Friday, September 30, 2016

HHS Section 1557 Discrimination Clarification

HHS Nondiscrimination Provisions, Disability Provisions, and Language Provisions will have an effect on covered entities.

From the HHS website on Section 1557:

Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
  • Any health program or activity any part of which receives funding from HHS
  • Any health program or activity that HHS itself administers
  • Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
The Nondiscrimination in Health Programs and Activities final rule implements Section 1557 of the Affordable Care Act, which is the first federal civil rights law to broadly prohibit discrimination on the basis of sex in federally funded health programs. Previously, civil rights laws enforced by HHS’s Office for Civil Rights (OCR) broadly barred discrimination based only on race, color, national origin, disability, or age.
“A central goal of the Affordable Care Act is to help all Americans access quality, affordable health care.  Today’s announcement is a key step toward realizing equity within our health care system and reaffirms this Administration's commitment to giving every American access to the health care they deserve," said HHS Secretary Sylvia M. Burwell.
The final rule helps consumers who are seeking to understand their rights and clarifies the responsibilities of health care providers and insurers that receive federal funds. The final rule also addresses the responsibilities of issuers that offer plans in the Health Insurance Marketplaces. Among other things, the final rule prohibits marketing practices or benefit designs that discriminate on the basis of race, color, national origin, sex, age, or disability. The final rule also prohibits discriminatory practices by health care providers, such as hospitals that accept Medicare or doctors who participate in the Medicaid program. 
The final rule prohibits sex discrimination in health care including by:
  • Requiring that women must be treated equally with men in the health care they receive.  Other provisions of the ACA bar certain types of sex discrimination in insurance, for example by prohibiting women from being charged more than men for coverage.  Under Section 1557, women are protected from discrimination not only in the health coverage they obtain but in the health services they seek from providers.
  • Prohibiting denial of health care or health coverage based on an individual’s sex, including discrimination based on pregnancy, gender identity, and sex stereotyping. 
It also includes important protections for individuals with disabilities and enhances language assistance for people with limited English proficiency including by:
  • Requiring covered entities to make electronic information and newly constructed or altered facilities accessible to individuals with disabilities and to provide appropriate auxiliary aids and services for individuals with disabilities.
  • Requiring covered entities to take reasonable steps to provide meaningful access to individuals with limited English proficiency.  Covered entities are also encouraged to develop language access plans.
While the final rule does not resolve whether discrimination on the basis of an individual’s sexual orientation status alone is a form of sex discrimination under Section 1557, the rule makes clear that OCR will evaluate complaints that allege sex discrimination related to an individual’s sexual orientation to determine if they involve the sorts of stereotyping that can be addressed under 1557. HHS supports prohibiting sexual orientation discrimination as a matter of policy and will continue to monitor legal developments on this issue.
The final rule states that where application of any requirement of the rule would violate applicable Federal statutes protecting religious freedom and conscience, that application will not be required.
For more information about Section 1557, including factsheets on key provisions and frequently asked questions, visit
*All of the information above was provided and is authored by HHS:
Below you will find a link that will take you to a sample of the postings you need:

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Monday, September 26, 2016

CMS Issues New Emergency Preparedness Rule

September is National Preparedness Month, and CMS is getting involved by establishing new emergency preparedness requirements for Medicare and Medicaid health care providers.

The Centers for Medicare & Medicaid Services (CMS) has issued a final rule to establish consistent emergency preparedness requirements for health care providers participating in Medicare and Medicaid, stating that the regulation will increase patients’ safety during emergencies and ensure more coordinated response to natural and manmade disasters.
Are You Ready
“Over the past several years, and most recently in Louisiana, a number of natural and manmade disasters have put the health and safety of Medicare and Medicaid beneficiaries – and the public at large – at risk. These new requirements will require certain participating providers and suppliers to plan for disasters and coordinate with federal, state, tribal, regional, and local emergency preparedness systems to ensure that facilities are adequately prepared to meet the needs of their patients during disasters and emergency situations,” the agency’s Sept. 8 news release stated.
“Situations like the recent flooding in Baton Rouge, Louisiana, remind us that in the event of an emergency, the first priority of health care providers and suppliers is to protect the health and safety of their patients,” said CMS Deputy Administrator and Chief Medical Officer Dr. Patrick Conway, M.D., MSc. “Preparation, planning, and one comprehensive approach for emergency preparedness is key. One life lost is one too many.”

“As people with medical needs are cared for in increasingly diverse settings, disaster preparedness is not only a responsibility of hospitals, but of many other providers and suppliers of health care services. Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” added Dr. Nicole Lurie, HHS’ assistant secretary for preparedness and response. “All parts of the health care system must be able to keep providing care through a disaster, both to save lives and to ensure that people can continue to function in their usual setting. Disasters tend to stress the entire health care system, and that’s not good for anyone.”
CMS reports that it reviewed current Medicare emergency preparedness regulations for providers and suppliers and concluded the regulatory requirements were not comprehensive enough to address the complexities of emergency preparedness; they did not address the need for communication to coordinate with other systems of care within cities or states; contingency planning; or training of personnel. So the final rule requires Medicare and Medicaid participating providers and suppliers to meet these four industry best practices:
1. Emergency plan: Based on a risk assessment, develop an emergency plan using an all-hazards approach focusing on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters specific to the location of a provider or supplier.
2. Policies and procedures: Develop and implement policies and procedures based on the plan and risk assessment.
3. Communication plan: Develop and maintain a communication plan that complies with both federal and state laws.
4. Training and testing program: Develop and maintain training and testing programs, including initial and annual training, and conduct drills and exercises or participate in an actual incident that tests the plan.
CMS said these standards are adjusted to reflect the characteristics of each type of provider and supplier. For example, outpatient providers and suppliers such as ambulatory surgical centers and end-stage renal disease facilities won’t be required to have policies and procedures for provision of subsistence needs; hospitals, critical access hospitals, and long-term care facilities will be required to install and maintain emergency and standby power systems based on their emergency plan.
In response to comments, CMS removed the requirement for additional hours of generator testing, added flexibility to choose the type of exercise a facility conducts for its second annual testing requirement, and decided to allow a separately certified facility within a health care system to take part in that system’s unified emergency preparedness program.
The regulations will take effect on November 15, 2016. Health care providers and suppliers affected by the rule must comply with and implement all of its requirements within one year of the effective date. More specific information about the Emergency Preparedness Rule can be found here.
Provider and supplier facilities impacted by the Emergency Preparedness Rule:
1. Hospitals
2. Religious Nonmedical Health Care Institutions (RNHCIs)
3. Ambulatory Surgical Centers (ASCs)
4. Hospices
5. Psychiatric Residential Treatment Facilities (PRTFs)
6. Programs of All-Inclusive Care for the Elderly (PACE)
7. Transplant Centers
8. Long-Term Care (LTC) Facilities
9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID)
10. Home Health Agencies (HHAs)
11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)
12. Critical Access Hospitals (CAHs)
13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services
14. Community Mental Health Centers (CMHCs)
15. Organ Procurement Organizations (OPOs)
16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)


Wednesday, September 7, 2016

Do You Know Who Your Employees Are?

This new monthly cyber awareness alert from the Department of Health and Human Services’ Office for Civil Rights (OCR) prods organizations to closely evaluate the risks their employees pose.

Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to a Covered Entity or Business Associate and can negatively impact the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt at, or success in, data theft or corruption. Further, one Covered Entity reported that one of its employees had unauthorized access to 5,400 patients’ ePHI for almost 4 years.

US-CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
  • has or had authorized access to an organization’s network, system, or data; and
  • has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

According to a survey conducted by U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
  • unauthorized access to or use of organization information;
  • exposure of private or sensitive data;
  • installation of viruses, worms, or other malicious code;
  • theft of intellectual property.

Covered Entities and Business Associates should consider:
  • Developing policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privilege, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.
  • Conducting screening processes on potential employees to determine whether they are trustworthy and appropriate for the role for which they are being considered. Screening can range from minimal to more stringent procedures depending on the entity’s risk analysis and the role of the potential employee. Examples include checks against the HHS OIG List of Excluded Individuals and Entities (LEIE) for health care fraud and related exclusions, and criminal history checks to verify past criminal acts. When implementing a screening process, review and comply with any applicable federal, state, or local laws governing the use of screening as part of the hiring process.
  • Following the US-CERT practices for protecting ePHI from insider threats: 
1. Consider threats from insiders and business associates in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system change controls.
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
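Practices 12 and 17 above (log, monitor and audit employee actions; establish a baseline of normal behavior) are the ones that would have caught the multi-year snooping case cited at the top of this alert. The following is an added example of what that looks like in working form; it is not code from OCR or US-CERT. It runs three detections over an EHR application's ePHI access audit log: a per-user volume baseline, after-hours access by roles with no after-hours duties, and clinical users viewing patients they have no treatment relationship with. The log format, user names, roster, business-hours window and thresholds are all constructed assumptions rather than any real product's schema.

```python
"""
Added example (not part of the OCR alert): three insider-threat detections a
SIEM or log-correlation job can run over an EHR application's ePHI access
audit log. Log format, users, roster and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed audit log: "<ISO timestamp> <user> <role> <action> <patient_id>".
# Days 09-01..09-03 are history; 09-04 is the day being evaluated.
SAMPLE_LOG = """\
2016-09-01T08:12:03 jdoe nurse view P1001
2016-09-01T08:40:19 jdoe nurse view P1002
2016-09-01T10:05:00 rlee billing view P1001
2016-09-01T09:01:44 bsmith nurse view P1003
2016-09-02T08:15:10 jdoe nurse view P1001
2016-09-02T08:46:02 jdoe nurse view P1002
2016-09-02T09:10:33 bsmith nurse view P1003
2016-09-03T08:09:51 jdoe nurse view P1001
2016-09-03T08:51:27 jdoe nurse view P1002
2016-09-03T09:03:12 bsmith nurse view P1003
2016-09-04T02:30:45 rlee billing view P1002
2016-09-04T08:11:08 jdoe nurse view P1001
2016-09-04T08:44:30 jdoe nurse view P1002
2016-09-04T12:20:17 jdoe nurse view P1003
2016-09-04T09:00:00 bsmith nurse view P1003
""" + "".join(f"2016-09-04T09:{m:02d}:00 bsmith nurse view P20{m:02d}\n"
              for m in range(1, 12))  # bsmith bulk-views 11 extra charts

# Constructed treatment-relationship roster (in practice derived from
# admission/assignment feeds); bsmith is assumed to cover unit 20 this week.
ROSTER = {
    "jdoe": {"P1001", "P1002"},
    "bsmith": {"P1003"} | {f"P20{i:02d}" for i in range(1, 12)},
}
CLINICAL_ROLES = {"nurse", "physician"}
BUSINESS_HOURS = {"billing": (7, 19)}  # assumed 24h window: [start, end)
VOLUME_FLOOR = 5       # never alert below this many distinct patients/day
VOLUME_MULTIPLIER = 3  # alert when a day exceeds this multiple of the user's mean


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       "user": user, "role": role,
                       "action": action, "patient": patient})
    return events


def volume_anomalies(events):
    """Practice 17: compare each user's latest-day distinct-patient count with
    that user's own baseline (all earlier days). Returns {user: (today, mean)}."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> patients
    for e in events:
        per_day[e["user"]][e["ts"].date()].add(e["patient"])
    latest = max(e["ts"].date() for e in events)
    alerts = {}
    for user, days in per_day.items():
        baseline = [len(p) for d, p in days.items() if d < latest]
        if not baseline or latest not in days:
            continue  # no history to compare against, or idle today
        today, base = len(days[latest]), mean(baseline)
        if today > max(VOLUME_FLOOR, VOLUME_MULTIPLIER * base):
            alerts[user] = (today, base)
    return alerts


def after_hours_access(events):
    """Access outside the assumed working window for roles that have one."""
    hits = []
    for e in events:
        window = BUSINESS_HOURS.get(e["role"])
        if window and not (window[0] <= e["ts"].hour < window[1]):
            hits.append((e["user"], e["ts"].isoformat(), e["patient"]))
    return hits


def no_treatment_relationship(events):
    """Clinical users viewing patients they are not assigned to: the
    snooping pattern behind the 5,400-patient case cited in the alert."""
    return [(e["user"], e["patient"]) for e in events
            if e["role"] in CLINICAL_ROLES
            and e["patient"] not in ROSTER.get(e["user"], set())]


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"volume": volume_anomalies(events),
            "after_hours": after_hours_access(events),
            "no_relationship": no_treatment_relationship(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed log this flags bsmith for volume (12 charts against a baseline of 1 per day), rlee for a 02:30 billing-role view, and jdoe for viewing P1003 without an assignment. The roster check is the control that matters most for ePHI: the volume baseline alone never fires on a user who snoops one chart a day for years, which is exactly the case the alert describes.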

Source(s): US-CERT, HCSI 
