It is no surprise that providers recognize the significance of high patient satisfaction as patient-centric care models are on the rise. While more attention is given to tracking the patient experience, it is not only patient-centric care that is driving robust patient experience programs. High patient satisfaction ratings have become a central concern for providers across the country because of their tie to the bottom line. Patient satisfaction can have measurable consequences on hospital value based payments (HVBP). The HVBP program provides financial incentives to hospitals that provide higher levels of quality care to their patients. There are both outpatient (OQR) and inpatient quality reporting (IQR) programs developed as a result of the Medicare Prescription Drug, Improvement and Modernization Act of 2003. These programs are aimed at providing consumers with quality of care information so they can make more informed decisions about health care options, and at encouraging hospitals and clinicians to improve the quality of inpatient care provided to patients. The hospital quality of care data is summarized and available to consumers on the Hospital Compare website.

The HVBP is heavily reliant upon the results of the inpatient quality report (IQR), which includes quarterly patient satisfaction survey data collected through the Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) patient satisfaction survey conducted by the Centers for Medicare & Medicaid Services (CMS). Thus, prioritizing patient satisfaction in any given organization is paramount to optimal HVBP payments.

Although it is impossible to predict exactly how a patient will respond to a survey, a compliant patient experience program will provide valuable insights that aid in gauging the probability of positive patient survey responses. A key component of a strong patient experience program is response to and resolution of patient complaints immediately when they happen, along with on-going collection of patient experience data related to complaints and grievances. This data can serve as a valuable assessment tool in predicting survey responses. Therefore, it is important to collect data related to complaints and grievances regularly. First published in 1986, the Conditions of Participation (42 CFR 482) contain the health and safety requirements that hospitals must meet to participate in the Medicare and Medicaid programs. These regulations include provisions for the investigation and resolution of complaints and grievances for participating providers, CoP (§482.13, A-0118–A-0123).

As providers are gearing up to enhance their patient experience programs, they should be mindful of the nuances associated with tracking patient experience data for complaints and grievances. When data are not accurate, performance improvement initiatives can suffer and lead to less than optimal HVBP reimbursement. In our next publication, AMS will provide more insight into what constitutes a complaint and a grievance.

As we round the corner into the final months of the year, we can begin to reflect on the most significant advances over the year. As predicted, technology in global healthcare has undergone an unprecedented transformation in 2019, and 2020 is not going to pale in comparison. What’s hot is not only these advances in technology, but how they have driven the evolution of consumer-centric healthcare, shifting away from “what’s not” in how we think about traditional notions of healthcare.

Walmart’s “every day low price” is the focus of their new 10,000 square foot healthcare services super center which opened this month in Atlanta, GA according to Forbes. Healthcare providers across the country have broadened their focus on the patient experience so significantly, that healthcare delivery from the patient’s standpoint has become a top priority. According to the Medical Group Management Association (MGMA), providers are enhancing their systems, expanding telehealth services, implementing patient portals, appointment reminders, kiosk patient check-in, online bill payment, and data analytics tools.

As consumer-centric care expands, organizations are balancing competing priorities with the concern that their systems and EHR data be not only convenient for patients, but also efficient, safe, and secure. These concerns are real, with no reprieve on the horizon. In August 2018, Applied Management Systems, Inc (AMS) published a list of the “Top 10 Hot Button Issues in HIM, Compliance, Risk, HIPAA, Quality,” listing HIPAA and Cyber-Security at the top of the list, with the Office of Inspector General (OIG) Work Plan coming in at number seven. A year later, the OIG added “Use of Telehealth to Provide Behavioral Health Services in Medicaid Managed Care” to its work plan for 2020. This comes on the heels of an August 31, 2019 report by the Department of Health and Human Services (HHS), which reported that the Office for Civil Rights (OCR) had investigated and resolved over 27,225 cases in 2019 requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. This resulted in civil money penalties of $102,681,582 involving 65 cases.

These statistics underscore the importance of robust regulatory compliance and risk management programs. Providers have dedicated teams to updating policies and procedures, performing audits, tightening oversight and updating work-plans in an effort to maintain organizational efficiency[1]. As consumers gain more access to and control over their care, providers are moving away from traditional roles and redefining them to adjust for new and increasing workflows, because the status quo is just not enough.

[1] If you are a provider in need of interim management or project support, please consider AMS as a preferred resource for all of your labor resource utilization, HIM, Compliance, Risk, HIPAA, and Quality needs.

Cyber-security incident prevention has been at the top of the list of Health IT agendas in recent years, and pressure will only grow more intense as we turn the corner into 2020. An explosion of systems exploitation in recent months has caused Health IT professionals to be more vigilant than ever in implementing procedures to monitor, track and test their systems for vulnerabilities and threats on a regular basis. The Office for Civil Rights (OCR) issued a Spring 2019 OCR Cybersecurity Newsletter which provided information relevant to the zero-day exploits[1] (“Zero Day”) and advanced persistent threats[2] (“APT”) recently occurring across the globe. Both pose serious and dangerous threats to our information and operations, so it is not enough to simply know the difference between a zero-day and an APT; organizations must also prevent the exploits behind these threats from launching more assaults.

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the “security rule”), covered entities and business associates are required to conduct ongoing risk assessments (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)) to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The purpose of the security risk assessment (SRA) is to identify areas where an organization’s protected health information (PHI) could be at risk. Examples of circumstances that could lead to vulnerabilities or threats include, but are not limited to, planned or actual changes in ownership, operations, workflows, or technology, turn-over of key staff, or a known or suspected security incident.

The SRA and a timely response to SRA results will allow an organization to mitigate damage and reduce the associated risks to reasonable and appropriate levels. Some vendors offer tools that assist in this process and can be very effective. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a free SRA tool which assists organizations with evaluation of their SRA practices. This tool should be used as a supplement to the SRA documentation that each organization collects during its SRA process. It allows the user to answer questions and rate the organization’s current state, while offering guidance on the most effective protections. The tool also allows the user to input assets, which is highly useful in maintaining an inventory of technical assets[3], along with the current disposal, encryption, data and activity status of each asset.

The security rule is not prescriptive in specifying an exact frequency at which an SRA should be conducted, because each organization’s frequency will vary depending upon its specific circumstances. However, AMS recommends, as a rule of thumb, that an SRA occur at least annually, with ongoing reevaluation, and whenever the organization has an event or circumstance that could lead to a security vulnerability or threat.
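As an added illustration (not the ONC/OCR tool’s code or AMS’s own), the following Python script models an asset inventory with the four status fields the text mentions, flags entries an SRA reviewer should act on, and applies the annual-plus-triggering-event rule of thumb above; the field names, finding labels, trigger list and sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    asset_id: str
    asset_type: str    # laptop, printer, EKG unit, ultrasound, ...
    holds_phi: bool    # data status: stores or processes PHI
    encrypted: bool    # encryption status
    active: bool       # activity status: currently in use
    disposed: bool     # disposal status: retired and sanitized


def inventory_findings(assets):
    """Flag inventory entries an SRA reviewer should act on.

    Returns (asset_id, finding) pairs in inventory order.
    """
    findings = []
    for a in assets:
        if a.holds_phi and not a.encrypted and not a.disposed:
            findings.append((a.asset_id, "PHI stored without encryption"))
        if a.disposed and a.active:
            findings.append((a.asset_id, "marked disposed but still active"))
        if a.holds_phi and not a.active and not a.disposed:
            findings.append((a.asset_id, "inactive PHI asset awaiting disposal"))
    return findings


# Circumstances the text lists as reasons to reassess (labels are assumed).
TRIGGER_EVENTS = {"ownership change", "operations change", "workflow change",
                  "technology change", "key staff turnover", "security incident"}


def sra_due(last_sra_iso, events, today_iso, max_days=365):
    """Rule of thumb: reassess at least annually and after any trigger event.

    Dates are ISO strings (YYYY-MM-DD); last_sra_iso is None if never done.
    """
    today = date.fromisoformat(today_iso)
    if last_sra_iso is None:
        return True, "no prior SRA on record"
    if today - date.fromisoformat(last_sra_iso) > timedelta(days=max_days):
        return True, "annual interval exceeded"
    hits = [e for e in events if e in TRIGGER_EVENTS]
    if hits:
        return True, "triggering event: " + ", ".join(hits)
    return False, "no reassessment required yet"


# Constructed sample inventory (not real devices).
SAMPLE_ASSETS = [
    Asset("LAP-01", "laptop", holds_phi=True, encrypted=True, active=True, disposed=False),
    Asset("LAP-02", "laptop", holds_phi=True, encrypted=False, active=True, disposed=False),
    Asset("EKG-07", "EKG unit", holds_phi=True, encrypted=False, active=False, disposed=True),
    Asset("PRN-03", "printer", holds_phi=False, encrypted=False, active=True, disposed=True),
    Asset("US-02", "ultrasound", holds_phi=True, encrypted=True, active=False, disposed=False),
]

if __name__ == "__main__":
    for asset_id, finding in inventory_findings(SAMPLE_ASSETS):
        print(f"{asset_id}: {finding}")
    print(sra_due("2019-01-15", ["key staff turnover"], "2019-11-01"))
```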

[1] The “zero day” exploit or attack takes advantage of a previously unknown hardware, firmware, or software vulnerability.

[2] The APT is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations.

[3] Examples of asset types include laptops, desktops, PDAs, printers, copiers, facsimile, and other clinical devices such as EKG/EEG/ECG, ultrasonography and radiological equipment.

Everyone knows that nurse staffing is critical to the care and outcomes of patients. Massachusetts passed a law in 2014 requiring a maximum of two patients for every nurse in intensive care units[1]. California is currently the only state with hospital-wide required minimum nurse-to-patient ratios.

Aside from mandated ratios, state staffing laws in nursing tend to fall into one of two other buckets[2]:

  • The first is to require hospitals to have nurse-driven staffing committees[3] that develop unique staffing plans.
  • The second requires facilities to disclose staffing levels to the public or regulatory body[4].

Minimum staffing regulations, however, are not only relevant to hospital-based nursing; as examples, they also apply to infection control, daycare and hospital-based schools in some states. So how does this impact AMS’ approach to benchmarking?

AMS’ benchmark development approach involves a combination of art and management science. AMS has an extensive benchmarking database that consists of benchmarking projects performed on-site at hospitals and for healthcare clients throughout the United States. Factors such as minimum staffing requirements must be considered in the labor benchmarking analysis and development process. AMS’ comparative database considers state-specific regulations. In particular, the database incorporates mandatory staff-to-patient ratios whenever required by law. AMS focuses on determining and validating the operational intricacies and unique demands of the departments it assesses and incorporates those into the best-practice benchmark ranges it develops.

Minimum staffing regulations underscore how vital a thorough understanding of the regulations that pertain to each state is when developing labor benchmarks. Adherence to these rules ensures that healthcare providers in each state are compliant, furthering the provision of quality care and performance improvement.

[1] An attempt to broadly regulate nurse-to-patient ratios in Massachusetts was struck down in 2018.

[2] About 35% of states also prohibit or limit the amount of mandatory overtime assigned to nurses.

[3] CT, IL, NV, OH, OR, TX, WA

[4] IL, NJ, NY, RI, VT

Healthcare entities that accept credit card payments are subject to PCI-DSS requirements. PCI-DSS provides “mandated” requirements for the protection and security of credit card transactions. It is not a law. Rather, it was born out of collaboration between major credit card brands (Visa, MasterCard, American Express, Discover and JCB-Japan Credit Bureau) to regulate and prevent credit card data breaches. The requirements are mandated for any vendor or entity that accepts credit card payments regardless of size or number of transactions, and compliance is monitored by this same group of credit card brands (the Payment Card Industry Security Standards Council, the “Council”). Technically, the group cannot “force” a vendor to comply with the requirements, but it can limit or prohibit a vendor’s ability to process credit card transactions and, hence, impede cash flow.

PCI-DSS focuses on “descriptive” steps to follow to ensure the security of stored credit card data, audit mechanisms, suggested breach protocols and pre-determined fines for noncompliance. If followed, these actions would be part of a healthcare entity’s response to the HIPAA Security standards.

HIPAA is much more encompassing. Compliance is mandated by federal law, requires risk assessments, policies/procedures for administrative, physical and technical safeguards, use of Business Associate Agreements and includes breach protocols, fines, and civil/criminal actions for noncompliance.

Yes, PCI-DSS impacts healthcare. Yes, PCI-DSS activities may be part of a healthcare entity’s HIPAA Security Plan. No, PCI-DSS compliance does not equate to HIPAA Security Compliance, and vice versa, because the HIPAA plan may not prescribe every step mandated by the Council. Instead, it is best to view each through its own set of rules!

For more information on complying with PCI-DSS, please contact Linda Mancini at (781) 272-8001.

The Gramm Leach Bliley Act (GLBA) of 1999 (Pub. L. 106-102, 113 Stat. 1338) has two parts.

The first allows for the consolidation/merger of financial institutions such as banks, insurance companies and investment/security firms.

The second regulates the use, disclosure (sharing) and security of the massive amounts of personal information (which includes health records) that will result from these mergers/consolidations by mandating adherence to the following three rules.

  1. Financial Privacy
    • Enforced by the Federal Trade Commission,
    • Privacy Agreements (signed by both parties, lists use of, types of, parties who will receive/share personal information), and
    • Opt Out Clauses to include details as to when a consumer may and may not opt out.
  2. Safeguard
    • Written security plan for all personal information,
    • Plan must be “managed” by at least one “dedicated” employee, and
    • Plan must be continuously monitored for “future” threats.
  3. Pretexting Provisions
    • Financial institutions must monitor and prevent disclosure of personal information to unauthorized parties (e.g., an unauthorized individual attempting access by phone, text, email or personal appearance).

While GLBA expands consumer protections pertinent to the security of health information, it does not invoke HIPAA privacy regulations pertinent to entities who may or may not receive health information. Instead, the consumer must go through “opt out” provisions. This is of concern because the average consumer may not be aware of HIPAA’s purpose and protections (e.g., minimum necessary) and the potential ramifications if they are not followed.

For more information on Gramm Leach Bliley’s impact on healthcare law, please contact Linda Mancini at 781-272-8001.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Public Law 111-203) contains a “sweeping series of core provisions” to reform federal oversight of the financial services industry. The Act includes amendments to existing law governing the consumer protection, banking, derivatives and securities industries.

Dodd-Frank was not written with the healthcare sector in mind and does not contain any general provisions applicable to healthcare. However, there may be a “spillover” effect.

This Act was a “one of a kind sweeping endeavor” by Congress to “fix” a facet of an industry that appeared to be broken. Can the same argument be made for the healthcare industry? If yes, Congress may decide to make the same type of sweeping changes to healthcare especially in the not for profit sector which faces similar risk and transparency issues.

In fact, the following four provisions of the Act may be readily transferred to the not for profit healthcare industry at a moment’s notice.

  1. Enterprise Risk Management (ERM) – Regulate systemic risk; establish risk monitoring committees with independent directors (Financial Stability Oversight Councils), adoption of board-level ERM activity towards “best practices” level.
  2. Corporate Governance – Regulations promulgated by federal government (traditionally purview of state), promote board independence and decrease conflicts of interest with increased public disclosure; consider views of community and constituent groups on executive salaries (i.e. role similar to shareholders).
  3. Corporate Compliance – Increased emphasis on whistleblowers and protections (increased rewards, can sue in federal court without having to exhaust available administrative remedies).
  4. Executive Compensation – Need to consider feedback from compensation committees/independent advisors/community/constituents and to, publicly, report the “ratio of the total compensation of the CEO to the median employee compensation.”

Please refer to the law for details pertinent to the four provisions cited.

For more information on the Dodd-Frank Act’s application to healthcare, please contact Linda Mancini at (781) 272-8001.

The Sarbanes-Oxley (SOX) Act of 2002 (Public Law 107-204) was designed to protect the interests of investors and enhance corporate oversight and accountability of publicly traded companies. Specifically, SOX mandates auditing, quality control, ethics, detailed/timely disclosures and independent/informed authentication of all financial statements.

To date, there are only two provisions of SOX that apply directly to HealthCare (Non-Profit) Organizations — whistleblower protections and retention of all documentation pertinent to an investigation. However, the healthcare legal industry is advising hospitals to look at SOX as “best practice” and adhere to as many provisions as possible.

This advice is based on increasing challenges to tax exempt status and increased regulations passed by state legislatures and Attorneys General. Currently, 20 states are involved in class action suits claiming that hospitals haven’t provided enough “charity care” to justify their tax exempt statuses. In addition, many state legislatures have passed healthcare financial accountability legislation that is stricter than SOX.

For more information on the Sarbanes-Oxley Act’s relevance to healthcare, please contact Linda Mancini at (781) 272-8001.

What is an expectation of privacy? The Fourth Amendment provides this constitutional right. An expectation of privacy is related to, but is not the same as, a right to privacy, a much broader concept which is found in many privacy laws. In general, one cannot have a reasonable expectation of privacy in things held out to the public. But what about email and other electronic communications and information?

The Stored Communications Act (SCA) was enacted in 1986 to provide “Fourth Amendment”-like privacy protection (search warrant, probable cause) to email and other digital communications stored on the internet. The Fourth Amendment to the U.S. Constitution protects the people’s right to “be secure in their persons, houses, papers and effects, against unreasonable searches and seizures.” It is seen as a right that extends to people only and not places. In many cases, Fourth Amendment doctrine has held that users relinquish “any expectation of privacy” when they entrust the security of online information to a third-party Internet Service Provider (ISP).

The SCA holds that ISPs will be criminally liable for disclosure of the contents of any communication carried or maintained on their service to any person or entity without proper authorization or a search warrant and court order. ISPs are allowed to share non-content information, such as log data and the name/address of an email recipient, with anyone other than a governmental entity.

The SCA is a starting point for any questions we may receive in our AMS capacities pertinent to “non-patient care” email/electronic communication privacy.

For more information on the Stored Communications Act, please contact Linda Mancini at (781) 272-8001.

The March 18, 2019 post of Legal Topics in Healthcare provided a definition of Cooperation Credit when undergoing a False Claims Act (FCA), HIPAA or similar investigation. In 2015, Deputy Attorney General Yates issued a memorandum detailing a policy on “individual accountability.” The memo, Individual Accountability for Corporate Wrongdoing, is known as the “Yates Memo.”

This memo essentially limited the availability of cooperation credit to only those organizations that provide the Department of Justice (DOJ) all relevant facts relating to the individuals responsible for the misconduct. Individual accountability addresses the DOJ’s concern that too many individuals evaded punishment for wrongdoing related to the financial crisis, but this policy has significant implications for healthcare providers and their employees. Prior to the Yates Memo, cooperation credit was potentially available under DOJ policy even if an organization failed to disclose basic facts about its employees’ involvement in criminal misconduct.

For more information on the Yates Memo, please contact Linda Mancini at (781) 272-8001.