In a recent court case in the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman (Ky. Ct. App. July 21, 2017), a nurse sued her employer after being fired for a HIPAA violation. A patient filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and using only the minimum necessary information to accomplish a job.
In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves because the patient had Hepatitis C. A patient filed a complaint because they felt she was too loud and other patients could hear her. This is considered a privacy violation. However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.
To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard. If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation. In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.
In contrast, if reasonable safeguards or the minimum necessary standard are not used, a violation of the privacy rule will occur. The courts ruled that the nurse did not take the reasonable safeguard of speaking quietly when she warned her colleagues to wear the gloves. Additionally, the courts found she did not use the minimum amount of protected health information needed to accomplish the necessary purpose. In other words, she could have simply reminded her colleagues to wear gloves without using the term Hepatitis C.
The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to maneuver through different situations including what this nurse encountered without compromising a patient’s privacy. Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is important also. We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov at email@example.com and let her know you want to see our training platform. Until then, happy HIPAA trekking.
CMS (Centers for Medicare and Medicaid Services) inappropriately paid $729.4 million in Meaningful Use incentives to healthcare providers over a three-year period due to the providers’ errors. These errors are a result of providers not being able to support their attestations of completing the measures and objectives defined in the 2015 EHR Incentive Programs Final Rule. A couple of examples of these attestations include completing the Security Risk Assessment and protecting electronic Protected Health Information (ePHI). MIPS (the Merit-based Incentive Payment System) is a “pay-for-performance” program, and it is independent of the macroeconomic factors upon which the earlier physician payment system was based. In order to qualify for MIPS, the healthcare entity must make a switch from paper records to electronic records.
Healthcare providers can choose from the Advanced Alternative Payment Models (APM) or MIPS, but most providers will choose MIPS. You should choose APM if 20% of your patients have Medicare or if 25% of your patients are Medicare reimbursables. You are eligible for MIPS if you bill more than $30k per year, provide care to 100 or more patients, and you are a physician, physician assistant, nurse practitioner, clinical nurse specialist, or certified registered nurse anesthetist. You must start the paperwork between 1/1/2017 and 10/2/2017 and send in performance data by 3/31/2018. There will be a ninety-day attestation period in 2017, and payment adjustments for switching from paper to electronic records go into effect on 1/1/2019. If you do not participate, the result is a negative 4% adjustment in Medicare payments.
There are two options for reporting Advancing Care Information. Option 1 is the Advancing Care Information Objectives and Measures with 22 available reportable measures (7 are required including the security risk assessment). You can report the Advancing Care Information Objectives and Measures if you have technology that is certified to the 2015 edition or if you have a combination of technologies from the 2014 and 2015 editions that support these measures. Option 2 is the 2017 Advancing Care Information Transition Objectives and Measures with 13 available reportable measures (4 are required including the security risk assessment). You can report the 2017 Advancing Care Information Transition Objectives and Measures if you have technology that is certified to the 2015 edition or if you have technology certified to the 2014 edition or if you have a combination of technologies from the 2014 and 2015 editions.
Complementing MIPS with HIPAA brings about better patient engagement. Certified Electronic Health Record Technology (CEHRT) has enabled features such as secure patient portals, encrypted text messages, and email products. Because of this, patient engagement tools sent electronically by regular (encrypted) email and text messaging include features such as appointment reminders, healthcare instructions, patient satisfaction surveys, health and wellness newsletters, and recall reminders. Since these are part of the regular use of technology in healthcare, the HIPAA rules specify the conditions under which PHI can be sent by encrypted electronic transmission. The Advancing Care Information category of MIPS requires a HIPAA Security Risk Assessment, similar to the Meaningful Use requirement. That is the strong link between MIPS and HIPAA. What if you don’t have CEHRT? You can apply for a Hardship Exception if you do not have CEHRT. Simply lacking CEHRT does not, however, qualify the MIPS-eligible clinician or group for reweighting. CEHRT is required for participation in the Advancing Care Information performance category.
If you do have CEHRT, you must now conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308(a)(1). Doing so will lead to securing ePHI for your Covered Entity or Business Associate. You must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must also address the security (including encryption) of ePHI created or maintained by certified EHR technology in accordance with the requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Then, you must implement security updates as necessary and correctly identify security deficiencies as part of the MIPS-eligible clinician’s risk management process.
In our last blog, we wrote about the policies and procedures you need to develop for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). The policies and procedures are developed after you have conducted your all-hazards risk assessment. CMS wants you to have, at a minimum, policies for:
- Safe Evacuation
- Shelter in Place
- Preservation of Medical Documentation
- Using Volunteers
Your next step is to develop your communications plan. This is critical as “communication” is often severely hampered during an emergency. This can be a personnel problem caused by lack of training and preparation, or it can be a structural problem where communication systems are degraded or destroyed by the emergency or disaster. Preparing a plan and ensuring all understand it will lead to success should you have to implement it for an emergency.
In developing your communications plan, CMS wants you to have the names and contact information for:
- Individuals providing services under arrangement
- Patient’s physicians
- Other RHCs or hospitals
- State or local emergency agencies
You must also develop a system to correctly provide the general condition and location of patients under your care while still meeting the HIPAA privacy rules. Your plan should include the ability to notify the Incident Command Center about your needs and status during the emergency. You should have a recall roster so you can notify off-duty personnel to report to duty as needed or to stay away. Your plan should also include a listing of communication avenues that have been tested and are compatible with those of other agencies you may need to contact. Remember, during an emergency, regular land lines or cell phones may not be operational, so you must plan ahead and consider other communication options such as ham radios, walkie-talkies, or Radio Amateur Civil Emergency Services (RACES), to name a few.
CMS understands how critical it is for an RHC/FQHC to have a well-thought-out communications plan in which staff have been trained and the plan has been tested. Don’t wait until the emergency is upon you. Develop your plan now and test it so you will be ready when a disaster strikes. Oh yes, don’t forget: someone must be in charge of activating your emergency communications plan. This is usually the clinic administrator or someone else you have designated in writing.
Remember to review your current HIPAA policies for areas where there is commonality or where you have already addressed some of the requirements of the Emergency Preparedness Communications Plan. We at HIPAAtrek are developing an RHC/FQHC Emergency Preparedness Plan Package that includes a HIPAA/Emergency Preparedness Crosswalk, Emergency Plan Checklist, Risk Assessment Form, Policies and much more, so stay tuned to HIPAAtrek for future updates. In the meantime, start working on that Communications Plan!
By now you are well into developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). You conducted an all-hazards approach to your risk assessment. That is, you identified all probable hazards and developed response procedures for each type of hazard which include natural, man-made, and/or facility emergencies. Additionally, as you conducted your risk assessment, you took a facility-based approach. You concentrated on risks specific to your facility and your region; for instance, you developed plans for a blizzard in Colorado or a tidal wave in Hawaii. You may have also decided to use a community-based risk assessment where you use plans developed by other entities such as public health and emergency management agencies, or regional health care coalitions. All the while, you reviewed your current HIPAA policies to look for overlaps or areas of commonality so you can use what you have already developed and have in place. Your next step for your Emergency Preparedness is to implement your plan in policies and procedures.
The Centers for Medicare and Medicaid Services (CMS) requires you to develop policies and procedures and to review and update them, if needed, at least annually. The policies and procedures must align with the risk assessment and the hazards identified during the risk assessment. You can choose to make them part of your facility’s Standard Operating Procedures or Operating Manual; however, CMS recommends you have a central place to house your emergency preparedness program documents. This will make it easy for CMS to review them should they conduct a survey.
There are four key issues CMS asks you to address in your policies and procedures:
1. Safe evacuation
2. Shelter in place
3. Preserve Medical Documentation
4. Using Volunteers
1. Safe Evacuation: CMS wants you to develop an evacuation plan which considers the care and treatment needs of evacuees. The plan should also spell out staff responsibilities and transportation needs, and identify the locations that will be used for evacuation. The evacuation protocols should address not only where the evacuees will go but also where the staff members go, since the evacuation locations for the two are often different. What will your transportation needs look like? How many vehicles do you have? Will you use vehicles of opportunity to evacuate your patients and staff? If you are an RHC or FQHC, you must also place exit signs to guide patients and staff in the event of an evacuation from your facility.
2. Shelter in Place: CMS wants you to develop a plan to shelter in place for your patients, staff, and volunteers. Not every emergency allows you to evacuate your facility. The most common threat that requires a shelter in place decision is probably a tornado. Your policy and procedures should identify the criteria for determining which staff and patients will shelter in place before an evacuation. When developing your plan, don’t forget to consider the ability of your building to survive a disaster as well as what proactive steps you can take prior to a situation that requires you to shelter in place. These are critical decisions that need to be well thought out before an actual emergency occurs.
3. Preserve Medical Documentation: CMS requires that you establish a system of medical documentation that preserves patient information, keeps patient records secure and confidential, and makes them readily available to support continuity of care during and after an emergency. Your policies and procedures should explain how you will accomplish this while staying in compliance with the HIPAA privacy and security rules. That is to say, your procedures must show how you will protect the privacy and security of individuals’ personal health records whether you have electronic or paper medical records.
4. Using Volunteers: CMS wants you to develop policies and procedures for using volunteers in an emergency and for other staffing strategies. Your procedures should explain how you will use volunteers with different skill levels. For instance, you may have healthcare professionals who volunteer during an emergency. How will you provide a privileging and credentialing process in an emergency that ensures the volunteers can perform services within their scope of practice and training? You will have to look at your state laws and regulations for guidance. You may also have federal teams of federally designated health care professionals that volunteer in an emergency, such as Public Health Service (PHS) staff, National Disaster Medical System (NDMS) medical teams, the Department of Defense (DOD) Nurse Corps, or the Medical Reserve Corps (MRC). Your policies and procedures should also spell out how you will use non-medical volunteers. These individuals will perform non-medical tasks during your emergency.
CMS requires you to develop policies and procedures and review them annually. This allows you to update them if needed. The policies and procedures must align with the risk assessment and hazards identified during your risk assessment and address safe evacuation of your patients and staff, sheltering in place, preserving medical documentation, and how you will use both medical professional and non-professional volunteers. CMS recommends you have a central place to house your emergency preparedness program documents. And remember to review your current HIPAA policies for areas where there is commonality or where you have already addressed some of the requirements of the Emergency Preparedness Plan.
We know many of you are currently rushing to meet the November 16, 2017 deadline for developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). As you do so, the Centers for Medicare & Medicaid Services (CMS) wants you to keep in mind these three key essentials for maintaining access to healthcare during disasters and emergencies:
- Safeguarding human resources
- Maintaining business continuity
- Protecting physical resources
In addition, your emergency preparedness plan will be made up of these four sections:
- Emergency Plan (including risk assessment)
- Policies and Procedures
- Communication Plan
- Training and Testing Program
In developing your emergency plan, you must first conduct a facility-based risk assessment. You may already have some or most of this accomplished because you conducted the HIPAA security rule’s risk analysis and implemented a risk management plan. Nevertheless, CMS wants your risk assessment to take an all-hazards approach. An all-hazards approach looks at all possible emergencies and disasters and spells out the response procedures for each. You can’t depend on procedures for responding to one type of emergency to provide a sufficient response for a different type of emergency. For instance, your procedures for an active shooter in your facility will not help you respond to a ransomware attack on your electronic health records. Makes sense, right? Your risk assessment and subsequent plan should identify and include procedures for natural, man-made, and/or facility emergencies. It should:
- Identify all business functions essential to the facility’s operations that should be continued during an emergency
- Identify all risks or emergencies that the facility may reasonably expect to confront
- Identify all contingencies for which the facility should plan
- Consider the facility’s geographic location
- Assess the extent to which natural or man-made emergencies may cause the facility to cease or limit operations
- Determine what arrangements may be necessary with other health care facilities or other entities to ensure that essential services could be provided during an emergency
CMS uses the term “facility-based” to mean that the risk assessment and emergency preparedness program are specific to your facility. This is important, as this approach will more clearly identify, and rule out, the natural disasters relevant to your facility and area. For instance, an RHC in Florida should consider preparedness actions in the face of an approaching hurricane, whereas an RHC in South Dakota should consider its capabilities after a three-day winter blizzard, which is more reasonable for it to expect. On the other hand, both RHCs should assess and develop plans to respond to a power outage that was not caused by a natural disaster, yet still requires an immediate response to continue operations. For instance, do you have backup generators and fuel to run the generators, thereby providing the power needed to run essential operations?
CMS allows you as an RHC to use a community-based risk assessment developed by other entities, such as public health agencies, emergency management agencies, and regional health care coalitions, or you can use theirs while conducting your own facility-based assessment. If you use a community-based risk assessment and plan, you need to have a copy of it and you need to work with the organization that developed it to ensure it meets the needs of your facility’s emergency plan.
Again, you may have already addressed these emergencies and hazards while implementing your HIPAA plan and policies, so a review of your plan may only require additional considerations. We at HIPAAtrek believe that many of the CMS requirements are already addressed by the HIPAA security rule. We are currently putting together an Emergency Preparedness Plan and HIPAA security rule crosswalk so you don’t have to reinvent the wheel, so be on the lookout for it. Until then, review your current HIPAA security plan for similarities that meet the CMS Emergency Preparedness Plan requirements and/or begin to document your all-hazards risk assessment.