanning and email or use of traditional postal service should be considered, if possible. It can be safer.

Consider setting up a “To be Faxed” sending bin close to the fax machine. This way faxing can be done when it is less busy in your agency office. This can reduce errors of transposed or incorrect digits because the sender’s mind may not be fully on the task.

Policy and Procedures For Home Health Agencies

Have a policy requiring reconfirmation of all fax numbers at least every 6-12 months. Your agency should fax an “Agency Fax Number Confirmation” sheet to all offices faxed routinely and confirm their fax number. Have them confirm, sign, and date it and fax it back to your agency. Recently, an agency learned that some of the fax numbers embedded in the EMR it used were outdated. Your fax sheet should have your agency name, phone number, fax number, address, and the personnel to contact if there is a question. It should include the legal warning as to what a person should do if the fax is sent to the wrong person or agency/company/practice. Include the person and number at your agency who should be contacted in case of a mistaken fax.

HIPAA HITECH has teeth now and the fines are significant. Your bottom line is fragile as is your agency’s reputation. Don’t jeopardize either with an inappropriately sent fax.

Sources

Centers for Medicare & Medicaid (2016). Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone? CMS.gov. Retrieved from: http://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/

Centers for Medicare & Medicaid (2016). Can a physician’s office fax patient medical information to another physician’s office? CMS.gov. Retrieved from: http://www.hhs.gov/hipaa/for-professionals/faq/356/can-a-physicians-office-fax-patient-medical-information-to-another-physicans-office/

Select Data is committed to a strong compliance program that includes educating all personnel on mitigating HIPAA breaches. For more information about Select Data and their commitment to quality in Home Health and Hospice, call 1.800.332.0555.


HIPAA Violations and Enforcement

Admin
Compliance, HIPPA


(42 USC § 1320d-5)

Civil Penalties for HIPAA Violations

The “American Recovery and Reinvestment Act of 2009” (ARRA), which was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Criminal Penalties for HIPAA

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Covered Entity and Specified Individuals

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

Knowingly

The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.

Exclusion

The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).

Enforcing Agencies

The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.

Please refer to the AMA's FAQs on the privacy regulations for additional information on enforcement of the privacy standards.

No Private Cause of Action

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.

Frequently Asked Questions

What is a Personal Health Record (PHR)?

A PHR is an electronic health record that the consumer maintains. It contains identifiable health information usually maintained by the consumer, although a health care provider may facilitate its use and populate the record with permission of the consumer. PHRs are becoming more widely used by consumers, and PHR vendors are generally not covered by HIPAA. Companies such as Personal MD and Dossia serve Wal-Mart, AT&T, and Intel. Google has launched Google Health, and its competitor has initiated Microsoft HealthVault.

Companies that maintain health records but are not covered entities or business associates of a covered entity (CE) are not federally liable for privacy or security, and there is legislative movement to create law to change that fact. Because PHRs are under consumer control, there is greater privacy risk.

Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of Health and Human Services is not secure. If data is not encrypted or destroyed, it is not secure. Data that is truly encrypted or destroyed cannot be breached.

There are two types of data encryption:

  • Encrypting data at rest, such as laptop and notebook hard drives and databases
  • Encrypting data in transit, such as securing Web connections, VPNs, and wireless networks

What is an Electronic Health Record (EHR)?

An electronic health record consists of health-related information that is created, gathered, managed, and authorized by health care clinicians and personnel. The belief of the government is that widespread use of EHRs will not occur until the public is assured that the privacy of their health information is secure. Hospital workers inappropriately accessing celebrity health information, such as that of Britney Spears, has been an impetus to hold individuals, as well as facilities, responsible for breaches of EHRs.

What is an Electronic Breach?

A breach is an unauthorized acquisition, access, use, or disclosure of protected health information relating to failure to comply with organizational security or privacy policies, or violation of federal or state privacy and security regulations. Accessing information by an employee of a covered entity, in good faith, is not considered a breach.

Helpful Tip


We recommend requiring all employees to re-sign your agency’s privacy policies annually. This act can become a reminder of the importance of privacy and confidentiality in the organization. Failure to comply with HIPAA can result in civil and criminal penalties.


HIPAA Basics for Providers

Admin
Compliance, HIPPA

History of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules were established to protect the privacy and security of health information and provide individuals with certain rights to their health information. Among other provisions, the Privacy Rule sets standards for when protected health information (PHI) may be used and disclosed, while the Security Rule requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access. The Breach Notification Rule requires HIPAA covered entities to notify the Department of Health & Human Services (HHS), affected individuals, and in some cases the media (and business associates to notify covered entities) of breaches of unsecured PHI. You play a vital role in protecting the privacy and security of patient information. This fact sheet gives a basic overview of the rules, the information protected by the rules, and who must comply with the rules.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes standards for the protection of PHI held by covered entities and their business associates (defined below) and gives patients important rights with respect to their health information. Additionally, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

Protected Information

The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to the following:

  • The individual’s past, present, or future physical or mental health or condition;
  • The provision of health care to the individual; or
  • The past, present, or future payment for the provision of health care to the individual.

PHI includes many common identifiers, such as name, address, birth date, and Social Security Number.

HIPAA Security Rule

The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of ePHI.

Implementation

Covered entities and business associates must develop and implement policies and procedures to protect the security of ePHI that they create, receive, maintain, or transmit. Each entity must analyze the risks to the ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate for a particular entity will depend on the nature of the entity’s business, as well as the entity’s size, complexity, and resources.

Frequently Asked Questions

What is the HIPAA Breach Notification Rule?

The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS in a log or other documentation annually. The Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. Table 1 displays the notification timelines.

Table 1. Breach Notification Timelines

| Providing Notification To… | Breach Involved Fewer Than 500 Individuals | Breach Involved 500 or More Individuals |
|---|---|---|
| Individuals | No later than 60 days from discovery | No later than 60 days from discovery |
| HHS | Submit a log of all breaches once a year, no later than 60 days after end of calendar year | At same time as notice to individuals, no later than 60 days from discovery |
| Media | N/A | No later than 60 days from discovery |

Who Must Comply With HIPAA Rules?

Covered entities and business associates must follow HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules. For a complete definition of a covered entity and a business associate, refer to http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf on the U.S. Government Publishing Office website.

Who are Covered Entities?

Covered entities electronically transmit health information. The following covered entities must follow HIPAA standards and requirements:

  • Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Plans: Any individual or group plan that provides or pays the cost of health care.
  • Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa.

Who are Business Associates?

A business associate is a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. If a covered entity enlists the help of a business associate, a written contract or other arrangement between the two must:

  • Detail the uses and disclosures of PHI the business associate may make; and
  • Require that the business associate safeguard the PHI.

What Are Covered Entities and Business Associates?

Health Care Provider

This includes:

  • Chiropractors
  • Clinics
  • Dentists
  • Doctors
  • Nursing homes
  • Pharmacies

Health Plan

This includes:

  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, along with the military and veterans’ health care programs
  • Health insurance companies
  • Health Maintenance Organizations

Health Care Clearinghouse

This includes:

  • Billing services
  • Community health management information systems
  • Repricing companies
  • Value-added networks

Business Associates

Business associates provide services to covered entities that include:

  • Accreditation
  • Billing
  • Claims processing
  • Consulting
  • Data analysis
  • Financial services
  • Legal services
  • Management administration
  • Utilization review

NOTE: A covered entity can be a business associate of another covered entity.

What Government Agency is Responsible for Enforcement?

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. For more information on the enforcement process, visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement on the HHS website. Violations may result in the imposition of civil monetary penalties. In some cases, criminal penalties may apply, enforced by the Department of Justice.

  • Case example of a settlement: Two covered entities inadvertently posted ePHI for 6,800 individuals to the Internet, including patient status, vital signs, medications, and laboratory results. The investigation found that neither entity made efforts to assure the security of the server hosting the ePHI or confirm it contained adequate software protections. Neither entity developed an adequate risk management plan that addressed potential threats and hazards to ePHI. The entities agreed to pay a combined settlement of $4.8 million and enter into corrective action plans.
  • Case example of a criminal prosecution: A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for personal gain. He faces up to 10 years in prison.

Where Can I Go for More Information About HIPAA?

For more information about the HIPAA Privacy Rule and the HIPAA Security Rule, visit http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/PrivacyandSecurityStandards.html on the Centers for Medicare & Medicaid Services (CMS) website.


Helpful Tip


For some peace of mind, have a written information security program, an active HIPAA privacy program, and a living Corporate Compliance Program.
