Wednesday, February 21, 2018

HIPAA Breach Reporting Annual Deadline - March 1, 2018

HIPAA covered entities and their business associates are required to provide notification following a breach of unsecured protected health information (PHI).

Healthcare Compliance Solutions Inc.
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The notice must be sent to the involved individuals as soon as reasonably possible but no later than 60 days after discovery of the breach. (45 CFR § 164.404).

Do I need to report it?

The timing of notice to HHS depends on the number of persons affected by the breach. If the breach involves 500 or more persons, the covered entity must notify HHS at the same time it notifies the individuals, and the breach must also be reported to the media. If the breach involves fewer than 500 persons, the covered entity must report the breach to HHS no later than 60 days after the end of the calendar year in which the breach(es) were discovered (i.e., March 1, 2018 for breaches that occurred during 2017).

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.”
  1. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Documentation. A covered entity is required to maintain documentation concerning its breach analysis and/or reporting for six years. (45 CFR §§ 164.414 and 164.530(j)).

Accounting Logs. Whether or not the breach is reportable to the individual or HHS, covered entities and business associates are still required to record impermissible disclosures in their accounting of disclosure log(s) as required by 45 CFR § 164.528. The log must record the date of the disclosure; name and address of the entity who received the PHI; a brief description of the PHI disclosed; and a brief statement of the reason for the disclosure. (45 CFR § 164.528(b)). If requested, the covered entity must disclose the log to the individual or the individual’s personal representative within 60 days. (Id. at 164.528(c)).

Avoid Reports by Avoiding Breaches. Of course, it is better to avoid a breach rather than respond to one. To that end, covered entities and business associates should ensure that they practice preventive medicine by, among other things, encrypting PHI when possible and implementing other required policies and administrative, technical, and physical safeguards to protect PHI. They should train and regularly remind workforce members concerning HIPAA obligations, periodically monitor compliance, and respond promptly to correct weaknesses.

Submitting a Notice of Breach to the HHS Secretary:

If you have any questions, you may call HHS OCR toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov.



Important Note: Remember that while it may be relatively unlikely that not reporting small breaches will automatically invite an HHS investigation, if a non-reported breach or a trend of violations IS discovered, this could lead to a judgment of "Willful-Neglect", magnifying penalties and fines dramatically.


Healthcare Compliance Solutions Inc.



Thursday, February 15, 2018

The Dragons of Healthcare Workplace Safety: HCS, SDS and GHS

Understanding the Hazard Communication Standard (HCS), Safety Data Sheets (SDS), and the Globally Harmonized System of Classification and Labeling of Chemicals (GHS), and how to properly implement them to ensure workplace safety and comply with OSHA.
 HCSI OSHA Training

We at HCSI train healthcare professionals and their staff members on the Federal OSHA requirements for medical providers. Even though our training covers all required areas, such as the Hazard Communication Standard, Safety Data Sheets, GHS labeling rules, etc., we occasionally get a frantic call from a confused practice manager or compliance officer after a friendly visit by an OSHA inspector. Even though they were trained on these subjects, they invariably did not take the time to implement the training and translate it into the preparation of their site-specific required safety and regulatory documentation. Once again, the classic saying, perhaps older than the dragons of ancient lore, rears its ugly head... "If it wasn't documented, it never happened."
All hazardous chemicals found in the workplace/practice must be identified and a Master List must be compiled containing the names of products, their manufacturers and their chemical components. This Master List can be compiled from information gained from a list of OSHA regulated substances such as the NIOSH Pocket Guide to Chemical Hazards.

Safety Data Sheets (SDS) are forms, generally provided by chemical manufacturers, that convey hazard-related information on the chemicals and hazardous substances you use in your workplace. They were previously called Material Safety Data Sheets (MSDS), which are now obsolete: the GHS, implemented in 2013, replaced MSDSs with SDSs. It is important that employees know how to interpret the information found on each SDS, which describes the chemical composition, health and physical hazards, and safe handling and emergency procedures for all products containing hazardous substances.

In the U.S., the Occupational Safety and Health Administration (OSHA) requires that SDSs be readily available to all employees for potentially harmful substances handled in the workplace under the Hazard Communication regulation. The SDSs are also required to be made available to local fire departments and local and state emergency planning officials under Section 311 of the Emergency Planning and Community Right-to-Know Act. The American Chemical Society defines Chemical Abstracts Service Registry Numbers (CAS numbers) which provide a unique number for each chemical and are also used internationally in SDSs.

In 2012, the US adopted the 16 section Safety Data Sheet to replace Material Safety Data Sheets. This became effective on December 1, 2013. These new Safety Data Sheets comply with the Globally Harmonized System of Classification and Labeling of Chemicals (GHS). By June 1, 2015, employers were required to have their workplace labeling and hazard communication programs updated as necessary – including all MSDSs replaced with SDS-formatted documents.

Many companies offer the service of collecting, or writing and revising, data sheets to ensure they are up to date and available for their subscribers or users. Some jurisdictions impose an explicit duty of care that each SDS be regularly updated, usually every three to five years. However, when new information becomes available, the SDS must be revised without delay.

Hazard Communication Standard

The Hazard Communication Standard (HCS) is now aligned with the Globally Harmonized System of Classification and Labeling of Chemicals (GHS). This update to the Hazard Communication Standard (HCS) provides a common and coherent approach to classifying chemicals and communicating hazard information on labels and safety data sheets. This update will also help reduce trade barriers and result in productivity improvements for American businesses that regularly handle, store, and use hazardous chemicals while providing cost savings for American businesses that periodically update safety data sheets and labels for chemicals covered under the hazard communication standard.

In order to ensure chemical safety in the workplace, information about the identities and hazards of the chemicals must be available and understandable (i.e., training provided) to workers. OSHA's Hazard Communication Standard (HCS) requires the development and dissemination of such information:

  • Chemical manufacturers and importers are required to evaluate the hazards of the chemicals they produce or import, and prepare labels and safety data sheets to convey the hazard information to their downstream customers;
  • All employers with hazardous chemicals in their workplaces must have labels and safety data sheets for their exposed workers, and train them to handle the chemicals appropriately. 
Major changes to the Hazard Communication Standard 
  • Hazard classification: Provides specific criteria for classification of health and physical hazards, as well as classification of mixtures.
  • Labels: Chemical manufacturers and importers will be required to provide a label that includes a harmonized signal word, pictogram, and hazard statement for each hazard class and category. Precautionary statements must also be provided.
  • Safety Data Sheets: Will now have a specified 16-section format.
  • Information and training: Employers are required to train workers on the new label elements and safety data sheet format to facilitate recognition and understanding.
GHS Pictograms

As of June 1, 2015, the HCS requires new SDSs to be in a uniform format and to include the section numbers, the headings, and the associated information under the headings below:

Section 1, Identification includes product identifier; manufacturer or distributor name, address, phone number; emergency phone number; recommended use; restrictions on use.
Section 2, Hazard(s) identification includes all hazards regarding the chemical; required label elements.
Section 3, Composition/information on ingredients includes information on chemical ingredients; trade secret claims.
Section 4, First-aid measures includes important symptoms/effects, acute, delayed; required treatment.
Section 5, Fire-fighting measures lists suitable extinguishing techniques, equipment; chemical hazards from fire.
Section 6, Accidental release measures lists emergency procedures; protective equipment; proper methods of containment and cleanup.
Section 7, Handling and storage lists precautions for safe handling and storage, including incompatibilities.
Section 8, Exposure controls/personal protection lists OSHA’s Permissible Exposure Limits (PELs); ACGIH Threshold Limit Values (TLVs); and any other exposure limit used or recommended by the chemical manufacturer, importer, or employer preparing the SDS where available as well as appropriate engineering controls; personal protective equipment (PPE).
Section 9, Physical and chemical properties lists the chemical's characteristics.
Section 10, Stability and reactivity lists chemical stability and possibility of hazardous reactions.
Section 11, Toxicological information includes routes of exposure; related symptoms, acute and chronic effects; numerical measures of toxicity.
Section 12, Ecological information*
Section 13, Disposal considerations*
Section 14, Transport information*
Section 15, Regulatory information*
Section 16, Other information, includes the date of preparation or last revision.
*Note: Since other Agencies regulate this information, OSHA will not be enforcing Sections 12 through 15 (29 CFR 1910.1200(g)(2)).
Employers, please remember to periodically review and update your hazardous substance/chemicals Master List and ensure your SDSs reflect those changes and are readily accessible, readable and also understandable to your employees as well as any fire department personnel, inspectors and/or government officials. Annual OSHA training is also required to ensure your staff is educated, aware and updated on these and other vital workplace safety issues.

Protecting your employees, patients and your office's regulatory reputation is an ongoing process requiring diligence and oversight. You cannot simply take an apprentice course in the basics of fending off dragons in the hopes of never encountering one of the dreaded beasts. The knighthood of compliance (OSHA or otherwise) requires the quest of discovering your office's site-specific situations, knowing your procedures, along with the discipline of documentation and the situational awareness to defend against the dragons of workplace safety and regulatory compliance.

 HCSI



Monday, February 12, 2018

MIPS Reporting Deadlines Fast Approaching: 10 Things to Do and Know

 HCSI

Deadlines are fast approaching if you plan to submit data for the 2017 Merit-based Incentive Payment System (MIPS) performance period. Don’t wait until the last minute to submit your data. Submit early and often. The two key dates are:


Now is the time to act. Here are the top 10 things you need to do and know if you are an eligible clinician. This list focuses on reporting via the qpp.cms.gov data submission feature, not on group reporting via the CMS Web Interface and not on individual reporting on Quality measures via claims submission data.

Claims Data Submission

If you plan to submit 2017 data for the Quality performance category via claims, you must do so by March 1, 2018.
Note: If you’re not sure if you are required to report for MIPS, enter your National Provider Identifier (NPI) in the MIPS Lookup Tool to find out whether you need to report. Additionally, if you know you are in a MIPS APM or Advanced APM, you can use the APM Lookup Tool.

1) Visit qpp.cms.gov and click on the “Sign-In” tab to use the data submission feature.

2) Check that your data are ready to submit. You can submit data for the Quality, Improvement Activities, and Advancing Care Information performance categories.

3) Have your CMS Enterprise Identity Management (EIDM) credentials ready, or get an EIDM account if you don’t have one. An EIDM account gives you a single ID to use across multiple CMS systems.

4) Sign in to the Quality Payment Program data submission feature using your EIDM account.

5) Begin submitting your data early. This will give you time to familiarize yourself with the data submission feature and prepare your data.

6) The data submission feature will recognize you and connect your NPI to associated Taxpayer Identification Numbers (TINs).

EIDM Tips

  • You can use your EIDM account to report for multiple NPIs associated with your EIDM.
  • If you’ve reported for legacy programs like the Physician Quality Reporting System (PQRS), you already have an EIDM account.
  • You can also use the EIDM Guide to get started.
7) Group practices:
  • A practice can report as a group or individually for each eligible clinician in the practice. You can switch from group to individual reporting, or vice versa, at any time.
  • The data submission feature will save all the data you enter for both individual eligible clinicians and a group, and CMS will use the data that results in a higher final score to calculate an individual MIPS-eligible clinician’s payment adjustment.
8) You can update your data up to the March 31 deadline. The data submission feature doesn’t have a “save” or “submit” button. Instead, it automatically updates as you enter data. You’ll see your initial scores by performance category, indicating that CMS has received your data. If your file doesn’t upload, you’ll get a message noting that issue.

9) You can submit data as often as you like. The data submission feature will help you identify any underperforming measures and any issues with your data. Starting your data entry early gives you time to resolve performance and data issues before the March 31 deadline.

10) For step-by-step instructions on how to submit MIPS data, check out this video and fact sheet.

If you are in an ACO or other APM, work with your ACO or APM to make sure they have any patient information they need to report. Remember that you need to report on Advancing Care Information measures on your own.

Questions about your participation status or MIPS data submission? 
Contact the Quality Payment Program Service Center via:
Email: qpp@cms.hhs.gov
Phone: 1-866-288-8292  (TTY: 1-877-715-6222)

Source(s): https://www.hcsiinc.com, https://qpp.cms.gov/



Thursday, February 8, 2018

Protecting Doctors from Themselves

While practicing medicine, doctors must protect their own integrity and reputation


It is a story that we were all shocked to hear about: a USA Gymnastics medical professional and his inappropriate conduct with his patients and others. It is situations like this that make patients either grateful for or suspicious of the doctor they have.

Reality Time

When something so dramatic and public as the USA Gymnastics situation happens, it has numerous effects:
  1. Patients who are victims of such horrific acts may develop the courage to speak out and tell their story.
  2. Some people will begin looking for this type of situation in their life and find it, even if it does not exist.
  3. There are people who are looking for the social media spotlight and begin making accusations in order to gain attention.
What Can a Doctor Do?

It is vital that a doctor take appropriate steps to protect him or herself from a possibly career-ending situation:
  • Continually communicate with the patient throughout their visit. They should know what the doctor is doing and why.
  • Have written policies and procedures in place that focus on harassment and inappropriate conduct within the office. These policies should also include appropriate interactions with patients. This training should include ALL staff members, including doctors, and be done annually as well as being thoroughly documented.
  • Create a culture within the healthcare office of acting professionally and being current with all compliance laws.
  • Communicate with patients that if at any time they do not feel comfortable with the doctor or other staff members, they are welcome to have an additional person of the same gender in the room during their visit.
  • If the doctor does not feel comfortable being alone with the patient, then he or she should request that an additional person (e.g. nurse or physician assistant) be present during the visit.
Possible Consequences

If a doctor is accused of some inappropriate behavior with a patient, then that doctor's reputation could be irrevocably damaged. It does not matter if the accusation has any truth to it; people will remember and the damage is done. It is best for the doctor to protect him or herself and avoid even the slightest hint of inappropriate behavior.

This type of situation cannot be taken lightly. Many doctors push away training, especially HR training, as inconvenient and a time waster. They do not understand that HR and other trainings are in place for their protection. Documented HR and conduct training would play a key role in protecting a doctor and the reputation of the practice.

It is completely understandable that doctors want to focus only on practicing medicine, but they do not need to put themselves and their career at risk when doing so.


