2018 OCR's Record Year for HIPAA Breaches - TTUHSC ...
April 2019
Texas Tech University Health Sciences Center

2018 OCR’s Record Year for HIPAA Breaches: 1
Attestations: Split/Shared Visits: 2
Concurrent Critical Care Services: 3
Immigration Compliance Update: I-9 & E-Verify Audit: 4-5
UTHSC-Misappropriate NIH Grants; Northwestern-NIH Subrecipients: 6
Jussie Smollett Case & HIPAA Violations; Compliance Quiz: 7

2018 OCR’s Record Year for HIPAA Breaches

In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches than in 2010.

Last year also ended up being a record year for HIPAA enforcement actions. According to the Office for Civil Rights (OCR), 10 cases were settled and one case was granted summary judgment before an Administrative Law Judge, for a total of over $28 million from enforcement actions. This far surpassed the previous record of just over $23 million in 2016.

In October 2018, Anthem, Inc. paid $16 million to the OCR over the largest U.S. health data breach in history, a series of cyberattacks between December 2, 2014 and January 27, 2015 which led to almost 79 million individuals’ PHI being stolen. Anthem also agreed to a substantial corrective action plan for violations of the HIPAA rules.

In June 2018, a U.S. Department of Health and Human Services (HHS) Administrative Law Judge ruled in favor of the OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil money penalties and adopt a corrective action plan for HIPAA violations.

OCR’s final settlement for 2018 was in December, when Cottage Health of California agreed to pay $3 million to the OCR and accept a corrective action plan to settle potential HIPAA violations concerning two breach reports of unsecured ePHI affecting over 62,500 individuals.

The charts below show you the causes and the locations of the breached PHI:

You can read the complete reports here and here. The charts were originally published here: https://www.hipaajournal.com/analysis-of-healthcare-data-breaches/
Attestations: Split/Shared Visits

Physicians often use the term "attestation" to refer to any kind of statement they insert into a progress note for an encounter involving work by a resident, non-physician practitioner (NPP), or scribe. However, for compliance and documentation purposes, "attestation" has a specific meaning and there are distinct requirements for what a physician must "insert" into a progress note. A visit in which a resident participated in patient care has different rules than one in which a nurse practitioner was involved, while scribes require different attestation language altogether.

What's an 'attestation'?

First, let's look at the term "attestation." For our purposes this is a statement by the physician that they are declaring something to be true about the progress note. In the context of a resident-involved service, the physician attestation is a statement that the teaching physician declares the progress note is in compliance with the applicable teaching physician rules. In the context of a visit in which a scribe is performing the documentation, the attestation is a statement that the scribe rules are being followed. Finally, under our definition of attestation, the term doesn't apply to a split/shared visit in which a physician and NPP both see the patient and "split" the visit. Instead, CMS rules state that each provider must contribute a "substantive portion" of the key components of the visit, and the combined documentation must reflect this.

What's required for a split/shared visit?

The definition of split/shared visits by CMS is: “A split/shared E/M visit is defined by Medicare Part B payment policy as a medically necessary encounter with a patient where the physician and a qualified NPP each personally perform a substantive portion of an E/M visit face-to-face with the same patient on the same date of service. A substantive portion of an E/M visit involves all or some portion of the history, exam or medical decision making key components of an E/M service. The physician and the qualified NPP must be in the same group practice or be employed by the same employer.”

CMS contractors have often defined "substantive portion" as consisting of at least one of the three key components of an E/M visit (the history, physical exam, and medical decision making). Split/shared visits are allowed by Medicare and do not require that the physician and NPP see the patient together; however, it's important to understand that the physician can't satisfy the split/shared rules by inserting a generic "attestation." It's possible that a Medicare contractor would find that this does not constitute a "substantive" contribution to the visit. Ideally, the physician should document any pertinent findings in the history or exam they personally perform, along with any changes to the plan of care they make.

Source: “Your NAMAS Weekly Auditing & Compliance Tip for February 1, 2019” by Grant Huang, CPC, CPMA. DoctorsManagement, LLC. To listen to this tip in its entirety: https://soundcloud.com/namas-354265535/020119-attestations-teaching-physicians-vs-split-shared
Concurrent Critical Care Services by Physicians in Group Practice(s)

Concurrent Critical Care Services

Concurrent critical care services provided by each physician must be medically necessary and not provided during the same instance of time. Medical record documentation must support the medical necessity of critical care services provided by each physician (or qualified NPP). Each physician must accurately report the service(s) he/she provided to the patient in accordance with any applicable global surgery rules or concurrent care rules. (Refer to Medicare Claims Processing Manual, Pub. 100-04, Chapter 12, §40, and the Medicare Benefit Policy Manual, Pub. 100-02, Chapter 15, §30.)

The initial critical care time, billed as CPT code 99291, must be met by a single physician or qualified NPP. This may be performed in a single period of time or be cumulative by the same physician on the same calendar date. A history or physical exam performed by one group partner for another group partner in order for the second group partner to make a medical decision would not represent critical care services.

Subsequent critical care visits performed on the same calendar date are reported using CPT code 99292. The service may represent aggregate time met by a single physician or physicians in the same group practice with the same medical specialty in order to meet the duration of minutes required for CPT code 99292. The aggregated critical care visits must be medically necessary and each aggregated visit must meet the definition of critical care in order to combine the times.

Reporting Depends on Same or Different Provider Group & Specialty

If the two physicians are part of different groups and provide medically necessary critical care at different times on the same date of service, each physician may report his or her individual service, applying time-based critical care codes 99291 and 99292 in the usual manner.

If two physicians or other qualified healthcare professionals within the same group, but of different specialties, provide critical care to the patient on the same date of service, each provider might be able to bill separately. Physicians in the same group practice who have different medical specialties may bill and be paid without regard to their membership in the same group.

Reporting requirements change if the two providers are members of the same group practice and specialty. Physicians in the same group practice who have the same specialty may not each report CPT initial critical care code 99291 for critical care services to the same patient on the same calendar date. Medicare payment policy states that physicians in the same group practice who are in the same specialty must bill and be paid as though each were the single physician.

Source: https://www.aapc.com/blog/31668-revisit-critical-carereporting-for-multiple-providers/
Immigration Compliance Update: Internal I-9 & E-Verify Audit

On December 1, 2018, our Immigration Compliance & Services (ICS) team partnered with our five HR Campus Offices to internally audit Form I-9 documents for current employees. The audit focuses on the following:

- Confirm that each employee’s electronic record contains a properly completed and legible I-9.
- Ensure that each employee’s electronic record contains an E-Verify case resolution showing authorization to work in the USA.

Below are answers to some of the most frequently asked questions about the audit, Form I-9 and the E-Verify process:

What is a Form I-9?

Form I-9 (or I-9) is a two-page Dept. of Homeland Security form that everyone working in the USA for at least three business days needs to complete to show that they are lawfully entitled to work in the USA. US citizens, US residents and foreign national employees are all required to complete an I-9 and present documents to show their identity and work authorization. I-9 completion has been required since November 6, 1986 and every person hired as of November 7, 1986 must complete an I-9.

When is an I-9 completed?

New employees complete their portion of the I-9 on the first day of employment. The employer portion of the I-9 has to be completed by close of business on the fourth day of employment. It is best to have everything completed on the first day of employment to minimize or eliminate the risk of non-compliance.

I’m a US citizen, born and raised. Why do I have to do this?

There are quite a few state and federal benefits that require you to present documents to establish your identity, citizenship or lawful presence in the USA. The driver’s license, SSN, and passport processes are a few examples. The I-9 is just another situation where you must show you are entitled to a benefit – that benefit being employment in the USA.

I just don’t remember ever completing an I-9?

It’s a simple form and completed during the onboarding process so it likely doesn’t stand out in your memory. If you’ve been working at TTUHSC for a number of years, it’s unlikely that you’ll remember ever completing this form. But you did. If the I-9 you completed has deficiencies (or if we can’t find it) we’ll reach out by email to ask you to complete a new one. When you come to ICS or HR to complete a new, error-free I-9, we’ll show you the deficiencies in your previous I-9 if you wish to review it.

Why can’t you just tell me what documents I need to bring to complete an I-9? Why do I have to pick from an entire page of options?

As unusual as it may seem, federal law forbids the employer from requesting particular documents. We are required to present you with a list of acceptable I-9 documents and you must select which ones to present to us. We can help you understand the list, but we cannot tell you which documents to bring.
So, if I don’t complete an I-9…

A US employer that hasn’t completed the lawful hire process is subject to fines and penalties if you are hired without evidence of a properly completed I-9 on record. If you have no authorization to work in the USA, the employer is also subject to fines and penalties for hiring unauthorized workers.

So, if I refuse to complete an I-9 even if I’m lawfully in the USA and authorized to work…

You’re not providing any information that isn’t already in a government database. As a US employer, TTUHSC has to record the necessary information on one document (the I-9). Refusing to complete an I-9 puts TTUHSC at risk because the institution is fined if there is no I-9 on file and also fined if there is an I-9 with deficiencies.

How bad are those fines and penalties?

We can be fined up to $1,000 for every question that is required to be answered but not answered on the I-9 form. There are over 50 fields on an I-9 form and usually at least 35 of them need to be completed by the employee and employer: about 15 for the employee and the rest for the employer.

And why do I need an E-Verify case?

TTUHSC is an E-Verify employer. We joined the program 10 years ago when we obtained a federal contract that required us to do so. In 2018, to ensure that we had absolutely no I-9 compliance issues, we decided to E-Verify our entire current workforce and correct any and all I-9 deficiencies. The benefit of this is that we reduce our audit risk significantly and better ensure that we won’t be fined even if a few slip-ups are found. Another benefit is that TTUHSC can continue to compete for federal contracts, and maintain the federal contracts we have, without worrying about losing them because of I-9 deficiencies.

What will ICS and HR be doing?

We’ve reviewed the I-9s for every single employee hired between November 7, 1986 and August 31, 2015. (Texas state law required us to E-Verify all employees hired as of September 1, 2015 so that group was excluded from the audit.) An E-Verify case is created for each I-9 that was properly completed. If an I-9 has deficiencies, we are reaching out to those employees and asking them to come to ICS or HR to redo the I-9. If you get an email, please read it fully; gather the information we need; and come to our offices to complete your I-9. We only need 15 minutes of your time.

If I get an email asking me to go to ICS or HR…

Please do so as soon as possible. If an I-9 has deficiencies, we are reaching out to those employees and asking them to come to ICS or HR to redo the I-9. If you get an email, please read it fully; gather the information we need; and come to our offices to complete your I-9. We only need 15 minutes of your time and we thank you for helping us successfully complete the audit.

Your cooperation is essential to our success!
UT Health Science Center Pays More than $2.3 Million to Resolve Allegations about Misappropriated NIH Grants

The University of Texas Health Science Center (UTHSC) at Houston has paid $2,396,769.76 to resolve allegations that its Human Genetics Center misappropriated grant funds the National Institutes of Health (NIH) provided.

According to the U.S. Department of Justice, the Genetics Center wanted to draw down a substantial portion of the money remaining on the grant before the end of the grant period so that it would not have to return unused funds to the NIH. To accomplish this, the Center placed an order for a large quantity of genetic sequencing material from Illumina Inc. just prior to the end of the subject grant. They then stopped shipment of that material and had Illumina establish a credit of $1,198,384.88 for the material, which the Genetics Center then used to purchase goods and services from October 2012 through to Dec. 31, 2017, after the close out of the grant.

This resulted in UTHSCH underreporting the unobligated federal funds remaining on the grant, which were not returned to NIH. This misappropriation of federal funds deprived NIH of grant funds to which it would have otherwise been entitled. These funds could have then been used for other grants.

Northwestern University Failed to Complete Required Risk Assessment for Subrecipients of NIH grants, but Claimed Allowable Costs

The U.S. Department of Health and Human Services (HHS) codified the Uniform Guidance at 45 CFR part 75, which governs Federal awards and award increments made on or after December 26, 2014. The new rule requires a prime Federal award recipient to perform pre-award subrecipient risk assessments and to monitor the programmatic activities of subrecipients throughout the life of each subaward. The Office of Inspector General (OIG) of HHS did a review of colleges’ and universities’ controls over the subcontracting of National Institutes of Health (NIH) grant and contract work in 2018.

As the prime recipient of 229 NIH grant funds, totaling more than $467 million, Northwestern University is subject to the requirements set forth in 45 CFR part 75 for subrecipient monitoring and Federal cost principles. However, according to a report by the OIG published in November 2018, Northwestern University did not always perform required subaward risk assessments, but claimed allowable costs. During the review, OIG found that Federal funds of approximately $9.7 million were awarded to subrecipients without Northwestern performing the required risk assessment. Northwestern has taken corrective actions such as establishing policy that addresses the management of subawards, and performing risk assessments on all subrecipients.
Jussie Smollett Case: 50 Northwestern Hospital Employees Fired For HIPAA Violations

At least 50 employees, including nurses, at Northwestern Memorial Hospital in Chicago have been fired after improperly reviewing the medical records of "Empire" actor Jussie Smollett without authorization.

Authorities said Smollett reported on Jan. 29 that he was physically attacked at a Subway restaurant. Following the alleged attack, Smollett was treated for bruises and facial lacerations at Northwestern Memorial Hospital, where the curiosity of dozens of employees was piqued. A surgical nurse, identified as Susan, stated to NBC Chicago that she was simply curious and only searched the actor's name in the system. Another employee states she did a partial search of Smollett’s name for another employee. Both were fired for violating HIPAA. According to NBC Chicago, at least 50 employees were fired from various locations in the Northwestern system, and every employee who accessed Smollett’s information in violation of HIPAA was terminated.

The HIPAA Privacy Rule allows for protected patient information to be disclosed by covered entities (CE) for the purposes of treatment, payment, and healthcare operations, and requires that CEs take steps to limit the disclosure of such information to the minimum necessary to accomplish the intended purpose.

Congratulations to Q1 Compliance Quiz Winners!

Cristina Hidalgo from Anesthesiology Lubbock
Cheyenne Howard from TDCJ Lubbock

Compliance Quiz

Would you like to win TTUHSC swag? Please read our newsletter, and take the compliance quiz here. Individuals who correctly answer the questions will be entered into a drawing for prizes! The last day to submit your answers is May 10, 2019.

1. A split/shared visit does not require the physician and the NPP to see the patient together, but the physician must perform a substantive portion of the E/M visit and document this contribution in the medical record. (page 2)
A. True B. False

2. US citizens, US residents and foreign national employees are all required to complete an I-9 and present documents to show their identity and work authorization. (page 4)
A. True B. False

Submit your answers here! Please note that email participation is no longer valid.

Questions or suggestions? Email shen.wang@ttuhsc.edu

Click here to view the past issues of the Compliance Newsletter.