Experts weigh in on LTC requirements for patient care, provider compliance

On October 4, 2016, CMS issued a Final rule making extensive changes to the requirements of participation (ROP) for long-term care facilities (LTCFs), with the goal of aligning LTCF requirements with current clinical practice standards to improve resident safety and the quality and effectiveness of the care and services delivered to residents. Kris D’Ann Maples, in-house counsel at Hillcrest Health Services, and Lyn Bentley, MSW, Vice President, Quality and Regulatory Affairs, American Health Care Association (AHCA), addressed significant provisions of the new rules that will impact health care providers at the 2017 Health Care Compliance Association Compliance Institute on March 26, 2017.

The Final rule

The new requirements (81 FR 68688, October 4, 2016) represent the first significant revision of LTCF requirements for Medicare and Medicaid since 1991. The revised requirements are aimed at reducing unnecessary hospitalizations and health care-acquired infections, improving behavioral health care, safeguarding LTCF residents from the use of unnecessary psychotropic drugs, enhancing care planning, and improving quality assurance and performance improvement. In addition to the changes to the requirements, CMS is developing a new survey process that will go into effect in November 2017. The new survey process incorporates the new requirements and merges with the quality indicator system. The LTC rules take effect in three phases: Phase 1 took effect November 28, 2016, Phase 2 will take effect November 28, 2017, and Phase 3 is scheduled for November 28, 2018.

Maples told attendees to be on the alert for changes to the regulations prior to the implementation dates, given the current administration’s plan to abolish the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). Section 6102(b) of the ACA amended Social Security Act Sec. 1128I and mandated that the operating organization have a compliance and ethics program in place. Such programs must be effective in preventing and detecting criminal, civil, and administrative violations under the Social Security Act and in promoting quality of care consistent with the regulations promulgated by the HHS Secretary working with the HHS Office of Inspector General (OIG).

Themes of the rule

Bentley noted that the Final rule reflects the dramatic cultural and technological changes of the past three decades. She recommended that providers closely read the new definitions CMS included in the Final rule, emphasizing that CMS has changed the definition of a number of terms. Among the themes identified by Bentley are patient-centered care, facility-based responsibility, quality of care and quality of life, and the changing patient population, which includes patients with behavioral health issues. Regarding facility-based responsibilities, Bentley pointed out that LTCFs must know their center, patients, and staff, which requires a competency-based approach.

Residents’ rights

Bentley added that the new rule requires LTCFs to establish a grievance policy, notify residents how and where to file a grievance, and identify a grievance officer who is responsible for the grievance process. Among the grievance officer’s responsibilities are receiving and tracking grievances, leading investigations, maintaining confidentiality, meeting documentation requirements, and issuing decisions to the resident. In addition, the grievance officer must coordinate with state and federal agencies and comply with state and federal laws and regulations (42 C.F.R. Sec. 483.10(j)). The regulation also includes additional notification requirements.

Significant is the use of the word “willful” in the definition of abuse as it relates to the regulation addressing freedom from abuse, neglect, and exploitation (42 C.F.R. Sec. 483.12). Bentley specifically pointed out that “willful” in the definition means that “the individual acted deliberately, not that the individual intended to inflict injury or harm.” According to Bentley, the term “willful” as used in the definition could raise serious questions about behavior that would not ordinarily be considered abuse. For example, suppose a nurse is bathing a patient in one bed and sees a patient in a nearby bed about to fall; while she prevents that patient from falling, the patient she was bathing might try to get out of bed and fall. In this case the nurse’s actions were deliberate, yet there was no intention to inflict injury or harm on the patient she was bathing.

Compliance and Ethics rules

New regulations (42 C.F.R. Sec. 483.85) require the operating organization for each LTCF to have a compliance and ethics program that meets certain requirements in the rule by November 28, 2017 (Phase 2), with the remaining requirements implemented by November 28, 2019 (Phase 3). Maples explained that the Final rule codifies the OIG compliance program guidance from 2000 and 2008 and that compliance will be part of the survey process going forward.

Maples identified the minimum components of a compliance program, which must be in place by November 28, 2017. These components include:

1. written compliance and ethics standards, policies, and procedures that reduce the prospect of criminal, civil, and administrative violations under the law and promote quality of care;
2. corrective/disciplinary standards that outline the consequences of committing violations, are enforced consistently, and provide consequences for failure to detect or report a violation;
3. the designation of a “high level” individual in the organization who oversees the compliance and ethics program;
4. sufficient resources and authority given to the designated high-level individual to reasonably assure that program standards are met;
5. effective communication of standards, policies, and procedures, including mandatory training; and
6. taking reasonable steps after a violation.

According to Maples, by the Phase 3 effective date, LTCFs must have conducted an annual review of the program to make any changes needed to reflect changes in applicable laws and regulations, to improve performance in promoting quality of care, and to deter False Claims Act violations. Operating organizations with five or more facilities must conduct annual compliance training for all staff members and designate a compliance officer whose major responsibility is operating the compliance program; that individual must report directly to the organization’s governing body and cannot report to the general counsel, chief financial officer, or chief operating officer.

Physician practices get tips for effective communication, training, vetting

Compliance officers often encounter problems ensuring physician compliance within physician practices and face difficulties when communicating with physician practice groups. When addressing physician practice issues, Betty Baber-Kinsey, Physician Practice Compliance Officer, Tenet Healthcare, considers such things as how to get in front of potential issues before they occur, how physicians are employed, how to vet new products or new procedures, and coding and prescribing issues. Baber-Kinsey addressed these various issues at the 2017 Health Care Compliance Association Compliance Institute on March 26, 2017.

Effective communication

A compliance officer dealing with multiple physician practices is likely to face difficulties communicating across them, in part due to the makeup, size, and locations of the practices, Baber-Kinsey said. One decision that has to be made is whether the message is delivered in person or remotely. Baber-Kinsey suggested four methods of communication across practices: messages can cascade down from the top executives or the board of directors to management and then to staff, can be delivered through videos, or can be delivered through web-ex sessions. Baber-Kinsey also recommended monthly recurring calls and bi-weekly operations calls. She noted that monthly practice managers’ meetings are recorded and minutes are taken.

Training

Baber-Kinsey stressed that training is all about the buy-in. She approaches training in three ways: live training, computer courses with a test, and video training. Training topics include conflicts of interest, vendor relationships, the Yates Memo, and the Physician Payments Sunshine Act (Section 6002 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), codified at Social Security Act Sec. 1128G). Baber-Kinsey pointed out that video training works for new hires, for staff annual refresher training, and in specialized or targeted sessions. For annual refresher training she suggested incorporating multiple topics to reach all levels of employees within the practice, including physicians, clinical staff, billers, and coders. She suggested including videos from other sources to let the staff being trained know that the issue is universal and does not apply only to them. It is important to include humor, she added.

Vetting new physicians

Baber-Kinsey uses a physician practice onboarding checklist to ensure that physicians are properly vetted. The checklist enables her to “know what they are getting before the [physicians] walk through the door.” The checklist provides the who, what, and when or, as she put it, the “What, Documented, Billed.” The vetting process takes about 18 weeks. The first four weeks involve business development and due diligence, including credentialing and information technology (IT) assessments. Weeks 5 – 8 involve credentialing, human resources (HR), and IT operations. Weeks 9 – 12 involve operations, HR, and the start of marketing. Weeks 13 – 16 involve operations and completion of credentialing. Baber-Kinsey emphasized that the onboarding process is not finished until a billing clearance audit is completed and within goal, which means that the physician’s billing error rate is 5 percent or less.

Alternative lines of business

The latest trend for physicians is providing an alternative line of business, according to Baber-Kinsey. “An alternative line of business means any items and/or products that may not fit into traditional lines of service for the primary or specialty care practice,” she said. Examples of alternative lines of business include supplements, cosmetic procedures and services, and oncology infusion. Baber-Kinsey recommends getting in front of the alternative line of business before a physician is hired. Tenet Healthcare has a policy and procedure that addresses new and alternative lines of business.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance. At the rate reports are being received, the OCR estimates it will receive 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on them, ranging from social media privacy and certification of electronic health record technology to the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules, including mobile device compliance. They address privacy, security, and breach notification. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords.

OCR advice

Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and thorough assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices provide for clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and software updates, and anti-virus and anti-malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered tips and suggestions in addition to those offered in the OCR presentation, particularly as they relate to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits and detriments of easy-to-use portals against the need to verify identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication: something a person knows, such as a User ID and password, combined with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.

Hospitals themselves may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for the types of data they handle.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling within the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken in the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals’ responsibilities with respect to employee data, noting that in many cases employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employers must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and to make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that employees understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in the social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).