Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled HIPAA: Marketing and Contracting Solutions for Health IT Vendors. William J. Roberts, partner at Shipman & Goodman LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

Pitches

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including its establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or more than one for different types of customers. Roberts advised knowing what a vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, barebones breach notice within five days or a more thorough notice at 15 days.

If customers are or might someday be substance abuse treatment providers, the vendor should consider this same approach for qualified service organization agreements. The vendor should review its customers and potential targets for the application of the “Part 2” confidentiality rules and include a provision in the agreement requiring the customer to notify the vendor of the customer’s status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.

House Committee urged to extend funding for federal safety net programs

Extend funding for the Children’s Health Insurance Program (CHIP) to ensure continuity of coverage for children, particularly in light of the current uncertainty surrounding other sources of health coverage in the U.S., witnesses urged at a House Committee on Energy and Commerce hearing titled “Examining the Extension of Safety Net Health Programs.” The purpose of the hearing was to examine the extension of funding for two federal safety net health programs that provide health care and coverage for low-income adults and children, CHIP and the Community Health Center Fund (CHCF).

CHIP

CHIP is a program that provides health coverage to targeted low-income children and pregnant women in families that have annual income above Medicaid eligibility levels but have no health insurance. It is jointly financed by the federal government and states, and the states are responsible for administering the program. A memo from the committee majority staff states that in fiscal year (FY) 2015, 8.4 million children received CHIP-funded coverage.

Section 2101 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) increased the CHIP enhanced federal medical assistance percentage (E-FMAP), which varies by state, by 23 percent from October 1, 2013 through September 30, 2019. Since the ACA did not include additional or extended funding for CHIP, MACRA extended funding through September 30, 2017. The Medicaid and CHIP Express Lane Option, Child Enrollment Contingency Fund, CHIP Qualifying State Option, and CHIP Outreach and Enrollment Grants also expire September 30, 2017.

At the hearing, Cindy Mann, partner at Manatt, Phelps & Phillips, touted the success of CHIP, which covers 8.9 million children nationwide. She stated that Congress must consider the overall level of funding for CHIP, in addition to the E-FMAP funds, which “are now fully integrated into states’ budgets and a key source of funding for sustaining CHIP.” She said that Congressional action is needed as soon as possible to ensure program continuity, budget certainty for states, and stable coverage for children, particularly those with special health care needs. She urged a five-year extension instead of two to provide needed stability (see Extend CHIP, protect DSH payments, MACPAC tells Congress, March 16, 2017).

Jami Snyder, Director of the Medicaid and CHIP programs for the state of Texas, noted that a decision to not reauthorize the CHIP program would result in a loss of over $1 billion in annual funding to the state of Texas and a loss of coverage for more than 380,000 Texas children.

Health Center Program

The Health Resources and Services Administration’s (HRSA) Health Center Program, authorized under Section 330 of the Public Health Service Act, awards grants to federally qualified health centers (FQHCs). The program is supported by discretionary appropriations and the CHCF, a mandatory multibillion-dollar fund established by Section 10503 of the ACA. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) extended funding through fiscal year 2017. According to the staff memo, the CHCF represents over 70 percent of the Health Center Program’s FY 2016 funding.

Michael Holmes, the chief executive officer of Cook Area Health Services, an FQHC in Minnesota, testified that as a result of CHCF investments new FQHCs were added in more than 1,100 communities. With the extension nearing its expiration date, he “strongly urged” Congress to renew funding for at least five years to allow FQHCs to provide a stable and reliable source of access to patients and to recruit and retain a comprehensive health care workforce.

Webinar gives tips on navigating physician peer review process

Hospitals and compliance officers should know the reporting requirements of the Health Care Quality Improvement Act (HCQIA) (42 U.S.C. §11101 et seq.) and be “very strict” in complying with the four standards to obtain immunity from damages. In a Health Care Compliance Association webinar entitled Physician Peer Review: 10 Steps to Navigating the Process, Theresamarie Mantese and Fatima M. Bolyea, health care attorneys at Mantese Honigman, PC, gave practical tips on dealing with the process of physician peer review.

Federal and state reporting requirements

HCQIA (42 U.S.C. §11133) requires health care entities to report the following “reportable events” to the applicable state board of medical examiners: (1) a professional review action that adversely affects the clinical privileges of a physician for a period longer than 30 days; (2) the surrender of clinical privileges while the physician is under an investigation by the entity relating to possible incompetence or improper professional conduct, or in return for not conducting such an investigation or proceeding; or (3) in the case of a professional society, a professional review action by the professional society that adversely affects the membership of a physician in the society.

Mantese noted that it is important to know both federal and state requirements, since state requirements can be more stringent. For example, in Michigan reporting requirements are triggered when a disciplinary action affects a health professional’s privileges for more than 15 days.

Compliance officers must also clearly define “investigation” so that they know when reporting requirements are triggered. While the NPDB Guidebook defines “investigation” broadly, a general review of physicians for overall performance in relation to each other is not an investigation.

Immunity from damages

HCQIA (42 U.S.C. §11112(a)) provides that hospitals and other participants are immune from damages if the professional review action was taken: (1) in the reasonable belief that the action was in the furtherance of quality health care; (2) after a reasonable effort to obtain the facts of the matter; (3) after adequate notice and hearing procedures; and (4) in the reasonable belief that the action was warranted by the facts. Compliance officers should, said Mantese, be “very strict” in attempting to comply with these standards. She said the third prong is where the most litigation happens and is one of physicians’ strongest arguments in challenging a professional review action.

HCQIA immunity applies to money damages only, not to equitable relief such as reinstatement or the striking of a report. Mantese said, however, that if immunity applies, a request for equitable relief usually fails, too.

Notices

Under 42 U.S.C. §11112(b), the hospital is required to give the physician notice of a proposed action. If the notice is deficient, the physician should challenge it. Mantese encouraged compliance officers to have a template of a notice to ensure that the fundamental features are included. She emphasized that each notice should be compliant, even if the same information is repeated across notices; several notices cannot be taken together to create completeness.

Hospital policies

The presenters emphasized the importance of adequate hospital policies and bylaws, including the appeal rights of physicians after a peer review hearing. For example, the bylaws are critical in determining what records the physician can obtain from the hospital. A fair hearing plan is also a good idea in case the physician claims that the hospital arbitrarily denied a request for documents. According to Mantese, hospitals should consider providing the physician with as much information as possible—the more information the physician has about an issue, the less likely he or she is to bring litigation, and the case is more likely to be dismissed if litigation does ensue.

Peer review hearing

If the physician requests a hearing on a timely basis, then a hearing must be held (as determined by the health care entity) before: (1) an arbitrator mutually acceptable to the physician and the health care entity; (2) a hearing officer who is appointed by the entity and who is not in direct economic competition with the physician; or (3) a panel of individuals who are appointed by the entity and are not in direct economic competition with the physician involved. A panel usually consists of other physicians on staff at the hospital.

During the hearing, the physician has the following rights: (1) representation by an attorney; (2) a record of the proceedings; (3) the ability to call, examine, and cross-examine witnesses; (4) the ability to present relevant evidence regardless of its admissibility in a court of law; and (5) the ability to submit a written statement at the close of the hearing.

A question that usually emerges is whether the panel members are in direct economic competition with the physician. If the physician raises this issue and the hospital has a number of people available to serve on the panel, it should simply replace that panel member.

The presenters strongly recommended having a court reporter at the hearing. Because a common point of contention is which party will cover the costs, they recommended splitting the cost between the provider and the physician. Mantese also emphasized that hearing “exhibits are very, very important.” One person should maintain control of the exhibits during the hearing, and no one should leave until all are marked and accounted for.

Post-hearing

After the hearing the parties should submit a brief written statement with proposed findings of fact. Pursuant to HCQIA, upon completion of the hearing, the physician involved has the right to receive (1) the written recommendation of the arbitrator, officer, or panel, including a statement of the basis for the recommendations; and (2) a written decision of the health care entity, including a statement of the basis for the decision.

Mental health services provider enters into $4M FCA settlement

A provider of in-home mental health services and two of its leaders agreed to pay a total of $4.5 million to settle allegations that they violated the federal False Claims Act (FCA) and the Minnesota False Claims Act by billing Medicaid for services that violated clinical supervision requirements. Under the agreement, Complementary Support Services (CSS) and related entities will pay $4 million, its president will pay $400,000, and an executive will pay $120,000.

According to Acting U.S. Attorney Gregory G. Brooker and Minnesota Attorney General Lori Swanson, CSS provided in-home mental health services to children and adults through two Medicaid programs that restrict reimbursement to time spent providing face-to-face services with the patient and prohibit reimbursement for a therapist’s time completing paperwork. Both programs also require a licensed therapist such as a social worker or psychologist to clinically supervise patient care to ensure that the services are appropriate and medically necessary.

Between 2007 and 2016, however, CSS failed to submit claims that reflected signatures by the licensed professionals serving as clinical supervisors. Instead, CSS’ president “batch signed” the progress notes that formed the basis for billing Medicaid. In addition, CSS employees routinely added an extra billable unit for paperwork time to each client visit.

Local news reported that this case reflected a longstanding gap in Minnesota’s oversight of mental health services because CSS, like 200 other agencies, was unlicensed and not subject to routine regulatory oversight. In the wake of these allegations, the state began reviewing its oversight of mental health agencies.

As a part of the settlement, CSS is permanently excluded from participating in federal and state health care programs. The president agreed to an exclusion of at least eight years, and the executive agreed to an exclusion of at least five years.