Kusserow on Compliance: Compliance officers’ checklist—25 suggestions

Health care organizations are facing increasing risk of exposure to actions by government regulators or enforcement authorities. Government authorities are conducting aggressive investigations and taking actions to hold entities and responsible corporate executives more accountable. It is well understood that having an effective compliance program is a necessity to prevent and detect misconduct that could give rise to liabilities. Despite the abundance of guidance pertaining to corporate compliance, achieving a program that is effective in reducing the likelihood of unwanted events or actions that could give rise to liabilities remains a continuing challenge. The following are suggestions that Compliance Officers may wish to consider during the course of the year.

Ensure That…

  1. A charter for the Compliance Officer function provides proper empowerment and authority.
  2. Minutes of Board and executive oversight committee evidence proper support and oversight.
  3. A clear and consistent message is communicated to everyone that compliance applies to all, regardless of position.
  4. Program managers are engaged in ongoing monitoring over their areas, including risk identification, policies addressing those risks, training of their staff on them, and verifying they are adhering to them.
  5. The code of conduct (code) is written as the “Constitution” for the compliance program, setting forth commitments to the patients being served, staff performing the services, safety of the work environment, and adherence to applicable laws, regulations, and standards.
  6. The code is understandable by all employees; written at no higher than 10th grade level.
  7. Policies and procedures reflect in detail what must be followed to adhere to the code.
  8. Compliance program-related policies/procedures are up to date.
  15. A document management system tracks changes, revisions, and rescissions in policies.
  16. Adequate written guidance is in place for all risk-related aspects of the organization’s
  11. There is evidence that managers/executives are held responsible for supporting compliance.
  12. Adequate resources and support for the compliance program is evidenced in the record.
  13. Periodic independent assessments are made to evidence compliance program effectiveness.
  14. All deficiencies found in reviews are remediated quickly and documented.
  21. The hotline is tested to ensure calls are answered and reported promptly and accurately.
  16. Available metrics are used to confirm the hotline and other channels of communication are
  17. Compliance training and education effectively convey the commitment to compliance.
  18. There is evidence of employee understanding of compliance education programs.
  19. Employee participation in training is documented and filed.
  20. Policies address timely self-disclosures of overpayments and potential violations of law or regulation.
  21. Meaningful and consistent discipline occurs for conduct that violates the code.
  22. A process is in place to capture lessons learned from costly errors resulting from compliance weaknesses.
  23. Assessments are being conducted for all high-risk areas and corrective actions for identified weaknesses.
  24. Periodic surveys of employees measure and evidence employee understanding of the compliance program and the compliance culture of the organization.
  25. Compliance is included in management performance reviews and compensation.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1), a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement the standards and their required implementation specifications and, when appropriate and reasonable, the addressable implementation specifications, through risk analysis, risk management, a sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities covering the electronic protected health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets with like characteristics can be grouped into a common category for purposes of the inventory—for example, if workstations hold the same number and type of e-PHI records, they can be grouped into one asset category. In addition, to save time and money, organizations should start with lists that have already been created for financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for the organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust the controls that are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.

Addressing the challenges behavioral health patients present when in crisis

Access to proper treatment for patients with behavioral and mental health issues has become a major issue in the United States and has received attention from the public and Congress. But there are unique issues when a behavioral health patient appears at a hospital emergency room and the hospital must abide by the Emergency Medical Treatment and Active Labor Act (EMTALA) (42 U.S.C. §1396dd). Catherine M. Greaves, counsel, and Kristin M. Roshelli of King & Spaulding, LLC addressed the challenges hospitals face in emergency situations with behavioral health patients in a Health Care Compliance Association webinar held on July 25, 2017.

The behavioral health patient and EMTALA

When a patient comes to the hospital’s emergency department (ED) with a behavioral health condition and requests emergency treatment, the patient (1) may be a danger to themselves or to others, (2) may lack orientation, interfering with his or her ability to meet basic needs such as nutrition or safety, or (3) may have an underlying mental illness. Patients may be suicidal or homicidal, assaultive or combative, delusional or psychotic, or experiencing withdrawal from drugs or alcohol.

Hospitals must ensure that EMTALA requirements are met, including conducting a medical screening examination as well as a psychiatric evaluation, properly stabilizing the behavioral health patient if an emergency medical condition (EMC) exists, and addressing transfer issues, including the vehicle used for the transfer. In addition, the hospital must have policies and procedures that adequately reflect EMTALA requirements and must provide education and training on serving behavioral health patients for the ED and other hospital staff, including security. If the hospital is in a state with laws requiring mental health patients to be evaluated and treated at designated facilities, those laws may clash with or be more stringent than EMTALA; even so, hospitals must not disregard EMTALA requirements.

Concerns specific to behavioral health patients

Greaves said that EDs have become the “de facto dumping grounds for psychiatric patients.” One out of every 8 ED visits is for a mental health disorder or substance abuse, which represents a large percentage when compared to the population as a whole. In addition, she pointed to a 2008 survey conducted by the American College of Emergency Physicians that found that 99 percent of emergency physicians reported admitting behavioral health patients daily. According to Greaves, much of this is due to the lack of available designated psychiatric hospital beds and the decrease in state facilities for behavioral health patients. Currently, there are only 14 beds available per 100,000 people, which represents a decrease of 90 percent since the 1990s and is the same number of beds that were available in 1850. The optimal number of beds is 50 per 100,000.

Medical screening examination (MSE) for behavioral health patients

The MSE for behavioral health patients consists of two steps: an initial medical screening to rule out underlying medical or organic causes for the symptoms, followed by a psychiatric review once medical clearance has been determined. Greaves stressed the importance of conducting the medical screening examination before the psychiatric evaluation in order to rule out medical conditions that can trigger behavioral symptoms. As examples, she noted that drugs and alcohol can mask underlying medical conditions, and that infections, especially in the elderly, can trigger psychiatric behavior. She also emphasized that the screening must be conducted by appropriate hospital personnel.

Stabilization

Greaves noted that patients with behavioral health conditions are not quickly stabilized. Patients must be stabilized enough to tolerate a transfer or be discharged. Hospitals should consider whether the patient is protected and prevented from injuring or harming self or others, whether chemical or physical restraints are being used, and whether the underlying EMC is stabilized. Although some patients refuse treatment, suicidal patients may not refuse medical and psychiatric evaluations and stabilizing treatment. If the patient is being transferred under restraint for stabilization, the hospital must consider how long the stability will last and how long the trip will take.

If the ED decides to transfer a patient who is not stable, the physician must explain the reason for the transfer and certify that the benefits outweigh the risks. The transfer must also comply with all of the other EMTALA regulations: within the hospital’s capabilities, treatment must be provided to minimize the risk of harm, a receiving facility that agrees to accept the transfer must be contacted, and appropriate information must be sent to the receiving facility.

Transfer challenges

Behavioral health patients are transferred at higher rates than nonpsychiatric patients, with much longer wait times for the transfer because of difficulty locating an available bed amid a national shortage, insurance acceptance and prior authorization delays, and arranging transportation. When it comes to choosing the vehicle to transport behavioral health patients, there is no single method that is foolproof. Hospitals should balance minimal interference with the patient’s dignity and self-respect, reduce the likelihood of harm to self or others, and prevent the transport experience from being perceived as a traumatic event.

Options for transportation include an ambulance, a police car, a private vehicle, and a hybrid, but all present problems. An ambulance may not be a good choice because it is filled with objects that can be used to harm self or others and there is no barrier to protect the driver. A police car may traumatize the patient, a support person is not allowed, there is no established protocol for safe transport of behavioral health patients, and there is limited ability to intervene if a medical emergency occurs during transport. In addition, both ambulances and police vehicles bring a public cost. Private vehicles should not be used because family members are generally not capable of providing appropriate care. Some states’ laws allow variations that make up a hybrid, which may include the involvement of Mental Health Crisis Teams or unmarked police vehicles.

Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled “HIPAA: Marketing and Contracting Solutions for Health IT Vendors.” William J. Roberts, partner at Shipman & Goodman LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and that in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

Pitches

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including its establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or several for different types of customers. Roberts advised knowing what the vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, a bare-bones breach notice within five days or a more thorough notice at 15 days.

If customers are or might someday be substance abuse treatment providers, the vendor should consider this same approach for qualified service organization agreements. The vendor should review its customers and potential targets for the application of the “Part 2” confidentiality rules and include a provision in the agreement requiring the customer to notify the vendor of the customer’s status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.