HHS Nondiscrimination Provisions, Disability Provisions, and Language Provisions will have an effect on covered entities.
From the HHS website on Section 1557:
Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
Any health program or activity any part of which received funding from HHS
Any health program or activity that HHS itself administers
Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
The Nondiscrimination in Health Programs and Activities final rule implements Section 1557 of the Affordable Care Act, which is the first federal civil rights law to broadly prohibit discrimination on the basis of sex in federally funded health programs. Previously, civil rights laws enforced by HHS’s Office for Civil Rights (OCR) broadly barred discrimination based only on race, color, national origin, disability, or age.
“A central goal of the Affordable Care Act is to help all Americans access quality, affordable health care. Today’s announcement is a key step toward realizing equity within our health care system and reaffirms this Administration's commitment to giving every American access to the health care they deserve," said HHS Secretary Sylvia M. Burwell.
The final rule helps consumers who are seeking to understand their rights and clarifies the responsibilities of health care providers and insurers that receive federal funds. The final rule also addresses the responsibilities of issuers that offer plans in the Health Insurance Marketplaces. Among other things, the final rule prohibits marketing practices or benefit designs that discriminate on the basis of race, color, national origin, sex, age, or disability. The final rule also prohibits discriminatory practices by health care providers, such as hospitals that accept Medicare or doctors who participate in the Medicaid program.
The final rule prohibits sex discrimination in health care including by:
Requiring that women must be treated equally with men in the health care they receive. Other provisions of the ACA bar certain types of sex discrimination in insurance, for example by prohibiting women from being charged more than men for coverage. Under Section 1557, women are protected from discrimination not only in the health coverage they obtain but in the health services they seek from providers.
Prohibiting denial of health care or health coverage based on an individual’s sex, including discrimination based on pregnancy, gender identity, and sex stereotyping.
It also includes important protections for individuals with disabilities and enhances language assistance for people with limited English proficiency including by:
Requiring covered entities to make electronic information and newly constructed or altered facilities accessible to individuals with disabilities and to provide appropriate auxiliary aids and services for individuals with disabilities.
Requiring covered entities to take reasonable steps to provide meaningful access to individuals with limited English proficiency. Covered entities are also encouraged to develop language access plans.
While the final rule does not resolve whether discrimination on the basis of an individual’s sexual orientation status alone is a form of sex discrimination under Section 1557, the rule makes clear that OCR will evaluate complaints that allege sex discrimination related to an individual’s sexual orientation to determine if they involve the sorts of stereotyping that can be addressed under 1557. HHS supports prohibiting sexual orientation discrimination as a matter of policy and will continue to monitor legal developments on this issue.
The final rule states that where application of any requirement of the rule would violate applicable Federal statutes protecting religious freedom and conscience, that application will not be required.
The Centers for Medicare & Medicaid Services (CMS) has issued a final rule to establish consistent emergency preparedness requirements for health care providers participating in Medicare and Medicaid, stating that the regulation will increase patients’ safety during emergencies and ensure more coordinated response to natural and manmade
“Over the past several years, and most recently in Louisiana, a number of natural and manmade disasters have put the health and safety of Medicare and Medicaid beneficiaries – and the public at large – at risk. These new requirements will require certain participating providers and suppliers to plan for disasters and coordinate with federal, state, tribal, regional, and local emergency preparedness systems to ensure that facilities are adequately prepared to meet the needs of their patients during disasters and emergency situations,” the agency’s Sept. 8 news release stated.
“Situations like the recent flooding in Baton Rouge, Louisiana, remind us that in the event of an emergency, the first priority of health care providers and suppliers is to protect the health and safety of their patients,” said CMS Deputy Administrator and Chief Medical Officer Dr. Patrick Conway, M.D., MSc. “Preparation, planning, and one comprehensive approach for emergency preparedness is key. One life lost is one too many.”
“As people with medical needs are cared for in increasingly diverse settings, disaster preparedness is not only a responsibility of hospitals, but of many other providers and suppliers of health care services. Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” added Dr. Nicole Lurie, HHS’ assistant secretary for preparedness and response. “All parts of the health care system must be able to keep providing care through a disaster, both to save lives and to ensure that people can continue to function in their usual setting. Disasters tend to stress the entire health care system, and that’s not good for anyone.”
CMS reports that it reviewed current Medicare emergency preparedness regulations for providers and suppliers and concluded the regulatory requirements were not comprehensive enough to address the complexities of emergency preparedness; they did not address the need for communication to coordinate with other systems of care within cities or states; contingency planning; or training of personnel. So the final rule requires Medicare and Medicaid participating providers and suppliers to meet these four industry best practices:
1. Emergency plan: Based on a risk assessment, develop an emergency plan using an all-hazards approach focusing on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters specific to the location of a provider or
2. Policies and procedures: Develop and implement policies and procedures based on the plan and risk assessment.
3. Communication plan: Develop and maintain a communication plan that complies with both federal and state laws.
4. Training and testing program: Develop and maintain training and testing programs, including initial and annual training, and conduct drills and exercises or participate in an actual incident that tests the plan.
CMS said these standards are adjusted to reflect the characteristics of each type of provider and supplier. For example, outpatient providers and suppliers such as ambulatory surgical centers and end-stage renal disease facilities won’t be required to have policies and procedures for provision of subsistence needs; hospitals, critical access hospitals, and long-term care facilities will be required to install and maintain emergency and standby power systems based on their emergency plan.
In response to comments, CMS removed the requirement for additional hours of generator testing, added flexibility to choose the type of exercise a facility conducts for its second annual testing requirement, and decided to allow a separately certified facility within a health care system to take part in that system’s unified emergency preparedness
The regulations will take effect on November 15, 2016. Healthcare providers and suppliers affected by the rule must comply and implement all regulations one year after the effective date. More specific information about the Emergency Preparedness Rule can be found here.
Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule:
2. Religious Nonmedical Health Care Institutions (RNHCIs)
A crucial step in preparedness for your practice in the event of an emergency or disaster is a Risk Assessment.
A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.
As an employer, make sure your workplace has a building evacuation plan that is regularly practiced. The preparedness program is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the program up-to-date.
Take a critical look at your heating, ventilation and air conditioning system to determine if it is secure or if it could feasibly be upgraded to better filter potential contaminants, and be sure you know how to turn it off if you need to.
Think about what to do if your employees can't go home.
There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on timing, magnitude and location of the hazard. Consider hurricanes as an example:
A hurricane forecast to make landfall near your business could change direction and go out to sea. The storm could intensify into a major hurricane and make landfall.
There are many “assets” at risk from hazards. First and foremost, injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place. Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and patient records. The potential for environmental impact should also be considered. Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause patients to lose confidence in your organization and its services or protection of vital records.
As you conduct the risk assessment, look for vulnerabilities—weaknesses—that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
The impacts from hazards can be reduced by investing in mitigation. If there is a potential for significant impacts, then creating a mitigation strategy should be a high priority.
Use the FEMA Risk Assessment Tool to complete your risk assessment. Instructions are provided on the form. Please also request the supplementary and supportive HCSI HIPAA Security Risk Analysis health checkup checklist to coincide with your office risk assessment, either by clicking here (HCSI Support - Risk Analysis) or by entering your email address in the top right side of the blog. Source(s): http://www.hcsiinc.com, https://www.ready.gov/, http://www.fema.gov/
The monthly cyber awareness alert from the Department of Health and Human Services’ Office for Civil Rights (OCR) prods organizations to closely evaluate the risks their employees pose.
Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, the effect of these threats can be damaging to a Covered Entity and Business Associate and have a negative impact on the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption. Further, it was reported by a Covered Entity that one of their employees had unauthorized access to 5,400 patients’ ePHI for almost 4 years.
US CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
has or had authorized access to an organization’s network, system, or data;
has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
According to a survey conducted by U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
access to or use of organization information;
of private or sensitive data;
of viruses, worms, or other malicious code;
theft of intellectual
Covered Entities and Business Associates should consider:
policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privileges, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.
screening processes on potential employees to determine if they are trustworthy and appropriate for the role for which they are being considered. Effective screening processes can be applied to allow for a range of implementations, from minimal to more stringent procedures based on the risk analysis performed by the entity and role of the potential employee. Examples of potential screening processes could include checks of the HHS OIG LEIE (List of Excluded Individuals and Entities) to check for health care fraud and related issues and criminal history checks to verify past criminal acts. When implementing a screening process, please be sure to review and comply with any applicable federal, state or local laws regarding the use of screening processes as part of the hiring
US CERT steps to protect ePHI from insider threats:
1. Consider threats from insiders and business associates in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
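As an added example (not part of the OCR alert or the US CERT guidance quoted above), the script below shows what steps 12, 14 and 17 look like once ePHI access logs are centralized for review. It reads constructed audit lines, builds a per-user baseline of how many distinct patient records each user touches per day and flags days that exceed it, flags access to patients outside the user's own unit, and flags activity by an account after its recorded termination date. The log format, user names, department labels, thresholds and the HR termination feed are all assumptions made for this example.

```python
"""Audit-log review for insider-threat indicators (added example, not from the
OCR alert or the CERT guide). Three checks over constructed ePHI access lines:
a per-user daily volume baseline (step 17), access outside the user's own unit
(steps 8 and 10), and activity past a termination date (step 14).
Log format, names, departments and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line format: <ISO ts> user=<id> dept=<unit> patient=<mrn> patient_dept=<unit>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
                     r"patient=(?P<mrn>\S+) patient_dept=(?P<pdept>\S+)$")

# Constructed sample data; no real patients or staff.
SAMPLE_LOG = """
2016-09-01T08:02:11 user=jsmith dept=cardiology patient=MRN1001 patient_dept=cardiology
2016-09-01T09:15:40 user=jsmith dept=cardiology patient=MRN1002 patient_dept=cardiology
2016-09-02T08:10:03 user=jsmith dept=cardiology patient=MRN1001 patient_dept=cardiology
2016-09-02T10:22:51 user=jsmith dept=cardiology patient=MRN1003 patient_dept=cardiology
2016-09-01T08:30:00 user=rjones dept=oncology patient=MRN2001 patient_dept=oncology
2016-09-01T13:05:12 user=rjones dept=oncology patient=MRN2002 patient_dept=oncology
2016-09-02T08:44:31 user=rjones dept=oncology patient=MRN2001 patient_dept=oncology
2016-09-02T14:12:09 user=rjones dept=oncology patient=MRN2003 patient_dept=oncology
2016-09-03T09:01:55 user=rjones dept=oncology patient=MRN2002 patient_dept=oncology
2016-09-03T15:30:42 user=rjones dept=oncology patient=MRN2003 patient_dept=oncology
2016-09-04T07:58:03 user=rjones dept=oncology patient=MRN2001 patient_dept=oncology
2016-09-04T07:59:10 user=rjones dept=oncology patient=MRN2002 patient_dept=oncology
2016-09-04T08:00:25 user=rjones dept=oncology patient=MRN2003 patient_dept=oncology
2016-09-04T08:01:40 user=rjones dept=oncology patient=MRN2004 patient_dept=oncology
2016-09-04T08:02:55 user=rjones dept=oncology patient=MRN2005 patient_dept=oncology
2016-09-04T08:04:10 user=rjones dept=oncology patient=MRN1001 patient_dept=cardiology
2016-09-04T08:05:25 user=rjones dept=oncology patient=MRN1002 patient_dept=cardiology
2016-09-02T10:00:00 user=tbrown dept=billing patient=MRN3001 patient_dept=billing
2016-09-04T22:15:00 user=tbrown dept=billing patient=MRN3002 patient_dept=billing
"""

# Constructed HR feed: user -> last working day. Any access after it is a finding.
TERMINATED = {"tbrown": "2016-09-03"}


def parse(log_text):
    """Parse audit lines into dicts; reject lines that do not match the format."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        rec = m.groupdict()
        rec["day"] = datetime.fromisoformat(rec["ts"]).date().isoformat()
        events.append(rec)
    return events


def volume_anomalies(events, factor=3.0, min_baseline_days=3):
    """Flag days where a user's distinct-patient count exceeds factor x the
    median of that user's earlier days (needs min_baseline_days of history)."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["day"]].add(e["mrn"])
    findings = []
    for user, days in per_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [len(days[d]) for d in ordered[:i]]
            if len(history) < min_baseline_days:
                continue  # too little history to call anything anomalous
            baseline, count = median(history), len(days[day])
            if count > factor * baseline:
                findings.append({"user": user, "day": day,
                                 "count": count, "baseline": baseline})
    return findings


def cross_unit_access(events):
    """Flag each (user, patient) pair where the patient belongs to another unit."""
    seen, findings = set(), []
    for e in events:
        if e["dept"] != e["pdept"] and (e["user"], e["mrn"]) not in seen:
            seen.add((e["user"], e["mrn"]))
            findings.append({"user": e["user"], "mrn": e["mrn"],
                             "day": e["day"], "patient_dept": e["pdept"]})
    return findings


def post_termination_access(events, terminated):
    """Flag access by accounts after their recorded last working day."""
    return [{"user": e["user"], "day": e["day"], "mrn": e["mrn"]}
            for e in events
            if e["user"] in terminated and e["day"] > terminated[e["user"]]]


def review(log_text, terminated):
    """Run all three checks and return the findings grouped by check."""
    events = parse(log_text)
    return {"volume": volume_anomalies(events),
            "cross_unit": cross_unit_access(events),
            "post_termination": post_termination_access(events, terminated)}


if __name__ == "__main__":
    for check, items in review(SAMPLE_LOG, TERMINATED).items():
        print(check, items)
```

On the constructed data the review flags one user whose daily record count jumps to several times their own baseline, the two patients that user viewed from another unit, and one access by an account after its termination date. The same three rules are what a SIEM correlation search would carry; the multiplier, the history window and what counts as "the user's unit" need to come from the entity's own risk analysis and role definitions, and every finding is a prompt for a documented review rather than a conclusion on its own.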
Understanding when to use a search committee enables it to become a valuable part of your recruiting efforts.
Steve has been very busy in his efforts to hire somebody for a high profile position within his organization. After spending endless hours sifting through resumes, conducting initial phone interviews, doing on-site interviews, and making the final hiring decision, Steve has finally hired a qualified candidate named Jeff. There was no argument that Jeff was qualified for the position, but Steve was only one opinion and only one view point. Within a few weeks of hiring Jeff, it was apparent to everyone around that Steve had missed something. Although qualified, Jeff was not a cultural fit for the organization. In fact, Jeff was pushing all the wrong buttons and going in all the wrong directions. Jeff was not a fit for the organization and Steve had to let him go. It was now time for Steve to begin the time consuming and costly hiring process all over again.
Could the above situation have been avoided? Maybe not entirely, but the likelihood of it happening could have been greatly reduced if Steve had utilized a search committee in his recruiting efforts.
What is a search committee?
A search committee is a group of individuals gathered together for the purpose of assisting an administrator or hiring manager in recruiting and screening candidates for a vacant position.
Why would I use a search committee?
By forming a search committee, the hiring manager is able to harness the large amount of work that comes with reviewing resumes, conducting initial interviews, and doing on-site interviews. In addition, a search committee provides consistency in reviewing each candidate and the entire hiring process benefits from having multiple perspectives.
When should I use a search committee?
It is best to utilize a search committee when hiring for senior level administrative positions and positions that will have a high public relations impact on your organization.
Who should be a part of a search committee?
Search committees should be formed with the idea of having a diversity of ideas, opinions, and perceptions. Members of a search committee should include:
People who have valued knowledge about the vacant position
People who are respected
Representatives from areas that the new hire will impact
Representatives of both genders
People of different races and cultural backgrounds
How many members should be on the search committee?
The size of the search committee should reflect the importance of the vacant position. With that being said, a search committee should not exceed 11 members nor have fewer than three members. Keep in mind that the larger the search committee is, the more time it takes to complete the hiring process.
What are the duties of the search committee?
Search committees should be active in:
Determining a timeline for the hiring process
Identifying where to advertise for the vacant position
Conducting initial interviews
Participating in on-site interviews
Helping determine which candidates will advance to each stage of the hiring process
Helping determine the final candidate selected to fill the vacant position
When utilizing a search committee as part of the hiring process for a vacant position, you are opening a door to new ideas and perspectives. These different and sometimes new thoughts should be encouraged and discussed. It is the objective of the search committee to find and hire the candidate who not only can do the job, but would be the best fit for the organization and the culture within.
Policies Restricting Patient Recordings In Medical Settings
What are your opinions on a medical office or practice creating a policy to prevent/limit patients from making audio/video recordings in exam rooms or other common areas where HIPAA or patient privacy could be violated by improper use of these recordings?
Does the office or practice have free rein to create such a policy? What, if any, limitations might apply?
What about the patient? Do they have any "rights" providing them the freedom to be able to record a procedure or practitioner giving treatment instructions for example?
What about recordings in a maternity ward/nursery or during childbirth? What about the potential for cell phones to disrupt sensitive medical equipment? What about patients using apps like Pokemon Go and inadvertently or covertly overhearing and recording sensitive patient information?
What HIPAA regulations or legal ramifications might be evoked by such a situation? How does an office notify patients of and enforce such a policy? Should the office require patients to sign an acknowledgement of said policy or is a posted sign or notice adequate?
I would love to hear all your thoughts on this topic and any additional related issues that might come up that I have not already listed in the situations above.
Training is one of the essential cornerstones of any effective compliance program.
Training is an investment for any organization. That investment pays great dividends in the form of liability protection when it comes to compliance. However, with that being said, some organizations are still hesitant to train their employees or outright refuse to make this very important investment. When it comes to Federal and State compliance, the decision to train employees has been taken out of the hands of the organizations. For example, with HIPAA compliance, the Office for Civil Rights (OCR), states:
"§164.530(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."
In the event of a HIPAA audit, the auditor will ask him or herself a discovery question:
"Does the covered entity train its workforce and have policies and procedures to ensure all members of the workforce receive necessary and appropriate training in a timely manner as provided for by the established performance criterion?"
In addition, the auditor will take the following action:
"Obtain and review such policies and procedures. Areas to review include training each new member of the workforce within a reasonable period of time and each member whose functions are affected by a material change in policies or procedures. From the population of new hires within the audit period, obtain and review a sample of documentation of necessary and appropriate training on the HIPAA Privacy Rule that has been provided and completed."
And finally, the auditor will:
"Obtain and review documentation that workforce members have been trained on material changes to policies and procedures required by the HITECH Act."
What is the above pattern of the auditor?
As a matter of policy, require that all employees are fully trained
Ensure that each organization has established policies and procedures
Verify that training is being done by obtaining documentation on training and policies/procedures
This similar pattern is followed by other government organizations. Documented compliance training is required in the areas of OSHA, Medicare, and other various areas where compliance is required.
When organizations give their employees the resources and information they need to be compliant with these various regulations, they begin to establish a culture of compliance within the organization.
Compliance training is not a request or addressable, it is REQUIRED!!!!!
Employee training is an investment worth making. However, compliance training is not just a good investment, it is liability protection that any organization cannot be without.
Documentation is one of the essential cornerstones of any effective compliance program.
Henry was understandably nervous on the day his office was being audited by the Office for Civil Rights (OCR). While still feeling some butterflies, he was confident that his compliance efforts would pass the HIPAA audit. Henry was then asked a series of questions:
Auditor - Does your office have established policies and procedures?
Henry - Yes we do!
Auditor - Show them to me.
Henry - Here is a copy of our employee handbook.
Auditor - This does not contain the necessary written information.
Henry - I thought it was enough . . .
Auditor - Does your office train your employees continuously?
Henry - Yes we do!
Auditor - Show me the training documentation.
Henry - Our employees are trained on compliance every year at our annual "compliance and pizza" meeting.
Auditor - That is not what I asked for.
Henry - I thought it was enough . . .
Auditor - Show me your breach disclosure log.
Henry - Our breach disclosure log . . .
Auditor - Do you not have one?
Henry - I'm not even sure what that log is.
At this point in the audit, Henry's confidence has vanished and he is now thinking about the possibility of having to look for another job.
OCR has stated that it views compliance as an "ongoing journey". When you are on a journey, your attention is focused on what lies ahead. However, if you stop for a moment and look behind you, you will see past evidence of your journey in the form of footprints. If you turn around, you will be able to retrace your journey by following those footprints. If it was not for your footprints, you would not be able to retrace your journey back to where you started.
This same idea of retracing your footprints and being able to follow the history of your journey applies to your "ongoing journey of compliance". However, rather than leaving footprints behind you, you leave a paper trail called documentation. By keeping your documentation up-to-date, you have a history of your compliance activity and evidence of where you currently stand (policies and procedures).
There are numerous benefits to good documentation:
Paper Trail - This will be useful in demonstrating your compliance activity for an audit or possible protection against liability.
Compliance Story - It is not only about what you did and the final outcome, but rather what factors were a part of your decision making process and what led you to make the final decision.
Hand-Me-Down - When an office changes Administrators or Compliance Officers, the newly appointed employee will be able to review previous documentation and have a better understanding of the organization's compliance history.
Employee "Misunderstandings" - Documentation of policies and procedures goes a long way toward eliminating the employee "misunderstandings" that tend to crop up. If an employee says that they did not know the policy, you can refer to the written policy and the acknowledgement of it that they signed during their training.
During an audit by OCR, they want to look at your "ongoing journey of compliance". If your documentation is done well and is up-to-date, then you won't have to shy away from their questions. Simply take their hand and guide them through the history of your "ongoing journey of compliance" by following your own footprints.
The U.S. Occupational Safety and Health Administration (OSHA) recently issued a final rule that becomes effective January 1, 2017 requiring healthcare industry employers to electronically submit to OSHA injury and illness data from their OSHA logs. This information will then become publicly available on the OSHA website.
As a corollary, and “to ensure the completeness and accuracy of injury and illness data,” the final rule also:
Creates an explicit requirement that employees must be informed of their right to report work-related injuries and illnesses free from
Specifically requires that an employer's procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting; and
Explicitly prohibits retaliation against employees for reporting work-related injuries or illnesses.
The requirement to report data applies to: (1) work locations with 250 or more employees, and (2) work locations with 20 to 249 employees in specific “high-risk industries” identified in the rule. The rule includes several types of healthcare industries in its definition of high-risk industries. Specific healthcare industries that must comply with this rule if they have 20 or more employees at a particular work
Ambulatory healthcare services;
General medical and surgical hospitals;
Psychiatric and substance abuse hospitals;
Specialty (except psychiatric and substance abuse) hospitals;
Nursing care facilities;
Residential mental retardation, mental health, and substance abuse facilities;
Community care facilities for the elderly; and
Other residential care facilities.
Businesses with 250 or more employees at a work location in industries covered by the new recordkeeping regulation must submit information from their 2016 Form 300A by July 1, 2017. These employers will also be required to submit information from all 2017 forms (300A, 300, and 301) by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year. Businesses with 20-249 employees in high-risk industries, including those healthcare industries mentioned above, must submit information from their 2016 Form 300A by July 1, 2017, and their 2017 Form 300A by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year.
OSHA will make the injury and illness data public. After removing any Personally Identifiable Information that could be used to identify individual employees, OSHA will post the data on its website, and anyone will be able to download it. Employers in the above-referenced high-risk industries (and those with 250 or more employees) should begin planning now to ensure compliance with the January 1, 2017 reporting
The new rule also emphasizes that employees who report workplace related injuries and illnesses may not be discriminated against or retaliated against because they have reported such injuries or illnesses. It provides OSHA with the authority to cite an employer for retaliation even in the absence of any employee complaint. The commentary to the rule says:
Employers must have a reasonable procedure for employees to report work-related injuries and illnesses.
Employers’ reporting procedures cannot deter or discourage reasonable employees from accurately reporting a workplace injury or illness.
Blanket or automatic post-accident testing policies are prohibited and will be viewed as taking an adverse action against, retaliating against, or discouraging employees from reporting accidents.
Employers need not specifically suspect drug use before testing, but there should be a reasonable possibility that drug use by a reporting employee was a contributing factor to the reported injury or illness in order for an employer to require testing, and, even then, the testing should be limited to only the employee who caused the accident rather than everyone involved.
Although the new rule does not prohibit all post-accident/post-injury drug testing policies, OSHA’s position is that the circumstances of some accidents make it unlikely that drug use was a contributing factor, and therefore testing employees in these situations would be viewed as retaliation. OSHA provides these examples of circumstances where required drug testing would be suspect:
After an employee reports a bee sting;
When an employee has a repetitive strain injury;
After an injury caused by a lack of machine guarding; or
When a machine or tool malfunctions.
The rule acknowledges many employers implement post-accident/post-injury drug testing policies because they are located in states that offer workers’ compensation premium reductions for enacting Drug Free Workplace Policies. Compliance with these workers’ compensation programs or other state or federal laws or regulations requiring post-accident/post-injury or reasonable suspicion testing are
Employers must also specifically inform employees: (i) they have the right to report work-related injuries and illnesses; and (ii) the employer is prohibited from retaliating against employees for reporting work-related injuries or illnesses. Employers also must establish a reporting procedure that does not deter or discourage an employee from reporting work-related injuries and illnesses. These posting and reporting requirements are effective as of November 1, 2016.