First Healthcare Compliance CONNECT July 2018

CONNECT
An Exclusive Monthly Publication for Clients
HIPAA: Handling
Patient Requests for
Medical Records
July 2018
Important Questions
All Board Members
3Should Be Asking
Share Your
Success Story!
Compliance
Super Ninja
Do’s & Don’ts of
Medical Waste
1st Talk Compliance:
The Basics of Durable
Medical Equipment

Got a Minute? Please Rate Us!
Compliance Super Ninja
The health of our company depends on our best
clients spreading the word about us.
That’s you!
Share Your Success Story
An endorsement by you is the greatest compliment we
could receive! Please take a moment of your time to rate
us online so that others can benefit from your experience.
It’s a simple way to help us grow and improve.
Pam Larkin
Director of Revenue Cycle Management
Excelsior Orthopaedics
How would you describe your experience with First Healthcare Compliance?
My experience with First Healthcare has been extremely positive. The Company and its employees are
knowledgeable regarding compliance and provide automation and resources that enable our physician practice
to streamline compliance training and documentation requirements. They welcome client feedback and often
implement enhancements that have been suggested by users. Their service and responsiveness have exceeded
our expectations.
What do you enjoy most about working with with Excelsior Orthopaedics?
What I enjoy most about working for Excelsior Orthopaedics is the team of clinicians and employees that focus
on delivering quality care to our patients. Our organization is progressive and innovative. I personally oversee a
financial aspect of the business as well as having compliance responsibilities and learning something new every
day is my motivation.
Would you rather be able to talk with animals or speak all foreign languages, and why?
I would rather be able to talk with animals. I hear the human perspective every day but often wonder what my
dogs would have to say if they could talk.
We appreciate your support and look forward
to hearing from you!
Each month we highlight one exceptional compliance
professional chosen by our client services team. If our team
notices your compliance chops, you might be the next Ninja!
In This Issue:
Share Your Success Story
Compliance Super Ninja
3 Important Questions All Board Members Should Be Asking
Client FAQ Corner
HIPAA: Handling Patient Requests for Medical Record Restriction
New eBook: Fraud and Abuse in Medicare
1st Talk Compliance: The Basics of Durable Medical Equipment
New Training Modules
2 First Healthcare Compliance, LLC © 2018
Contact Toll Free: 888-54-FIRST 3

Client FAQ Corner
I just recieved a HIPAA Authorization for a patient record
that contains psychotherapy notes. How do I respond?
By Julie Sheppard, BSN, JD, CHC
1. Do board members have responsibilities related to compliance?
Yes, it’s well established that board members have responsibilities related to
the organization’s compliance program. Several credible sources illustrate the
important relationship of the board and the compliance program and highlight
an individual director’s potential liability:
- A landmark case found that directors are potentially liable for a breach of
duty to exercise appropriate attention if they knew or should have known
that employees were violating the law, declined to make a good faith effort
to prevent the violation, and the lack of action was the proximate cause of
damages. Effectively, oversight responsibilities extend to compliance programs
and failure to provide adequate oversight can render a director liable
for losses caused by non-compliance.
- The Yates Memo sets forth individual accountability for corporate wrongdoing
and recognizes individual accountability. The focus is on holding individuals
responsible for corporate misconduct and highlights enforcement priorities.
- In 2016 following a corporate resolution, the former CEO of Tuomey
Healthcare settled his own liability for $1 million and agreed to a four-year
period of exclusion from participating in federal health care programs.
- The Office of Inspector General provides references for board members with
Corporate Integrity Agreements and helpful reference documents that include
Practical Guidance for Boards on Compliance Oversight.
2. Should compliance officers report directly to the board?
We know that the board must ensure that the compliance program operate
in practice and not simply exist on paper, so it’s necessary to have a process
that ensures appropriate access to information. Structures vary among
organizations, but generally it’s a good idea to establish a direct reporting
relationship between the company’s Chief Compliance Officer and the board.
Effective board oversight includes asking the right questions of management
to determine that there are mechanisms in place to ensure timely reporting
of suspected violations and to evaluate and implement remedial measures.
Ideally, a risk-based reporting system, is used by those responsible for
the compliance function to provide reports to the board on a regular basis.
Fortunately, there are tools available to track and identify areas of compliance
concern in an efficient manner.
Regular meetings and reviews that provide a board with overall compliance
insight should lead to better results. A 2018 survey shows that compliance
officers meeting with the board more than four times per year is the norm.
3. How can board members mitigate risk and avoid liability?
Every board is responsible for ensuring that its organization complies with
laws and regulations. Obviously, this is necessary to protect patients and
public funds. A growing awareness of potential individual liability and the
relationship between the board and the compliance officer highlights the need
for an effective compliance program. Exercising oversight and monitoring of
the organization’s compliance program is essential to corporate governance.
And a director who acts in good faith may not be held liable for bad outcomes.
Follow these tips to detect non-compliance early and mitigate your risk:
- Follow OIG guidance and implement a robust compliance program
- Take steps to educate and inform board members about compliance
- Keep an eye out for risk areas and red flags and respond appropriately
- Stay engaged and communicate with management and the compliance
officer
Psychotherapy notes are primarily for personal use by the treating professional
and generally are not disclosed for other purposes. The provider should review the
definition of psychotherapy notes under HIPAA and remove any of this information
from the patient’s file before disclosure. Under HIPAA, psychotherapy notes is
defined as follows: Notes recorded (in any medium) by a health care provider who is
a mental health professional documenting or analyzing the contents of conversation
during a private counseling session or a group, joint, or family counseling
session and that are separated from the rest of the individual’s medical record.
Psychotherapy notes excludes medication prescription and monitoring, counseling
session start and stop times, the modalities and frequencies of treatment furnished,
results of clinical tests, and any summary of the following items: Diagnosis,
functional status, the treatment plan, symptoms, prognosis, and progress to date.
(See 45 CFR 164.501).
Do I need Safety Data Sheets (SDS) for cleaning
products?
SDS must be maintained for all hazardous chemicals and are obtained directly
from the manufacturer, distributor, or importer. This requirement includes
hazardous cleaning products. An exception exists for household consumer
products used for cleaning (if used in the same manner as a consumer would
use them) Such cleaning products do not require SDS to be maintained.
Explore the FAQs tab in your compliance solution to find
answers to your compliance questions!
4 First Healthcare Compliance, LLC © 2018
Contact Toll Free: 888-54-FIRST 5

Get the eBook!
Fraud and abuse can be a confusing part of Medicare compliance. Our latest eBook
can help you navigate these tricky waters and help protect your organization from
accidental infractions.
Read more about:
• Legal Statutes covering Fraud, Waste,
and Abuse
• Penalties of the False Claims Act
• Limitations of Stark Law
• Analysis of the OIG and DOJ Annual
Reports
Download your copy today!
6 First Healthcare Compliance, LLC © 2018
Contact Toll Free: 888-54-FIRST 7

COMPLIANCE WORD SEARCH
hosted by Catherine Short
Catherine Short talks with Jill Longo, Associate Corporate Counsel of Medical
Mutual of Ohio about The Basics of Durable Medical Equipment Compliance.
Join us for this episode as we discuss proper documentation and billing procedures
in order to distribute DME from your practice, how to implement compliance
measures in your practice with regard to DME, and what to do if you are audited or
investigated for DME billing.
Listen weekdays at
7:30am, 3:30 pm, 11:30pm ET
Check out our Show Page!
Looking for the latest compliance insights?
Subscribe to our feed and don’t miss a thing!
8 First Healthcare Compliance, LLC © 2018
Contact Toll Free: 888-54-FIRST 9

providers in order to treat or coordinate care for their patients.
reasonable safeguards, CEs should analyze their own needs and
CEs may disclose PHI (orally, on paper, by fax, or electronically) to
circumstances, such as the nature of the PHI it holds, and assess the
another provider for the treatment activities of that provider, without
potential risks to patients’ privacy. CEs should also take into account
needing patient consent or authorization.
the potential effects on patient care and may consider other issues,
45 CFR 164.506(c)(2).
such as the financial and administrative burden of implementing
Treatment is broadly defined to include:
particular safeguards.
- the provision, coordination, or management of health care and
Consider the following examples of appropriate administrative,
related services by one or more providers, including the coordination
technical, and physical safeguards:
or management of health care by a provider with a third party;
- Sign in sheet information is limited to the patient’s name, time of
- consultation between providers relating to a patient; or
arrival, and the patient’s doctor
- the referral of a patient for care from one provider to another.
- Fax machine is in a secure location and the “fax disclaimer” is on
45 CFR 164.501.
all outgoing faxes
The disclosing CE is responsible for the PHI until recipient CE has
- The Notice of Privacy Practices is on your web site and there is no
received the information. HIPAA requires disclosing the PHI to the
way to access PHI on that site
receiving CE in a permitted and secure manner, which includes
- All computer screens are turned away from the patient’s view
By Julie Sheppard, BSN, JD, CHC
Healthcare compliance professionals frequently face confusing situations about
sharing of protected health information (PHI). The Health Insurance Portability and
Accountability Act (HIPAA) supports the protection of privacy of medical records.
However, even when a patient does not authorize sharing of his record there are
permitted uses and disclosures such as for the purpose of treatment, payment or
healthcare operations (TPO).
The U.S. Department of Health and Human Services (HHS) Office of the National
Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) provide a series of
topical fact sheets on HIPAA Permitted Uses and Disclosures with examples of when
PHI can be exchanged under HIPAA without first requiring a specific authorization
from the patient. Please note that state laws may also apply.
Permitted Uses and Disclosures for Health Care Operations
The ONC issued a useful fact sheet explaining Permitted Uses and Disclosures for
Health Care Operations. For activities that fall within HIPAA’s definition of “health
care operations,” an entity covered by HIPAA (Covered Entity), such as a physician
or hospital, can disclose PHI to another Covered Entity (or a contractor working for
that covered entity, i.e., Business Associate). A Covered Entity (CE) can disclose
PHI (orally, on paper, by fax, or electronically) to another CE or that CE’s Business
Associate for the following subset of health care operations activities without needing
patient consent or authorization:
- Conducting quality assessment and improvement activities
- Developing clinical guidelines
- Conducting patient safety activities as defined in applicable regulations
- Conducting population-based activities relating to improving health or reducing
health care cost
- Developing protocols
- Conducting case management and care coordination (including care planning)
- Evaluating performance of health care providers and/or health plans
- Conducting training programs or credentialing activities
- Supporting fraud and abuse detection and compliance programs
45 CFR 164.501; 45 CFR 164.506(c)(4).
Three conditions must be met when sharing PHI for the purposes stated above:
- Both CEs must have or have had a relationship with the patient (can be a past or
present patient);
- The PHI requested must pertain to the relationship; and
- The discloser must disclose only the minimum information necessary for the
health care operation at hand.
What is meant by the term ‘minimum necessary’?
Covered entities are required to have reasonable minimum necessary policies and
procedures to limit how much PHI is used, disclosed, and requested for certain
purposes. Minimum necessary policies and procedures must also reasonably limit
who within the entity has access to PHI, and under what conditions, based on job
responsibilities and the nature of the business.
For example, the minimum necessary standard requires that a CE limit who within
the entity has access to PHI, based on who needs access to perform their job duties.
If a hospital employee is allowed to have routine, unimpeded access to patients’
medical records, where such access is not necessary for the employee to do his
job, the hospital is not applying the minimum necessary standard. Therefore, any
incidental use or disclosure that results from this practice, such as another worker
overhearing the hospital employee’s conversation about a patient’s condition, would
be an unlawful use or disclosure under the HIPAA Privacy Rule.
Minimum necessary standard is not required among physicians discussing a patient’s
medical chart for treatment purposes and does not apply to disclosures, including oral
disclosures, among health care providers for treatment purposes.
Join us on Social Media!
sending the PHI securely and taking reasonable steps to send it to the
right address. The receiving CE is responsible for safeguarding the
PHI and otherwise complying with HIPAA, including with respect to
subsequent uses or disclosures or any breaches that occur.
Common HIPAA Questions
Q. How should we ensure that we’re staying compliant with
HIPAA Privacy and Security Rules when sharing PHI for purposes
of treatment or operations?
Many issues are covered under HIPAA Privacy and Security. Here are
a few important reminders regarding permitted uses and disclosures:
- HIPAA Security Rule compliance requires disclosure of electronic
PHI by CEHRT.
- Address permitted uses and disclosures in your Notice of Privacy
Practices.
- Follow minimum necessary policies and procedures and apply
reasonable safeguards, as required by 45 CFR 164.502(a)(1)(iii).
Q. What are the reasonable safeguard requirements?
Reasonable safeguards vary from CE to CE depending on factors, such
as the size of the CE and the nature of its business. In implementing
- Screen savers are set to go on after a short period of inactivity
- No employee leaves his or her computer unattended while PHI is
visible on the screen
- Passwords are assigned only to those who should have access to
PHI on the computers
- Limit the information disclosed over a facility’s public announcement
system to the minimum necessary
- Outgoing mail only shows the minimum necessary information
- All correspondence containing PHI that is received or sent from the
facility is marked confidential
- Signs are posted to restrict patient access to particular areas and
to remind employees about confidentiality
- Talk quietly and do not use the full name of the patient if not
necessary and always use minimum necessary when discussing in
public areas
- E-mail “disclaimer” is on all outgoing messages
- Medical charts on exam room doors should be turned inward so
they do not have any visible information
- Medical records are set face down when not in use
The most comprehensive healthcare
compliance course yet!
The Fundamentals is a user-friendly, four-module
online course designed to help healthcare
professionals understand the essential principles
and practices of compliance.
- Contacting health care providers and patients with information about treatment
alternatives
- Reviewing qualifications of health care professionals
Permitted Uses and Disclosures for Treatment
The fact sheet titled ‘Permitted Uses and Disclosures: Exchange for Treatment’
explains how HIPAA supports sharing of PHI between and among health care
Visit 1sthcc.com/shop and
invest in yourself today!
10 First Healthcare Compliance, LLC © 2018
Contact Toll Free: 888-54-FIRST 11

New Training Modules Now Available!
Training
Moneytalks: Medicare Part A and Part B
Appeals
Concerned about GDPR compliance?
The UPIC Revolution: CMS Integrity
Auditors 2.0
Now featuring our
How To Compliance Series!
• HIPAA Security
• Radiation Safety
• OSHA for the Office Manager
• OSHA Hazard Communication Standard
Contact our Client Services Team with your questions!
888.54.FIRST or clientservices@1sthcc.com
12
First Healthcare Compliance, LLC © 2018