Friday, May 27, 2016

Identifying Business Associates

Covered Entities & Business Associates
With business associates and business associate agreements (BAAs) coming under increased scrutiny in the latest round of HIPAA audits, some covered entities are wondering how to identify which vendors are considered business associates, and therefore require a BAA, and which vendors are not.
According to the Privacy Rule, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity (CE).
Business associate functions and activities include the following:
        Claims processing or administration;
        Data analysis;
        Processing or administration;
        Utilization review;
        Quality assurance;
        Benefit management;
        Practice management; and
Additionally, any entity that provides any of the following services involving the disclosure of PHI by a CE is a business associate:
        Data aggregation;
        Accreditation; or
The Omnibus Rule also expanded the definition of a business associate: a business associate is any individual or organization that creates, receives, maintains, or transmits PHI on behalf of a CE. Four new categories were also added to the definition:
        Health Information Exchanges;
        E-prescribing gateways;
        Data transmission services; and
        Entities that offer a personal health record to individuals on behalf of a CE.
The following is a list of sample business associates a CE may have. A BAA would need to be initiated for all of these vendors. Examples include:
        IT companies that support health care providers;
        Electronic Health Record (EHR) system providers;
        Data centers, online backup companies, cloud service providers, even if they do not access data;
        Shredding companies;
        Insurance agents;
        A CPA firm whose accounting services to a health care provider involve access to PHI;
        An attorney whose legal services to a health plan or provider involve access to PHI;
        Any person or entity providing services to a business associate that requires access to PHI; and
        Data centers, online backup companies, cloud service providers, providing services to a business associate, even if they do not access data.
The Privacy Rule also outlines situations where it is not necessary to enter into a BAA. Some examples of when a BAA is not required are the following:
        When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network.
        With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all.
        Among CEs who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.
        Where a group health plan purchases insurance from a health insurance issuer or HMO.
        Where one CE purchases a health plan product or other insurance, for example, reinsurance, from an insurer.
        With a person or organization that acts merely as a conduit for PHI, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
        To disclose PHI to a researcher for research purposes, either with patient authorization, pursuant to a waiver, or as a limited data set.
        When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or affects the transfer of funds for payment for health care or health plan premiums.
Also included are the following exceptions to the business associate standard. In these situations, a CE is not required to have a BAA or other written agreement in place before PHI may be disclosed to the person or entity.
        Disclosures by a covered entity to a health care provider for treatment of the individual;
        Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met;
        The collection and sharing of PHI by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects PHI to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law; and
        Patient safety organizations.


Friday, May 20, 2016

Discussion Point: Releasing Patient Information to a Pharmacy, Relating to Drug Use

I have a question for all of you.

A Doctor's office received a fax from a pharmacy (for the sake of clarification, let’s just say it was CVS) asking questions about one of their patients. The Doctor's office had treated the patient for one specific procedure and had prescribed medication (non-refillable) relating only to that procedure. The Pharmacy’s fax listed numerous prescriptions from various other sources that seemed excessive, and they were apparently concerned the patient may be abusing these prescriptions in one way or another. The pharmacy wanted the Doctor's office to answer a questionnaire about the patient, their treatment, diagnosis, etc. A pharmacy is considered a Covered Entity, but do they have the right, under HIPAA, to ask the Dr. these types of questions about the patient that are not necessarily related to a specific Treatment per se?
What are your thoughts based on your understanding of HIPAA, and what limits, if any, are there on what the pharmacy may ask of the practice? Should the pharmacy be able to ask any questions they want, or is there a limit or minimum necessary before the Privacy boundary is crossed?


New Overtime Rule and You

New overtime rule could very likely affect your job directly or even indirectly

The United States Department of Labor has released the final rule on changes being made to overtime pay. This rule will be effective December 1, 2016.

Previous Rule:

If you were considered an exempt employee and got paid an annual salary of at least $23,660, you were not eligible for overtime pay if you worked more than 40 hours in a work week.

New Rule:

If you are considered an exempt employee and get paid an annual salary below $47,476 and above $23,660, you could now be eligible for overtime pay if you work more than 40 hours in a work week.

Options for the Employer:

Employers could respond to this new overtime rule in a variety of ways:
  1. Employers could begin paying overtime pay to the employees who now fit the new criteria. This could lead to a rise in the cost of the organization's products/services.
  2. Employers could raise salaried employees' pay to the new minimum of $47,476. This could lead to a rise in the cost of the organization's products/services.
  3. Employers could reclassify the exempt salaried positions as full-time hourly positions. This would limit employees' ability to work additional hours to accomplish their assigned duties.
  4. Employers could eliminate the affected positions that would otherwise be considered eligible for overtime pay. This would require the employer to redistribute those job duties to other employees within the organization.
  5. Employers could eliminate the affected positions and replace each of those positions with two part-time employee positions. This would also enable the organization to save on paying full-time benefits.
In order for a worker to be exempt from overtime, they must meet the duties criteria for the exemption. For example, performing "executive" duties means supervising the work of two or more employees, and "administrative" duties require the exercise of discretion and independent judgment. For more information, please review the Department of Labor's fact sheet on overtime exemption.

If you feel that you work in a position that could fall under these new overtime rules, please consult your Human Resource department or immediate supervisor. As always, be sure to review your state specific overtime rules.

These new overtime rules will affect an estimated 4.5 million workers and have a residual effect on their co-workers and on products/services.

Here is the new overtime rule as stated by the Department of Labor:
Key Provisions of the Final Rule
The Final Rule focuses primarily on updating the salary and compensation levels needed for Executive, Administrative and Professional workers to be exempt. Specifically, the Final Rule:
1. Sets the standard salary level at the 40th percentile of earnings of full-time salaried workers in the lowest-wage Census Region, currently the South ($913 per week; $47,476 annually for a full-year worker);
2. Sets the total annual compensation requirement for highly compensated employees (HCE) subject to a minimal duties test to the annual equivalent of the 90th percentile of full-time salaried workers nationally ($134,004); and
3. Establishes a mechanism for automatically updating the salary and compensation levels every three years to maintain the levels at the above percentiles and to ensure that they continue to provide useful and effective tests for exemption.
Additionally, the Final Rule amends the salary basis test to allow employers to use nondiscretionary bonuses and incentive payments (including commissions) to satisfy up to 10 percent of the new standard salary level.
The effective date of the final rule is December 1, 2016. The initial increases to the standard salary level (from $455 to $913 per week) and HCE total annual compensation requirement (from $100,000 to $134,004 per year) will be effective on that date. Future automatic updates to those thresholds will occur every three years, beginning on January 1, 2020.


Friday, May 13, 2016

Employee Breaks and Your Business

Breaks are important to your employees, but those breaks have an effect on your business.

Alice has been helping customers for nearly four hours straight. She gets into an argument with a customer. That argument escalates quickly, and a supervisor then gets involved. Things are de-escalated, the customer leaves angry, and Alice gets a tongue-lashing from her supervisor.

The situation described above has been played out many times in many businesses. Ask yourself this question:

Who's at fault for the above situation?

Everyone will have his or her own answer based on personal experiences and practices. My answer is simple: it is the supervisor's fault. People are human and they need to be recognized as such. Alice should not have been helping customers for nearly four hours without a break. Despite all of the training provided, it was the supervisor's failure to treat Alice as a human that led to this situation.

Let's take a moment and see how employee breaks affect the business and the employees:

Effects of Breaks on Business
Employees are only productive when they are working. When employees are productive, business gets done. When an employee is on break, they are not being productive, but they are still getting paid (except during an unpaid lunch break).

Effects of Breaks on Employees
When an employee goes on break, they are able to "wind down" and decompress. They take a few minutes to relax and socialize, read, get some refreshment, or step away. This helps employees feel rejuvenated and refreshed. Breaks are just as much mental as they are physical.

State laws vary on this issue. For example, one state requires an employer to give its employees a 10-minute break every four hours and a 30-minute lunch break when working more than six hours. Typical employment law does not take into account the various industries, the type of work being done, or the mental/physical stress on employees.

Perplexing Facts
  • Businesses want employees to be highly productive for the maximum time possible.
  • Most employees want to be highly productive and do quality work. If a business has employees who don't meet these criteria, then it should find ones who do.
  • Employees are humans and humans need time to re-energize, refocus, regroup, and refresh.
  • Employees who are given shorter periods of time to work between breaks are typically more productive, effective, energized, and focused.
  • Giving employees the opportunity to be highly productive and appreciating them as humans will improve morale and decrease turnover. This saves the business money.
In order for businesses to achieve a high level of productivity from its employees and for employees to produce at a high level with high quality work, here is my recommendation:
  • Employees get a 10 minute break every 2 hours
  • Employees who work 8 hours should get a 30 minute unpaid lunch break every four hours
  • Employees who work six hours get one 10 minute break after two hours worked and another 20 minute food break after their next two hours
You should always check with local state laws before creating a break policy. In addition, some flexibility should be considered based on industry and type of work.

If a business treats their employees well, then it is more likely that those employees will treat the customers well!


Am I a Good Compliance Officer?

What Does It Take To Be A Good Compliance Officer?

What makes a good Compliance Officer? It’s a question every hiring manager, General Counsel and Board must consider when faced with the need or opportunity to bring that critical person into the business.
The compliance profession is still in its infancy. A couple of decades ago it started in the United States in the financial services and health care sectors, growing out of legal and audit and into its own role. As the UK Bribery Act came into force and more multi-national organizations were stung with fines for failing to comply with all sorts of laws, companies began to hire compliance officers in order to address the ever-increasing legal and regulatory expectations placed on them from all angles. As compliance departments grow throughout Europe, Asia and South America, businesses must evaluate who to hire and how to determine what makes a good compliance officer.

What are the primary roles a compliance officer must undertake?

In many businesses, compliance is in charge of both compliance and ethics.  Compliance tends to deal with the policies and procedures that are put in place in order for the business to ensure compliance with the law.  Ethics revolves around doing the right thing, corporate values and training people to behave in a way that creates a culture of compliance.  While some organizations, particularly in financial services, separate the ethics and compliance elements, for most businesses compliance and ethics go hand-in-hand in one role. 

Compliance Officers are generally charged with three tasks: awareness, advice and reporting.  The Compliance Officer creates the compliance program and ensures that people throughout the organization are aware of it, which includes ensuring understanding of the law, rules and procedures enforced by the company.  Compliance Officers must also be able to advise on legal and compliant ways of conducting business, and then report to the business about program implementation and specific issues requiring resources or response.

What skills does a Compliance Officer need to have?

The most important thing a Compliance Officer needs is a deep understanding of the business.  Without a desire to know the business, the Compliance Officer will not be able to give helpful solutions to problems. 

Communication skills are also vital for a Compliance Officer.  Most Compliance Officers perform training or give updates to the employee population, managers or Board, so clear, compelling communication is essential.  Compliance Officers also need to be terrific listeners so that they can hear and understand the pressure points between the business and the law.  Compliance Officers must be persuasive and able to influence the business, especially when the procedures or policies may be unpopular or difficult but necessary. 

Lastly, Compliance Officers need to be skilled at designing simple and understandable procedures in order to mitigate the risks identified by the business.

How important is independence for a Compliance Officer?

Capacity for independent thought is crucial, as is a strong moral compass.  Although it is very important that the Compliance Officer be able to get along well with others in the business, there will invariably be times when the Compliance Officer must stand up for what is right, and not what is popular.  Ideally the Compliance Officer will have a direct reporting line to the Board and C-suite, so that any highly-contentious issue is dealt with at the highest levels of the business without the dilution of another function speaking for Compliance.  There is a strong trend right now in Financial Services and in U.S. enforcement actions to demand that the Compliance Department function outside the Legal Department.  This trend is likely to continue and is likely to become best practice throughout the world.

What else can a Compliance Officer do to be effective?

The best Compliance Officers are those who can embrace change.  The regulatory environment is an ever-evolving one, and just when a Compliance Officer thinks that the program is perfect, another law will come into force or an enforcement action will require the program to shift.  Compliance Officers need to be naturally curious with a can-do attitude.  If a Compliance Officer learns to say “no” effectively to the business using empathy and giving an explanation, it will go a long way toward building the trust that is critical for the Compliance Officer to maintain with management.

What role does enthusiasm or charisma play in becoming a good compliance officer?

Ideally Compliance Officers come to the job with a belief that what they are doing is important, valuable and helpful to the business.  It’s been said that the Compliance Department’s job is to protect the business in five years.  Therefore, short-term sales goals and actions which may create reputational risk must be eschewed in favour of long-term thinking about what is going to make the business sustainable and profitable in the future.  Compliance Officers who maintain a sense of mission, justice and proportionality will be successful.  A sense of purpose, enthusiasm for the job and natural charisma will draw people within the business to listen to the Compliance Officer, which can be helpful.

Is the definition of what makes a “good” Compliance Officer different when the person is working in a multi-national business?

Compliance roles inevitably become more complex when the business is multi-national.  Not only does the Compliance Officer have to manage differing, and sometimes competing laws, but there will also be questions of language and culture that can make the job more difficult.  Compliance Officers working in multi-national environments need to be incredibly attuned to the cultural differences within the countries in which their business operates.  A strong desire to learn about the other cultures will make a big difference.  People tend to listen to people who listen to them.  A good Compliance Officer in a multi-national company will be one who is aware that everyone comes with a set of expectations created by their culture of origin, and that listening and being aware is critical to the success of the compliance program in a multi-national environment.

What’s the number one way to determine whether or not you are, or have hired, a good Compliance Officer?

You know you are a good Compliance Officer if members of the business frequently come to you to proactively seek your advice.  If you’re providing smart, helpful counsel and engaging with them so that they trust you, then you are likely doing your job effectively.


Wednesday, May 4, 2016

Do You Understand The HIPAA Security Risk Management Process?

Risk Analysis Requirements Under The Security Rule
The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Analysis/Assessment for your organization, at minimum, once per year. It is critical that practices perform the Security Risk Analysis for several reasons. Not only is it important to comply with HIPAA and the rules and regulations of the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), but there is also what you should consider a more motivating reason: to protect your practice (and bank account) from what could become debilitating fines and penalties.

The Security Management Process standard in the Security Rule requires each organization to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)) as they apply to its particular practice. Risk Analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard. This article covers the Risk Analysis implementation specification of that standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. (Each organization must evaluate for itself the most appropriate answers to the questions contained in its own Risk Analysis.) From the information gained while conducting your Risk Analysis, you should prepare a Security Risk Action Plan documenting your findings, your conclusions, and your plans to address risk issues.

This Action Plan should identify the current state of your practice in three areas: environmental, facility, and hardware/software controls (i.e., human, natural, and environmental threats). It should also rank issues from high to low risk and prescribe plans of action to address them in priority order as deemed necessary. Document your plans based on those risk analysis findings and your practice's available resources, so as to best approach the reduction of your higher-risk issues, and document your best-practice policies and procedures going forward to mitigate damage, disruption, or loss of Protected Health Information (PHI). The Security Rule requires the Risk Analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The Risk Analysis documentation is a direct input to your Risk Action Plan and overall Risk Management Process.
The following questions are examples that your organization could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

1. Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
2. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit your e-PHI?
3. What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a Risk Analysis, the Rule indicates that a Risk Analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)   

OCR has acknowledged in recent months that providers are not making compliance implementation a priority in their practices. Thus, the increased risk of unauthorized access, use, and disclosure of protected (yet quite vulnerable) PHI remains a factor, not to mention the risk of practices not appropriately implementing other critical areas of compliance, which also poses significant vulnerability to practices as well as a heightened risk of significant fines and penalties. While this information only briefly describes the risk to your practice, providers, workforce, and patients, the message to take away is that the Office for Civil Rights means business; so much so, in fact, that it has decided the best and only way to make sure practices understand the significance of compliance is for OCR (along with other governing entities) to increase enforcement efforts.

There is no such thing as "under the radar" or "off the grid" for practicing providers today. One component of enforcement is HIPAA Security. It is a priority under HIPAA to ensure that potentially patient-identifying and vulnerable information is secure, and rightfully so, when you consider the risk of identity theft, medical identity theft, and other dangers posed to patients by the amount and types of information that health care providers hold on each patient. Add to that the difficulty of finding the source of, and stopping the effects of, identity theft or medical identity theft should it occur (which it does, all too often).
Organizations should use the information gleaned from their Risk Analysis as they, for example:
  1. Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).) 
  2. Identify what data to backup and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).) 
  3. Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).) 
  4. Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  5. Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)
Though there are other components of compliance, the Security Risk Analysis is one essential component of compliance, for many reasons. The Security Risk Assessment shows your practice's good-faith effort in establishing and maintaining appropriate policies and procedures that meet guidelines and minimize risk to your practice, your patients, and their protected information. The Security Risk Analysis is required as a way for practices to show ongoing monitoring of critical business systems.

Enforcement of this area is at an all-time high and will continue to gain steam. The best thing practices can do is to be proactive and show initiative. Also, note that the Security Risk Analysis/Assessment is also required for Meaningful Use attestation. Practices that are found to have received incentive payments through Meaningful Use but have not appropriately conducted a Security Risk Analysis/Assessment per attestation requirements are having to refund all of the incentive payments received, as well as running the very high risk of more in-depth investigations and other potential penalties.

Risk Analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The outcome of the risk analysis process is a critical factor in assessing whether a required implementation specification or an equivalent measure is reasonable and appropriate. 
