Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits and detriments of easy-to-use portals against the need to verify identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a User ID and password, combined with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.
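The two controls singled out above, a second factor the user possesses and a session cookie that does not outlive the browser session, are easy to get subtly wrong in a portal. The following Python sketch is an added illustration and is not code from the webinar, the presenters, or any hospital; the user record layout, the function names (`authenticate`, `session_cookie_header`), the demo salt, password and TOTP secret are all constructed for the example. It uses the standard library only: PBKDF2 for the "something you know" check, RFC 6238 TOTP for the "something you have" check, and `http.cookies` to show how a session cookie differs from a long-term one while both carry the Secure, HttpOnly and SameSite attributes.

```python
import base64
import hashlib
import hmac
import struct
from http.cookies import SimpleCookie

# Constructed demo values; a real portal keeps per-user salts, password
# hashes and TOTP secrets in its identity store, never in source.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = base64.b32encode(b"constructed-demo-totp-secret").decode()
# Shared secret from RFC 6238 Appendix B, kept here only so the TOTP
# routine can be checked against the published test vectors.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (the 'something you know' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, 30 s step), as the authenticator app on
    the user's phone computes it (the 'something you have' factor)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift,
    comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def authenticate(user: dict, password: str, otp: str, now: int) -> bool:
    """Two-factor login: the password AND the TOTP code must both verify.
    `user` is a dict holding the stored salt, password hash and TOTP secret."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return pw_ok and otp_ok


def session_cookie_header(session_id: str, persistent: bool = False,
                          max_age_days: int = 30) -> str:
    """Build the Set-Cookie value for the portal session identifier.

    Without Max-Age the browser discards the cookie when the session ends
    (a session cookie); with Max-Age it is written to disk and survives a
    restart (a long-term cookie). Secure, HttpOnly and SameSite=Strict are
    set in both cases so the identifier is never sent over plaintext HTTP,
    cannot be read by page scripts, and is not attached to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["portal_session"] = session_id
    morsel = cookie["portal_session"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    if persistent:
        morsel["max-age"] = max_age_days * 86400
    return morsel.OutputString()


# Constructed user record standing in for the identity store.
DEMO_USER = {
    "salt": DEMO_SALT,
    "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}

if __name__ == "__main__":
    import secrets
    import time
    now = int(time.time())
    code = totp(DEMO_TOTP_SECRET, now)  # what the phone app would display
    if authenticate(DEMO_USER, DEMO_PASSWORD, code, now):
        print(session_cookie_header(secrets.token_urlsafe(32)))
```

Run stand-alone, the script logs the demo user in with both factors and prints a Set-Cookie header with no Max-Age, which is the session-cookie form the speakers described as less risky; passing `persistent=True` produces the long-term variant, whose only difference is the added lifetime, so the protective attributes do not change with the choice.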

Hospitals themselves may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for how they handle each type of data.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling into the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken in the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals’ responsibilities with respect to employee data, noting that in many cases employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employers must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that employees understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in the social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).

Hospices beware, OIG is taking a closer look at patient care

Hospice has become one of the areas targeted for investigations by the Office of Inspector General (OIG) and the Department of Justice (DOJ) in their common goal to reduce the vulnerabilities of the Medicare and Medicaid programs, including reducing improper payments and holding wrongdoers accountable, HHS Inspector General Daniel Levinson told attendees of the Health Care Compliance Association (HCCA) 20th Annual Compliance Institute. In light of the government’s focus on hospice services, an HCCA breakout session addressed the top five hospice risk areas and provided details of what compliance officers need to know and what they need to do.

The risk areas identified by presenters Laura E. Ellis, Senior Counsel, HHS-OIG, Office of Counsel to the Inspector General (OCIG); Jason E. Christ, Member, and Serra I. Schlanger, Senior Associate, of Epstein Becker Green; and Lynn Strange, Chief Compliance Officer, Nathan Adelson Hospice, include: (1) eligibility and appropriateness, (2) financial arrangements with referral sources and medical directors, (3) the level of care, (4) documentation, and (5) governance and effective oversight. Other risks noted were problems with admitting a patient at the wrong time, families not being aware that the beneficiary is in hospice care, ensuring that marketing incentives do not include patients exceeding six months on an average length of stay, and risks specific to for-profit or nonprofit organizations.

Why focus on hospice? Risks and recommendations

The presenters noted that in 2013, Medicare expenditures for hospice services totaled about $15.1 billion, which was more than a 40 percent increase in spending since 2000. Of that amount, nearly $9 billion was spent on patients with lengths of stay exceeding 180 days. From 2000 through 2012, the length of stay at the 90th percentile increased from 141 days to 246 days.

Eligibility and appropriateness of hospice benefits. The specific areas that the presenters identified the government will be looking at in terms of eligibility include whether the patient’s diagnosis and prognosis meet the eligibility requirements for admission, re-admission, and long lengths of stay; whether the hospice failed to discharge clinically ineligible patients; and the hospice’s live discharge rates. Presenters stressed that eligibility for admission or readmission must be supported in medical records, including the patient’s condition and prognosis. The presenters recommended that hospice providers audit and monitor high-risk areas, evaluate data to identify trends and outliers, and review PEPPER reports and hospice cap overpayment trends. The presenters also suggested that compliance officers look at reports on a monthly basis.

Financial arrangements and marketing practices. Financial arrangements include kickbacks to referral sources, swapping arrangements, arrangements with medical directors, and incentives tied to admissions and census goals. To mitigate risks in financial arrangements, the presenters suggested focusing training for marketing staff on interactions with referral sources and beneficiaries, contracting review for financial arrangements with referral sources, and evaluating internal compensation and incentives. Specifically, the presenters told listeners to look at relationships with other facilities, the qualifications of medical directors, and whether the hospice pays bonuses to the right people at the right time. Further, compliance officers should develop a good relationship with and provide for training for sales and marketing staff.

Levels and location of care. Presenters identified appropriateness of hospice general inpatient (GIP) care, use of continuous crisis care services, and services provided to beneficiaries in assisted living facilities (ALFs) and skilled nursing facilities (SNFs) as risk areas for hospices to keep on their radar. Auditing and monitoring higher levels of care, evaluating data to identify trends, investigating outliers, and increasing oversight of ALF and SNF patients will mitigate these risks, presenters said. They also recommended involving physicians in decisions regarding care.

Documentation. CMS will be looking at the adequacy of physician attestations, clinical documentation, financial records, and any other documents that support claims for payment, the presenters noted. To ensure compliance, systems should be implemented to ensure timely certifications and face-to-face evaluations. In addition, hospice providers should operationalize documentation practices and provide documentation training for their staff members.

Governance and effective oversight. Risk areas at the Board level include failures to: (1) set compliance direction at the top, (2) take action early due to a lack of knowledge, and (3) allocate sufficient resources. To mitigate risks to the hospice, presenters stressed that compliance officers meet with the Board regularly in executive session; develop a compliance dashboard for the Board; encourage questions and discussions, including feeding questions to the Board if none are asked, to start the ball rolling; and involve executive leadership in risk identification and remediation. Lynn Strange added that conducting an “external audit brings credibility to the Board.”


Kusserow on Compliance: OIG calls for more compliance expertise in reviewing CIAs

The HHS Office of the Inspector General (OIG) has recently increased oversight and accountability in its Corporate Integrity Agreements (CIAs). For years, a key requirement under CIAs involved engaging an Independent Review Organization (IRO) to oversee entity compliance with the substantive requirements. Years ago, IROs would also oversee the compliance program, but most have discontinued that practice, and the government has relied upon the entity certifying or attesting to having implemented an effective compliance program.

More recently, the OIG has determined that enlisting an independent compliance expert to review the program is necessary. This also reinforced the increased emphasis on Board oversight of the entity. It is now common for a CIA to mandate that Boards engage a compliance expert to assist entities in meeting their obligation of the compliance program oversight. This is serious business as Board members are now being mandated to make certain personal certifications concerning the compliance program and compliance with the terms of the CIA. This was a topic widely discussed in sessions dealing with CIAs at the recent Health Care Compliance Association (HCCA) Compliance Institute in Las Vegas, Nevada.

Compliance experts engaged by Boards are required to have expertise in federal health care program compliance requirements and application of those requirements in order to develop a work plan. They must then issue a Compliance Program Review Report that addresses the defined issues, along with their recommendations for improvements or corrective actions. A copy of the report must be made part of each annual report under the CIA. Copies of materials provided by the compliance expert to the Board and minutes of meetings with them are to be made available to the OIG upon request.

All of this should not be surprising to anyone who has been following the OIG’s publicly stated positions on the subject. Calling for Boards to enlist compliance experts has been proposed by the OIG for some time. A year ago, the “Practical Guidance for Health Care Governing Boards on Compliance Oversight” was issued in conjunction with the American Health Lawyers Association (AHLA), HCCA, and the Association of Healthcare Internal Auditors (AHIA). It promoted the use of independent compliance experts by Boards and organizations to assist in evidencing an effective compliance program, as well as ensuring they meet all of their fiduciary duties and obligations in overseeing corporate compliance, whether or not a CIA is involved.

Steve Forman, CPA, who has years of experience as a compliance officer and has served on multiple occasions as a Board-engaged compliance expert, observed that the Practical Guidance “provides almost identical language about Boards’ use of compliance experts as they do in CIAs today. Compliance Officers may be well advised to let their boards know about this trend.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.


What happens on social media doesn’t stay on social media, and other lessons learned at the #HCCAci

Social media was the issue of the day at the Health Care Compliance Association’s Compliance Institute (CI), which was held in Las Vegas, Nevada this year. Throughout the four-day event, health care compliance professionals tweeted, pinned, and “Instagram-ed” their way through the lectures, discussions, and networking events, while at the same time, ironically, learning a great deal about the growing popularity of social media and the dangers it may pose when it comes to your compliance program.

Even before the CI began, attendees were invited to follow the CI Pinterest page and begin to tweet and post pictures to Instagram using the hashtag #HCCAci. During the conference, social media savvy professionals were invited to network in a “Tweet Up” event; even after the conference was essentially over, participants let loose and posted pictures of their adventures in the City of Lights. As such, the role that social media plays in our current professional and personal realms was plain to see simply through the role it played at the CI this year alone.

At the general sessions that kicked off the conference both Dan Levinson, Inspector General (IG), and Leslie Caldwell, Assistant Attorney General of the Criminal Division of the Department of Justice (DOJ), noted that areas of health information security and privacy were among the most important areas to watch. In many of these arenas, according to Caldwell, the government is often behind the learning curve. As such, it would behoove compliance officers to look beyond the guidance put out by these agencies and into the future, with an eye to what new technologies are available and how they are being used.

Donald A. Sinko, Chief Integrity Officer at the Cleveland Clinic and a presenter at this year’s CI, once said that, “One of the greatest risks of social media is ignoring social media.” Presenters at breakout sessions at the CI took heed of that sentiment and focused many of their lectures and discussions on the role that social media and social media-related issues are playing in the compliance world. Most notably, Frank Ruelas, in a presentation “#HIPAA: How Social Media Impacts HIPAA Compliance,” drew lines between how many people use social media, for what purposes, and how those practices can lead to HIPAA breaches in the health care provider environment.

Ruelas encouraged audience members to volunteer their own stories about how social media affected their compliance officers, noting that it makes sense to think about social media, which is often driven by the youth population, and HIPAA together because HIPAA is a teenager itself. Ruelas concluded by urging compliance officers to “codify, illustrate, and judiciously enforce expectations” when it comes to social media use in the workplace in order to get closer to an effective compliance program. In a related presentation on emerging challenges in mHealth, David Holtzman and Web Hull discussed how mobile health apps and wearables are playing a larger, and in some cases more concerning, role when it comes to health data privacy and security. As Hull put it, the biggest challenge concerning mHealth “is that what we are dealing with now is just the beginning.”

The second day of general sessions brought a seeming round-up of the issues discussed in the previous day’s general and breakout lectures from a somewhat surprising source. Cam Marston, a researcher of generational trends in the workplace and marketplace, spoke to the CI crowd about how individuals in different generations (baby boomers, “Gen Xers,” millennials, etc.) differ in terms of their backgrounds, the ways they were raised, how they act in the marketplace, and, most importantly, how their work attitudes and styles differ. The biggest gap between the generations with regard to the work environment and marketplace is perhaps the set of issues involved with the advance of technology, including the growing reliance on social media in our personal and professional lives.

In Ruelas’ social media discussion, one compliance officer in the audience mentioned that one of her employees was found to be taking pictures that were perhaps in violation of HIPAA and posting them on Snapchat, an image messaging app and social media outlet. She explained that in order to truly understand the problem she had asked younger people in her family to help explain Snapchat to her and had obtained the app for herself and started using it in an effort to understand how it functions. In this way, we can see how it is possible to bridge the divide caused by social media use and embrace its existence in a health care setting. As Ruelas explained to his audience, social media “runs through the veins” of its users and, therefore, assuming that they will not use it at work without having policies that explicitly prohibit or explain proper use of it is not a good avenue to go down.

As the role of social media takes up more of our lives, it takes more of our work as well. As such, it is promising to see how compliance professionals are embracing it as both a tool for their own networking and knowledge spreading and recognizing it as a potential outlet for compliance issues in the workplace. Although what happens in Vegas may stay in Vegas, what happens on social media is for the world to see, and, as such, compliance professionals should be on notice of that.