Is your e-PHI Secure? ONC and OCR Update HIPAA Security Risk Assessment Tool

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches,” stated ONC and OCR in their joint news release on the updated SRA Tool. Healthcare and non-healthcare organizations are increasingly seeing a similar risk assessment requirement under a growing body of state law, such as in California, Colorado, Massachusetts, New York, and Oregon.

Recognizing that conducting this enterprise-wide risk analysis can be a challenging task, the ONC and OCR developed a downloadable SRA Tool in 2014 to help covered entities and business associates identify risks and vulnerabilities to e-PHI. According to ONC and OCR, the October 2018 update to the SRA Tool improves usability and expands its application to a broader range of health data security risks. Still, the SRA Tool may not be the right fit for small and midsized covered entities and business associates. In fact, the HIPAA Security Rule contemplates that covered entities and business associates may use any security measures that reasonably and appropriately implement the standards and implementation specifications. In doing so, they may take into account certain factors about their organization: (i) size, complexity, and capabilities, (ii) technical infrastructure, hardware, and software security capabilities, (iii) costs of security measures, and (iv) probability and criticality of potential risks to electronic protected health information.

Use of the SRA Tool is not required by the HIPAA Security Rule, and its use alone does not mean that an organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. However, it may help organizations in their efforts to comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments.  Notably, while the SRA Tool may provide a basic outline for the risk assessment process, it does not provide substantive legal guidance as to how a covered entity or business associate is to navigate between the various standards that are either “required” or simply “addressable.”  While completing a risk assessment is a requirement under HIPAA, organizations should seek guidance from legal counsel as to how to complete such an assessment and how to develop and implement appropriate safeguards based on the results of the assessment.  Failing to do so could create significant liability for your organization.

Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the OCR. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.

“Doc, mind if I record this?” – Recording Visits Between Patients and Medical Providers

In today’s world, people are accustomed to accessing endless information with their mobile phone. Accessibility to their own conversations regarding their health may not be any different. What happens when a patient wants to use this technology to preserve his or her access to medical information by recording their medical appointment? A recent study by the Dartmouth Institute for Health Policy and Clinical Practice examined patient recordings of clinical encounters and found they are becoming more common. However, like many trends related to advances in technology, such recordings present an array of complex legal issues.

Patients and providers alike can benefit from recording medical visits. Recording visits may reduce patient stress about trying to remember everything said during the visit, leading to more focused exchanges of information between patient and provider. In addition, patients may choose to share recordings of provider visits with other providers and family members involved in their overall medical care. This can result in better comprehensive care for the patient. Healthcare organizations may be able to use visit recordings as part of their quality improvement and training programs. Visit recordings also could lead to more efficient adjudication and resolution of malpractice claims.

Healthcare providers considering allowing patients to record visits or implementing their own visit recording system must weigh the potential benefits discussed above against some possible pitfalls. For example, would recordings dilute the doctor-patient privilege? Might recordings make patients less inclined to be candid in their communications with the provider? Does the presence of recording devices create an undue risk of inadvertent invasion of the privacy of nearby patients? Healthcare providers also may want to consider whether their general patient population is likely to have a negative or a positive view on recording patient visits.

Despite the near ubiquitous presence of mobile phones with recording capability and the myriad issues this raises, the Dartmouth Institute for Health Policy and Clinical Practice study found that very few of even the largest health systems have developed policies to address these issues. Developing policies is important because recording visits raises several legal issues, including state laws on consent to recordings and HIPAA regulations on how recordings are transmitted and stored. Organizations also should consider whether different types of visits and recording media warrant different guidelines. For example, an organization may want to prohibit video recording of physical examinations or prohibit any recording of certain topics. Organizations also may consider posting signs in waiting rooms and hallways prohibiting recording to protect other patients’ privacy. When considering whether to record patient visits, healthcare providers also must determine the impact of privacy laws on their employees, and whether recording visits raises collective bargaining issues.

The healthcare industry should prepare for the growing trend of recording patient visits. It would be prudent for healthcare organizations to consider these complex issues on a systemic basis rather than addressing them on a case-by-case basis. Please contact a Jackson Lewis attorney if you have any questions about these and other legal developments.

New York State Enacted Budget Includes New Limits, Mandates for Licensed Home Care Services Agencies

The 2018-2019 New York State Budget seeks to advance the state’s strategic policies of encouraging the merger of existing Licensed Home Care Services Agencies (LHCSAs), reducing the number of new LHCSA providers entering the marketplace, and providing more state control over existing LHCSAs. Our colleagues in the Health Law and Transactions team provide details on the state freezing new LHCSAs and a registration requirement, among other provisions. You can read more about it here.

Class Certification Denied in Physician Equal Pay Lawsuit Under a Blanket Compensation Plan

An Illinois District Court recently denied certification of a class of female physicians claiming that their employer’s pay practices unlawfully discriminated against women in violation of Title VII, the Illinois Equal Pay Act, and the Illinois Civil Rights Act (Ahad v. Board of Trustees of Southern Illinois University).

Plaintiff alleged that the implementation of the defendant’s, Southern Illinois University Board of Trustees’, “compensation plan” resulted in pay disparity between male and female physicians.

In holding that the plaintiff failed to meet the Rule 23(a) requirements of “commonality” and “typicality,” the court held that the mere implementation of the compensation plan failed to form the “glue” needed to meet class certification standards. The Court found that the plaintiff failed to demonstrate how the facially gender-neutral compensation plan could have created disparate compensation results. While the plaintiff argued that the compensation plan delegated discretion to the department chairs based on objective criteria, the plaintiff failed to present any argument that those objective factors were in any way biased against women, or that the factors were the “cause” in pay disparity.

Plaintiff’s expert’s findings showed that female physicians were paid significantly less (a point that was directly contradicted by defendant’s expert), and the plaintiff argued that there was no other explanation for the alleged disparity. However, the Court held that the compensation plan, on its own, did not provide the necessary glue to show that adjudicating the claims on a class-wide basis would “produce a common answer to the questions of whether and why compensation for female physicians was lower…”

The court likewise held that the plaintiff’s expert statistical evidence failed to “turn the tides” of its analysis. Citing the U.S. Supreme Court’s holding in Wal-Mart Stores, Inc. v. Dukes, the court held that statistical evidence, on its own, “does not and cannot” satisfy the Rule 23(a) commonality requirement.

The court also noted that Rule 23(a)’s typicality requirement tends to merge with the requirement of commonality. Having already found that the plaintiff failed to show commonality, the court summarily held that typicality likewise was not satisfied.

This case provides employers with further authority that, where employees are subject to a blanket compensation policy that may (even with supporting statistical evidence) result in pay disparity, plaintiffs cannot maintain class claims solely on the existence and implementation of the policy in and of itself.

Five Things Human Resources Professionals Are Doing to Make a Difference in Healthcare

The American Society for Healthcare Human Resources Administration’s 54th Annual Conference & Exposition held on September 15-18, 2018 in Pittsburgh focused on empowering attendees to meet the new realities faced by health care human resources professionals. Here are the Jackson Lewis Healthcare Industry Team’s “Top 5” takeaways from the conference.

  1. Investing in Developing Physician Leaders Pays Off. Being a physician leader requires more than being a great practitioner. Conference attendees heard how executive coaching can help physicians develop strong leadership skills. One presenter shared metrics from her health system demonstrating significant return on the investment in executive coaching for physicians. Attendees also noted the importance of framing “coaching” as an organization’s commitment to helping a physician succeed rather than as a form of corrective action.
  2. Data Analytics Can Increase Recruiting Efficiency and Improve Employee Performance. Advanced data analytics can be leveraged in the recruitment process and to measure performance across several important recruitment metrics, including quality of hire. In addition, the data can be used to create and drive performance improvement initiatives.
  3. The #MeToo Movement is a Call to Examine and Improve Your Culture. Healthcare organizations are not immune from the #MeToo Movement. Therefore, organizations must develop effective anti-harassment programs, which include senior leaders modeling and communicating a culture of respect. Once the message is out, the organization should train the entire workforce and then carefully manage and monitor its anti-harassment procedures.
  4. HR Adds More Value When Partnering With Other Leaders. The healthcare industry faces many challenges, including recruiting and retaining highly skilled and engaged caregivers, ensuring respect and accountability in the workplace, and financial constraints tied to reimbursement rates. Several presentations highlighted the importance of human resources professionals partnering with other leaders to meet these challenges. Examples include collaborating with nurse leaders to better understand the implications of the ANCC Magnet Recognition program standards, working with medical staff leaders to confront troubling behaviors, and working with other C-Suite leaders to anticipate and avoid potential pitfalls in growing health systems.
  5. Addressing the Pay Equity Question. The last several years have brought a flurry of legislative activity to address the question of pay equity. In addition, many healthcare industry groups are raising awareness of pay inequality and calling for change. Human resources professionals can shepherd their organization through the process of identifying and correcting pay equity problems.

Seventh Circuit Holding in Sexual Orientation Fair Housing Lawsuit May Foreshadow Similar Claims Brought Against Health Care Providers

On August 27, 2018, the Seventh Circuit Court of Appeals reversed an Illinois District Court in holding that a seventy-year-old homosexual woman could maintain her Fair Housing Act (FHA) claims against a retirement community, Glen St. Andrew Living Community, for failing to take reasonable steps to prevent the “torrent of physical and verbal abuse from other residents” allegedly suffered by the plaintiff because she is openly lesbian.

The plaintiff’s complaint alleges that she routinely reported incidents of rampant verbal and physical abuse from other residents of the nursing facility. According to the plaintiff, her complaints were dismissed, and she was branded a liar and continued to be discriminated against. The complaint further alleges that the nursing home retaliated against the plaintiff by providing her with less desirable amenities, barring her from common areas, halting her cleaning services, and even physically assaulting her.

The Court of Appeals cited to its 2017 decision in Hively v. Ivy Tech Community College of Indiana in holding that discrimination based on sexual orientation applies equally to claims under Title VII or the FHA.

Most notably, the Court of Appeals held, “Not only does [the FHA] create liability when a landlord intentionally discriminates against a tenant based on a protected characteristic; it also creates liability against a landlord that has actual notice of tenant-on-tenant harassment based on a protected status, yet chooses not to take any reasonable steps within its control to stop that harassment.” While the Court acknowledged that the plaintiff was in “uncharted territory,” it was satisfied by prior U.S. Supreme Court interpretation of analogous anti-discrimination statutes that the plaintiff’s claims were covered by the FHA.

Of most interest to the health care industry, the Court left the door open for analysis of sexual orientation claims against proprietors of traditional nursing homes and hospitals under anti-discrimination statutes. In dicta, the Court stated, “We say nothing about the situation in a setting that more closely resembles custodial care, such as skilled nursing facility, or an assisted living environment, or a hospital. Any of those are different enough that they should be saved for another day.”

The Court’s comment is telling, and based on its interpretation of the FHA in this case and its 2017 Hively decision, it is quite possible that, at least in the Seventh Circuit, a hospital or nursing care employer could be held liable for sexual orientation discrimination or retaliation claims for failing to adequately respond to harassment complaints made by patients.

Preparing for ICE Enforcement Actions at “Sensitive Locations”

ICE and CBP consider hospitals and other healthcare facilities to be sensitive locations where enforcement actions should be avoided without prior approval or unless there are exigent circumstances. Despite that policy, undocumented aliens continue to be arrested at medical facilities where they are receiving treatment or where they have accompanied ailing family members. Since the sensitive locations policy is only guidance, legislation has been introduced in both the Senate and the House to codify and therefore strengthen those policies. The Protecting Sensitive Locations Act was sponsored in the Senate by Senators Richard Blumenthal (D-CT) and Elizabeth Warren (D-MA) and by Representative Adriano Espaillat (D-NY) in the House to give greater protection to hospitals, medical facilities, schools, churches and courthouses and to eliminate the “climate of fear” that may prevent immigrants from seeking necessary care.

Here are some general tips on what to do if ICE comes to your facility to gather information or arrest a patient or family member. Remember, an ICE enforcement action can have serious civil and criminal consequences for your patients, your staff and your facility. It is therefore essential to protect your rights and those of your patients and staff by consulting with counsel on these matters. The following overview is simply meant to provide medical facility employers with some basics to consider in advance of any enforcement action.

  1. Assign and prepare several staff members to be the contact person in case ICE arrives at your facility and make sure all receptionists know to notify a contact person if there is enforcement activity.
  2. Identify appropriate legal counsel in advance of any enforcement action and be sure that receptionists know to contact that attorney immediately for advice if ICE agents arrive on the premises.
  3. Ask the ICE officers to provide identification when they enter your facility.
  4. The assigned contact person should accompany the ICE officers at all times while they are at your facility and take notes of all actions.
  5. There is no obligation to collect information on immigration status. If you do not collect that information then you do not need to worry about being asked to disclose that information.
  6. During an enforcement action, staff should not engage in any activities that could be considered harboring or obstruction.
  7. Once the officers leave, there should be a full debriefing.
  8. Agents can look into anything that is in “plain view” in a public space. Make sure your staff understands that patient information must be protected everywhere in the facility–this includes paperwork and oral conversations.
  9. Without a warrant or probable cause, immigration officers cannot enter private areas absent consent of an authorized representative. Individuals can be vulnerable in public spaces within your facility where there is no expectation of privacy. You may want to consider establishing specific “private spaces” within your facility where there is an expectation of privacy. Access in those private areas would be limited to patients, family members and necessary staff. Policies, signage and barriers can be used to delimit these private areas.
  10. If ICE has obtained a warrant, the contact should examine it to ensure it is properly signed, review the specific premises to be searched and not allow agents to search areas outside of those specific premises unless they have probable cause.
  11. Your employees are not required to give any statements to ICE officers or allow themselves to be interrogated.
  12. Conduct training for staff members and make educational materials available to patients about their rights.

Labor Department Independent Contractors Guidance Targets Home Care, Nursing, Caregiver Registries

In its first substantive guidance on independent contractors, the Trump Administration has targeted misclassification in the healthcare industry. Our colleagues in the Staffing & Independent Workforce team offer details on the July 13, 2018 guidance to Wage and Hour Division field staff on determining whether home care, nurse, or caregiver registries are employers under the Fair Labor Standards Act. You can read it here.

Physician Pay Equity Issues Are Under the Microscope

As our blog reported on June 21, and as is the case across many industries, issues related to physician pay equity are receiving increased attention nationwide.

Doximity’s 2018 Physician Compensation Report (its second annual report) contained key national findings on the gender wage gap that point to widespread disparities in physician compensation:

  • The overall disparity increased from 26.5% in 2016 to 27.7% in 2017.
  • As was the case in 2016, “female physicians did not out-earn their male counterparts in any of the top 50 metro areas.”
  • More than half of these metro areas saw the gender wage gap increase in 2017 as compared to 2016.
  • In 2017, in 25 of these top 50 metro areas, the gap was greater than $100,000 (and the largest was $134,499 in Charleston, SC).
  • The tightest (smallest) gap in dollars was still more than $68,000 ($68,758 in Rochester, NY).

Separately, the Maryland State Medical Society (MedChi) recently conducted its own compensation survey.  After surveying 508 physicians, MedChi found that Maryland’s male physicians earn almost 50% more than its female physicians (an average salary of $335,000/year vs. $224,000).

Relatedly, Modern Healthcare reported last week that women are “still a rarity in high-paying surgical specialties.”  Doximity’s Report also contained data that physician compensation widely ranges by specialty – with surgery dominating the top slots (from the high of $662,755 for neurosurgery) – and different pediatric medicine specialties rounding out the bottom of the list (with a low of $191,735 for pediatric infectious disease).

While many healthcare organizations are tackling issues related to diversity and inclusion, the studies discussed above suggest they also should be examining the factors behind the gender pay gap and identifying means to address it. This is especially important today as an increasing number of jurisdictions are enacting pay equity laws that impose significant penalties for violations, such as those enacted by California, Connecticut, Vermont, Oregon, and Massachusetts. For more information about how your organization can be proactive regarding pay equity challenges, contact your Jackson Lewis attorney.

Fifth Circuit Permits Employee Allegedly Harassed by Patient to Proceed to Trial

A recent Fifth Circuit decision reminds healthcare employers that liability not only stems from potential harassment of employees by coworkers, but by patients as well. In Gardner v. CLC of Pascagoula, L.L.C. dba Plaza Community Living Center, 2018 U.S. App. LEXIS 17939 (5th Cir. June 29, 2018), the Fifth Circuit held that Kymberli Gardner, a former assisted living facility certified nursing assistant who was allegedly harassed by a patient, can proceed with her hostile work environment claim to trial. The Court reversed the district court’s grant of summary judgment in favor of the employer.

The patient at issue is an elderly man who resided in the employer’s assisted living facility and suffers from illnesses, such as dementia and Parkinson’s disease. Gardner and other female nurses complained to their supervisor about the patient’s inappropriate behavior, including repeated groping and lewd sexual comments. The plaintiff also asserts that, as a result of the patient’s behavior, she was required to take a leave of absence from work. The plaintiff alleges that, instead of taking action, her supervisor laughed at her concerns, and told her to “put [her] big girl panties on and go back to work.” Gardner later requested reassignment after an incident wherein she was reportedly punched by the patient three times while assisting him out of bed. The plaintiff’s request was denied and she was ultimately terminated based on her response to this incident, as she is alleged to have made inappropriate comments (including swearing and racial statements) and tried to hit the patient.

The Fifth Circuit overturned the lower court’s summary judgment finding in favor of the employer, concluding that a jury could find that these disputed facts satisfy the elements of a hostile work environment claim under Title VII of the Civil Rights Act of 1964 (Title VII). The Court emphasized the patient’s physical assaults, distinguishing “occasional inappropriate touching or minor slapping” from “persistent sexual harassment or violence with the risk of significant physical harm.” The Court held that under the facts presented, a “jury could conclude that an objectively reasonable caregiver would not expect a patient to grope her daily, injure her so badly she could not work for three months, and have her complaints met with laughter and dismissal by the administration.” The Court also noted the employer’s alleged lack of remedial measures in light of their knowledge of the patient’s conduct based on informal complaints, and that the behavior was recorded in the patient’s chart. In making this finding, the Court recognized the employer’s demonstrated ability to fix the situation, as the patient was later removed to an all-male facility after assaulting another patient.

This decision is another important reminder of the complexities facing healthcare employers in addressing hostile work environment claims, not just amongst employees but based on patient behavior as well. Healthcare employers must expand sexual harassment discussions beyond employee-employee interactions, and maintain a workplace culture where employees feel comfortable sharing their concerns. For more tips, see the prior Jackson Lewis blog post about making meaningful culture change in the healthcare industry amid the #TimesUp movement.