OCR Enforcing Limits on Medical Records Fees

The Office for Civil Rights (OCR) has published new information emphasizing patient right of access to records, along with fees that may be charged for printed and electronic copies.  It stresses that medical records fees must be cost-based and reasonable.

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage as outlined below in a direct quotation of the OCR:

A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

  • Photocopying paper PHI.
  • Scanning paper PHI into an electronic format.
  • Converting electronic information in one format to the format requested by or agreed to by the individual.
  • Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity’s system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI.
  • Creating and executing a mailing or e-mail with the responsive PHI.

While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.

In contrast, labor for copying does not include labor costs associated with:

  • Reviewing the request for access.
  • Searching for, retrieving, and otherwise preparing the responsive information for copying.  This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.  While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee.  Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.

For complete information regarding limits on medical records fees, refer to the article on page two of the July issue of the American Practice Advisor® titled “OCR Emphasizes Limits on Medical Records Fees.”

Deadline to Obtain Reformatted Safety Data Sheets

The Hazard Communication Standard Revision of 2012 required manufacturers of hazardous chemicals to reformat all safety data sheets to a standardized 16-section format.  This process was to have been completed by June 1, 2015.

The compliance date for employers to obtain the newly formatted safety data sheets was June 1, 2016.  If your practice has not already collected the new safety data sheets, you should begin requesting or searching for them now. We recommend searching for safety data sheets online, as many manufacturers post them on their websites.  If a safety data sheet cannot be found online, you may request a copy from the manufacturer by letter.  Retain a copy of the letter to demonstrate your effort to comply with the requirement.

When revised safety data sheets are obtained, you may discard the original material safety data sheets, as long as the hazardous ingredients have not changed.

How to Respond to OCR Audit Requests

Eagle Associates has prepared an article and a short video, both of which provide instruction on responding to communications from OCR regarding the audit program. You can either read the article, or watch the video.  You do not need to view both, as the content is the same.  Contact our office at (800) 777-2337 if you have any questions regarding the audit process.

Watch the video: Preparing for a HIPAA Audit

Read the text:

HIPAA Audit Notices

Many practices have received an email from the Office for Civil Rights (OCR) asking them to verify the practice’s information and contact details.  The notice indicates that the practice is being entered into a pool of potential auditees for the HIPAA Privacy, Security and Breach Notification audit program.

It is important for your practice to respond to the notice in the time frame specified.  Failure to respond will not protect you from being audited, as OCR has indicated that it will use publicly available information to obtain the data it needs.  Responding to the notice does NOT mean you have been selected for an audit.

Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR.

Once your contact information has been verified, you will receive an email asking you to complete a screening questionnaire.  Again, it is very important for you to complete the questionnaire in the specified time frame.  As with responding to the contact notice, receiving a questionnaire does NOT mean you have been selected for an audit yet.

Notice Content

The content of the verification email from OCR is as follows:

“According to our records, you are the primary contact OCR should use to reach Associated Surgeons and Physicians regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address.

Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information.

If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded.

If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded.

Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.”

Screening Questionnaire

The screening questionnaire is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program. The data will be used with other information to help OCR select entities that reflect a variety of types, sizes, and locations for the next phase of the Audit Program.

Audit Selection

Covered entities and business associates will be notified of their selection for an audit on a rolling basis.

Please be aware that if your entity is selected for an audit, you will have ten (10) business days to respond with the requested documentation.

Business Associates List

When selected for an audit, selected entities must submit a list of all current business associates, with up-to-date contact information, within the 10-day response period.  OCR will use this information to compile a list of potential business associate subjects to audit.  OCR encourages entities to develop the business associate listing in advance to be able to meet the submission requirements.  The business associate listing should be submitted as a spreadsheet with columns that contain the name of the entity, type of service(s) provided, primary and secondary contact names, titles, emails, phone numbers, address, and website, if any.

A template for the spreadsheet is available at this link.

Desk/On-Site Audits

If you are selected for an audit, OCR will either:

  1. conduct a focused desk audit (an OCR review of submitted documentation) to determine evidence of your compliance with selected provisions of the Rules; or
  2. conduct a comprehensive on-site review of your compliance with applicable requirements of the HIPAA Rules; or
  3. follow up a desk audit with an on-site audit.

The audit protocols, which contain criteria the auditors will use, are available for review at this link.

OCR will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues or where a covered entity or business associate fails to cooperate with an audit.

Preparing for a Potential Audit

There are four major elements to demonstrating that you have made a reasonable effort to comply with HIPAA requirements:

  • Ensure that you have written policies addressing all of the requirements listed in HIPAA’s Privacy, Security, and Breach Notification Rules.
  • Document a self-auditing or other process that will prove your policies have been implemented (i.e., they are followed by members of the workforce) and that you maintain them in accordance with published updates for each Rule.
  • Ensure that you have documented training (content and participation) for new hire and annual training with the Privacy, Security, and Breach Notification Rules.
  • Ensure that you have documentation of annual Security Risk Analysis as required by the Security Rule.

Resources Available from Eagle Associates

Eagle Associates provides a complete solution for ensuring compliance with HIPAA requirements.  Our HIPAA Compliance System includes:

  • A completely written HIPAA policy manual with a full complement of HIPAA forms – this is not a fill-in-the-blank workbook.  We update the policy manual each year to ensure compliance with changes in regulations and new interpretations.
  • Eagle Associates is currently reviewing the OCR Audit Protocol to determine whether any policy revisions are necessary in advance of the audits.
  • An annual audit plan tool is available for completion to provide proof of policy implementation and regulatory updates.
  • Clients enrolled in Eagle’s Management Consulting Program will have documentation using monthly compliance activities instead of the annual audit plan.
  • Training materials and documentation for new hire and annual training for workforce members.
  • The HIPAA Compliance System includes a complete Security Risk Analysis tool for your use, and is updated each year.
  • Eagle provides Live Support for subscribing clients – this provides unlimited support at no additional cost for a practice.  Clients can call or email as often as needed with questions, problems, or incidents.

If you already subscribe to the HIPAA Compliance System, you will be notified of any necessary policy revisions in the coming weeks.  Remember that the above-mentioned resources are available in the Member Services area of our web site.  In the front of your HIPAA Policy manual, there is instruction on how to log in to Member Services.

Please contact our office at (800) 777-2337 if you have any questions, or need assistance.

Compliance is More than Training

The following information provides a brief roadmap to achieving compliance, and is intended to help you understand the need to do more than employee training in order to avoid enforcement action from regulatory agencies.

Many practices view compliance training as the primary element for meeting regulatory requirements.  Although training is a key component, the reality is that compliance requires more than training.  Here are the basic major elements for ensuring compliance with any set of regulations:

Written Policies – Regulations, such as HIPAA and OSHA, require that you have written policies explaining your intent and process for meeting requirements.

Updates – Additionally, regulatory agencies require that you monitor for changes, new requirements, and new interpretations to ensure your policies remain current.

Training – All regulations include various requirements ranging from initial or new hire training to annual training on certain key elements.

Documentation – Records or documentation must be maintained.

Active Program – Having an active compliance program is a key element that you will not find specifically stated in a regulation, but can prevent the practice from being penalized if investigated. Regular audits help to ensure policies are being followed, and will ensure your compliance program remains active and relevant.

Note – These elements are provided for in Eagle Associates’ compliance programs. However, attention to provided updates, participation in employee training and use of included compliance tools is necessary to ensure your programs remain active.

Medicare Overpayment

On February 12, 2016, the Centers for Medicare and Medicaid Services issued a Final Rule that specifies the time frame for reporting and returning overpayments.  A new Section 1128J(d)(1) of the Affordable Care Act requires a person who has received an overpayment under parts A or B of the Medicare program to report and return the overpayment to the Secretary, the state, an intermediary, a carrier, or a contractor, as appropriate, at the correct address, and to notify the Secretary, state, intermediary, carrier or contractor to whom the overpayment was returned in writing of the reason for the overpayment.

Overpayment is defined as:

“any funds that a person has received or retained under title XVIII of the Act to which the person, after applicable reconciliation, is not entitled under such title.”

The Rule states that providers receiving funds under the programs must return overpayments by the later of:

  • 60 days after the date on which the overpayment was identified; or
  • the date any corresponding cost report is due, if applicable.

The Final Rule is effective March 14, 2016. Please refer to the April issue of the American Practice Advisor for more information.

Disclosure Requests for Legal Proceedings

Disclosure of protected health information (PHI) for use in legal proceedings is permitted under certain circumstances.  If a covered entity receives a court order that is signed by a judge, requesting PHI, it should comply with the order and provide the information that is specifically requested.

If the practice receives a subpoena, discovery request, or other lawful process that is not accompanied by a signed order of the court, certain satisfactory assurances must be obtained from the requesting party prior to disclosure of the requested information.

In these instances, the requesting party must provide the practice with either of the following:

  • Satisfactory assurances that reasonable efforts have been made to give the individual (whose information has been requested) notice of the request; or
  • Satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order (see below) that will guard the confidentiality of the information.

Please refer to the article, Requests for Disclosure of PHI for Legal Proceedings, in the April issue of the Advisor®, for more information regarding satisfactory assurances and documentation requirements.