OCR Has Called; Now What? Teresa Smithrud, Mercy Health System & Beth Malchetske, ThedaCare
Objectives: Understand the contact process the OCR uses; understand the steps we had to take, with actual examples (disclaimer: experience has shown that not every investigation takes exactly the same path); share the outcomes of our investigations; understand the impact of those outcomes and what we do differently today because of these experiences; all learn together through audience participation in the discussion.
Sources of Risk: Triggers to watch for through surveillance processes already existing within the organization: calls or letters to the Privacy Officer; calls or letters to administration and other key leaders; patient surveys; regulatory agency notices; other notifications. However, the first notification might come directly from the OCR.
Investigatory Agencies: Centers for Medicare & Medicaid Services (CMS); Office for Civil Rights (OCR); Department of Justice (DOJ); Wisconsin Department of Health and Family Services. Today we'll be focusing on OCR.
The Secretary of HHS delegates the following duties to the Office for Civil Rights (OCR): administer the HIPAA Privacy Standards; authority to impose Civil Monetary Penalties for failure to comply with the HIPAA Privacy Standards; authority to make state law preemption determinations; and authority to make decisions regarding the interpretation, implementation and enforcement of the Privacy Standards. 65 Fed. Reg. 82,381 (Dec. 28, 2000)
Types of OCR investigations: voluntary; non-voluntary. Most seem to be "voluntary." The OCR offices in Chicago, Denver and Kansas City primarily handle WI cases.
When the investigation process starts, consider: defining a central point of contact; specifying who the contacts are in key departments; determining whether you need outside legal counsel to assist; determining whether you need to notify your liability carrier; notifying the proper channels within your organization (think about the compliance chair, risk manager, your boss, etc.).
Initial actions the OCR takes with an organization: They will send you a letter, which will contain: reassurance of a thorough investigation; assignment of an investigation timeframe; assignment of a preliminary investigation category type; a contact person, noted within the letter, so that you can ask clarifying questions; references to their statutory oversight, HIPAA regulations, etc.; and a transaction number, which must be included with any correspondence or contact with them. Have it handy!
Next Steps: They will ask you to identify the name of the person from your organization that the OCR will be working with to resolve the matter. This is who will be preparing the response and sharing the story with them. You have an opportunity to submit a statement of position on the matter. Take a position! Don't be wishy-washy. You'll be asked for data: number of admissions, discharges, number of patients served annually, number of beds, etc., and for specific policies and procedures.
Documentation: You will want to start a file for the case so you can keep track of items such as any email exchanges, records of phone conversations, and a holder for any correspondence. Expect that the PROCESS you used to investigate the matter will be brought into the submission to OCR. NOTE: Anything you send them may be disclosed under the Freedom of Information Act. Make a note on your work calendar of when things have to be turned in, and have a follow-up reminder process in place to assure you are getting information returned to you in a timely manner. Submission of any corrections you have made to a patient's record in relation to the matter will be required. Expect to provide proof of changes in computer systems and dates of any related education on staff roles that relate to the matter. Think about how you will get that information to them. It must be a secured method! You don't want to cause a new breach.
So what specifically might I be asked to produce? Investigation notes; what sanctions were applied internally; risk assessment; number of patient visits; specific policies and procedures relating to the claim being filed. Caution: as you share evidence or policies and procedures, be aware it can open the claim wider, and more resolution or corrective action may be needed! (Learned from co-mingled policies that accompanied a supporting piece of documentation I submitted.)
Details to Watch: timeframes; could a privacy inquiry also include a request for restrictions or amendment?; follow-up; was remedial education completed?; was the issue reviewed at the next performance review?
OCR Response Timeframe: Initial: 15 days (business days or calendar days?); Secondary: as agreed upon, generally 14-21 days.
Ongoing investigation requests from OCR: generally phone conversations; take careful notes; tell the "whole" story but answer just the questions asked, and don't add to it; respond about any known obstacles; repeat information back to the reviewer for clarity; secure a response date and method.
How are disagreements resolved? OCR may seek rebuttals from the patient; new information may be introduced; ensure that workforce members do not conduct personal investigations; ensure there is no retaliation or perceived retaliation.
Categories of response you can make to the OCR: not a covered entity; the alleged violation did not occur as described by the complainant; the actions taken comply with the Rule; prompt and effective action was taken to correct any (perceived) non-compliance.
Resources: Examples of OCR remediation actions can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
Case study 1. Patient complaint received by OCR: November 14, 2007. Letter to the organization: March 24, 2008. Submission of first response: April 17, 2008. Reply back: January 2010, handed off to another investigator from the one originally assigned; clarification correspondence ensued back and forth. Final response from us to OCR: June 2010. Answer of acceptance of remedy: August 2010. At issue: disclosure of a decedent's record. At odds: "personal representative".
Cont. Patient expired unexpectedly at one of our hospitals. No surviving spouse. An adult sibling of the decedent requested and received medical records after our authorization form was properly executed, along with a copy of the death certificate. ThedaCare (TC) operated under a process of disclosing records, if there was no surviving spouse, to adult children or siblings of the decedent (Wis. Stat. §146.81(5) and §632.895(1)(d)). The complaint came from an adult child of the decedent directly to OCR, stating impermissible disclosure.
Wisconsin applicable law referenced on the previous slide. §146.81(5): "Person authorized by the patient" means the parent, guardian, or legal custodian of a minor patient, as defined in s. 48.02 (8) and (11), the person vested with supervision of the child under s. 938.183 or 938.34 (4d), (4h), (4m), or (4n), the guardian of a patient adjudicated incompetent in this state, the personal representative, spouse, or domestic partner under ch. 770 of a deceased patient, any person authorized in writing by the patient or a health care agent designated by the patient as a principal under ch. 155 if the patient has been found to be incapacitated under s. 155.05 (2), except as limited by the power of attorney for health care instrument. If no spouse or domestic partner survives a deceased patient, "person authorized by the patient" also means an adult member of the deceased patient's immediate family, as defined in s. 632.895 (1) (d). A court may appoint a temporary guardian for a patient believed incompetent to consent to the release of records under this section as the person authorized by the patient to decide upon the release of records, if no guardian has been appointed for the patient. §632.895(1)(d): "Immediate family" means the spouse, children, parents, grandparents, brothers and sisters of the insured and their spouses.
The debate. We argued the personal representative definition based on applicable law, which included Wisconsin applicable law. OCR response: HIPAA prevails over Wisconsin law, and the personal representative must be specifically acting on the person's behalf. This was triggered because the authorization form the sister completed stated the purpose as "personal," one of the selectable items on the form. OCR: we should have pursued an understanding of how she was acting on behalf of the patient; "personal" was not explanatory with respect to that definition. We argued whether the Privacy Rule imposes an affirmative obligation on a covered entity to determine the purpose of a disclosure to a personal representative of a deceased individual, and whether that purpose is relevant to the personal representation.
Debate continued. Implementation specification under HIPAA for deceased individuals (45 CFR 164.502(g)(4)): "If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation." We tied Wisconsin applicable law to this implementation specification, which would grant the sister authority to act on behalf of the decedent. This same specification does not state any requirement to confirm the purpose for which the personal representative will use the information.
The result: we lost the debate, and had to modify our practices and submit a new plan.
Process Changes Made: The authorization form now requires the requester to disclose how they are acting on behalf of the patient. The policy narrative was changed to reflect the personal representative and action on behalf of the patient. Training and education of staff and the service vendor; we had to assure that the service vendor did NOT treat its other release-of-information customers the same way. This was a ThedaCare-required policy and process change; we didn't want to upturn all organizations. Sign-offs of understanding. Notice to all managers at all sites: if there is a question on acting on behalf of the patient, seek counsel from the Privacy Official and/or the specifically identified designees. I made the WHIMA policy and legislative team aware of the results, as it could impact many WI organizations.
The real impact: families of patients. We get complaints weekly from personal representatives about our need to know how they will be using the information to "act on behalf of the patient." Their reply: "...but I got it from ______ who is..." right across the street, also a hospital, etc. "Why do they do it differently? Aren't the rules the same?" I have been very up front with these complainants in sharing our experience, stating: We used to practice in the very same manner. However, a person filed a complaint under HIPAA with the Office for Civil Rights, and the investigator there determined we were in violation, so we are required to have this new step in the process to be compliant. Then they ask, so are the others non-compliant? My reply: I can't comment on whether I feel another organization is compliant or not. I appreciate that you are receiving a different experience at ThedaCare, because we have had this investigation, which resulted in this step having to be completed by you in order for us to be considered compliant.
Other OCR examples: Family billing: re-evaluating whether we'll continue family billing; we believe we will, but will significantly modify the process. Guarantor. Workers' comp employer error. EPIC FYI process: modified authorization forms. Faxing / printing (not at the OCR level, but an increasing pattern for us to watch closely): return-to-work slips; after-visit summaries.
Lab Result: Patient advised OCR that a copy of a lab result was received by another patient. The patient had alerted the provider and received a response and mitigation in less than 30 days. The patient then filed with OCR. OCR accepted the provider's actions after multiple rounds of correspondence.
Spouse & Clinic Diagnosis: Patient believes the physician told the patient's spouse a clinic diagnosis. Education records, investigation notes and policies were reviewed by OCR. OCR found no violation.
Employee-Patient: Complainant is a patient who is also an employee, and believes that partners in various departments accessed, used, and disclosed information. Audit trails were clear. Outcome: no violation found. Multiple rounds of documentation response from Mercy to OCR.
Exam Room Privacy: Patient believes privacy was violated when another caregiver was brought into the clinic exam room. A nurse practitioner was brought into the room to assist with an out-of-control patient. Two rounds of OCR documentation; case closed with no violation.
Meet alone or meet privately? Patient believes that a Customer Relations (CR) employee violated privacy rights by refusing to meet with the patient alone. The CR employee had offered several private ways of sharing input. Interview notes, policy revision and proof of workforce re-education were provided. OCR closed the case after multiple rounds.
Media Report of Alleged Breach: A cell phone picture of a patient x-ray was allegedly posted on social media, though this was never confirmed. No identifiers were associated with the image; OCR agreed there was no breach. Inquiries from licensing agencies against the individuals involved. State HFS licensing survey on behalf of CMS.
Billing statement to previous guarantor address: Patient bill sent to the guarantor's address; the patient had reached the age of majority, though the guarantor was not updated in the computer system; the patient lives in the same building as the former guarantor. OCR accepted the provider's voluntary plan of correction.
Mercy Case Take-Aways: The Privacy Officer must be assured by department directors that follow-up actions have been successfully completed. Document the actual completion of all actions submitted, whether employee follow-up education, revising a policy, or changing a patient talking script.
Mercy Case Take-Aways: Many cases will be successfully defended thanks to strong investigative and documentation practices. Any case reviewed by OCR will trigger a review of many other privacy processes and documents. OCR representatives are sometimes prescriptive regarding the specific content of policies and procedures.
Closing thoughts: These investigations take time and effort and derail you from what you had scheduled. Be prepared for when it happens. The investigation and the process of having OCR oversight do, however, help public trust by assuring that covered entities are meeting the rule. Each investigation has been different, although some patterns are starting to emerge. If they haven't happened to you yet, they will! Why do we think that?
March 17, 2011, HDM: The HHS Office for Civil Rights in its fiscal year 2010 budget request is asking for $46.7 million in funding, an increase of $5.6 million over the current level, and with 76 percent of the new funds going for increased enforcement of health information privacy and security rules. The request for increased funding includes $2.283 million for placement of a privacy advisor in each of OCR's 10 regional offices, $1 million for enforcement of the security rule and $1.335 million for investigation of breaches of health information. The breach notification rule has substantially increased the office's workload, according to an OCR report justifying its budget requests that was sent to congressional appropriations committees. http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-notification-office-for-civil-rights-42171-1.html