Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average enforcement penalty has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement because of lack of jurisdiction, because complaints were untimely or withdrawn by the filer, or because the activity described didn’t violate HIPAA.

Cases that OCR closes fall into five categories:

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

  2. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

  3. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA Rules.

  4. Investigation results in corrective action. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

  5. Other. OCR may investigate a case if (a) DOJ is investigating the matter; (b) it was as a result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Using experts to staff gaps in the compliance office

It is becoming increasingly common for changes in compliance programs to lead to “gaps” that can leave an organization without day-to-day management or support. This can result in serious problems and potential liability, especially at a time when mandatory compliance requirements are under development and there are increasing expectations for compliance by the Department of Justice (DOJ), HHS Office of Inspector General (OIG), and CMS. With the heightened enforcement environment, leaving such a gap can be risky. All this makes the problem of finding a suitable, properly qualified replacement in a timely manner a relatively high priority, but not an easy task. In many cases, the gap is not with the chief compliance officer, but with compliance managers or other professionals in the office. In any case, the effort that goes into finding and hiring a properly experienced and qualified person may be difficult and time consuming. The quick fix of designating someone internally to do the work, until a permanent replacement can be recruited, is unwise and may be downright dangerous. For smaller organizations, it is not likely there is anyone who is sufficiently qualified to carry out all the duties. It is also not good for someone to take on those duties temporarily and make decisions that may haunt them when they return to their old job. Also, making some decisions, when not properly trained or qualified, may create a potential problem for the organization. What is worse is selecting someone to take on the role of compliance officer as a temporary set of secondary duties to their current job. This will always lead the individual to continue giving priority to their regular job and do as little as possible in compliance. As such, it is not surprising that many turn to engaging temporary experts to fill the gap until a suitable replacement can be found.

A properly qualified outside expert acting in a temporary capacity has a lot of advantages. They bring the experience of having served in other organizations and dealing with many of the same issues already addressed by prior jobs. Important also is that they have not been invested in any prior decisions, nor have they been aligned with any parties in the organization. Most importantly, they bring “fresh eyes” to the program. They can provide a lot of added benefits, such as:

  • Offering suggestions and giving guidance for improvements
  • Providing an independent assessment of the status of the compliance program
  • Making an assessment of high-risk areas that warrant attention
  • Giving ideas on building a firmer foundation for the compliance program
  • Reviewing adequacy of the existing code, compliance policies, and other guidance
  • Evaluating the quality and effectiveness of compliance training
  • Developing a “road map” for the incoming compliance officer to follow
  • Assisting in identifying and evaluating candidates for the permanent position
  • Assessing resources needed to effectively operate the compliance program
  • Identifying or building metrics that evidence compliance program effectiveness
  • Developing comprehensive briefings for management and board on the state of the program

 


Kusserow on Compliance: The value of surveying compliance professionals

There is great value in knowing where you are in relation to others

When asked to participate in a survey, it is worthwhile to know its purpose and why participating is worthwhile. In short, surveys are a method of gathering information from individuals. They can serve a variety of purposes. The survey should be considered as another confidential communication channel that permits sharing information with others in the compliance arena. The objective of the Compliance Benchmark Survey designed for compliance professionals is to permit compliance professionals to participate as a network in understanding what challenges their colleagues in other healthcare organizations are facing and preparing for 2018. It is a data collection tool utilized to describe the current state of affairs facing compliance professionals in the real world. As respondents share their thoughts and challenges anonymously with others, other compliance professionals benefit by knowing they are not alone in struggling to meet the challenges of compliance within their respective organizations. The Survey taps into what compliance professionals are thinking and finds useful information to assist in meeting challenges. Understanding what other compliance professionals are thinking and doing can assist in planning ahead to address the evolving challenges and expectations in an ever-changing regulatory and enforcement environment. Results from the Survey can help proactively identify and respond to trends and issues confronting compliance professionals. This in turn may lead to a decision to shift priorities.

 

Benefits of Survey Participation

  1. It permits benchmarking your compliance efforts with other professionals at other healthcare organizations and gaining insights into developing a more effective compliance program.

  2. By participating in the Survey, respondents will receive the analytical report of the results and a “free ticket” to a webinar hosted by a panel of compliance experts providing added feedback as to the significance of data collected and how it can be used in planning work for the upcoming year.

 


Kusserow on Compliance: Getting ready to evidence program effectiveness in 2018

In its compliance guidance, the HHS Office of Inspector General (OIG) calls for periodic evaluation of compliance program effectiveness. This can be done by a full field evaluation by experts; however, there are other methods that can help accomplish this end. One way to evidence effectiveness is measuring the compliance culture of the organization with a compliance culture survey. However, obtaining meaningful results requires using a professionally developed and independently administered instrument. Internally developed surveys have little value and are often considered suspect by those asked to participate in the process.

Dr. Cornelia Dorschmid, PhD, advises that a culture survey should be professionally developed, tested, and validated in order to obtain reliable and useful results, with the best results being anchored in a larger database for comparison of results. She was instrumental, along with a PhD behavioral scientist and a former HHS Inspector General, in developing the Compliance Benchmark Survey©, which has been in use since 1993. It uses a Likert Scale model, wherein respondents are asked to rate the question on a scale of one to five. Mean scores are computed for each item. Some question items are reverse-scored to control for response set (the tendency to respond in a given pattern), the “halo effect”. The survey also includes items known as validators that ensure that respondents are being candid in their responses and not trying to manipulate the survey.

Jillian Bower Concepcion, VP for the Compliance Resource Center, explained that the Compliance Benchmark Survey© has been widely used by hundreds of health care organizations with more than a half million employees surveyed. Results of this survey will assist in identifying compliance program strengths, as well as opportunities for improvement. Reports present employee perceptions with respect to five different dimensions and four compliance themes. The results by question, panel, and overall results can be compared and benchmarked against the universe of those who used the survey. The overall score level (i.e., sum of individual item scores) of the company is evaluated against the Health Care Compliance Index (HCCI©). An organization using the same survey over time can also benchmark its progress and measure improvement in the organization’s culture. For more information on compliance surveys, see https://www.complianceresource.com/publication-topics/compliance-surveys/

Steve Forman, CPA, a nationally recognized healthcare compliance consultant whose experience includes serving as an executive in the OIG and the CCO for one of the nation’s largest healthcare systems, has used the Compliance Benchmark Survey© since it was first introduced. He has found that survey results assist in identifying areas where attention is needed, which is very useful in maintaining and enhancing an effective compliance program. The results can tell you the “what”, but not the “why”, and as such he uses the information in talking to employees and conducting “focus group” meetings that can provide additional insights as to the full meaning of the information derived from the survey.

Al Bassett, JD, is another nationally recognized expert on healthcare compliance, who has been building and evaluating compliance programs for over 15 years. Prior to his work in compliance, he was a Deputy Inspector General and FBI executive. He noted that he has found the survey very valuable in assessing compliance program effectiveness. Results provide compliance officers with a road map to improving program effectiveness, and the cost of using the survey in evaluating the compliance program is only about 10 percent of a full field assessment by experts.
