Hospitals falling short on implementing bar code medication administration

Ever noticed the steps nurses have to go through when they administer medications in the hospital? Scanning, typing, asking the patient for name and birthday – these steps protect patient health and hospitals from liability. Despite how useful these steps are for reducing medication errors, the Leapfrog Group found that not all hospitals are using them effectively.

Only 30 percent of hospitals are meeting standards

In the 2017 report on medication safety, Castlight Health analyzed hospital use of bar code medication administration (BCMA) and computer physician order entry (CPOE) systems. Although Leapfrog’s standard standards include implementation of a BCMA to cover 100 percent of a hospital’s intensive care and medical/surgical units, along with several important processes, only 30 percent of hospitals met all four of Leapfrog’s criteria.

BCMA systems

A BCMA system requires the administering nurse to scan a bar code on the patient’s wristband and then scan the bar code on the medication. This ensures that the “Five Rights of Medication Administration” are met: right patient, drug, dose, time, and route. The Leapfrog Group developed the first industry standard for BCMA adoption and included measurement elements in its 2016 hospital survey. One of Leapfrog’s standards requires scanning both bar codes for 95 percent of bedside administration in units with BCMA systems.


Although 97.8 reporting hospitals have a BCMA system in at least one inpatient unit connected to their electronic medication administration record, only 30 percent of the hospitals fully met the standard. A remaining 35 percent fulfilled three out of the four, and 26 percent met two of the criteria.

The most commonly unmet requirement was integration of Leapfrog’s seven decision support elements. These support elements are ensuring that the patient, medication, dose, and time are correct as well as checking for vital signs, performing a patient-specific allergy check, and having a second nurse perform a check. Out of these elements, the vital sign check was the most frequently lacking at 80 percent. Hospitals also failed to adhere to Leapfrog’s best practice processes and workaround prevention, which require (1) formal BCMA use committee; (2) back-up systems for hardware failure; (3) a help desk; (4) observation of BCMA users; and (5) engaging nursing leadership.

Reporting issues

In addition to the BCMA elements in the hospital survey, Leapfrog’s CPOE Evaluation Tool allows hospitals to download simulated data and input patient and medication combinations into their systems. Hospitals then track the alerts generated by the system and are scored based on correct alerts. Leapfrog noted that although more hospitals have been meeting the CPOE standards, an additional 26 percent of reporting hospitals failed to meet these standards. Only 22 percent of hospitals that reported CPOE and BCMA data fully met all standards. Leapfrog noted that some hospitals are not reporting their data at all, and noted that this can cause a serious gap in understanding hospital medication safety because Leapfrog is the only organization that publicly reports this data.

Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations of an increasing number. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance.  She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found since 2009 that 1,798 “large data breaches” involving patient information since 2009 had been reported by health care providers to the OCR.  Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches.  Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers.  These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters.  The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported.  The need for increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete a security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Physician practices get tips for effective communication, training, vetting

Compliance officers often encounter problems ensuring physician compliance within physician practices and face difficulties when communicating with physician practice groups. When addressing physician practice issues, Betty Baber-Kinsey, Physician Practice Compliance Officer, Tenet Healthcare, considers such things as how to get in front of potential issues before they occur, how physicians are employed, how to vet new products or new procedures, and coding and prescribing issues. Baber-Kinsey addressed these various issues at the 2017 Health Care Compliance Association Compliance Institute on March 26, 2017.

Effective communication

A compliance officer dealing with multiple physician practices is likely to face difficulties communicating across in part due to the makeup, size, and locations of the practices, Baber-Kinsey said. One decision that has to be made is whether the message is delivered in person or remotely. Baber-Kinsey suggested four methods of communication across practices. Messages can cascade down from the top executives or the board of directors to management and then staff, can be delivered through videos, or through web-ex sessions. Baber-Kinsey also recommended monthly recurring calls and bi-weekly operations calls. She noted that monthly practice managers meetings are recorded and minutes are taken.


Baber-Kinsey stressed that training was all about the buy-in. She approaches training in three ways: live training, computer courses with a test, and video training. Training topics include conflicts of interest, vendor relationships, the Yates Memo, and the Physician Payments Sunshine Act (Section 6002 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) codified at Social Security Act Sec.1128G). Baber-Kinsey pointed out that video training works for new hires, for staff annual refresher training, and in specialized or targeted sessions. For annual refresher training she suggested incorporating multiple topics to reach all levels of employees within the practice, including physicians, clinical staff, billers, and coders. She suggested including videos from other sources to let the staff being trained know the issue is universal and does not apply only to them. It is important to include humor, she added.

Vetting new physicians

Baber-Kinsey uses a physician practices onboarding checklist to ensure that physicians are properly vetted. The checklist enables her to “know what they are getting before the [physicians] walk through the door.” The checklist provides who, what, and when or, as she put it, the “What, Documented, Billed.” The vetting process takes about 18 weeks. The first four weeks are involve business development and due diligence including credentialing and information technology (IT) assessments. Weeks 5 – 8 involve credentialing, human resources (HR) and IT operations. Weeks 9 – 12 involve operations, HR, and start of marketing. Weeks 13 – 16 involves operations and completion of credentialing. Baber-Kinsey emphasized that onboarding process is not finished until a billing clearance audit is completed and within goal, which means that the physician’s billing error rate is 5 percent or less.

Alternative lines of business

The latest trend for physicians is providing an alternative line of business, according to Baber-Kinsey.An alternative line of business means any items and/or products that may not fit into traditional lines of service for the primary or specialty care practice,” according to Baber-Kinsey. Examples of alternative lines of business include supplements, cosmetic procedures and services, and oncology infusion. Baber-Kinsey recommends getting in front of the alternative line of business before a physician is hired. Tenet Healthcare has a policy and procedure that addresses new and alternative lines of business.

Kusserow on Compliance: Compliance culture a key measure of program effectiveness

The compliance culture is the set of shared attitudes, values, goals, and practices that characterizes an institution or organization when it comes to compliance with laws, regulations, rules, standards, code of conduct, and policies.   Oversight agencies believe the compliance program should be a change agent in promoting a culture of compliance that creates an environment less likely to have regulatory or enforcement problems.  This means establishing a culture in which everyone in the work environment embraces and adheres to rules, regulations, laws, code of conduct, and policies.  The Department of Justice (DOJ) and the HHS Office of Inspector General (OIG) frequently encounter organizations with compliance programs that exist on paper, but that culturally failed to be effective in operation. Compliance officers should find means to evidence that the culture of the organization matches the compliance goals.

Positive compliance culture promotes good business

Carrie Kusserow, with over 15 years’ experience as a compliance officer and consultant, makes the case that a good compliance culture is also good for business and does not just serve as a “cost center.” She notes there are many positive benefits to be derived from the effort. She offered the following points in her argument.

  • Organizations are less likely to have liabilities, arising from wrongful behavior.
  • Evidence suggests compliance-committed organizations are more efficient.
  • Lower employee turnover occurs when the organization culture is to abide by rules and standards.
  • There exists greater employee commitment to compliance with laws, rule, code of conduct and policies.
  • Employees feel less pressure to compromise company standards to achieve company goals.
  • Employees are empowered to report wrongful behavior and misconduct internally, not externally.

Compliance culture surveys evidence compliance program effectiveness

Steve Forman, CPA has been using compliance culture surveys for the last 20 years, both as a compliance officer and as a compliance consultant. He believes that one of the best and most inexpensive methods for evaluating, evidencing, and benchmarking compliance program effectiveness is through a compliance culture survey that measures employee perceptions of ethical culture and/or the compliance program. He likes using this type of survey, alternately with a compliance knowledge survey that tests employee knowledge of the program. He points to the fact that the OIG recommends this in its Compliance Program Guidance, wherein it noted that “as part of the review process, the compliance officer or reviewers should consider techniques such as . . . using questionnaires (employee surveys) . . . developed to solicit impressions of a broad cross-section of . . . employees and staff.” Results from a professionally administered survey provide a very powerful and credible report to the compliance oversight committee, as well as to any outside authority questioning the program. They can also identify relative strengths in the compliance programs, as well as those areas requiring special attention that are invaluable for compliance officers.

Compliance survey benefits

Conducting a compliance survey provides numerous benefits to an organization.  For example, it can:

  • provide outcome measurements for the compliance program;
  • serve as critical evidence in determining the degree of effectiveness of the compliance program;
  • identify program strengths and potential weakness warranting attention;
  • evidence the extent of individual and leader commitment to compliance;
  • assess the current state of the compliance climate or culture of an organization;
  • communicate a positive message that employee opinions and perceptions are valued;
  • underscore organization commitment to employees;
  • increase management attention on what is being measured;
  • provide metrics as to progress in developing an effective compliance program;
  • benchmark compliance program effectiveness improvement;
  • signal the organization as to employee attitudes and perceptions;
  • tell employees that what they believe and understand is important; and
  • provide guidance as to where improvements are needed.

Benchmarking compliance program progress

Jillian Bower, with many years of experience in administering compliance surveys, as well as serving as interim compliance officer, notes the OIG compliance guidance says that “the existence of benchmarks that demonstrate implementation and achievements are essential to any effective compliance program.”  Surveys can be used to meet that standard. If the survey being used is anchored in a large database of users, the organization can benchmark them against that universe, viewed as very important by most organizations. Furthermore, an initial survey can establish a baseline from which future surveys can be used to benchmark progress of the compliance program. The surveys can benchmark and measure change in the compliance environment over a period of time. However, Bower warns it is inadvisable to use the same survey annually, as significant changes among the work force takes time to show results.

Alena Treen, of the Compliance Resource Center (CRC), has many years’ experience in administering compliance surveys. She explained that culture surveys focus on the beliefs and values which guide the thinking and behavior of employees within an organization. They are usually presented in a Likert Scale format that offer a series of gradation in which respondents are asked whether they “Strongly Disagree,” “Disagree,” are “Neutral,” “Agree,” or “Strongly Agree,” with the statement presented in each item. This is in contrast with a compliance knowledge survey designed to learn how much employees know about the program with questions answerable as yes or no. She notes it is highly advisable to use a valid and independently web-based administered survey that has been tested over many organizations and ensures participant confidentiality. Using a professional survey service specializing in health care compliance is surprisingly inexpensive and less costly than developing and delivering a survey in house that doesn’t carry the same level of credibility. The CRC has been using the Compliance Benchmark Survey© since 1993 and has been employed by hundreds of health care organizations and over a half million surveyed population. Treen normally deals with reports that are about 50 pages in length that provide advice on each topical area and question as to how improvements may be made.   Clients find that comparing their results with the universe to be the most beneficial information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.