First Healthcare Compliance CONNECT July 2018
CONNECT<br />
An Exclusive Monthly Publication for Clients<br />
July 2018<br />
HIPAA: Handling Patient Requests for Medical Records<br />
3 Important Questions All Board Members Should Be Asking<br />
Share Your Success Story!<br />
Compliance Super Ninja<br />
Do’s & Don’ts of Medical Waste<br />
1st Talk Compliance: The Basics of Durable Medical Equipment<br />
Share Your Success Story<br />
Got a Minute? Please Rate Us!<br />
The health of our company depends on our best clients spreading the word about us. That’s you!<br />
An endorsement by you is the greatest compliment we could receive! Please take a moment of your time to rate us online so that others can benefit from your experience. It’s a simple way to help us grow and improve.<br />
We appreciate your support and look forward to hearing from you!<br />
Compliance Super Ninja<br />
Each month we highlight one exceptional compliance professional chosen by our client services team. If our team notices your compliance chops, you might be the next Ninja!<br />
Pam Larkin<br />
Director of Revenue Cycle Management<br />
Excelsior Orthopaedics<br />
How would you describe your experience with First Healthcare Compliance?<br />
My experience with First Healthcare has been extremely positive. The Company and its employees are knowledgeable regarding compliance and provide automation and resources that enable our physician practice to streamline compliance training and documentation requirements. They welcome client feedback and often implement enhancements that have been suggested by users. Their service and responsiveness have exceeded our expectations.<br />
What do you enjoy most about working with Excelsior Orthopaedics?<br />
What I enjoy most about working for Excelsior Orthopaedics is the team of clinicians and employees that focus on delivering quality care to our patients. Our organization is progressive and innovative. I personally oversee a financial aspect of the business as well as having compliance responsibilities, and learning something new every day is my motivation.<br />
Would you rather be able to talk with animals or speak all foreign languages, and why?<br />
I would rather be able to talk with animals. I hear the human perspective every day but often wonder what my dogs would have to say if they could talk.<br />
In This Issue:<br />
Share Your Success Story<br />
Compliance Super Ninja<br />
3 Important Questions All Board Members Should Be Asking<br />
Client FAQ Corner<br />
HIPAA: Handling Patient Requests for Medical Record Restriction<br />
New eBook: Fraud and Abuse in Medicare<br />
1st Talk Compliance: The Basics of Durable Medical Equipment<br />
New Training Modules<br />
First Healthcare Compliance, LLC © 2018<br />
Contact Toll Free: 888-54-FIRST<br />
3 Important Questions All Board Members Should Be Asking<br />
By Julie Sheppard, BSN, JD, CHC<br />
1. Do board members have responsibilities related to compliance?<br />
Yes, it’s well established that board members have responsibilities related to the organization’s compliance program. Several credible sources illustrate the important relationship of the board and the compliance program and highlight an individual director’s potential liability:<br />
- A landmark case found that directors are potentially liable for a breach of duty to exercise appropriate attention if they knew or should have known that employees were violating the law, declined to make a good faith effort to prevent the violation, and the lack of action was the proximate cause of damages. Effectively, oversight responsibilities extend to compliance programs, and failure to provide adequate oversight can render a director liable for losses caused by non-compliance.<br />
- The Yates Memo sets forth and recognizes individual accountability for corporate wrongdoing. Its focus is on holding individuals responsible for corporate misconduct, and it highlights enforcement priorities.<br />
- In 2016, following a corporate resolution, the former CEO of Tuomey Healthcare settled his own liability for $1 million and agreed to a four-year period of exclusion from participating in federal health care programs.<br />
- The Office of Inspector General provides references for board members with Corporate Integrity Agreements and helpful reference documents that include Practical Guidance for Boards on Compliance Oversight.<br />
2. Should compliance officers report directly to the board?<br />
We know that the board must ensure that the compliance program operates in practice and does not simply exist on paper, so it’s necessary to have a process that ensures appropriate access to information. Structures vary among organizations, but generally it’s a good idea to establish a direct reporting relationship between the company’s Chief Compliance Officer and the board.<br />
Effective board oversight includes asking the right questions of management to determine that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. Ideally, a risk-based reporting system is used by those responsible for the compliance function to provide reports to the board on a regular basis. Fortunately, there are tools available to track and identify areas of compliance concern in an efficient manner.<br />
Regular meetings and reviews that provide a board with overall compliance insight should lead to better results. A 2018 survey shows that compliance officers meeting with the board more than four times per year is the norm.<br />
3. How can board members mitigate risk and avoid liability?<br />
Every board is responsible for ensuring that its organization complies with laws and regulations. Obviously, this is necessary to protect patients and public funds. A growing awareness of potential individual liability and the relationship between the board and the compliance officer highlights the need for an effective compliance program. Exercising oversight and monitoring of the organization’s compliance program is essential to corporate governance. And a director who acts in good faith may not be held liable for bad outcomes.<br />
Follow these tips to detect non-compliance early and mitigate your risk:<br />
- Follow OIG guidance and implement a robust compliance program<br />
- Take steps to educate and inform board members about compliance<br />
- Keep an eye out for risk areas and red flags and respond appropriately<br />
- Stay engaged and communicate with management and the compliance officer<br />
Client FAQ Corner<br />
I just received a HIPAA Authorization for a patient record that contains psychotherapy notes. How do I respond?<br />
Psychotherapy notes are primarily for personal use by the treating professional and generally are not disclosed for other purposes. The provider should review the definition of psychotherapy notes under HIPAA and remove any of this information from the patient’s file before disclosure. Under HIPAA, the term “psychotherapy notes” is defined as follows: Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. (See 45 CFR 164.501).<br />
Do I need Safety Data Sheets (SDS) for cleaning<br />
products?<br />
SDS must be maintained for all hazardous chemicals and are obtained directly<br />
from the manufacturer, distributor, or importer. This requirement includes<br />
hazardous cleaning products. An exception exists for household consumer<br />
products used for cleaning (if used in the same manner as a consumer would<br />
use them). Such cleaning products do not require SDS to be maintained.<br />
Explore the FAQs tab in your compliance solution to find<br />
answers to your compliance questions!<br />
Get the eBook!<br />
Fraud and abuse can be a confusing part of Medicare compliance. Our latest eBook<br />
can help you navigate these tricky waters and help protect your organization from<br />
accidental infractions.<br />
Read more about:<br />
• Legal Statutes covering Fraud, Waste,<br />
and Abuse<br />
• Penalties of the False Claims Act<br />
• Limitations of Stark Law<br />
• Analysis of the OIG and DOJ Annual<br />
Reports<br />
Download your copy today!<br />
1st Talk Compliance: The Basics of Durable Medical Equipment<br />
hosted by Catherine Short<br />
Catherine Short talks with Jill Longo, Associate Corporate Counsel of Medical<br />
Mutual of Ohio about The Basics of Durable Medical Equipment Compliance.<br />
Join us for this episode as we discuss proper documentation and billing procedures<br />
in order to distribute DME from your practice, how to implement compliance<br />
measures in your practice with regard to DME, and what to do if you are audited or<br />
investigated for DME billing.<br />
Listen weekdays at 7:30 am, 3:30 pm, 11:30 pm ET<br />
By Julie Sheppard, BSN, JD, CHC<br />
Healthcare compliance professionals frequently face confusing situations about sharing of protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) supports the protection of privacy of medical records. However, even when a patient does not authorize sharing of his record, there are permitted uses and disclosures, such as for the purpose of treatment, payment or healthcare operations (TPO).<br />
The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) provide a series of topical fact sheets on HIPAA Permitted Uses and Disclosures with examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient. Please note that state laws may also apply.<br />
Permitted Uses and Disclosures for Health Care Operations<br />
The ONC issued a useful fact sheet explaining Permitted Uses and Disclosures for Health Care Operations. For activities that fall within HIPAA’s definition of “health care operations,” an entity covered by HIPAA (Covered Entity), such as a physician or hospital, can disclose PHI to another Covered Entity (or a contractor working for that covered entity, i.e., Business Associate). A Covered Entity (CE) can disclose PHI (orally, on paper, by fax, or electronically) to another CE or that CE’s Business Associate for the following subset of health care operations activities without needing patient consent or authorization:<br />
- Conducting quality assessment and improvement activities<br />
- Developing clinical guidelines<br />
- Conducting patient safety activities as defined in applicable regulations<br />
- Conducting population-based activities relating to improving health or reducing health care cost<br />
- Developing protocols<br />
- Conducting case management and care coordination (including care planning)<br />
- Contacting health care providers and patients with information about treatment alternatives<br />
- Reviewing qualifications of health care professionals<br />
- Evaluating performance of health care providers and/or health plans<br />
- Conducting training programs or credentialing activities<br />
- Supporting fraud and abuse detection and compliance programs<br />
45 CFR 164.501; 45 CFR 164.506(c)(4).<br />
Three conditions must be met when sharing PHI for the purposes stated above:<br />
- Both CEs must have or have had a relationship with the patient (can be a past or present patient);<br />
- The PHI requested must pertain to the relationship; and<br />
- The discloser must disclose only the minimum information necessary for the health care operation at hand.<br />
What is meant by the term ‘minimum necessary’?<br />
Covered entities are required to have reasonable minimum necessary policies and procedures to limit how much PHI is used, disclosed, and requested for certain purposes. Minimum necessary policies and procedures must also reasonably limit who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business.<br />
For example, the minimum necessary standard requires that a CE limit who within the entity has access to PHI, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule.<br />
The minimum necessary standard is not required among physicians discussing a patient’s medical chart for treatment purposes and does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes.<br />
Permitted Uses and Disclosures for Treatment<br />
The fact sheet titled ‘Permitted Uses and Disclosures: Exchange for Treatment’ explains how HIPAA supports sharing of PHI between and among health care providers in order to treat or coordinate care for their patients. CEs may disclose PHI (orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. 45 CFR 164.506(c)(2).<br />
Treatment is broadly defined to include:<br />
- the provision, coordination, or management of health care and related services by one or more providers, including the coordination or management of health care by a provider with a third party;<br />
- consultation between providers relating to a patient; or<br />
- the referral of a patient for care from one provider to another.<br />
45 CFR 164.501.<br />
The disclosing CE is responsible for the PHI until the recipient CE has received the information. HIPAA requires disclosing the PHI to the receiving CE in a permitted and secure manner, which includes sending the PHI securely and taking reasonable steps to send it to the right address. The receiving CE is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.<br />
Common HIPAA Questions<br />
Q. How should we ensure that we’re staying compliant with HIPAA Privacy and Security Rules when sharing PHI for purposes of treatment or operations?<br />
Many issues are covered under HIPAA Privacy and Security. Here are a few important reminders regarding permitted uses and disclosures:<br />
- HIPAA Security Rule compliance requires disclosure of electronic PHI by CEHRT.<br />
- Address permitted uses and disclosures in your Notice of Privacy Practices.<br />
- Follow minimum necessary policies and procedures and apply reasonable safeguards, as required by 45 CFR 164.502(a)(1)(iii).<br />
Q. What are the reasonable safeguard requirements?<br />
Reasonable safeguards vary from CE to CE depending on factors such as the size of the CE and the nature of its business. In implementing reasonable safeguards, CEs should analyze their own needs and circumstances, such as the nature of the PHI they hold, and assess the potential risks to patients’ privacy. CEs should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.<br />
Consider the following examples of appropriate administrative, technical, and physical safeguards:<br />
- Sign in sheet information is limited to the patient’s name, time of arrival, and the patient’s doctor<br />
- Fax machine is in a secure location and the “fax disclaimer” is on all outgoing faxes<br />
- The Notice of Privacy Practices is on your web site and there is no way to access PHI on that site<br />
- All computer screens are turned away from the patient’s view<br />
- Screen savers are set to go on after a short period of inactivity<br />
- No employee leaves his or her computer unattended while PHI is visible on the screen<br />
- Passwords are assigned only to those who should have access to PHI on the computers<br />
- Limit the information disclosed over a facility’s public announcement system to the minimum necessary<br />
- Outgoing mail only shows the minimum necessary information<br />
- All correspondence containing PHI that is received or sent from the facility is marked confidential<br />
- Signs are posted to restrict patient access to particular areas and to remind employees about confidentiality<br />
- Talk quietly and do not use the full name of the patient if not necessary and always use minimum necessary when discussing in public areas<br />
- E-mail “disclaimer” is on all outgoing messages<br />
- Medical charts on exam room doors should be turned inward so they do not have any visible information<br />
- Medical records are set face down when not in use<br />
The most comprehensive healthcare compliance course yet!<br />
The Fundamentals is a user-friendly, four-module online course designed to help healthcare professionals understand the essential principles and practices of compliance.<br />
Visit 1sthcc.com/shop and invest in yourself today!<br />
New Training Modules Now Available!<br />
Training<br />
Moneytalks: Medicare Part A and Part B Appeals<br />
Concerned about GDPR compliance?<br />
The UPIC Revolution: CMS Integrity Auditors 2.0<br />
Now featuring our How To Compliance Series!<br />
• HIPAA Security<br />
• Radiation Safety<br />
• OSHA for the Office Manager<br />
• OSHA Hazard Communication Standard<br />
Contact our Client Services Team with your questions!<br />
888.54.FIRST or clientservices@1sthcc.com<br />