Friday, September 28, 2018

New CMS Proposed Rule - Reducing Regulatory Burden For Healthcare Providers

On September 17, 2018, the Centers for Medicare and Medicaid Services (CMS) published a proposed rule to reduce burdensome regulations affecting healthcare providers as part of its "Patients Over Paperwork" initiative which began in 2017.   https://www.cms.gov/About-CMS/story-page/patients-over-paperwork.html

Healthcare experts agree that reducing the unnecessary burden of complying with regulations is critical to improving patient care and reducing the risk of clinician burnout.  One example is a study published in the Annals of Medicine which reported two hours of paperwork for every one hour of patient care.  http://annals.org/aim/fullarticle/2614079/putting-patients-first-reducing-administrative-tasks-health-care-position-paper.  In support of the "Patients Over Paperwork" initiative, CMS Administrator Seema Verma states that "we are committed to putting patients over paperwork while increasing quality of care, ensuring patient safety and bolstering program integrity."  As a result, this new CMS proposed rule seeks to eliminate a lengthy list of monitoring and reporting requirements across the agency's programs, saving healthcare providers approximately $178 million over the next three (3) years, including but not limited to the following: 

  • Emergency programs.  Program review at least every two (2) years, training at least annually, greater flexibility in conducting annual testing exercises, and elimination of duplicative documentation requirements.  
  • Hospitals.  Multi-hospital systems may have unified and integrated quality, performance improvement and infection control programs; elimination of duplicative autopsy requirements; greater flexibility in establishing medical staff policies for outpatient pre-surgery/procedure patient assessments; and authorized use of non-physician practitioners in psychiatric hospitals.  
  • Critical Access Hospitals (CAH), Rural Health Centers (RHC) and Federally Qualified Health Centers (FQHC).  Removal of duplicative CAH ownership disclosure requirements, and only biennial (every other year) review of policies and procedures for CAH, RHC and FQHC.  
  • Ambulatory Surgical Centers (ASC).  Elimination of duplicative requirements governing transfer agreements and medical staff's local hospital admitting privileges; removal of current patient history and physical (H&P) requirements, with a proposal to require ASCs to adopt a policy that identifies those patient categories that require an H&P prior to surgery.  
  • Transplant Centers.  Elimination of duplicative requirements to submit data and other information more than once for "re-approval" by Medicare.  
  • Hospices.  Elimination of duplicative requirements, thus streamlining the hiring and training process for nursing assistants. 
  • Comprehensive Outpatient Rehabilitation Facilities (CORF).  Moving to annual, as opposed to quarterly, utilization review plans.  
  • Community Mental Health Centers.  Relaxing the 30-day assessment requirements only for those CMHC clients who receive partial hospitalization program services.  
  • Portable X-Ray Services.  Allows services to be ordered in writing, by telephone or by other electronic methods, and modernizes technologist personnel requirements.  
This CMS proposed rule can be viewed in its entirety in the Federal Register, dated September 20, 2018, and comments may be submitted electronically until November 19, 2018.  https://www.federalregister.gov/d/2018-19599

If you have questions or require additional information, please contact me through Integrity Health Strategies at sziel@ihsconsultinggroup.com.  Thank you very much.  

Thursday, August 30, 2018

On Wednesday, September 5, 2018, please join me for a 30-minute webinar at 12 noon (Eastern) to learn more about how to conduct a "real world" assessment of your organization's corporate compliance program and more importantly, how to breathe life into your program structure, process and outcomes.  Register online, using the link below.  Let's talk. 

https://www.kriegdevault.com/events/1263-register



Sunday, August 12, 2018

HIPAA Assessments ... Here's Looking at You!


Whether you are the Privacy Officer, the Security Officer, or both, the question remains the same.  

When was the last time you scheduled a "walk through" of your work space for the sole purpose of looking into the "eyeballs" of your personnel and finding out what they are really doing (or not doing) to protect the privacy and security of your customers' health information?  

No, this is not the annual HIPAA security risk assessment.  No, this is not a surprise, mock survey in preparation for some third party visit.   Instead, you are simply showing up and letting your personnel know, first hand, that you really are interested in what they are actually doing to safeguard your customers' protected health information or "PHI."   Nothing more.  

In working with our HIPAA clients, we always recommend an annual HIPAA assessment calendar that sets out a series of compliance "questions" that will be reviewed -- one for each of the 12 months -- as part of an ongoing assessment process.  The calendar can always be updated (or supplemented) as new questions or issues arise through the year.    

For example, if this is January, then you may be in the HR department with the education coordinator reviewing a sample of personnel files to confirm that documentation exists to confirm completion of all new hire and annual HIPAA training.  In March, you may join a supervisor and walk through their department work space at the end of the business day to look for any printed copies of PHI that may have been left on a counter, on a fax machine or in a "shred" bucket under their desk, all for easy "view" by the after-hours cleaning staff, or otherwise.  

In April, you may make rounds with the medical records staff to query them about how they work through their checklist for subpoenas and other third party requests for records.  In August, you may meet with the CFO's contract manager to review a sample of vendor agreements that should include a fully executed Business Associate Agreement.  In June, you may seat yourself in a public waiting area with one of the admissions staff and listen for any "incidental" disclosures that could be overheard by other customers and their family members who are seated nearby.  

During September, you may request a current copy of your organization's "workstation" inventory and confirm whether it is up to date by conducting an assessment of all computing devices - whether owned by the organization or the workforce, including desktops, laptops, tablets, smartphones and "any other devices that perform similar functions" and which are used on (or off) premises.  According to a May 2018 OCR Cyber Security Newsletter (https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf), the physical security of all such "workstations" requires a complete inventory, rigorous policies and ongoing training programs that communicate the reasonable safeguards necessary to protect these "workstations" - encryption, strong passwords, secure use in public areas and secure storage when not in use.  These safeguards are especially important for those "workstations" that are mobile and used off-premises.  

Of course, HIPAA assessment worksheets can be used to score and report your observations to create a paper trail and to keep your leadership apprised, but it is the "eyeball" connection with your workforce that is truly the bottom line here.    

Raise the bar, raise the awareness and show up.  It only takes an hour once a month to get this done.  Here's looking at you -- in your hallways and offices -- very soon!

Susan E. Ziel, Consultant
Integrity Health Strategies

sziel@ihsconsultinggroup.com 

Tuesday, March 6, 2018

Wicked Problems

They are called "wicked" problems.   In our world, there are many examples.   Inequality, illiteracy, terrorism, poverty, homelessness, famine and disease.  

The literature is filled with discussions, definitions, models and frameworks, of course, but in an effort to dissect this literature, I recently used an online tool to test my ability to explain "wicked" problems in a new way.  The tool only allows you to use the Ten Hundred most commonly used words in the Oxford English Dictionary (Note: the word "Thousand" isn't on the list.)  The process was developed by scientists who wanted to help people better describe and understand hard ideas.  

The links to some of the relevant literature, in addition to the online editor tool itself, are set out at the conclusion of this, my "top ten" wicked problem list, which still makes me smile today.  Enjoy.    


  1. A hard problem is a very large human problem.
  2. A hard problem can't be fixed for many reasons. First, a hard problem has deep and dark corners. Second, a hard problem is not easily understood because there are missing words and ever-changing meanings. Third, there are too many people who can't come together and agree on how to fix it.
  3. A type of hard problem is a world that can't grow food or find clean water. Another type is people who can't read or who always fight. Another type is people who have no money, no job or no home. Another type is people who are scared or sick.
  4. Every hard problem happens because of another hard problem.
  5. Different from hard problems, an easy problem can be understood and fixed. Even if not simple, an easy problem is like putting a human in a new place in the world or making children able to stop being sick.
  6. Trying to fix an easy problem either works or it doesn't. Trying to fix a hard problem is not the same -- things either get better or they get worse -- which is not always easy to see or like.
  7. Fixing a hard problem doesn't always last and it may cause or add to other hard problems, which makes most fixes hard to trust or accept, and easy to fight, for three reasons. First, humans often believe that the fix will only make the problem worse. Second, humans often believe that the fix is hard to do and it won't matter anyway. Third, humans often believe that the fix needs too much money and that we will lose more than we get in return.
  8. The real world of trying to fix hard problems is just that - hard. The problems always continue, change and grow, and the fixes never completely work, and the humans do not agree on anything.
  9. However, any human idea not to act or to try to fix a hard problem is also a big problem. 
  10. All we can do is work together, and try as best we can to fix the hard problems and to make our way forward in this crazy, yet amazing, world.



How good are you in explaining the many "hard ideas" in health care or otherwise?   Give this tool your best shot next time you're working on a fresh message that just might reach your audience.  

Links:

Gawande, Atul (2012). "Something Wicked This Way Comes." The New Yorker, June 28, 2012.
Hirschman, Albert O. (2004). The Rhetoric of Reaction: Perversity, Futility and Jeopardy. Belknap Press.
Kolko, Jon (2012). Wicked Problems: Problems Worth Solving. Austin Center for Design. https://www.wickedproblems.com/
Rittel, Horst W. J.; Webber, Melvin M. (1973). "Dilemmas in a General Theory of Planning." Policy Sciences 4: 155-169.
Up-Goer Five Text Editor: http://splasho.com/upgoer5/

Sunday, January 28, 2018

Recent OCR Resolution Agreement and HIPAA Corrective Action Plan ... Lessons Learned

During December 2017, the Health and Human Services' Office of Civil Rights ("OCR") entered into yet another Resolution Agreement after investigating a serious breach incident involving the electronic protected health information ("e-PHI") of over 2 million patients that was maintained by a Florida health care organization. https://www.hhs.gov/sites/default/files/21co-ra_cap.pdf   As with so many other past investigations, the OCR made findings that the organization lacked a thorough HIPAA security risk assessment or the necessary security measures and review procedures to safeguard the  e-PHI maintained on the organization's information system.  Lastly, the OCR determined that the organization had disclosed PHI to third party vendors, acting as business associates, without obtaining satisfactory assurances by way of written business associate agreements.

Under the terms of the Resolution Agreement, the organization was required to pay OCR $2,300,000 to settle the potential civil money penalties associated with the above violations.  Additionally, the Resolution Agreement required the organization to enter into a Corrective Action Plan ("CAP") for a two (2) year term that set forth the following terms and conditions:

  1. Compliance Representative.  Designation of an individual Compliance Representative ("CR") responsible for the direction and oversight of the organization's CAP implementation; 
  2. Security Risk Analysis/Risk Management Plan.  Completion of a thorough risk analysis and risk management plan and documentation of all security measures implemented to reduce all identified risks and vulnerabilities to a reasonable and appropriate level, all within 120 days of the CAP implementation date; 
  3. Policies and Procedures.   Review and revision of certain of the organization's HIPAA policies and procedures with copies submitted to OCR within 90 days, subject to OCR approval; 
  4. Distribution of Policies and Procedures to Workforce.  Adoption and distribution of OCR-approved policies and procedures to all existing and newly hired workforce who were subject to the requirements; 
  5. Ongoing Review and Update of Policies and Procedures.    Routine review and update of these policies and procedures to reflect any changes in applicable requirements, the organization's operations or other OCR guidance; 
  6. Business Associate Accounting/Agreements.  Completion of an accounting of all business associates, in addition to execution of all necessary business associate agreements, with copies submitted to the OCR within 120 days of the CAP implementation date; 
  7. Written Plan for Internal Monitoring of CAP Compliance.    Adoption of a written plan to internally monitor the organization's compliance with the CAP, a copy to be submitted to OCR within 60 days of the CAP implementation date, subject to OCR approval, all of which requires ongoing review and update to reflect any changes in applicable requirements, the organization's operations or other OCR guidance; 
  8. Assessor.    Selection and engagement of a duly qualified "assessor" within 60 days of the CAP implementation date, subject to OCR approval, who is responsible for implementing a written plan that complies with the "assessor's plan" requirements set out in the CAP, again subject to OCR approval, all of which shall result in ongoing assessor "reviews" that are submitted to OCR in regard to the organization's continuing compliance with the CAP; 
  9. Record Retention.   Record retention obligations on the part of the organization, the compliance representative and the assessor; 
  10. Validation Reviews. Agreement to permit OCR, in its discretion, to conduct any validation review necessary to confirm any assessor review or report; and
  11. Mandated Reporting Obligations.    Internal reporting obligations that require all workforce with access to the organization's e-PHI databases to report to the compliance representative any violation of the organization's HIPAA related policies and procedures that come to their attention, all of which shall be investigated and reported to both the assessor and OCR to the extent any investigation confirms a violation that qualifies as a reportable event.  
Much like the terms and conditions of a Corporate Integrity Agreement, entered into by health care entities and the Health and Human Services' Office of Inspector General ("OIG"), this CAP sets out a very stringent process by which the health care organization is required to implement, monitor and update its HIPAA compliance program under the direction of a designated "compliance representative" and subject to the ongoing review of the OCR and an external "assessor" process.  For any HIPAA covered entity or business associate that has endured a reportable breach incident, the prompt implementation of an internal corrective action plan that incorporates many of these interventions may be a very useful (and proactive) risk management tool, even before any OCR investigation or other involvement becomes necessary.  Lessons learned.  


Sunday, January 21, 2018

HIPAA Security ... Integrity Matters

The HIPAA Security Rule requires Covered Entities and their respective Business Associates to maintain certain Administrative, Physical and Technical safeguards to protect Electronic Protected Health Information ("e-PHI").  Specifically, these safeguards are designed to ensure the Confidentiality, Integrity and Availability of all e-PHI that is created, received, maintained or transmitted by the Covered Entity or its Business Associates.  45 CFR 306(a).

Whereas the Security Rule's Confidentiality requirements support those of the HIPAA Privacy Rule, the two additional goals  -- Integrity and Availability -- are also equally important.  According to the Security Rule, the term "Integrity" means that e-PHI is not altered or destroyed in an unauthorized manner.  The term "Availability" means that the e-PHI is accessible and usable on demand by an authorized person.  45 CFR 164.304.   

Beyond HIPAA, the term "integrity" hails from the Latin word "integer" and typically carries two definitions in most English dictionaries.  The first definition concerns a quality -- the quality of "being honest and having strong moral principles; moral uprightness."  The second definition concerns a state of being -- the state of "being whole or complete, undivided."   For purposes of this discussion, the second definition is most closely aligned with the Security Rule definition.  

HIPAA policies must specify the Administrative, Physical and Technical safeguards that have been adopted to safeguard the Integrity -- or the accuracy and completeness -- of a particular individual's e-PHI.  At a minimum, these policies should incorporate the following:  

  1. A glossary of defined and capitalized terms that incorporates the definitions arising under HIPAA and any other more stringent requirements that hail from state law (e.g., Designated Record Set ("DRS"), e-PHI, Electronic Media, etc.) plus any Covered Entity-specific definitions which typically address, for example, such things as the "legal health record" which is different from the DRS and represents the official business record of the entity for evidentiary purposes (*); 
  2. A provision that addresses the procedures for identifying and managing any erroneous or replaced e-PHI that has been relegated to an "obsolete" folder that technically remains a part of the legal health record;
  3. A provision that incorporates the most stringent record retention requirements adopted by the covered entity, whether under HIPAA, state law or at the direction of the entity's  legal counsel (e.g. legal hold) and/or professional liability carrier (e.g. litigation); and
  4. A provision that addresses the procedures for identifying and managing the destruction of any data following the expiration of all mandated record retention requirements.  
It remains my premise that the adoption of these and other HIPAA policies safeguards not only the state -- or the "big I" Integrity -- of the Covered Entity's information systems but also the quality -- or the "little i" integrity --  of those individuals who conduct patient care and related business operations on behalf of the Covered Entity, all in accordance with applicable requirements.  Truly a win-win in today's complex world.  


(*)  Note:  The DRS includes all PHI whereas the legal health record typically only includes the PHI used to make Treatment decisions.  For additional information, see AHIMA. "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no.2 (February 2011): expanded online version.

Monday, January 1, 2018

That Tight Shoe

We brought in the New Year last eve, dining at one of our favorite little Italian restaurants, sitting at the bar eating probably the best Bucatini all’ Amatriciana in town.  We talked about the decision to look forward -- not back -- and to celebrate the many next generation(s) of family, friends, neighbors, students, colleagues, clients and others who continue to give meaning to our life. 
            
Trust me, it often requires intention (aka attitude) to celebrate the future and to shape our life experiences going forward.  To keep my momentum, I long ago posted a one-page chart from a well-worn book above my standing desk.  The chart lists numerous traits or symptoms that best describe both an “Open” and a “Contracted” life experience …

OPEN                                     CONTRACTED
Ease                                     Effort
Prevailing trust                         Constant worry
Relaxed body                             Congestion
“Can do” attitude                        “Can’t happen” attitude
Collaborative                            Competitive
Curious, asking questions                Judgmental, defensive
Sees opportunities                       Sees obstacles
Generous                                 Withholding
Willing to take risks                    Hyper-cautious
Laughs easily at self                    Takes self too seriously
Energized                                Exhausted
Fighting FOR                             Fighting AGAINST
Resilient                                Resigned
Grateful                                 Keeping score
Releasing things easily                  Hanging on
Makes clear requests and agreements      Unspoken or value expectations
Generative, accountable                  Consumptive, “victim”
Wholehearted, courageous and bold        Conflicted, fearful and timid

Source: Victoria Castle, The Trance of Scarcity (2007)

To celebrate the future is like taking off that tight shoe.  It is a choice that does not happen by itself -- it requires not only intention but also action, especially during these complex times.  For that, be bold and remember Mr. Wendell Berry’s words which always spur me on … “It may be that when we no longer know what to do, we have come to our real work and when we no longer know which way to go, we have begun our real journey.”   Happy New Year.