In This Issue
Scaling the Mountain of Patient Privacy – Avoiding Privacy Breaches
Keeping Your Compliance Program Healthy – Essentials of an Effective Evaluation Process
Scaling the Mountain of Patient Privacy – Avoiding Privacy Breaches
by Pam Scott
Hospitals face ongoing
challenges in protecting the confidentiality and privacy of patient
information as technological advances increase the availability of and
threats to electronic information maintained by hospitals and other
providers. Sensitivity regarding the privacy of personal information has
heightened patients’ expectations of health care providers in this area.
Patients have reason to be concerned. It seems that every week the
headlines are filled with new horror stories:
- sensitive personal data of hundreds of thousands of individuals stolen by
  hackers from corporate, institutional or government databases or servers;
- laptops or disks containing a myriad of patient health and personal
  information lost or stolen from offices or employees’ homes or cars;
- mass e-mails or online postings at public websites of patients’ health
  histories; and
- perhaps worst of all - errant or disgruntled employees or contractors
  taking identifying information and using it to run up huge credit card
  bills in patients’ names.
No hospital wants its
patients or the organization itself to face such a nightmare. In this
information age, ensuring the privacy and security of patients’ personal
information is an inherent part of caring for their health and
well-being. It also is a necessary commitment for hospitals to avoid
potential regulatory sanctions or civil liability for breaches of health
care confidentiality or identity theft.
Hospitals are entrusted with
two broad categories of information that their patients expect them to
guard zealously: (1) health information and (2) personal identity
information. The confidentiality and security of patients’ health
information is governed in large part by federal privacy and security
regulations adopted pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and North Carolina rules governing
patients’ rights. The privacy and security of patients’ other personal
information is protected by a growing body of law designed to thwart the
exponential growth of identity theft. North Carolina’s Identity Theft
Protection Act, adopted just last year, restricts the collection,
disclosure, and dissemination of personal identifying information that
can be used to access a person’s financial resources or to engage in
identity theft, such as a Social Security number, driver’s license
number, checking or savings account number, or credit or debit card
number.
Avoiding Privacy Breaches - Common principles and strategies apply in preserving the
confidentiality of patients’ health information and personal identifying
information. Because each hospital is unique, there is no cookie-cutter
HIPAA compliance plan and privacy protection strategy that suits all
providers. However, there are a number of universal threads that can be
used to create a comprehensive and successful patient privacy strategy.
Hospitals can improve their efforts to protect patient information and
help avoid privacy breaches by taking the following steps:
The Human Factor
- Orient and train all new employees regarding the importance of patient
  privacy and the policies and mechanisms your facility has established to
  protect patients’ health care and personal identity information. Assign a
  manager or other appropriate personnel to monitor new employees’
  compliance with privacy and security protocols.
- Create a culture of awareness. Train all employees to be aware of and
  question potential threats to patient data, such as strangers roaming the
  halls of the administration offices, strangers or unauthorized individuals
  seeking information regarding a particular patient, unusual incidents
  involving the database or computer operations, policies and procedures
  that are not as protective as they could be, and co-workers who exhibit a
  cavalier attitude toward patient privacy.
- Provide continuing education regarding privacy and security policies and
  practices to all employees at least once a year. Consider incorporating
  role-playing exercises to actively test employees’ understanding of
  privacy and security policies and mechanisms.
- Restrict employees’ and contractors’ access to only the patient
  information they need to perform their jobs.
- Immediately terminate former employees’ and contractors’ access to the
  facility and its computers.
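The last two items above (need-to-know access and prompt removal of former employees’ access) are the ones an IT or compliance team can check mechanically. The following is an added example, not code from the article or from Poyner Spruill: it reconciles a hypothetical HR roster against the account list of a hypothetical records system and reports enabled accounts that belong to departed workers, accounts with no HR owner at all, and accounts holding data scopes their owner’s role does not need. The role matrix, roster, account list and review date are all constructed sample data.

```python
"""Periodic access review for a records system (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Data scopes each job role needs to do its work (the "minimum necessary").
# Constructed sample matrix; a real one would come from the hospital's own policy.
ROLE_SCOPES: Dict[str, Set[str]] = {
    "nurse": {"clinical_notes", "medications"},
    "billing": {"demographics", "insurance", "ssn"},
    "scheduler": {"demographics"},
}


@dataclass(frozen=True)
class Worker:
    """One HR roster entry. end_date is None while employed or under contract."""
    user: str
    role: str
    end_date: Optional[date]


@dataclass(frozen=True)
class Grant:
    """One account in the records system and the data scopes it can read."""
    user: str
    scopes: FrozenSet[str]
    enabled: bool


# Constructed sample roster and access list (hypothetical users).
ROSTER: List[Worker] = [
    Worker("alice", "nurse", None),
    Worker("bob", "billing", date(2024, 3, 1)),     # left in March, account still on
    Worker("carol", "scheduler", None),
    Worker("frank", "billing", date(2024, 3, 1)),   # left in March, account already off
]
GRANTS: List[Grant] = [
    Grant("alice", frozenset({"clinical_notes", "medications"}), True),
    Grant("bob", frozenset({"demographics", "insurance", "ssn"}), True),
    Grant("carol", frozenset({"demographics", "ssn"}), True),  # ssn not needed to schedule
    Grant("dave", frozenset({"clinical_notes"}), True),         # no HR record at all
    Grant("frank", frozenset({"demographics"}), False),
]

Finding = Tuple[str, str, str]  # (user, finding_kind, detail)


def review_access(roster: List[Worker], grants: List[Grant], today: date) -> List[Finding]:
    """Return findings for enabled accounts that should be disabled or trimmed.

    - "orphaned":   account with no HR roster entry (nobody to vouch for it)
    - "terminated": account whose owner's end_date has passed
    - "excess":     account holding scopes its owner's role does not need
    """
    by_user = {w.user: w for w in roster}
    findings: List[Finding] = []
    for g in grants:
        if not g.enabled:
            continue  # already deprovisioned; nothing to report
        worker = by_user.get(g.user)
        if worker is None:
            findings.append((g.user, "orphaned", "no HR roster entry"))
            continue
        if worker.end_date is not None and worker.end_date <= today:
            findings.append((g.user, "terminated", "left " + worker.end_date.isoformat()))
            continue  # the whole account should go; scope detail is moot
        allowed = ROLE_SCOPES.get(worker.role, set())  # unknown role => needs nothing
        extra = sorted(g.scopes - allowed)
        if extra:
            findings.append((g.user, "excess", "not needed by role: " + ", ".join(extra)))
    return sorted(findings)


def sample_review() -> List[Finding]:
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(ROSTER, GRANTS, date(2024, 6, 1))


if __name__ == "__main__":
    for user, kind, detail in sample_review():
        print(f"{user:8} {kind:10} {detail}")
```

Run against the sample data, the review reports bob (terminated but still enabled), carol (holds `ssn`, which a scheduler does not need) and dave (no HR owner); alice is clean and frank is skipped because his account is already disabled. In practice the roster and grant lists would be exported from the HR system and the application on a schedule, and each finding would feed the deprovisioning or scope-trimming ticket queue.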
Securing Patient Data
- Develop and enforce comprehensive privacy and security plans that meet
  the needs of your organization and its patients, consulting with legal
  counsel and IT specialists as appropriate. Routinely test and reassess
  privacy and security policies, practices, and mechanisms.
- Install and periodically test firewalls and intrusion detection and
  prevention systems for the facility’s computer network.
- Secure laptops and desktop computers with password protection and
  automatic log-off and shutdown functions. Ensure passwords are
  periodically changed and meet minimum standards to deter hacking.
  Implement physical safeguards such as building security systems, locked
  doors, and secure office areas with limited access.
- Limit off-site access to patient information to the absolute minimum
  necessary. Private patient data should be made available only through
  secure remote access to a secure network.
- Limit employees’ removal of patient data and records from the office to
  the absolute minimum necessary. In the case of paper records, employees
  working off-site should use copies and leave originals in the office.
  Keep track of all patient data or records removed from the office.
  Patient data and records should be stored in secure areas while in
  transit or in employees’ homes.
- When patient data must be stored or created away from the facility’s
  secure database or computer network, do not save patient information on
  computer hard drives. Instead, store this information on portable media
  that can be removed and securely stored away from desktops and laptops
  when the computers are not in use.
- Encrypt all patient health and personal information stored on databases,
  networks, backup tapes, and wireless devices.
- Securely dispose of patient information in accordance with a
  comprehensive record retention and destruction policy. Shred paper
  records. Permanently erase all patient information from computer
  hardware, backup tapes and other storage media before disposing of or
  recycling them.
- Create backups of patient data and store them at a secure location
  off-site.
By being attentive to these
privacy and security issues, hospitals can significantly enhance the
care they provide and give patients greater peace of mind regarding the
privacy of their personal information.
The next issue of
Corridors will include Part II of this article, which discusses what
to do when a privacy breach occurs.
Pam Scott is a member of
our Administrative Law Team. You may contact Pam at 919.783.2954 or
pscott@poynerspruill.com.
Keeping Your Compliance Program Healthy – Essentials of an Effective Evaluation Process
By Chris Brewer
Hospitals have important responsibilities relating to corporate
compliance requirements that are unique to the health care industry.
Today’s operational environment, which requires hospitals to navigate
the complex laws and regulatory requirements governing health care
business practices, underscores both the necessity of having an
effective compliance program in place and the risks associated with
failing to implement and maintain such a program. These risks arise under
the laws against fraud and abuse, the False Claims Act, Sarbanes-Oxley,
and tax and securities laws, among many others.
A compliance program incorporates standards and comprehensive strategies
designed to ensure the organization’s compliance with applicable laws,
regulations and policies. In the health care context, its primary
objectives are (1) to ensure that claims submitted to federal, state and
private payors are consistently accurate and defensible and (2) to
maintain quality of care and patient safety. In today’s regulatory
environment, it is not sufficient simply to put a good program in place
without following up at regular intervals with monitoring and auditing
that continue to test and confirm compliance.
Design and Implementation - The Health Care Compliance Association’s
resource titled “Evaluating and Improving a Compliance Program” suggests
that an effective compliance program should be designed in a manner
which:
- Addresses the organization’s business activities and consequent risks;
- Educates those persons whose jobs could have a material impact on those
  risks;
- Includes auditing and reporting functions designed to measure the
  organization’s actual compliance and the effectiveness of the program,
  and identifies problems as quickly and as efficiently as possible;
- Provides for the prompt remediation of problems that are identified; and
- Contains enforcement and discipline components that ensure employees
  take their compliance responsibilities seriously.
Responsibilities within a Hospital Organization - The hospital
compliance officer has the primary responsibility for developing and
implementing the compliance program. Executive management should support
the efforts of the compliance officer by providing adequate resources
and by ensuring that a well-designed compliance program is effectively
implemented. In exercising both its duty of care and oversight
functions, the Board of Directors has the obligation to monitor and
provide guidance during development of the compliance program and to
ensure that an effective plan is adopted.
Recent Developments
Ongoing Evaluation and Assessment - While design and implementation are
obviously the critical first steps in building and operating an
effective compliance program, government enforcement and oversight
agencies have recently indicated an increased focus on the importance of
continuous evaluation and assessment and, when appropriate, taking steps
to enhance an existing compliance program. This includes the following:
- The U.S. Department of Justice’s consideration of compliance-related
  factors in making charging decisions, including “efforts to implement an
  effective compliance program or to improve an existing one;”
- Compliance-related changes to the organizational Federal Sentencing
  Guidelines include “ongoing active oversight and monitoring of the
  compliance and ethics program;” and
- The 2005 Supplemental Compliance Program Guidance for Hospitals from the
  Office of the Inspector General (OIG) strongly advises hospitals to
  “regularly review the implementation and execution of their compliance
  elements” and provides guidance to assist hospitals “in identifying
  significant risk areas and in evaluating and, as necessary, redefining
  ongoing compliance efforts.”
DRA and Ethical Components - Whether
designing and implementing a new program or monitoring and revising an
existing one, hospitals that qualify as “covered entities” should comply
with the Deficit Reduction Act of 2005 (DRA). The DRA requires all
health care providers that “make or receive” annual Medicaid payments of
$5 million or more (“covered entities”) to provide their employees,
contractors, and agents: (1) detailed information in written policies
about the federal False Claims Act and any state laws pertaining to
civil or criminal penalties for making false claims and statements to
the government or its agents; and (2) information regarding the
organization’s compliance plan for detecting and preventing fraud and
abuse. Also, consistent with the latest changes in the Federal
Sentencing Guidelines, the compliance program should include a
significant ethics component. In its 2005 Guidance, the OIG recommends
that hospitals include a statement of the organization’s “ethical and
compliance principles” to guide its operations.
Quality of Care - The OIG suggests in
recently released guidance that an “effective” compliance program should
not only detect and deter legal violations but must be designed to
assess and maintain compliance in the quality of care arena as well. In
its recent guidance, titled “Corporate Responsibility and Health Care
Quality: A Resource for Health Care Boards of Directors” (released
jointly with the American Health Lawyers Association), the OIG states
that hospital directors have a “concomitant duty to recognize the
emerging legal and compliance issues associated with quality of care
initiatives, and to direct executive leadership to address these
issues.”
Evaluation and Assessment are Critical
The recent emphasis and importance given by government oversight agencies to
the evaluation and assessment of a health care organization’s compliance
program should serve as a mandate for every hospital to conduct regular,
in-depth examinations of its program to determine whether it is
operating effectively and accomplishing its intended goals. The OIG
recommends such a review “be conducted at least annually and should
include an assessment of each of the basic individual elements, as well
as the overall success of the program.” One goal of the evaluation
should be to identify deficiencies and problem areas and correct them
before they create a significant risk to the hospital.
Evaluation Process - Regardless of
the hospital’s decision to use internal or external resources to perform
auditing and monitoring functions, the persons assigned should be
well-trained and independent from the areas to be audited and must be
given the authority and access necessary to conduct a successful review.
A primary objective should be to look for concrete evidence proving that
the key elements of the hospital’s compliance program are functioning
effectively. Methods to accomplish this may include interviews with
department managers and staff, analysis of documents and records,
employee questionnaires, and on-site reviews.
Role of the Compliance Officer - The
compliance officer plays the key role in the evaluation and assessment
of the hospital’s compliance program. The compliance officer not only
must establish and oversee the auditing and monitoring plan but must
continuously review its effectiveness and make changes to the plan when
necessary. It is also the responsibility of the compliance officer to
report audit findings to management and the Board of Directors and to
work with them to ensure that appropriate corrective actions are
implemented to address any identified weaknesses or deficiencies.
Conducting a Risk Assessment
A good place to begin is by conducting a risk assessment to identify
weaknesses or deficiencies that may pose a significant danger to the
hospital. Among other things, the assessment should include a review of
the following: (1) issues previously discovered and thought to be
corrected; (2) information gleaned from employee and consumer complaints
and surveys; (3) findings of any recent audits conducted by outside
agencies; (4) new regulatory guidance from oversight agencies and how
effectively it was communicated and implemented; and (5) available data
demonstrating how well the hospital complied with its own internal
policies and procedures, as well as those mandated by outside
authorities. Once risk areas have been identified and objectively
prioritized, the hospital can better design its evaluation process to
focus on and address the areas of greatest risk.
Monitoring Key Elements
In addition to the areas identified by the risk assessment, the hospital’s
evaluation should examine the following key elements of its compliance
plan.
Policies and Procedures Including Standards of Conduct
- Are they clear and understandable, and have they been adequately
  distributed and communicated to staff?
- Are they being followed in actual practice?
- Are violations being detected and corrected?
- Are responses and disciplinary actions appropriate?
- Are there systems in place to identify needed modifications and updates,
  and are those systems working?
Training and Evaluation
- Have adequate training sessions been conducted by qualified trainers
  covering appropriate topics, including changes in internal and external
  policies and procedures?
- Does the hospital have systems in place to measure the effectiveness of
  its training programs?
- Does the Compliance Department keep track of employee education to ensure
  employees have completed required training, and does it maintain
  documentation to show that trainings were completed?
Effective Lines of Communication
- Have enforcement and disciplinary standards been clearly and effectively
  communicated?
- Has the hospital created and fostered an environment that encourages
  employees to report their concerns without fear of retaliation?
- Have adequate mechanisms been provided for employees to communicate
  concerns?
- Are reports of suspected non-compliance adequately tracked and documented
  to ensure they are fully and timely investigated and addressed?
- Are executive management and the Board of Directors provided information
  on a regular basis regarding reports, inquiries, and results of any
  investigations and corrective actions taken?
Response and Enforcement
- Are reports of suspected non-compliance promptly and thoroughly
  investigated?
- Are employees, contractors, and medical and clinical staff adequately
  screened and checked against appropriate databases?
- When non-compliance is confirmed, is appropriate corrective action taken,
  including measures to prevent recurrence?
- Are disciplinary standards fairly and consistently enforced, and
  enforcement actions thoroughly documented?
Benefits of an Effective Compliance Program
Allocation of resources to an effective compliance program is a good
business investment. A hospital that has developed and implemented an
effective evaluation and assessment plan for its compliance program will
not only benefit from having met government oversight requirements, but
it will also reap the many benefits of a successful compliance program.
These benefits include:
- Getting claims paid more promptly and efficiently by improving claims
  accuracy and reducing denials;
- Reducing exposure to federal and state criminal, civil and/or
  administrative liability for fraudulent or false claims, and reducing the
  likelihood of whistleblower lawsuits;
- Reducing exposure to collateral consequences such as exclusion,
  disbarment or similar sanctions at the federal and state level;
- Enhancing quality of care and patient safety;
- Improving communication within the hospital system and avoiding
  duplication of effort;
- Improving employee performance and morale by establishing and enforcing
  high standards of operational and ethical behavior; and
- Enhancing the hospital’s reputation in the community and promoting public
  and investor confidence.
For a hospital to design, implement and maintain an effective compliance
program requires significant energy and resources. However, a program
that prevents submission of false claims, addresses employees’ concerns
before they resort to whistleblower lawsuits, avoids the monetary and
non-monetary consequences of government enforcement actions, and
improves the quality of patient care represents a truly worthwhile
investment.
If you are interested in obtaining copies of the resource materials
referenced in this article, please contact Chris Brewer, who will be
happy to provide information on how they may be easily accessed.
Available resources include: (1) Health Care Compliance Association’s
“Evaluating and Improving a Compliance Program – A Resource for Health
Care Board Members, Health Care Executives and Compliance Officers,”
April 2003; (2) USDHHS-OIG and American Health Lawyers Association’s (AHLA)
“An Integrated Approach to Corporate Compliance: A Resource for Health
Care Organization Boards of Directors,” July 2004; (3) USDHHS-OIG and
AHLA’s “Corporate Responsibility and Corporate Compliance: A Resource
for Health Care Boards of Directors;” (4) USDHHS-OIG’s “Supplemental
Compliance Program Guidance for Hospitals,” January 2005; (5) AHLA’s
“IRS ‘Good Governance’ Practices Analysis and Annotations,” May 2007;
and (6) USDHHS-OIG and AHLA’s “Corporate Responsibility and Health Care
Quality: A Resource for Health Care Boards of Directors,” June 2007.
Chris Brewer is a member of our Health Care Team. You may contact Chris at
919.783.2891 or cbrewer@poynerspruill.com.