Health Care Matters

A Complimentary Newsletter From:

Law Offices Of David S. Barmak, LLC

Partners to Skilled Nursing Facilities

Volume 10, Issue 5                               ADVERTISEMENT                           AUGUST 2009

In This Issue
HIPAA - Introduction to Data Security
Effective Compliance with HIPAA Requires More Than Initial Training
Privacy, Security and Compliance Officers: Who's Responsible for What?
Effective Compliance Plans Forestall Government Investigations
Compliance Officer Q&A
David S. Barmak, Esq. 
Licensed to practice law in the States of New Jersey, New York, Connecticut and Pennsylvania 
 
HIPAA - Introduction to Data Security
Data security, as it relates to HIPAA, involves the protection of individual health data through the implementation of policies/procedures and technologies that assure data integrity, confidentiality, and availability.  Individual health data includes any information that can be used to link a person to their medical records.  This information includes the patient's name, telephone number, social security number, medical record number, photographs, geographic region, and specific dates, such as birth, admission, discharge, or death.  The HIPAA security standard organizes the data security requirements into four main groups: (1) Administrative Procedures, (2) Physical Safeguards, (3) Technical Security Services, and (4) Technical Security Mechanisms.
 
(1) Administrative Procedures defines where individual health data are located and specifies formal procedures to protect these data.  Some of the processes included are the creation of a contingency plan to guarantee secure data backup and recovery, granting additional data access rights, incident handling, and employee termination procedures.  This section also covers policies and procedures for the ongoing maintenance of a secure information technology configuration including computer virus scanning and the routine evaluation of emerging vulnerabilities.
 
(2) Physical Safeguards - Many organizations already have some Physical Safeguards in place in the form of card access to buildings and formal visitor sign-in procedures.  This section expands upon these requirements by specifying additional measures to protect and recover data from physical disasters and intrusion.  One example of a procedure mandated by this section is the handling of data backup tapes.  With today's technology, your organization's entire patient database (not to mention other sensitive company information) can be stored on one magnetic tape that can easily fit into someone's shirt pocket.  You may have the ultimate security plan in place but if backup tapes are kept in relatively insecure places (near the server, on your desk, in your car, even in your own home) a malicious visitor can walk away with your entire organization's data.
 
(3) Technical Security Services and (4) Mechanisms protect the access and transmission of sensitive data.  Data access is controlled by the three 'A's: Authentication, Authorization, and Auditing.  Authentication services control who is allowed access to the network by requiring a unique user identity and one or more access control features (such as a password and/or fingerprint).  Authorization requirements define that different levels of data access can be assigned to different user identities.  Auditing control specifies that systems are in place to record all access to sensitive data and other critical system activity (such as the unauthorized modification of data access rights).  Finally, sensitive data that is transmitted outside of your corporate network must be encrypted so unintended recipients cannot read or alter the data.  
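To make the three 'A's concrete, the following is an added example (not code from the newsletter or its author): a toy patient-record store that requires authentication before any access, grants rights by role, and writes every access attempt, allowed or denied, to an audit trail, including a denied attempt to change access rights.  The roles, users, passwords and medical record number are constructed for the illustration.

```python
"""Toy illustration of HIPAA's three A's: Authentication, Authorization, Auditing."""
import hashlib
import hmac
import os

# Role -> permitted actions.  Constructed for the example; a real facility
# would derive these from its own policies and procedures.
ROLE_PERMISSIONS = {
    "nurse": {"read"},
    "physician": {"read", "write"},
    "security_officer": {"read", "grant_role"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not reversible if leaked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PHIStore:
    def __init__(self):
        self._users = {}      # user_id -> (salt, password_hash, role)
        self._sessions = set()  # user_ids that have authenticated
        self._records = {}    # medical record number -> PHI fields
        self.audit_log = []   # every access attempt, allowed or not

    def add_user(self, user_id, password, role):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt), role)

    def _log(self, user_id, action, target, allowed):
        # Auditing: record all access to sensitive data and critical activity.
        self.audit_log.append({"user": user_id, "action": action,
                               "target": target, "allowed": allowed})

    def authenticate(self, user_id, password):
        # Authentication: unique user identity plus a secret; constant-time compare.
        entry = self._users.get(user_id)
        ok = entry is not None and hmac.compare_digest(
            _hash_password(password, entry[0]), entry[1])
        if ok:
            self._sessions.add(user_id)
        self._log(user_id, "login", None, ok)
        return ok

    def _authorize(self, user_id, action):
        # Authorization: only an authenticated user whose role permits the action.
        if user_id not in self._sessions:
            return False
        role = self._users[user_id][2]
        return action in ROLE_PERMISSIONS.get(role, set())

    def read_record(self, user_id, mrn):
        allowed = self._authorize(user_id, "read") and mrn in self._records
        self._log(user_id, "read", mrn, allowed)
        return self._records[mrn] if allowed else None

    def write_record(self, user_id, mrn, data):
        allowed = self._authorize(user_id, "write")
        self._log(user_id, "write", mrn, allowed)
        if allowed:
            self._records[mrn] = data
        return allowed

    def grant_role(self, actor, target_user, role):
        # Changing access rights is itself audited, whether or not it succeeds.
        allowed = (self._authorize(actor, "grant_role")
                   and target_user in self._users and role in ROLE_PERMISSIONS)
        self._log(actor, "grant_role", f"{target_user}->{role}", allowed)
        if allowed:
            salt, pw_hash, _ = self._users[target_user]
            self._users[target_user] = (salt, pw_hash, role)
        return allowed


def demo():
    """Constructed scenario: a nurse reads a chart, then tries to promote herself."""
    store = PHIStore()
    store.add_user("nurse1", "correct horse", "nurse")
    store.add_user("dr_smith", "battery staple", "physician")
    store.authenticate("dr_smith", "battery staple")
    store.write_record("dr_smith", "MRN-0001", {"name": "Jane Doe", "dob": "1950-01-01"})
    store.authenticate("nurse1", "wrong password")            # denied and logged
    store.authenticate("nurse1", "correct horse")
    store.read_record("nurse1", "MRN-0001")                    # allowed
    store.write_record("nurse1", "MRN-0001", {})               # denied: nurses cannot write
    store.grant_role("nurse1", "nurse1", "security_officer")   # denied: rights change logged
    return store
```

Reviewing `store.audit_log` after `demo()` shows the failed login, the refused write and the refused privilege change alongside the permitted accesses, which is the trail an auditor or Security Officer would expect to find.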
 
New computer network vulnerabilities are discovered every day.  These vulnerabilities can come from malicious hackers who exploit inherent flaws in existing software, or from changes to your infrastructure that render existing security precautions obsolete.  Maintaining data security is a journey, not a destination.  Consistent and aggressive diligence is required to ensure the integrity, confidentiality, and availability of your data.
Effective Compliance with HIPAA Requires More Than Initial Training
Although your facility may have had a HIPAA Privacy training program, there are a number of reasons you should consider holding both a refresher course for those already trained and sessions for staff hired after the original training program.  Your budget may be tight this year, but money spent on training is assuredly less than the cost of questions raised as a result of the State Department of Health's survey, which includes compliance with privacy items, or of a potential investigation if a complaint is made with the Department of Health and Human Services' Office of Civil Rights. 
 
If litigation were to arise as a result of injury to a patient in a nursing home or assisted living facility, there is also a potential breach of privacy claim to be made by the resident's attorney.  In this hypothetical case, the expected baseline of compliance with privacy will be HIPAA rules and regulations.  If the facility can't prove that it met the minimum standards required by the federal HIPAA law, then a jury might find that the facility did not adequately protect the resident's privacy.  The jury will then have to decide if the breach of privacy is compensable.  The most effective way to defend a facility would be to have the Privacy Officer get on the stand and say that the facility met the minimum guidelines required by HIPAA and perhaps more.  HIPAA requires effective protection of resident privacy.  Clearly that requires on-going training.  But if the Privacy Officer can attest to on-going training, updating policies and procedures, using an outside consultant/lawyer to ensure compliance through periodic (even annual) auditing, and monitoring by the staff on a periodic basis (in between the annual audits), then it would be likely that a jury will, even if it finds there has been a breach of privacy, not find a reckless approach to protecting the resident's privacy, but a concerted effort to protect privacy and that "mistakes happen".
 
Primarily, the HIPAA regulations require "effective" compliance programs.  Effective compliance can only be had by:
  1. Training new employees;
  2. Retraining employees who have already been trained;
  3. Continually updating policies and procedures;
  4. Monitoring compliance.
Litigation Results and Annual Surveys
 
With litigation now underway, the courts are interpreting actual compliance with the HIPAA regulations that took effect in April 2003.  When these decisions are handed down, my offices will keep you informed of their impact on your compliance procedures.  In addition to the changes these decisions may require, the State Department of Health annual surveys are focusing on compliance with HIPAA:
  1. Are there policies and procedures in place?
  2. Are staff acting properly and in accordance with policies and procedures?
  3. Are active and discharged medical records kept in a secure location, and is access to those records monitored?
  4. Are protected "passwords" in place to limit access to resident data in your computer system?
  5. When nurses give medications, is the med-book left unattended?
  6. Are consent forms given by residents in the medical record, and are there assurances that they were obtained from residents?

Response to Requests for Medical Records

Some clients have told me that they are no longer honoring subpoenas from lawyers for medical records.  Instead, they insist on an explicit authorization from the patient or a court order.  If you have questions as to whether you should require a subpoena or court order, you should consult your legal counsel.
Privacy, Security and Compliance Officers: Who's Responsible for What?
Just when we thought we understood what it meant to be a Compliance Officer, we are now faced not only with understanding the role of a Privacy Officer but also the role of a Security Officer!  Let's see if we can define and differentiate among these roles.
 
Privacy Officer (PO):  Under the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Officer is responsible for:
  • Acting as the focal point among the staff for privacy compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with privacy laws and regulations.  To do so, the PO will need to ensure that federal and state privacy, security and confidentiality laws and regulations are adhered to.  In this capacity, the PO will need to coordinate efforts with the Security Officer (SO) in evaluating and monitoring operations and systems development that comply with privacy and security requirements.
  • Developing and implementing training programs in the area of privacy.  The PO will need to coordinate such programs with the SO with respect to security training programs.
  • Monitoring the effectiveness of the privacy program.  Coordination with the Quality Improvement Program Director is essential.
  • Coordinating efforts with the Compliance Officer (CO), the SO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the privacy policies and procedures.
  • Coordinating with the CO, SO and possibly other department heads regarding the investigation and resolution of patient complaints involving the area of privacy.
  • Participating as a member of the Compliance Committee.
Security Officer (SO):  Under the Health Insurance Portability and Accountability Act, the Security Officer is responsible for:
  • Acting as the focal point among both the technology and non-technology staff for information security compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with information security laws and regulations.  To do so, the SO will need to ensure that security standards are compliant with federal and state laws and regulations as they relate to health information.  In this capacity, the SO will need to coordinate efforts with the Privacy Officer (PO) in evaluating and monitoring operations and systems development that adhere to privacy and security requirements. 
  • Security policies and procedures will need to focus on, among other things:  Administrative security (e.g., processing records); Personnel security (e.g., ensuring that personnel have access only to confidential information that they have authorization to access); Physical safeguards (e.g., control of access to information media and workstations); Technical safeguards (e.g., access and authorization, and emergency procedures).
  • Developing and implementing training programs in the area of security.  The SO will need to coordinate such programs with the PO with respect to security training programs.
  • Monitoring the effectiveness of the security program.  Coordination with the PO is essential.
  • Coordinating efforts with the Compliance Officer (CO), the PO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the security policies and procedures.
  • Coordinating with the CO, PO and possibly other department heads regarding the investigation and resolution of privacy complaints involving the area of security.
  • Participating as a member of the Compliance Committee.

Compliance Officer (CO):  Under the Health Insurance Portability and Accountability Act, the Compliance Officer is responsible for:

  • Acting as the focal point among the staff for fraud and abuse compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with fraud and abuse laws and regulations.  To do so, the CO will need to ensure that federal and state fraud and abuse laws and regulations are adhered to.  In this capacity, the CO will need to coordinate efforts with the SO and PO in evaluating and monitoring operations and systems development that adhere to privacy and security requirements.
  • Developing and implementing training programs in the area of fraud and abuse.  The CO will need to coordinate such programs with the SO with respect to security training programs.
  • Monitoring the effectiveness of the privacy program.  Coordination with the Quality Improvement Program Director is essential.
  • Coordinating efforts with the PO, the SO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the privacy policies and procedures.
  • Coordinating with the PO, the SO and possibly other department heads regarding the investigation and resolution of patient complaints involving the area of privacy.
  • Participating as a member of the Compliance Committee.

Bear in mind that there is no requirement that each of these roles be filled by a different individual.  Depending upon the size of your office or facility, the most practical and economical decision may be to have one individual handle all three roles.  The key is effectiveness.  The approach taken should support the most effective compliance program.

Effective Compliance Plans Forestall Government Investigations
How does a health care provider best protect itself from a government fraud and abuse investigation?  Whether the investigation was the result of an innocent mistake or initiated under a whistle blower lawsuit ("qui tam"), the provider's degree of readiness to carry out its plan of action can make the difference between getting the government to walk away from an investigation rather than having to prove the provider's innocence at trial.
 
The best protection against a government enforcement action is to develop and implement an effective compliance plan.  The next best protection is to develop and train  employees on a plan of action for dealing with a government fraud and abuse investigation.  
 
Be prepared
 
Prior to any government investigation for fraud and abuse, the health care provider must have its policies and procedures, as well as its response team, in place.
 
Policies and procedures must be developed to address basic issues such as what to do when the federal agents present themselves at the receptionist's desk.  In such a situation, certainly the employer should be notified immediately.  However, the provider's attorney should also be notified immediately.  The attorney has many responsibilities under such circumstances, and time is of the essence when dealing with an impatient government agent.
 
Assemble the interdisciplinary team in advance
  
Who constitutes the team that will best protect the provider's interests during and following a government investigation?  All employees must know that during a government investigation, the provider's attorney will take control of the situation.  The provider's attorney, however, must be knowledgeable about how to deal with such investigations.  It is important for the attorney to also be able to assemble and command an interdisciplinary team of health care professionals who will assist the provider during this investigation.  Such professionals include, but are not limited to, a clinical and documentation expert, a certified coder and a forensic accountant.  All of these professionals would be brought in under the auspices of the attorney in order to preserve the attorney-client privilege as it relates to the work done by these professionals.  If a provider does not have a relationship with such an attorney, a relationship should be established now, far in advance of a possible government investigation.  Waiting until the need for such an attorney arises will not work.  The government agent will, it is assumed, have a valid search warrant and subpoena.  These court-approved documents do not give the provider time to interview and assemble a brand new defense team.  All such defense decisions and efforts must be put in place prior to the government's arrival.
 
Next steps for the staff
 
The government is at the door.  The receptionist has called the employer and the attorney.  What next?  A plan must be in place that calls for notifying all employees that a government investigation is underway.  If a compliance plan has been implemented, then all employees will already be rehearsed as to what to do.  If a compliance plan has not been implemented, then at least a procedure must have been prepared and adopted to communicate immediately to all employees:  "The provider plans on cooperating fully with the government investigation.  All questions and concerns must be addressed directly with our attorney."  
 
Immediate concerns
  • Press inquiries:  Direct to the attorney.  Terse statements of denial from an experienced attorney are critical during a government investigation.
  • Search warrants and subpoenas:  Direct to the attorney.  The attorney must determine the validity and scope of the search warrant and subpoena.  If there is no valid search warrant, the government's investigation should stop there.  If the attorney is not on the scene and the employees acquiesce to the government agents' requests to review and seize documents, the lack of a search warrant will matter little after the employees have consented to the government's requests.  A subpoena for records does not warrant a search of the provider's office or facility.  It is critical for the attorney to review carefully the scope and breadth of the search warrant or subpoena.
  • Record destruction or loss:  The provider must meticulously record all documents that are handed over to the government. Videotaping this action may be helpful to further record not only that which is given to the government but also to record government behavior that may or may not be deemed illegal upon later review.
  • Employee protection:  The attorney will advise the employees that they do not need to answer the questions of the government's agents; however, a direct admonishment or command to not do so may risk an obstruction of justice charge against not only the provider but the attorney.  Nevertheless, the attorney is needed to ensure that the government's agents do not intimidate the employees.
  • Communication with key employees:  While information shared with key employees may have initially been deemed protected as confidential, the provider may choose to disclose that information to the government.  Again, this is a decision requiring attorney advice. The important point is that the attorney represents the provider, not the key employees.  Therefore, key employees may be advised to hire their own attorneys.  This highlights the importance of determining much earlier what communications from whom will be protected under the attorney-client privilege.  

Cooperation is best accomplished by advance planning.  

It is critical for the provider to appear willing to cooperate with the government agents.  Such an approach may hasten agent recognition that an innocent mistake was made and may prompt the government to walk away.  No broad investigation, no adverse rulings, no adverse publicity.  At the same time, a thoroughly prepared plan shared with all of the employees as part of a compliance plan (ideally) maximizes the provider's ability to protect its interests while appearing to cooperate fully with the government. 
 
Unfortunately, lack of planning can result in an innocent mistake easily and quickly snowballing into charges of obstruction of justice or witness tampering.  That is not in the provider's best interests.  The government always wins in such situations, even when it loses.  Time, money, and public relations are just some of the costs involved in achieving such a pyrrhic victory.  In other words, we don't want to win the battle but lose the war.
Compliance Officer Q & A
Question:   Every 3 months our facility's Compliance Attorney and I conduct a Compliance Committee meeting which is made up of all of our department heads. Afterwards, my administrator and I receive a Compliance Program Work Plan from our Compliance Attorney. What am I supposed to do with this Work Plan?
 
Answer:
A Corporate Compliance Program must, in reality and in perception, be dynamic and not static. To ensure this, it is very important that after your Compliance Attorney and you meet with your Compliance Committee, you carefully review the Compliance Program Work Plan submitted to you by your Compliance Attorney. Check to see that every compliance issue that was discussed with your Compliance Attorney and Compliance Committee is listed on the Compliance Program Work Plan. Check also to ensure that the Compliance Program Work Plan reflects every compliance issue that was completed and that all next steps are listed. For example, an Activities Director at a skilled nursing facility complained that the subacute unit was not providing patient intake information to her staff on a timely basis. By the time the Activities Department received the information, the sub-acute patient was ready for discharge. The Activities Director was concerned not only that her staff was not making the sub-acute stay as meaningful, helpful and interesting as possible, but also that the facility might be accused of substandard quality of care for lack of her department's timely participation. With the help of the Compliance Committee the issue was resolved. This issue and its resolution were identified as "Completed" on the Compliance Program Work Plan. If and when the federal and/or state authorities investigate this facility for substandard quality of care (which is the Office of Inspector General's top priority for skilled nursing homes), this facility will be able to point to this and numerous other examples of "Completed" efforts to address substandard quality of care allegations in order to negate any accusation of intent, thereby eliminating any possible criminality. Criminal accusations bring potential prison terms and debarment from Medicare and Medicaid. Civil accusations bring potential monetary fines. The latter is certainly preferable to the former! 
When you receive the Compliance Program Work Plan, review and discuss it with your administrator and your Compliance Attorney. Look to ensure that it is accurate, complete and adequate as a roadmap to move forward until the next Compliance Committee meeting.
Law Offices Of David S. Barmak, LLC
David Barmak established his health care law firm in 1984 to deliver legal services, both in transactions and litigation, to organizations and professional practitioners in the health care field.  We call this approach "Enterprise-Wide Risk Management" because it includes three important facets:
  1. Counsel and advisement on all aspects of legal risk, from setting up the entity to corporate governance and compliance;
  2. Protection of your practice or business through litigation prosecution or defense in the Courts; as well as regulatory compliance and licensure issues before government agencies; and
  3. Operations improvement through the implementation of enterprise-wide onsite audits, programs and training seminars in the areas of, but not limited to, Fraud and Abuse, HIPAA Privacy and Data Security, Employment, A/R Management, Emergency Preparedness, and Workplace Violence.

David S. Barmak, Esq. received his JD from Cornell University and BA from Duke University.  He is licensed to practice and serves clients in the States of New Jersey, New York, Connecticut and Pennsylvania.  Before making your choice of attorney, you should give this matter careful thought.  The selection of an attorney is an important decision.  The recipient may, if the newsletter is inaccurate or misleading, report the same to the Committee on Attorney Advertising. 

For more information, please contact us:
Telephone (609) 688-0055
Fax (609) 688-1199
Disclaimer:  The contents of this newsletter are presented as general information.  Legal advice and opinion can only be provided upon individual consultation.
© 2009.  All Rights Reserved.