OIG Exclusion Search Tips

/in /by

If you participate with Medicare/Medicare Advantage/Medicaid programs, you must have a written Fraud, Waste and Abuse Prevention Program. One of the important elements of such a program is checking the Office of Inspector General (OIG) exclusions list. The OIG is the regulatory body that provides enforcement when fraud, waste and abuse is identified within the Medicare/Medicaid programs.

Exclusion checks should be performed prior to hire for potential candidates, and at intervals for existing staff, depending on the percentage of your overall revenue that is made up of Medicare/Medicaid claims. You can find the OIG exclusions search page here: https://oig.hhs.gov/exclusions/index.asp From this page, you are able to navigate to the exclusions search page, or the LEIE download page. The OIG has issued the following tips for searches.

• Because the Online Searchable Database and the Downloadable Database include only the name known to OIG at the time the individual was excluded, any former names used by the individual (e.g., maiden name, previous married name, etc.) should be searched in addition to the individual’s current name.

• In order to achieve the most accurate search results, enter only the first few letters of the first and last names.

• An individual with a hyphenated name should be checked under each of the last names in the hyphenated name (e.g., Jane Smith-Jones should be checked under Jane Smith and Jane Jones, in addition to Jane Smith-Jones).

• Maintain documentation of the initial name search performed and any additional searches conducted to verify results of potential name matches.

• If checking only a few names, use the Online Searchable Database to search up to five names at once.

• If checking many names, consider downloading the Downloadable Database into a spreadsheet or database program. This will enable the user to use that program’s search functions to crosscheck the names against the thousands of names on the LEIE. Verify the correct spelling of any names before starting a search.

• Always remember to take the final step of identity verification using the Social Security Number (SSN) for an individual or Employer Identification Number (EIN) for an entity. It is not sufficient to simply find a matching name on the LEIE.

• For a potential match using the Downloadable Database, verify the results by entering the SSN for an individual or EIN for an entity on the Online Searchable Database. (Note: The Privacy Act prohibits the distribution of SSNs so they cannot be included in the Downloadable Database).

• If a search result does not contain a DOB, UPIN, NPI, EIN, or SSN, it is not available from OIG. You should contact the Exclusions Branch at https://oig.hhs.gov/aboutoig/contact-us/#exclusions to determine if there is any other information available.

Hazard Communication Changes Part II

/in /by

The July 2024 issue of the Advisor introduced the Hazard Communication changes in an article on page 4.  Included in that article were the compliance dates. A large portion of the changes affect manufacturers and distributors of hazardous chemicals, who will have new duties regarding classification of chemicals.

Some definitions have been added or significantly modified, including:

“Immediate outer package” means the first package enclosing the container of hazardous chemical.

“Liquid” means a substance or mixture which at 122⁰F (50°C) has a vapor pressure of not more than 43.51 PSI (300 kPa (3 bar)), which is not completely gaseous at 68⁰F (20°C) and at a standard pressure of 14.69 PSI (101.3 kPa), and which has a melting point or initial melting point of 68 ⁰F (20°C) or less at a standard pressure of 14.69 PSI (101.3 kPa).

“Physical hazard” means a chemical that is classified as posing one of the following hazardous effects: explosive; flammable (gases, liquids, or solids); aerosols; oxidizer (gases, liquids, or solids); self-reactive; pyrophoric (liquids or solids); self-heating; organic peroxide; corrosive to metal; gas under pressure; in contact with water emits flammable gas; or desensitized explosive.

“Physician or other licensed health care professional (PLHCP)” means an individual whose legally permitted scope of practice (i.e., license, registration, or certification) allows the individual to independently provide or be delegated the responsibility to provide some or all of the health care services referenced in paragraph (i) of this section.

“Solid” means a substance or mixture which does not meet the definitions of liquid or gas.

Small Containers

For a container less than or equal to 100 ml capacity, the chemical manufacturer, importer, or distributor must include, at a minimum, the following information on the label of the container:

(A) Product identifier;

(B) Pictogram(s);

(C) Signal word;

(D) Chemical manufacturer’s name and phone number; and

(E) A statement that the full label information for the hazardous chemical is provided on the immediate outer package.

For a container less than or equal to 3 ml capacity, where the chemical manufacturer, importer, or distributor can demonstrate that any label interferes with the normal use of the container, no label is required, but the container must bear, at a minimum, the product identifier.

For all small containers (any less than or equal to 100 ml capacity), the immediate outer package must include:

(A) The full label information required for each hazardous chemical in the immediate outer package. The label must not be removed or defaced.

(B) A statement that the small container(s) inside must be stored in the immediate outer package bearing the complete label when not in use.

Safety Data Sheets

A minor change states that Safety Data Sheets (SDSs) may be kept in any form, including as operating procedures, and may be stored in such a way to cover groups of hazardous chemicals in a work area where it may be more appropriate to address the hazards of a process rather than individual hazardous chemicals. However, the employer shall ensure that in all cases the required information is provided for each hazardous chemical and is readily accessible during each work shift to employees when they are in their work area(s).  Many organizations wonder whether it is acceptable to store SDSs electronically, and the Rule says they may be kept in any form.  However, they must be available and accessible, which means that even if the power is out, they must still be available.  For that reason, many organizations continue to have SDSs in printed form, rather than solely electronically.

Pictograms

For “Hazards Not Otherwise Classified,” the exclamation mark pictogram is permitted (but not required) for HNOCs if the words “Hazard Not Otherwise Classified” or the letters “HNOC” appear below the pictogram. Pictograms may only appear once on a label. If multiple hazards require the use of the same pictogram, it may not appear a second time on the label.

Precautionary Statements

Precautionary statements may incorporate minor textual variations from those the text prescribed if these variations assist in communicating safety information (e.g., spelling variations, synonyms or other equivalent terms) and the safety advice is not diluted  or compromised. Any variations must be applied/used consistently on the label and in the safety data sheet. Where a substance or mixture is classified for a number of health hazards, this may trigger multiple precautionary statements relating to medical response, e.g., calling a poison center/doctor/…and getting medical advice/attention.

Hazard Statements

Employers and manufacturers will be required to update the hazard statements, response, storage and disposal information on product labels in several areas as directed in the appendices.

Trade Secrets

Manufacturers have long been able to claim trade secrets to avoid disclosing the exact concentrations of chemicals in the formulation of products.  However, a change to the rule now states that concentration ranges must now be provided on SDSs.  Also, the specific chemical identity and percentage exact concentration or concentration range must be made available to health professionals, employees, and designated representatives when needed for emergency or first aid treatment.

Finally, the appendices to the Standard have been greatly updated to assist manufacturers/distributors in properly classifying, identifying and labeling hazards.

Reproductive Health Care Privacy Rule – Attestation

/in /by

The June issue of the Advisor® included an introductory article on HIPAA’s Reproductive Health Care Privacy Rule. The Rule’s prohibition on certain uses and disclosures of PHI related to reproductive health care was discussed. This article will provide more detail regarding the new requirement for covered entities to obtain an attestation from a person requesting use or disclosure of PHI potentially related to reproductive health care in certain circumstances.

Prohibition on Use or Disclosure

To understand when an attestation is required, it is essential to understand the new prohibition on use or disclosure of PHI to investigate or impose liability on any person for seeking, obtaining, providing or facilitating reproductive healthcare. The prohibition and attestation requirements apply only to a requested use or disclosure of PHI potentially related to reproductive health care that is for purposes of: health oversight, judicial and administrative proceedings, law enforcement, and about decedents to coroners and medical examiners. These types of disclosures do not require a patient’s authorization or an opportunity to agree or object to the disclosure.

The prohibition applies if one or more of the following conditions exists:

  • the reproductive healthcare is lawful under the law of the state in which it is provided, under the circumstances in which it is provided;
  • the reproductive healthcare is protected, required, or authorized by Federal law, under the circumstances in which such health care is provided, regardless of the state in which it is provided; or
  • the presumption of lawfulness applies (see below).

 

For example, if a covered entity received a request from a law enforcement agency for PHI that is potentially related to reproductive health care, the covered entity must ensure that it will not be used for a prohibited purpose, such as investigating a patient, and obtain a valid attestation to that effect.

Presumption

A covered entity may presume that reproductive health care provided by another person is lawful unless the covered entity or business associate has any of the following:

  • Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or

  • Information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided.

If the requesting entity provides information that demonstrates a substantial factual basis that the reproductive health care was unlawful, they still must provide a valid attestation signifying that the purpose of the request is not one that is prohibited (i.e., that the purpose of the use or disclosure is not to investigate or impose liability on any person for the lawful provision of reproductive health care).

Required Elements and Other Obligations

A valid attestation must be written in plain language and contain the following elements:

  • A specific description of the information requested, including one of the following:

– The name of any individual(s) whose protected health information is sought, if practicable.

– If including the name(s) of any individual(s) whose PHI is sought is not practicable, a description of the class of individuals whose PHI is sought.

– The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.

  • A clear statement that the use or disclosure is not for a purpose prohibited under §CFR 164.502(a)(5)(iii) (see Prohibition on Use or Disclosure section above).
  • A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses such information to another person.
  • Signature of the person requesting the PHI, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

A valid attestation may be electronic, provided it meets the above requirements.

Defective Attestations

An attestation is not valid if the document has any of the following defects:

  • The attestation lacks a required element or statement (see list above).
  • The attestation contains an element or statement that is not required (see list above).
  • The attestation is combined with another document (except where another document is needed to reverse the presumption of lawfulness).
  • The covered entity or business associate has actual knowledge that material information in the attestation is false.
  • A reasonable covered entity or business associate in the same position would not believe that the attestation is true.

 

If additional documentation is necessary to support the statement that the disclosure is not for a prohibited purpose or to demonstrate that reproductive care was unlawful, it must not replace or substitute for any of the attestation’s required elements. The attestation itself must be clearly labeled, distinct from any surrounding text, and completed in its entirety. Additional documents may only be appended to the attestation.

A covered entity or business associate that uses or discloses PHI potentially related to reproductive health care for purposes of health oversight, judicial and administrative proceedings, law enforcement, and to coroners and medical examiners based upon a defective attestation is not in compliance.

If a covered entity or business associate discovers while using or disclosing PHI that any representation made in the attestation is materially false, leading to a use or disclosure that is prohibited, it must cease such use or disclosure. In addition, if a disclosure is made based on an attestation that contains misrepresentations or a defective attestation, this will be considered an impermissible disclosure and must be treated as a privacy breach. Notification of affected patient(s) and the Department of Health and Human Services (HHS) will most likely be required.

 

Other Requirements

Any conditions for disclosure that existed prior to the new final rule will still apply, in addition to the attestation requirement. For example, disclosures in response to a subpoena have always required that the covered entity receive satisfactory assurances that the requestor:

  • has made reasonable efforts to ensure the individual who is the subject of the information has been given sufficient notice of the request; or
  • has secured a qualified protective order that will guard the confidentiality of the information.

This type of disclosure will now also require the requesting person to provide a valid attestation if the PHI that is requested is potentially related to reproductive health care. The deadline for compliance with the attestation requirements is December 23, 2024.

HIPAA Compliance System Subscribers: Eagle Associates will provide a compliant attestation form along with HIPAA Manual policy revisions by September 1, 2024.

Hazard Communication Standard Changes

/in /by

On May 20, 2024, OSHA published a revised Final Rule for Hazard Communication. Although the rule takes effect on July 19, 2024, several provisions have compliance dates that occur much later, as shown in the table below. OSHA believes this update to the HCS will improve worker protections by clarifying existing regulatory requirements, incorporating new hazard classes and categories, and improving and streamlining precautionary statements.

Most of the changes affect manufacturers and distributors, who now have an increased burden with regard to classifying hazardous chemicals. Manufacturers and distributors will now need to include SDSs in the first shipment of a product and again if there are any changes made to the SDS. They can also tell purchasers where to find SDSs if they are maintained electronically.

One of the significant changes that will affect employers is that very small containers (less than or equal to 100ml capacity) that are too small for GHS labels must carry labels with the following at a minimum, and must remain/be stored inside immediate outer packaging that has the full GHS label:

• Product identifier;
• Pictogram(s);
• Signal word;
• Chemical manufacturer’s name and phone number; and
• A statement that the full label information for the hazardous chemical is provided on the immediate outer package.

Next month’s issue of the Advisor® will include another article detailing further information on changes within the final rule. See table below for compliance date requirements.

Compliance DateRequirement(s)Who
18 months after publicationUpdate labels and SDSs for substancesChemical manufacturers, importers, distributors
and employers
24 months after publication dateUpdate workplace labels, hazard communication program and training as necessaryEmployers
36 months after publication dateUpdate labels and SDSs for mixturesChemical manufacturers, importers, distributors
and employers
42 months after publication dateUpdate workplace labels, hazard communication program and training as necessaryEmployers
Transition Period – July 19, 2024 to above-noted compliance datesMay comply with either 29 CFR 1910.1200 (this final standard), or the previous (2012) standard, or bothChemical manufacturers, importers, distributors,
and employers

New HIPAA Reproductive Health Care Privacy Rule

/in /by

On April 26, 2024, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. HHS states that the Privacy Rule was first promulgated, and continues to be enforced, to ensure that individuals are not afraid to seek health care or share important information with their healthcare providers because of a concern that their sensitive information will be disclosed outside of their relationship with their healthcare provider.

The new rule prohibits PHI from being used or disclosed for purposes of identifying, investigating, or imposing criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care.

This regulatory change will require covered entities to modify their PHI disclosure policies to prohibit certain disclosures for:

  • healthcare oversight
  • judicial and administrative (legal) proceedings
  • law enforcement
  • to coroners and medical examiners regarding decedents.

In addition, covered entities must require a valid attestation from requestors even when all other Privacy Rule conditions are met for the disclosure. A valid attestation will include several required elements including a statement signifying that the requesting party will not use or disclose the PHI for prohibited purposes (e.g., investigating or imposing liability on any person), and a statement that the requesting party may be subject to criminal penalties if they obtain or disclose PHI in violation of HIPAA rules. The attestation must not include any other element or statement that is not specifically required and may not be combined with any other form.

Employee training will also be necessary to ensure that all workforce members avoid violating the new rules and resulting enforcement action. If a covered entity becomes aware that PHI was disclosed based upon a falsified attestation or in absence of a required attestation, notification of a breach to the individual, the Secretary of HHS, and in some cases, the media, will be required.

The date by which covered entities must comply with the majority of the final rule’s provisions is December 23, 2024 — apart from a requirement to revise the Notice of Privacy Practices with additional information, which must be completed by February 16, 2026.

If you would like to view the final rule as published in the Federal Register, please visit: https://www.federalregister.gov/documents/ 2024/04/26/2024-08503/hipaa-privacy-ruleto-support-reproductive-health-care-privacy

HIPAA Compliance System subscribers will be provided policy revisions for their HIPAA Manual and related forms before September 1, 2024. Updated Privacy Rule training, including the new reproductive healthcare privacy requirements, will be published on the normal schedule in November 2024.

Incentivizing Compliance

/in /by

Imposition of sanctions for violations of compliance policies is a requirement of OIG and HIPAA regulations, but reinforcement of positive contributions to a compliance program are not addressed. In its most recent General Compliance Program Guidance, the Office of Inspector General includes some suggestions for encouraging participation in an organization’s compliance program.

Although the participation and adherence to policies are an expected part of a workforce member’s duties, employers may wish to establish some incentives for the workforce member who goes above and beyond what is expected. In addition, if there are areas of workforce member participation or compliance that you would like to see improve, you might consider incentivizing them specifically.

The OIG guidance lists the following behaviors that organizations may want to incentivize:

  • the achievement of compliance goals that are specific to a department or a specific position description;
  • achievements that reduce compliance risk (e.g., a team that develops a process that reduces compliance risk or enhances compliant outcomes, or an individual who suggests a method of attaining a strategic goal with less risk); or
  • performance of compliance activities outside of the individual’s job description (e.g., mentoring of colleagues in compliant performance or performing as a compliance representative within their department).

Positive contributions should always be documented in workforce members’ employment records so that they may be recognized during regular performance reviews. Excellent compliance performance or significant contributions to the compliance program could be the basis for additional compensation, recognition, or other smaller forms of encouragement. The OIG states that “Through the thoughtful and deliberate use of incentives, an entity may reduce its compliance risk, enhance adherence to the entity’s compliance programs, and develop a positive association with the entity’s compliance culture.”