NEWS AND VIEWS FOR PTs
A complimentary newsletter from
MAILLY INGLETT & BARMAK, LLC
Educators and Consultants to Physical Therapists
MARCH, 2011 - Volume 2, Issue 3 |
|
|
|
|
|
Action Plan For Providers and Suppliers: Breach of Protected
Health Information |
The Philadelphia Inquirer recently reported that Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, two regional and sizeable insurance companies, lost a portable computer drive containing sensitive client information at a community health fair. Neither insurance company is apologizing for having brought their members' unencrypted health information to the fair. "By having this information readily available, we are able to save lives," said Donna Burtanger, vice president of communications for the firms.
Apparently company officials realized on September 20, 2010 that a portable drive containing the records of 285,691 Medicaid clients was missing. When the companies announced the security breach, a statement said the records were on a "flash drive for use at community health fairs." Burtanger also disclosed "That flash drive was never intended to leave the building."
The two insurance companies service 400,000 eastern Pennsylvania members on medical assistance. The insurers, she said, had been working to improve a method for allowing encrypted patient information to be available to company representatives at local health events. The drive was being used at headquarters to test the new system, she said. However, the information on the missing portable drive was not encrypted. It was also reported that the two companies had embarked on an initiative to encrypt all company data, including data on devices such as laptops or flash drives that would be used outside the building.
The September 20 incident occurred before the initiative was completed. The insurance companies would set up a booth at a community fair and when a member of the insurance carrier stopped by the booth, a representative of the insurance companies would check to see what the member's health history was; e.g.; when the member's last mammogram was, and then schedule an appointment for a mammogram.
The representative was not sure where the flash drive was: lost, thrown away or possibly stolen. The majority of the missing records, 285,691, containing health-plan identification numbers and results of recent screenings, did not contain member names. A total of 2,203 records did contain names with varying combinations of addresses, member identification numbers, and telephone numbers. Names and all or part of Social Security numbers are included on 808 records. The representative said that free credit monitoring would be provided to those whose Social Security numbers were involved and that letters to members would be sent out announcing a toll-free number for assistance.
HIPAA and HITECH
What Constitutes a Breach of PHI?
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) govern protected health information (PHI) privacy and security provisions. In summary, Covered Entities, such as the above mentioned insurance companies, have a duty to mitigate, to the extent practicable, any harmful effect known to the Covered Entity and / or Business Associate of a use or disclosure of PHI in violation of its policies and procedures or the requirements of HIPAA, HITECH and applicable regulations. If the Business Associate alone is aware of the breach, the Business Associate must report unauthorized uses, disclosures and security breaches to the Covered Entity. Many states also require notice to the affected individual in the event of improper use or disclosure of PHI.
A breach of PHI is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI. "Unsecured PHI" refers to PHI that is not secured in accordance with certain technology or methodology specifically identified by the Department of Health and Human Services that makes the PHI unreadable, unusable or indecipherable to unauthorized individuals. At this time, "secured" involves either encrypting or destroying the PHI.
What To Do If a Breach of PHI Occurs
If a breach does occur, the Covered Entity and / or the Business Associate must notify the affected individual (and the Business Associate must notify the Covered entity if the latter is unaware of the breach) within a reasonable amount of time but no later than sixty (60) days after the discovery of the breach.
Individuals must be notified promptly by first-class mail at the last known address of the individual or by electronic mail if the individual has agreed to such means. Notification must be on-going in one or more mailings as information about the breach becomes available.
If there is out-of-date or insufficient contact information regarding the individual whose PHI has been inappropriately used or disclosed, a substitute form of notice is deemed to be acceptable. For example, if there are ten (10) or more such individuals, a posting must be placed on the home page of the web-site of the Covered Entity and / or Business Associate involved or notice must be placed in major print or broadcast media in geographic areas where the affected individuals of the breach most likely reside. A toll-free telephone number should also be included in the media or web notices. Individuals can then call to determine if their PHI is included in the breach. Telephone calls may also be used to communicate notice to affected individuals if time is of the essence. If more than five hundred (500) individuals have been affected by the breach of unsecured PHI, notice must be provided to major media outlets serving the geographical area affected.
The Covered Entity must notify the Department of Health and Human Services (DHHS) of unsecured PHI that has been acquired or disclosed in a breach. If five hundred (500) individuals or more have been affected, then notice to DHHS must be immediate. If less than five hundred (500), then the Covered Entity may maintain a disclosure log and submit such a log annually to DHHS.
The notice of breach must include the following:
- a brief description of what happened including the date of the breach and the date of discovery of breach
- a description of the types of unsecured PHI involved in the breach;
- steps individuals affected by the breach should take to protect themselves from possible harm from the breach;
- a brief description of what the Covered Entity and/or Business Associate is doing to investigate the breach, mitigate losses and protect the individual from repeated breach;
- means for the affected individual to ask questions or information including a toll-free telephone, a web mailing address or e-mail address.
|
|
|
Question:
Do you know if an EOB is considered part of a patient's record and if so, does an ERA need to be downloaded and stored either in the patient's record or on a storage device?
Response:
The "patient record" for PT is defined in N.J.A.C. 13:39A-3.1:
(c) The patient record shall include, in addition to personal identifying information, consents and disclosures, at least the following information:
1. The full name, as it appears on the license, of the licensee who rendered care, identification of licensure status (PT or PTA), and license number. This information shall be legible and shall appear at least once on each page of the patient record;
2. Dates of all examinations, evaluations, physical therapy diagnoses, prognoses including the established plans of care, and interventions;
3. The findings of the examination including test results;
4. The conclusion of the evaluation;
5. The determination of the physical therapy diagnosis and prognosis;
6. Documentation of health care practitioner referrals, if any:
7. A plan of care establishing measurable goals of the intervention with stated time frames, the type of intervention, and the frequency and expected duration of intervention;
8. A contemporaneous note that accurately represents the services rendered during the treatment sessions including, but not limited to, the components of intervention, the patient's response to intervention and current status;
9. Progress notes in accordance with stated goals at a frequency consistent with physical therapy diagnosis, evaluative findings, prognosis and changes in the patient's conditions;
10 .The signature or initials and license number of the licensee who rendered care. If the licensee chooses to sign by means of initials, his or her complete signature and license number shall appear at
least once on every page;
11. Changes in the plan of care which shall be documented contemporaneously;
12. Communication with other health professionals relative to the patient's care;
13. A discharge summary which includes the reason for discharge from and outcome of physical therapy intervention relative to established goals at the time of discharge; and
14. Pertinent legal document(s)
As you see above, the regulation includes no definition for "pertinent legal documents", but an Explanation of Benefits (EOB) and Electronic Remittance Advice (ERA) certainly could arguably be described as such. More importantly, such records could certainly be requested in an administrative or legal proceeding, and could thus be considered "required" in the broadest sense. Furthermore, it is important to understand that documentation is always ones best, and sometimes only defense when one is accused of wrongdoing. The absence of such records can therefore be very damaging to that defense.
Given the above, it would likely be advisable to maintain such records, either electronically or in hard copy form, along with the patient records for a minimum of seven years. Perhaps most importantly; the determination of what constitutes a patient record, or what constitutes pertinent legal documents, is ultimately made by either administrative agencies and/or the courts.
Question:
Do the massage therapists have a practice act, rules and regulations? This massage therapist advertises laser therapy. I will report her to the BOPTE since infrared light is covered under our practice act and therefore she is practicing physical therapy.
http://www.lasertherapyandmassage.com/About_Me
Response:
Massage Therapists do have a practice act; which you may recall was amended last year to create licensure, their own Board, and will require new regulations to comply with the new Act. Their current law and regulations can be found in Subchapter 16 of the Nursing regulations, which can be accessed here: http://www.njconsumeraffairs.gov/massage/mbs_rules.htm .
Massage Therapists will continue to be regulated by the Board of Nursing until their own Board is created and regulations are adopted, but their current regulations prohibit "Treatment or diagnosis of illness, disease, impairment or disability."
Complaints or concerns regarding the activities of Massage Therapists can be filed using this form:
http://www.njconsumeraffairs.gov/complaint/masscom.pdf or via letter with similar information to this form. You may find that the Board of Physical Therapy disagrees with your assertion that using infrared light constitutes the practice of physical therapy, though that should not dissuade you from relaying your concerns to them.
Question:
Do you know how many hours of our continuing education can be done as online/home study?
Response:
As per NJ Administrative Code; a maximum of 10 of the required 30 hours of required continuing education may be completed in this manner, along with the other options listed below.
Reference:
N.J.A.C. 13:39A-9.3 Acceptable course offerings; credit hour calculation
(c) The Board shall grant a maximum of 10 of the mandatory 30 continuing education credits required in a biennial renewal period of licensed physical therapists and licensed physical therapist assistants from any or all of the following:
- Successful completion of videotape, audiotape, computer media, Internet, journal, or correspondence courses, programs or seminars: a maximum of 10 credits per course, program or seminar. The course, program or seminar shall include an examination at its end. Credit for correspondence and other individual study courses or programs shall be provided only in the renewal period in which the course is completed with a successful final examination;
- Successful completion of courses, programs or seminars consisting of hands-on demonstrations of instrumentation when accompanied by didactic lectures: one-half credit for each hour of attendance;
- Preparation and presentation of a Board-approved continuing professional education course, program or seminar: two credits for each hour of a new presentation up to a maximum of 10 credits. For purposes of this subsection, "new" means a course, program or seminar that the licensee has not taught previously in any educational setting. One credit for each hour of a presentation shall be given for subsequent sessions involving substantially identical subject matter up to a maximum of 10 credits, provided the original material has been updated and subject to the credit limits of N.J.A.C. 13:39A-9.3;
- Preparation of an educational or scientific article authored and published in a professional refereed journal: three credits per article as approved by the Board; or
- Courses, programs or seminars in physical therapy practice management: one credit for each hour of attendance.
|
|
|
|
|
Mailly Inglett & Barmak, LLC |
|
|
Ken Mailly, PT, MPA, NJ Lic. # NJ40QAOO335900
Ken is a graduate of the State University of New York at Downstate Medical Center, and completed his Master's in Public Administration at Seton Hall University, with a concentration in Health Care Policy and Management. He is also certified as an Ergonomic Specialist, and as a Rehabilitation Agency Medicare Surveyor.
In addition to his graduate studies, with well over 2,500 hours of continuing physical therapy education, Ken has amassed an extremely diverse and extensive knowledge of the clinical practice of physical therapy, rehabilitation, and practice management. Ken's primary clinical focus is in orthopedics, chronic soft tissue disorders, and management of patients with bleeding disorders.
Along with this clinical knowledge base, Ken has devoted the last 10 years to the study of regulation, legislation, and reimbursement for physical therapy & rehabilitation services. He has served as an expert witness, on behalf of both plaintiffs and defendants, in numerous malpractice cases. He has also been consulted on state, federal, and third party payer inquiries regarding physical therapy and rehabilitation billing, regulatory, and legal issues.
Ken is a partner in Mailly & Inglett Consulting. His focus is on compliance with professional standards, state and federal regulations, as well as practice management strategies.
Barry G. Inglett, PT, CHT, Cert. MDT, NJ Lic # NJ40QA00146200
Barry is a graduate of Columbia University, a Certified Hand Therapist and a Credentialed McKenzie Therapist. He is a physical therapist and co-owner of Wayne Physical Therapy & Spine Center, a private practice established in 1977. Barry is also a partner in Mailly & Inglett Consulting, working with both physical therapists and Payers.
Barry is a guest lecturer for UMDNJ's Physical Therapy Program as well as a clinical instructor for several colleges including Columbia University, New York University, Temple University, Stockton State College, Kean College and the University of Medicine and Dentistry's Physical Therapy Program. He is also an instructor for HMW (Human Mechanical Wellness) Seminars, specializing in mechanically oriented treatment programs for the spine and extremities.
Barry has been retained by numerous insurance companies as well as the New Jersey Attorney General's Office offering expert witness testimony in physical therapy practice. He has been involved in utilization review and reimbursement issues in physical therapy for over 20 years. Barry also instituted, and was retained as the lead expert, in the largest PT fraud case in NJ history (Cobo v. MTF). He also served as a physical therapy consultant from 1997-2005 for Horizon Healthcare running the NJ Plus pre-certification program. Barry has served on the New Jersey Board of Physical Therapy Examiners in the past for eight years and has also served as the Chairman of the Board of Physical Therapy Examiners.
David S. Barmak, Esq.
David S. Barmak, Esq. received a JD from Cornell University and a BA from Duke University. The Law Offices Of David S. Barmak, LLC was established in 1984. David is licensed to practice law and has clients in the states of New York, New Jersey, Pennsylvania and Connecticut.
David's legal focus is in the areas of corporate compliance, risk management, human resources and operational legal affairs.
David has a strong background in operations, having served as both the Associate Administrator and General Counsel for a large New York Certified Home Health Agency, initiating and directing a New York Licensed Home Care Services Agency as well as owning and operating a Durable Medical Equipment company. David also provides defense of enterprises, directors, officers and other professionals accused of misconduct.
For more information, please contact us:
|
|
| © Copyright, 2011. Mailly Inglett & Barmak, LLC. All rights reserved. No portion of these materials may be reproduced by any means without the advance permission of the author. |
|
|
|
