Click on the graphic to the right to view a pdf of this issue of Corridors.
On August 4, 2017, the Internal Revenue Service (IRS) released its first revocation of a hospital’s tax exemption under Internal Revenue Code (IRC) Section 501(c)(3) for failure to comply with Section 501(r) of the Affordable Care Act.
At the end of last year, OSHA began enforcing new regulatory rules expanding the requirements for employers reporting and submitting workplace injury and illness records. The new reporting requirements also contain new anti-retaliation regulations. These new provisions include the ability of OSHA compliance officers to issue citations to hospitals and other employers based upon alleged retaliation, even in the absence of any employee complaint. A citation can be issued solely based upon the written requirements of the employer’s safety plan.
Check those Form I-9s! It is a good time for hospitals and health systems to conduct an internal audit of I-9s because inspections and fines have not gone away and a new I-9 edition was published recently. In June 2017, an Administrative Law Judge in the Office of the Chief Administrative Hearing Officer fined a staffing company $276,000, reduced from the $367,000 originally imposed by Immigration and Customs Enforcement (ICE). While this is less than the highest fine of $605,250 imposed in 2015 on an events planning company for incomplete I-9s (there were only four missing I-9s out of 339 employees), the reason for the staffing company’s fine was a failure to produce the I-9s to ICE within three days of its request. So “Rule No. 1” to be taken from this latest large ICE fine: have complete I-9s ready and available for inspection at all times.
Apparently prompted by the recent wave of high-profile ransomware attacks, the Department of Health and Human Services’ Office of Civil Rights (OCR) has reminded hospitals, healthcare systems, and other covered entities and business associates of their cybersecurity obligations. The reminder follows a previous warning that unless the affected covered entity or business associate can establish that there is a low probability that personal health information (PHI) has been compromised, a breach is presumed to have occurred.