Tuesday, 11 October 2016 13:41

Medicare, you flunk the Hippocratic test

By Diane Evans

Publisher, MyHIPAA Guide

In a great paradox of 21st Century medicine, none other than Medicare is a violator of the timeless standard of medical ethics expressed in the Hippocratic rule: First do no harm.

The worst part? It’s that bonuses paid to physicians, from Medicare and Medicaid, are tied to activities that may actually harm some patients.

The issue relates to Electronic Health Records (EHRs). No question, electronic data holds the potential to greatly improve patient treatments based on proven results. However, it is also true that bad data can result in deadly mistakes. And therein lies the problem.

Currently, Medicare is pushing doctors to enter data and make medical decisions based on statistical analysis. Yet at the same time, health IT experts -- including some in the federal government -- are warning of hazards caused by shortcomings in EHR technology. The technology simply isn’t available yet to do the high-quality data analysis that Medicare is demanding prematurely.

Earlier this month, the federal agency responsible for healthcare technology hosted a webinar to address what the agency called “this important safety topic” of EHR usability. The webinar featured Dr. Andrew Gettinger, Executive Director of the federal Office of Clinical Quality and Safety, and Drs. Peter Pronovost and Josh Rising from the Pew Charitable Trusts. The issues covered in the webinar are summed up on Pew’s website and include this warning:

“Although the United States has invested tens of billions of dollars to encourage providers to adopt electronic health records (EHRs), many clinicians have found that these systems have poor ‘usability.’ EHRs can put patients at risk of medical error, do little to enhance clinical care, and increase the time clinicians spend documenting patient care. Indeed, one study found that 15 percent of physicians reported that their EHR had caused a potential medication error within the past month.”

Fifteen percent within a month? That raises a huge question of how many people are being harmed -- right now, today -- without anybody knowing about it.

In a blog post earlier this year, Kaiser Health News reported on the ease of medical mistakes happening with the slip of a mouse, creating particular concern in rushed emergency-room situations.

In a book on this topic, “The Digital Doctor: Hope, Hype and Harm at the Dawn of Medicine’s Computer Age,” Dr. Bob Wachter, Chief of Hospital Medicine at University of California San Francisco and the “Father of Hospitalist Medicine,” documents some of the harrowing real-life stories.

In one such incident, a teen narrowly escaped death following a hiccup in data processing. In what should have been a routine step, a resident physician learned she needed to change her original orders for pediatric medication for a boy named Pablo Garcia. When the resident typed in 160 mg, thinking that was the correct dose to be dispensed, the system changed it to 160 mg/kg. This, plus a series of seemingly minor events, culminated in Pablo taking a gigantic dose of pills.

In July 2015, in an effort to identify the root causes of EHR problems such as this, Pew Charitable Trusts, in collaboration with the Johns Hopkins Armstrong Institute for Patient Safety and Quality, convened a meeting of 70 experts, including EHR vendors, hospital representatives, clinicians, and patient safety advocates.

Following the meeting, Pew identified three primary issues:

1. Some EHR makers don’t fully assess usability of their products before delivering them to hospitals and doctors’ offices.

2. There are no universal standards for measuring the safety and performance of EHR systems.

3. Healthcare providers fear the consequences of violating gag clauses that prohibit disclosure of problems involving their EHRs.

This latter point, relating to gag clauses commonly found in EHR contracts with health providers, means that the public can’t even intelligently assess the current state of EHR technology -- even though $30 billion in federal tax dollars subsidized the installation of EHRs!

Indeed, evidence is stacked high in support of everything Pew says.

Some examples:

  • A 2016 report by the nonprofit National Quality Forum (NQF) called for a coordinated effort to reduce risks associated with electronic health records, starting with an assessment of how well providers, vendors, and others are addressing IT-related safety concerns.
  • Also this year, the Journal of AHIMA reported on survey results indicating widespread problems in accurately matching individuals with their healthcare records. Duplicate records commonly exist, creating greater likelihood of errors in treating people.
  • In 2015, 36 professional associations raised questions about the very security of patient information contained in EHRs. In a letter to the feds, the associations raised concerns about poorly functioning EHRs resulting in “medical record errors, inaccurate documentation, lack of interoperability, slow performance, lost patient information, and safety concerns.”

Against this backdrop, Medicare persists in giving financial rewards to physicians for how well they score – by Medicare’s standards – in the use of EHRs. And the score-keeping gets into the minutiae of everyday routines. For example, physicians get points (which can turn into real money) for generating and transmitting prescriptions electronically.

The end goal, ideally, is about creating a system that rewards doctors for treating patients based on best practices that can be confirmed by data.

However, at the moment, there is a foundational problem: The nation won’t even have the advanced technology for such comprehensive data analysis until 2024. That is by the government’s own estimate in a 2013 report titled, “Capturing High Quality Electronic Health Records Data to Support Performance Improvement.”

The report points to highly functioning EHRs as key to the implementation of payment reform tied to performance measures. It notes that “as the industry moves toward value-based reimbursement—reimbursement based on quality and cost measures—improving the quality of the data used for measurement is imperative.”

Meanwhile, contrary to red flags, Medicare keeps pressuring doctors to step up usage of EHRs in return for higher pay. Right now. Today.

If the functionality of EHR systems is in question, which it clearly is, then Medicare fails the Hippocratic test by forcing these systems to serve purposes they are currently incapable of serving. The only question is: In the process of data entry, how many people are suffering undocumented harm?

In a recent newsletter, the U.S. Office for Civil Rights (OCR) discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

According to a survey conducted by the federal government, CSO Magazine, and Deloitte, common e-crimes committed by insiders include:

  • Unauthorized access to or use of organization information
  • Exposure of private or sensitive data
  • Installation of viruses, worms, or other malicious code

OCR says organizations should:

  • Consider insider threats in enterprise-wide risk assessments.
  • Document and enforce policies and controls.
  • Create awareness of insider threats in security training for employees.
  • Monitor and respond to suspicious or disruptive behavior.
  • Anticipate and manage negative issues in the work environment.
  • Implement strict password and account management policies and practices.
  • Enforce separation of duties and necessary-only access to PHI.
  • Define security in all cloud-services agreements, especially relating to access restrictions and monitoring capabilities.
  • Institute access controls and monitoring policies on privileged users.
  • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  • Monitor and control remote access from all points, including mobile devices.
  • Develop a comprehensive employee termination procedure.
  • Implement secure backup and recovery processes.
  • Formalize an insider threat program.
  • Establish a baseline of normal network device behavior.
  • Be especially vigilant regarding social media.
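Several of the OCR items above (a SIEM or log correlation engine to audit employee actions, a baseline of normal behavior, access limited to what a role needs, and a termination procedure) can be checked against an EHR access audit trail. The Python script below is an added example written for this page; it is not code from MyHIPAA Guide or from OCR. The audit-log line format, the user directory, the per-user baselines and the alert thresholds are all assumptions made for the example.

```python
"""Review a constructed EHR access audit trail for insider-threat indicators.

Added example; the log format, directory, baselines and thresholds are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str
    unit: str  # the nursing unit whose record was touched


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


# Constructed user directory (assumed shape): role, units the user is
# assigned to, and whether the account should still be active.
DIRECTORY = {
    "nurse01": {"role": "nurse", "units": {"unit-3"}, "active": True},
    "nurse04": {"role": "nurse", "units": {"unit-5"}, "active": True},
    "clerk02": {"role": "billing", "units": {"unit-3", "unit-5"}, "active": True},
    "tech09": {"role": "it", "units": set(), "active": False},  # terminated
}

# Constructed baseline: typical number of records each user touches per day
# (for a real system this would be, e.g., the median over the previous month).
BASELINE_DAILY = {"nurse01": 12, "nurse04": 10, "clerk02": 8, "tech09": 0}

# Constructed audit trail. Fields: timestamp, user, patient id, action, unit.
# The last block simulates a billing clerk exporting 30 records in one hour.
SAMPLE_LOG = """\
2016-10-03T08:02:11 nurse01 P1001 VIEW unit-3
2016-10-03T08:05:40 nurse01 P1002 VIEW unit-3
2016-10-03T08:30:05 nurse01 P1003 UPDATE unit-3
2016-10-03T09:10:22 nurse04 P2001 VIEW unit-5
2016-10-03T09:15:09 nurse04 P1002 VIEW unit-3
2016-10-03T22:41:37 tech09 P1001 VIEW unit-3
""" + "".join(
    f"2016-10-03T13:{i:02d}:00 clerk02 P{3000 + i} EXPORT unit-5\n" for i in range(30)
)


def parse_log(text):
    """Parse whitespace-separated audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, unit = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, unit))
    return events


def review(events, directory=DIRECTORY, baseline=BASELINE_DAILY, factor=3, floor=5):
    """Apply three checks: inactive accounts, access outside assignment,
    and daily volume well above the user's baseline."""
    findings = []
    daily = Counter()
    for ev in events:
        entry = directory.get(ev.user)
        # Termination procedure: a disabled or unknown account must not act.
        if entry is None or not entry["active"]:
            findings.append(Finding("inactive-account", ev.user,
                                    f"{ev.action} {ev.patient} at {ev.when:%H:%M}"))
            continue
        # Necessary-only access: records outside the user's assigned units.
        if ev.unit not in entry["units"]:
            findings.append(Finding("outside-assignment", ev.user,
                                    f"{ev.action} {ev.patient} in {ev.unit}"))
        daily[(ev.user, ev.when.date())] += 1
    # Baseline check: flag a day far above the user's normal volume.
    for (user, day), count in sorted(daily.items()):
        limit = max(floor, factor * baseline.get(user, 0))
        if count > limit:
            findings.append(Finding("volume-spike", user,
                                    f"{count} accesses on {day}, baseline {baseline.get(user, 0)}"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:<20} {f.user:<8} {f.detail}")
```

On the constructed log this reports three findings: the terminated account `tech09` reading a record, `nurse04` viewing a record on a unit she is not assigned to, and `clerk02` exporting 30 records against a baseline of 8. In practice the baseline would be derived from historical logs rather than hard-coded, and the findings would feed a SIEM alert queue for a human reviewer.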

The U.S. Office for Civil Rights (OCR) says it is now working with its regional offices to more widely investigate the root causes of breaches affecting fewer than 500 individuals. The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.

Among other things, regional investigators will look for incidents involving improper disposal or theft of unencrypted Protected Health Information (PHI), and inappropriate access to IT systems.

Here are examples of settlements in smaller breaches:

Catholic Health Care Services, relating to a business associate’s failure to safeguard nursing home residents’ PHI: $650,000.

St. Elizabeth’s Medical Center, relating to allegations that staff used an internet-based, document-sharing application to store PHI without having analyzed risks: $218,400.

Hospice of North Idaho, relating to an unencrypted laptop computer containing electronic protected health information (ePHI): $50,000.

While HIPAA rules require regular training of staff, it's not enough to simply go through the motions of attending a lecture or watching a video. HIPAA education should address things that staff members working with ePHI really need to know. And it should be reinforced often.

Here are resources from MyHIPAA Guide that can help train staff in the following categories. In addition, watch for our webinars on a variety of HIPAA subjects.

Social Media Guidelines for staff:

  • Online class, titled Social Media Rules for Healthcare Providers, accredited through our partner, Pedagogy Online Learning Systems.
  • A published guide on social media uses, from the National Council of State Boards of Nursing.

Risk Mitigation:

  • Security 101 videos on how to spot risks in your midst, and how to plan for natural disasters and interruptions.
  • Basic security checklist for small practices.
  • An advanced online course for compliance managers, titled Responsibilities for Managing HIPAA Compliance, accredited through our partner, Pedagogy Online Learning Systems.

Breach Reporting:

  • Instructions on how to report.

Business Associates:

  • Information on who to hold accountable and how.

Patient Rights:

  • Video on patient rights.

In an unprecedented memo to state survey and credentialing agencies earlier this month, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing federal privacy regulations to protect patients from social media abuses. The memo cites recent media reports as impetus for the crackdown.

In its memo, dated Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning in September, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents.

Indeed, a growing number of reports are exposing horrific examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends.

ProPublica and the Washington Post have been especially out front on this issue. Here is some background to give you an idea of what is taking place:

In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear for a few seconds, and then disappear.

Details of the incidents came from government reports, court cases and stories in the media.

An excerpt from one report on the ProPublica website:

“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.

“This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”

In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.

In some cases, employees have faced criminal charges.

Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Insurance Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.

Case points to Business Associate Agreements as critical

When it comes to HIPAA enforcement, you can’t hide behind a cloak. That is the message of the federal government’s settlement with the Archdiocese of Philadelphia.

The Diocese will pay $650,000 to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), relating to the theft of a mobile device containing protected health information for 412 nursing home residents.

In this and other recent actions, the feds are underscoring an emphasis on holding Business Associates accountable for safeguarding patient information.

In the Philadelphia case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities. Here is what happened, according to an announcement by the U.S. Office for Civil Rights (OCR):

In April 2014, OCR initiated an investigation following the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

Investigators found that CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.

The feds signaled they went light on the settlement amount, saying they considered that CHCS provides much-needed services in the Philadelphia area.

The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html.

Aug. 16, 2016 -- It's pretty easy to understand why the Centers for Medicare & Medicaid Services (CMS) just announced a crackdown on social media abuses against residents in skilled nursing homes. It's because so many media reports are exposing horrible examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends. Beginning Sept. 4, state survey and credentialing teams will begin a federally mandated crackdown to enforce protection measures for nursing home residents.

Here is some background to give you an idea of what is taking place:

In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear for a few seconds, and then disappear.

Details of the incidents came from government reports, court cases and stories in the media.

An excerpt from one report on the ProPublica website:

“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.

“This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”

In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.

In some cases, employees have faced criminal charges, as the chart below indicates.

Social Media Abuses in Nursing Homes Chart

Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Insurance Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.

The charts below include examples of recent settlements under HIPAA:

Slides HIPAA Audits Go High Gear Large Providers

Compiled from government reports by MyHIPAA Guide

Slides HIPAA Audits Go High Gear Small Providers

Compiled from government reports by MyHIPAA Guide

CMS’ Missive to Skilled Nursing Homes: You’ve Got 30 Days

Crackdown on Social Media Abuses Begins Sept. 4, 2016

New Privacy Offerings Help Nursing Homes Meet Deadline

Aug. 15, 2016 -- In an unprecedented memo to state survey and credentialing agencies, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing privacy policies and procedures to protect patients from social media abuses. The memo cited recent media reports of social media abuses. Some of those reports detail horrific examples of nursing home residents on public display, sometimes partially or fully naked. Incidents often involve patients with dementia -- with staff members taking photos or video of demeaning scenes, and then sharing them with friends.

In its memo, issued on Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning Sept. 4, 2016, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents. 

In January 2016, MyHIPAA Guide, of Akron, Ohio, and Pedagogy Inc., of Troup, Texas, began working on a training and compliance program with special emphasis on social media abuses. Currently, two accredited online courses are available:

Responsibilities for Managing HIPAA Compliance offers training for managers putting compliance plans in place, and Social Media Rules for Nurses and Healthcare Providers educates staff on how abuses often happen, and how they can be prevented.

Bulk packages of seats in the two courses come with a compliance service offering, called A Nursing Home’s Total Privacy Plan, offered by MyHIPAA Guide. This Total Privacy Plan gives nursing homes a complete compliance management program, including social media guidelines, a secure online whistleblower service, posters, monthly training webinars, and regular news updates on privacy requirements.

The classes may also be purchased separately through Pedagogy. Discounts are available for bulk purchases.

To learn more about social media abuses in nursing homes, click here.

Total Privacy Plan

Contact Diane Evans for more details about A Nursing Home's Total Privacy Plan, or Capra Dalton for information about purchasing courses separately.

Or click here to sign up now.

 

About MyHIPAA Guide: Visit MyHIPAAGuide.com, read about us in Crain’s Cleveland Business, or check out our guest viewpoint in the June issue of Compliance Today.

About Pedagogy Inc: Pedagogy offers nationally accredited online continuing education (CEU/CNE) courses and in-services for nurses, certified nursing assistants (CNAs), and other healthcare professionals.

Browse Pedagogy's class catalog to see all course descriptions and curriculum by subject category; courses may be purchased individually on the Pedagogy website.

Monday, 18 July 2016 11:03

Know Your Patients' Rights

By Diane Evans

Publisher, MyHIPAA Guide

Patients may have more rights over their health records than you realize.

Under today’s privacy rules, consent entails far more than a “check-the-box” exercise as in the past. Yet, according to government sources, an estimated 27% of Americans aren’t even aware of their basic right to electronic copies of their medical records.

In a public awareness effort, the feds recently released information, including videos, to educate the public so people can make choices based on personal preferences. 

Meanwhile, here are some of the key points to keep in mind, based on information in a model Patient Privacy Notice published by the federal government:

  • Patients are permitted to see, or get an electronic or paper copy of, their medical record and other health information a doctor has about them. Generally, patients should expect to have copies of their records within 30 days of a request, and they may be charged a reasonable fee, based on allowable calculations.
  • Patients may ask their doctor to correct health information they believe is incorrect or incomplete. The doctor may say no, but should offer a written explanation of why within 60 days.
  • Patients may ask for a list of the times their health information has been shared, who received it and why, going back six years.
  • If a patient pays out-of-pocket in full for a service or health care item, the patient can ask a doctor not to share that information with the patient’s health insurer. The doctor should say yes unless a law requires the sharing of certain information.
  • If a patient has a legal guardian, or has given someone medical power of attorney, that person can exercise the patient’s rights and make choices about his or her health information.

In addition, a patient can ask to be contacted in a specific way, such as at an office phone or at a different mailing address. In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients. For example, a patient may request that appointment reminders be left on their work voicemail rather than home phone voicemail.

For those who prefer email communications, healthcare providers may send unencrypted emails. However, the patient should consent to unsecured emails based on an understanding of the risks.

There are certain things that HIPAA does not do, and these limitations should be understood as well, as detailed in a federally produced Fact Sheet titled Medical Privacy of Protected Health Information.

For example, the Fact Sheet points out that healthcare providers can share protected health information, without a patient’s permission, with:

  • Other professionals who are treating that individual;
  • Health plans and other entities for billing and payment purposes;
  • Certain public health and safety officials, for situations such as disease prevention, product recalls, suspected abuse, neglect or domestic violence.

In addition, the Fact Sheet notes:

  • HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else. As long as the patient does not object, health care professionals may provide information to a patient’s family, friends, or anyone else identified by a patient as involved in his or her care.
  • Unless a patient objects, basic information such as the patient’s phone and room number may appear in a hospital directory.
  • Members of the clergy may access a patient’s religious affiliation if provided by the patient, and they do not have to ask for patients by name.
  • If a patient is incapacitated, healthcare providers may share information with a patient’s family or friends if they believe doing so is in the patient’s best interest.


One other thing to keep in mind: Information sometimes slips out in ways that do not violate federal privacy rules. HIPAA does not eliminate all so-called “incidental disclosures” of patient information. Incidental disclosures are considered acceptable if a healthcare provider has policies and procedures in place to reasonably safeguard protected health information. An incidental disclosure might happen if a hospital visitor overhears a provider’s confidential conversation taking place, or if someone glimpses a patient’s name on a sign-in sheet or nursing station whiteboard.

Throughout its published materials, the federal government clearly acknowledges that no one healthcare provider can totally eliminate the risk of unauthorized disclosures. Privacy rules set out to reduce risk to the greatest extent reasonably possible.

 

Thursday, 14 July 2016 13:31

Get Info about Patient Rights

Here are resources to help clarify the rights of patients under HIPAA Rules:

Model Patient Privacy Notice, produced by the federal government, and containing a listing of your rights.

Explanation of how your doctor may calculate fees charged for copies of your health records.

In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients.

 

This Fact Sheet, titled Medical Privacy of Protected Health Information, offers a good overview of patient rights.

 

To learn more about incidental disclosures that are permissible under HIPAA, click here.

 

Some additional things to be aware of:

Page 5634 of the Privacy Rule states that: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”

The important thing is that patients/guardians are advised of risks, and that they consent based on personal preference.

Also, be aware of this provision on Page 5634 of the Privacy Rule:

“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

10 Step HIPAA Plan

  • Step 1: Make Sure you Must Comply with HIPAA

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Designate Team Leaders

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial – 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    ADVANCED:
    Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach.
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    INTRODUCTORY:
    • Professionals' guide covering 2013 updates on communications.

    ADVANCED:
    • Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Execute Business Associate Agreements

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.