“WITH ALL DELIBERATE SPEED” – NOT AGAIN!
In the last century the United States Supreme Court, in perhaps one of its more unfortunate choices of words, ordered desegregation to proceed “with all deliberate speed”. In 1964 the Supreme Court noted that the term had been used to maintain segregation and ordered that desegregation move forward promptly.
CMS has chosen these same unfortunate words several generations later in the process of determining when a Medicare overpayment has been “identified”. In CMS’ proposed rule on reporting and returning of overpayments, CMS reacted to the concerns of many that the sixty-day deadline for returning overpayments should not begin until an overpayment is actually revealed through a “reasonable inquiry”. CMS then requires that such reasonable inquiry occur with all deliberate speed.
Hopefully CMS will recognize its error and correct its rule before it is proposed as a final rule.
THE BIGGEST THREAT
We often discuss preventing or reporting thefts relating to the information of patients, whether PHI or financial. These discussions center on external threats such as thieves, hackers, etc. Often, the greatest threat is from inside our own walls. In order to protect against the threat from those within, consider:
- Identify your biggest threats. Employees who are resigning or being terminated, or who are already being evaluated or watched by HR, should receive the most attention.
- Learn from past thefts or attacks what information is most important and subject to attack.
- Determine what information you have is the most valued and important and spend your time and money protecting that.
- Train your employees to recognize abnormal or predictive behavior which may indicate a threat not only to your employees, but to the information in your practice or hospital.
- Have in place a clear reporting system to locate, evaluate and react to the threat posed by your own employees, just as you do for outside contractors who have access inside your walls.
- Have in place a way to shut down/lock down all your information (at least temporarily) to evaluate any particular thefts or attacks.
CHEAPER TO MEET HIPAA REGS. OR IGNORE HIPAA?
An Arizona medical practice recently agreed to pay $100,000.00 to settle a claim of HIPAA violations and also agreed to take corrective action implementing HIPAA-compliant policies and procedures.
As is often the case, the violation occurred not through a typical breach, but in the practice's attempt to create a patient-friendly, internet-based calendar for posting clinical and surgical appointments for patients. While investigating whether the internet scheduler was HIPAA-compliant, OCR determined that the practice had failed to implement any policies and procedures with regard to HIPAA, failed to train any employees on HIPAA, failed to identify and appoint a security official or conduct a risk analysis, and generally had just ignored HIPAA. While I do not know exactly how much the practice saved by ignoring HIPAA, I suspect that it was less than the $100,000.00 immediate penalty and the costs of strict supervision and continuing oversight that will likely be imposed upon this practice for many years.
REACTING TO NEWS STORIES – OOPS!
A valuable lesson for physicians, group practices and hospitals was recently offered in California. A Redding, California hospital violated patient confidentiality by responding to a news story. The news story featured a patient statement and claim that the hospital was overbilling Medicare. Apparently the hospital’s CEO and CMO disclosed some of the accusing patient’s medical information to media organizations in order to bolster their claim that they had not violated any Medicaid laws and had not overbilled. The hospital also sent emails to its employees with details about the patient’s treatment in order to calm its employees about the claim of Medicare overbilling and to arm them to deal with comments that friends and families might make about the situation.
The first lesson to be learned is that hospitals and physicians cannot use PHI, however truthful, to defend their position in public or in the media. Even though the claims may be unfounded, the release of information without a court order or a consent puts you at risk, not your accuser. The second lesson to be learned is that you should have a strategy ready before public accusations, right or wrong, are made about you, your practice or your hospital. There are effective ways to respond to media inquiries on these subjects that do not violate HIPAA and do not put you at risk.
This newsletter is edited by Paul Wallace, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions about this newsletter or any other matter at (812) 402-1600 or firstname.lastname@example.org.