Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1) a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement standards and required implementation specifications and to implement, when appropriate and reasonable, addressable implementation specifications through risk analysis, risk management, sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to include the electronic personal health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets can be grouped into a common category for purposes of the inventory—for example, if workstations hold the same number and type of e-PHI records, they can be grouped into one asset category. In addition, to save time and money, organizations should start with inventory lists that have already been created for financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for an organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust controls are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.

Compliance programs should keep a sharp eye on all communications

Every word written or spoken in connection with a health care practice presents the potential for risk. At a Wolters Kluwer webinar entitled “Health Care Communication Risks—From a Compliance Perspective,” two presenters pointed out various areas of concern and ways for compliance professionals to approach them. Robert Liles, managing partner at Liles Parker PLLC, and Paul Weidenfeld, chief legal officer of Exclusion Screening LLC, spoke from years of experience on topics such as criminal issues, administrative concerns, employment, and documentation.

Text messages

The presenters noted that smartphones, while convenient, have caused countless compliance issues. Communications as seemingly private and innocuous as a text message present a significant risk, as law enforcement can easily obtain information about texts that a service provider might tell a customer is unavailable. One example offered in the webinar told of a dentist who extracted a tooth from a sedated patient while on a hoverboard, then texted a video of the event to a friend; another example came from an office manager who texted her mother to tell her of pulling two teeth from a sedated patient.

Exam recordings

Many states have one-party consent laws for recording communications, and in such states only the party taping the conversation needs to know that it is being recorded. In these states, a patient might record a physician during an appointment or procedure without obtaining the physician’s permission. Such recordings can be used in malpractice cases; in one recent case, a patient who had started recording on his phone before a colonoscopy captured the physician making disparaging comments during the procedure. The presenters suggested posting specific policies concerning such recordings, recommending language that prohibits use of recording devices unless specifically permitted by the provider.

Reducing risk

The presenters spoke of the seven elements to an effective compliance program identified by the HHS Office of Inspector General:

  • implementing written policies, procedures, and standards;
  • designating a compliance officer and committee;
  • conducting effective training and education;
  • developing effective communication;
  • enforcing standards;
  • conducting internal audits; and
  • responding promptly to detected offenses and developing corrective action.

One important piece of a program is a compliance hotline that gives employees an opportunity to report compliance issues. Employees should be able to report anonymously, but also be able to provide their name with confidence in the organization’s confidentiality. Employees must be assured that they will not be retaliated against for reporting issues in the organization.

Hospital compliance programs need to integrate explanted device policy

Medicare requires that for explanted medical devices—implantable devices that are removed due to recall, advisory, malfunction, failure, or early battery depletion—the provider pursue a free replacement or reduced charges under warranty. The failure to do so results in an overpayment to the provider or hospital, which must then be repaid to CMS. In a Health Care Compliance Association (HCCA) webinar, Jesse Schafer, Explant Control Manager, Mayo Clinic, and Peter Casady, CEO and Co-Founder, Champion Healthcare Technologies, discussed best practices for medical device warranty credit failures and related HHS Office of Inspector General (OIG) audits.

Since 2010, the OIG has conducted six audits specifically for credit failures on medical device warranties, and found overpayments ranging between $30,000 and $300,000. In these cases, the warranty credit failures occurred because the hospitals:

  • did not pursue available credits;
  • did not report credits received;
  • did not have adequate internal control procedures to coordinate functions among various departments; or
  • relied upon the vendor to manage the device return and credit process (and gaps resulted).

Schafer recommended a workflow spanning the departments involved, including compliance, coding, clinical, pathology, supply chain / contracting logistics, accounts receivable, and patient financial services. Hospitals should (1) identify explanted devices that are eligible for warranty credits due to performance issues; (2) secure eligible explanted devices; (3) make sure the devices are returned to the vendor for warranty claims; (4) follow up on warranty claims to confirm approval; (5) make sure the provider then receives the credit or a no-charge replacement; and (6) adjust claims for credits that are greater than or equal to 50 percent of the device cost.

Hospitals falling short on implementing bar code medication administration

Ever noticed the steps nurses have to go through when they administer medications in the hospital? Scanning, typing, asking the patient for name and birthday – these steps protect patient health and hospitals from liability. Despite how useful these steps are for reducing medication errors, the Leapfrog Group found that not all hospitals are using them effectively.

Only 30 percent of hospitals are meeting standards

In the 2017 report on medication safety, Castlight Health analyzed hospital use of bar code medication administration (BCMA) and computer physician order entry (CPOE) systems. Although Leapfrog’s standards include implementation of a BCMA system covering 100 percent of a hospital’s intensive care and medical/surgical units, along with several important processes, only 30 percent of hospitals met all four of Leapfrog’s criteria.

BCMA systems

A BCMA system requires the administering nurse to scan a bar code on the patient’s wristband and then scan the bar code on the medication. This ensures that the “Five Rights of Medication Administration” are met: right patient, drug, dose, time, and route. The Leapfrog Group developed the first industry standard for BCMA adoption and included measurement elements in its 2016 hospital survey. One of Leapfrog’s standards requires scanning both bar codes for 95 percent of bedside administration in units with BCMA systems.
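The two-scan check described above, as an added illustration that is not code from the article, from Leapfrog, or from any BCMA vendor; the order record layout, the 30-minute timing window, and the NDC-style bar code values are assumptions made for the example:

```python
# Added example: a minimal "Five Rights" check of the kind a BCMA system runs after
# the nurse scans the patient's wristband and then the medication bar code.
# Order format, timing tolerance and bar code values are assumed, not from the article.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    """One active order from the electronic medication administration record."""
    patient_id: str   # value encoded on the patient's wristband
    ndc: str          # value encoded on the medication bar code (assumed NDC-like)
    dose: str
    route: str
    due: str          # ISO-8601 scheduled administration time
    window_min: int = 30  # assumed tolerance around the due time


# Constructed sample MAR: two doses of one drug for P001, one IV drug for P002.
MAR = [
    Order("P001", "NDC-A", "500 mg", "PO", "2017-06-01T09:00"),
    Order("P001", "NDC-A", "500 mg", "PO", "2017-06-01T21:00"),
    Order("P002", "NDC-B", "2 mg", "IV", "2017-06-01T09:00"),
]


def check_five_rights(wristband_id, med_barcode, med_dose, med_route, scanned_at, orders):
    """Return the list of violated rights; an empty list means administration may proceed."""
    scan_time = datetime.fromisoformat(scanned_at)
    # Right patient: the wristband must match at least one active order.
    patient_orders = [o for o in orders if o.patient_id == wristband_id]
    if not patient_orders:
        return ["patient"]
    # Right drug: the medication bar code must match an order for that patient.
    drug_orders = [o for o in patient_orders if o.ndc == med_barcode]
    if not drug_orders:
        return ["drug"]
    # Several doses of the same drug may be ordered; compare against the nearest one.
    order = min(drug_orders, key=lambda o: abs(scan_time - datetime.fromisoformat(o.due)))
    problems = []
    if order.dose != med_dose:
        problems.append("dose")
    if order.route != med_route:
        problems.append("route")
    if abs(scan_time - datetime.fromisoformat(order.due)) > timedelta(minutes=order.window_min):
        problems.append("time")
    return problems
```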

Findings

Although 97.8 percent of reporting hospitals have a BCMA system in at least one inpatient unit connected to their electronic medication administration record, only 30 percent of the hospitals fully met the standard. A further 35 percent fulfilled three out of the four criteria, and 26 percent met two of them.

The most commonly unmet requirement was integration of Leapfrog’s seven decision support elements. These elements are ensuring that the patient, medication, dose, and time are correct, as well as checking vital signs, performing a patient-specific allergy check, and having a second nurse perform a check. Of these elements, the vital sign check was the most frequently lacking, missing at 80 percent of hospitals. Hospitals also failed to adhere to Leapfrog’s best practice processes and workaround prevention, which require (1) a formal BCMA use committee; (2) back-up systems for hardware failure; (3) a help desk; (4) observation of BCMA users; and (5) engagement of nursing leadership.

Reporting issues

In addition to the BCMA elements in the hospital survey, Leapfrog’s CPOE Evaluation Tool allows hospitals to download simulated data and enter patient and medication combinations into their systems. Hospitals then track the alerts generated by the system and are scored on the correct alerts. Leapfrog noted that although more hospitals have been meeting the CPOE standards, 26 percent of reporting hospitals still failed to meet them. Only 22 percent of hospitals that reported both CPOE and BCMA data fully met all standards. Leapfrog also noted that some hospitals are not reporting their data at all, which leaves a serious gap in understanding hospital medication safety because Leapfrog is the only organization that publicly reports this data.