A Trio of OCR HIPAA Breach Resolutions: Is Your Organization HIPAA Compliant?

Over the past thirty days, the Office for Civil Rights (OCR) has reached three HIPAA breach resolutions, signaling to covered entities and business associates under HIPAA the importance of instituting basic best practices for data breach prevention and response. Our colleagues in the Workplace Privacy, Data Management & Security practice group discuss the need for healthcare organizations and their business associates to address basic best practices, including terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations. You can read it here.

Illinois Hospitals to Face Requirements Designed to Reduce Violence Against Nurses

The Illinois Health Care Violence Prevention Act mandates hospitals and other healthcare providers to comply with requirements aimed at protecting their workers from violence. Beginning January 1, 2019, healthcare providers in Illinois will need to implement specific violence-prevention policies outlined in the Act (Public Act 100-1051). Our Workplace Safety and Health colleagues offer details on the requirements. You can read more about it here.

One Solution to the Healthcare Talent Shortage Problem

Much has been written in recent years about the escalating talent shortage in the healthcare industry. According to a recent survey, the talent shortage is among the top issues for more than 90 percent of U.S. hospital executives (Economist Intelligence Unit, http://healthcare.prudentialretirement.com/survey-highlights.php). The Association of American Medical Colleges forecasts a gap of between 40,000 and 105,000 physicians over the next 12 years, and nearly half of today’s registered nurses will reach retirement age within 2 years (https://news.aamc.org/press-releases/article/workforce_projections_03142017/). The Bureau of Labor Statistics projects that 1.1 million additional nurses are needed to avoid further shortages. Much less has been written, however, on how to address the problem. Suggestions for employers include increasing pay and benefits, paying off student loans, enhancing work-life balance programs, providing more flextime, and other obvious incentives to attract qualified candidates.

What is often overlooked is the diversity factor. The U.S. has been undergoing a dramatic demographic shift over the past few decades. In addition to the aging population, racial and ethnic minorities have been inexorably growing as a percentage of the domestic population and workforce. By 2042, it is estimated that there will be no majority race/ethnic group. Is the healthcare industry capitalizing on this changing talent pool?

To the contrary, healthcare appears to be lagging behind in the diversity of its workforce. African Americans are currently about 13 percent of the U.S. population and workforce, and Hispanics, about 18 percent. But, as the U.S. Equal Employment Opportunity Commission reports, in U.S. hospitals, African Americans comprise only 4.2 percent of executives, 8.1 percent of mid-level officials and managers, and 7.9 percent of professionals (for Hispanics, 3.1 percent, 6.0 percent, and 5.4 percent, respectively) (see chart, below). Many hospitals are located in urban areas rich in minority populations—e.g., African American population of Atlanta, 52 percent; Washington, D.C., 47 percent; Chicago, 31 percent; New York, 24 percent; and Miami, 18 percent—all above the national percentage. Similarly, Miami’s Hispanic population is 69 percent, Los Angeles is 49 percent, and Chicago is 29 percent. While the statistics are not as reliable for the percent of these populations that are qualified for specific medical-related positions, it is clear that there is untapped talent that can be accessed to address the shortages.

How to attract this diverse talent? Here are a few suggestions to get you started:

  1. Create a Diversity and Inclusion (D&I) Strategic Plan that provides goals, responsibilities/accountabilities, and timetables for achieving milestones. Secure buy-in and visible support from the CEO and Executive Committee.
  2. Identify a corporate executive—such as a Chief D&I Officer—with responsibilities for design and execution of the Plan. Create a Diversity Council to provide guidance and support.
  3. Provide adequate budget and resources to the D&I Office to secure results.
  4. Use data analytics to identify the most significant gaps between incumbency and availability of diverse employees, and set targets for reducing the gaps. (If you are a Federal employer, you likely already prepare Affirmative Action Plans identifying such gaps.)
  5. Hold executives and managers accountable for D&I performance. Include D&I objectives in performance requirements and evaluations.
  6. Create Employee Resource Groups where identifiable groups, such as African Americans, Hispanics, Asians, older workers, employees with disabilities, LGBT, etc., can assist you in both outreaching to qualified candidates (“fishing in the right pond”), and enhancing corporate culture to welcome a more diverse workforce.
  7. Engage recruiters—internal and external—specializing in finding qualified diverse candidates, and regularly assess their performance at achieving your objectives.
  8. Talk to your workforce. Use individual interviews, focus groups, employee engagement surveys, and exit interviews to learn ways to improve the welcoming culture.
  9. Communicate your D&I message to the workforce and the public. Millennial candidates, among others, often look first at your website (as well as social media) to determine your workforce profile and culture.
  10. Conduct adverse impact analyses of your key employment functions (applicant flow rates; hiring; promotions; discipline; voluntary and involuntary terminations) and address any statistically significant impacts on identifiable groups.

Diversity programs can raise legal issues depending on how they are established and administered, so be sure you check with counsel regarding any specific initiative.

With a strong commitment to tapping diverse talent, hospitals and other healthcare providers should make progress in reducing the escalating shortage and continuing to provide first-rate healthcare to patients across the country. For more information about how your organization can take a proactive approach regarding its diversity and inclusion performance, contact your Jackson Lewis attorney, or a member of the Corporate Diversity Counseling team.

U.S. Department of Labor’s Investigation of Arizona Hospital Highlights Need for Awareness of Workplace Lactation Accommodation Laws and Policies

As the result of an investigation by the U.S. Department of Labor’s Wage and Hour Division (WHD), a hospital in Arizona was recently ordered to comply with the Fair Labor Standards Act (FLSA) requirement that employers must provide nursing mothers adequate time and space to express breast milk. The WHD announced on December 11 that it entered into a compliance agreement with Yuma Regional Medical Center requiring the employer to provide training to all supervisors, and to provide all employees returning from maternity leave with information about their right to express milk in the workplace. The investigation revealed that the hospital previously denied requests for breaks from nursing employees and failed to provide a private location in which to express breast milk in violation of the FLSA.

Section 7(r) of the FLSA, known as the Break Time for Nursing Mothers provision, requires employers to provide nursing employees with: 1) a reasonable break time to express breast milk each time the employee has such a need for one year after the birth of the child; and 2) a place other than a bathroom within which to express breast milk that is shielded from view and free from intrusion from coworkers and the public. The FLSA provides an exception to employers with 50 or fewer employees if providing the accommodation according to these requirements would “impose an undue hardship by causing the employer significant difficulty or expense when considered in relation to the size, financial resources, nature, or structure of the employer’s business.” Section 7(r) was enacted on March 23, 2010 following the passage of the Affordable Care Act.

Increasingly, however, many states and municipalities are passing more expansive laws that provide protections to nursing employees who are not covered under the FLSA. Jackson Lewis’ Government Relations group recently reported that in New York City, Mayor de Blasio is expected to sign legislation in the coming weeks that will require all private employers with at least four employees to provide lactation rooms to nursing mothers. In particular, employers would be required to equip the lactation room with an electrical outlet, a chair, a surface on which to place a breast pump and other personal items, and nearby access to running water and a refrigerator. The lactation room also must be located “within reasonable proximity” to the nursing mother’s work area. New York State Labor Law Section 206-c also prohibits discrimination or retaliation against nursing employees who request accommodations to express breast milk.

Twenty-nine states, as well as the District of Columbia and Puerto Rico, have laws recognizing the rights of nursing mothers to express breast milk in the workplace. Given the patchwork of laws addressing breastfeeding in the workplace, it is essential for employers to be aware of local and state laws when developing lactation room policies. To learn more about this evolving area of the law, please contact your Jackson Lewis attorney.

‘Tis the Season for Budget Negotiations: What is the Potential Impact of Another Government Shutdown on Healthcare?

With less than a week left on the December 21st deadline to reach a spending deal and avoid another government shutdown, tensions are high in Washington D.C. On Tuesday, President Trump stated he would refuse to sign a spending bill that did not contain a $5 billion allocation for a border wall. It is questionable, however, whether such a bill would pass in the House or Senate. Thus, it is possible we will see the third shutdown of certain government agencies in this presidential term.

As background, Congress previously approved, and President Trump signed into law, five spending bills providing funding for about 75 percent of the federal government, including defense, education, labor, health and human services, the legislative branch, energy and water, military construction, and veterans affairs. There are still seven other spending bills that need legislative agreement, including those that provide funding for agriculture, the Food & Drug Administration, commerce, justice, science, interior and environment, state and foreign operations, Homeland Security, financial services, general government, transportation, and housing and urban development. Thus, certain agencies (such as the EEOC) are still at risk of shutdown and according to a fact sheet released by the Senate Appropriations Committee staff, more than 420,000 essential government workers would be expected to work without pay if a partial shutdown occurs.

For the healthcare industry, while a spending bill covering the Department of Health and Human Services was approved in September 2018, spending for other government agencies and departments that affect the healthcare industry has not. For example, the Food and Drug Administration would stop pharmaceutical testing; Drug Enforcement Administration agents would have to continue working as essential employees, but would have to wait until after the shutdown to receive a paycheck; and most of the National Science Foundation would close down. More information regarding the impact on healthcare can be found in the Senate Appropriations Committee staff fact sheet.

5 Takeaways on Managing Challenging Physician Employment Situations

What should (or can) you do if a locally recognized “Best Physician” throws a scalpel in the direction of a nurse during surgery? What are a CMO and CNO’s obligations to investigate when he/she learns there is a “situation” between a doctor and a nurse? How do you balance patient safety and compliance with anti-discrimination laws when the medical staff revokes an impaired physician’s privileges?

Jackson Lewis attorneys Tiffany Buckley-Norwood (Detroit), Margaret J. Strange (Hartford) and Mary M. McCudden (Baltimore) discussed these scenarios and more during a two-part webinar series on challenging physician employment situations. The series delves into the unique problems that healthcare organizations face when navigating their obligations under the labyrinth of state and federal employment laws. Here are some key takeaways:

  1. Healthcare institutions are not immune to #MeToo. Claims of sexual harassment can arise out of comments about gender-based stereotypes that sometimes are made by members of the medical staff. When a medical staff addresses these comments and other misconduct, it is important that the medical staff shares this information with those who have a need to know, such as human resources and department chairs.
  2. Additional considerations come into play when situations involve medical residents. The Accreditation Council for Graduate Medical Education Common Program Requirements state that all medical residents must receive an employment contract and that the contract must contain grievance and due process provisions. Residency programs may also have obligations under Title IX in connection with their residency programs in addition to federal and state anti-discrimination laws that apply to non-resident physicians.
  3. Rates of substance abuse among physicians are slightly above the national average. Generally, state law requires physicians to report impaired colleagues to the physician licensing authority. These requirements vary by state. Some states also require healthcare institutions to report impaired physicians. When physicians with a history of substance abuse return to practice after a period of successful treatment and rehabilitation, healthcare institutions also must be aware of anti-discrimination laws protecting recovering addicts, such as the Americans with Disabilities Act. The webinar series includes a discussion of how to respond to suspected drug use.
  4. Nearly one-third of all physicians in the U.S. are over the age of 60. Employed physicians are protected against discrimination by the Americans with Disabilities Act, the Age Discrimination in Employment Act (ADEA), companion state laws, and other anti-discrimination laws. Some courts have also extended protections under federal and state anti-discrimination laws to non-employed physicians. Healthcare entities should, therefore, exercise caution in utilizing age-based rules for mandatory cognitive or competency testing related to employment and medical staff privilege determinations.
  5. A healthcare organization must determine what kind of culture it wants to set. Human Resources and Medical Staff leadership need to work together to Model expected behavior; Message expectations; Manage situations; and Monitor the workplace.

You can view Part 1 and Part 2 of the series online today. To learn more about how the firm can assist healthcare organizations in addressing a challenging physician employment situation, including using Jackson Lewis’ EngageMD resources to coordinate the efforts of the medical staff and human resources, please contact your Jackson Lewis attorney.

Developing Best Practices for Addressing Workplace Violence in the Homecare and Assisted Living Settings

In the wake of a recent uptick in workplace violence-based lawsuits against home care and assisted living providers, lawmakers introduced a bill in the U.S. House of Representatives on November 16th that would require health care and social services providers to write and implement workplace violence prevention plans. If signed into law, H.R. 7141—the Workplace Violence Prevention in Health Care and Social Services Act—would compel OSHA to create and enforce workplace safety standards pertaining to workplace violence.

As we previously reported, the Fifth Circuit recently held that an assisted living facility certified nursing assistant could proceed to trial with her hostile work environment claim stemming from alleged harassment and groping by an elderly patient. These developments serve as reminders that healthcare employers can seize the opportunity to develop best practices for addressing workplace violence in all forms.

Workplace violence is an often-misunderstood term of art. “Violence” often connotes physical acts, and many neglect to think of verbal acts or other behaviors that actually fall within the realm of workplace violence.

In the homecare realm, the patient’s home is a unique environment in which respect for the patient must be paramount. This intimate relationship can also be ripe for misunderstandings. Cultural differences or the patient’s medical conditions, such as dementia or Alzheimer’s disease, can influence what would normally be a benign interaction. Your organization’s employees at every level can learn to navigate these challenges tactfully to avoid potentially negative outcomes. In reality, the accused party could be the patient, the patient’s family member or friend, the caregiver, or any third party who enters the patient’s residence.

The following is a list of tips for addressing an accusation of workplace violence, regardless of the accused or accuser’s role in, or outside of, your organization:

  • Acknowledge that the accuser has raised a concern. Assure the accuser that the company takes all complaints seriously and will investigate the complaint.
  • Inform the accused of the nature of the complaint. Ask for their version of events. Keep an open mind while conducting the investigation.
  • Do not characterize the complaint as founded or unfounded until a full investigation has been completed.
  • If the charges of verbal workplace violence are serious (abusive language or threats of physical harm), and/or the accuser feels afraid for their safety, consider placing the accused on administrative leave with pay pending the outcome of the investigation.
  • Do not retaliate against any accuser or any other individual who participates in good faith in the investigation. Disciplinary or other adverse employment action against an employee who accuses another party of workplace violence or harassment opens the employer up to potential liability if the employee files a complaint with a state, federal or local agency, or a lawsuit in state or federal court.
  • Maintain an Anti-Workplace Violence Policy in your employee handbook. Review this policy at least yearly to ensure compliance with all applicable local, state and federal laws.

To learn more about the firm’s healthcare industry team and specifics about how we can help you, please contact your Jackson Lewis attorney.

Seven Fundamental Elements of an Effective Compliance Program

The American Health Lawyers Association’s Fundamentals of Health Law program held on November 11-13, 2018 in Chicago, Illinois centered on key health law topics and emerging trends in health care. One focus of the program was the need for healthcare organizations to promote a culture of compliance, which includes implementing an effective compliance program.

A compliance program is a formal statement of a healthcare organization’s coordinated, proactive efforts to prevent, detect, respond to, and report violations of laws, government regulations, and ethical rules.

The Office of the Inspector General (OIG) of the Department of Health and Human Services is tasked with combating fraud, waste, and abuse in healthcare. The OIG conducts the majority of healthcare investigations and has the authority to exclude providers from federally funded healthcare programs and to impose civil monetary penalties.

Additionally, the Patient Protection and Affordable Care Act, 42 U.S.C. § 18001, requires healthcare organizations to develop and implement formal compliance programs and provides an overview of the role of compliance in healthcare.

The OIG’s position is that healthcare organizations can reduce fraud, waste, and abuse liability through effective compliance programs. Compliance programs are not “one size fits all” and there is no “gold standard.” The OIG allows and expects an organization to create a compliance program that is tailored to its unique needs. A compliance program must also include the OIG’s seven fundamental elements of an effective compliance program:

  1. Implementing written policies, procedures and standards of conduct. Policies and procedures should promote the organization’s commitment to compliance and address specific areas of risk. As noted in the OIG’s Supplemental Guidance for Hospitals, “[t]he purpose of compliance policies and procedures is to establish brightline rules that help employees carry out their job functions in a manner that ensures compliance with Federal health care program requirements and furthers the mission and objective of the hospital itself.”
  2. Designating a compliance officer and compliance committee. The compliance officer is charged with operating and monitoring the compliance program. The compliance committee should include members of key functions within the organization that can support and advise the compliance officer, such as legal, information technology, and privacy.
  3. Conducting effective training and education. At a minimum, all employees, physicians, and board members should receive training on fraud and abuse laws, as well as the compliance program.
  4. Developing effective lines of communication. Employees must feel comfortable reporting internally, and organizations should have multiple reporting avenues such as the compliance officer and an anonymous hotline. Organizations must also take all reports seriously, and conduct follow-up with the reporting employee. Whistle-blowers often file complaints with the OIG after reporting internally and receiving no follow-up from the compliance officer.
  5. Conducting internal monitoring and auditing. This involves an ongoing process of evaluation and assessment to deter bad behavior and ensure effectiveness of education and corrective action. The compliance program should also monitor compliance with privacy, and provide a risk assessment of potential privacy issues.
  6. Enforcing standards of conduct through well-publicized disciplinary guidelines. Standards of conduct outline an organization’s rules, responsibilities, proper practices, and/or expectations of its employees. Compliance should work with human resources and legal to ensure that the standards and consequences for violations are consistently enforced.
  7. Responding promptly to detected offenses and undertaking corrective action. Failure to ensure timely and effective remedial action for offenses can create additional exposure for the organization.

By implementing and following an effective compliance plan, healthcare organizations can avoid fraud, waste, and abuse liability. Failure to have an effective compliance program may result in:

  • Increased violations.
  • Undetected kickbacks and/or false claims.
  • Evidence of deliberate ignorance of false claims.
  • Entering into a mandated Corporate Integrity Agreement with the OIG.

Healthcare organizations should promote a culture of compliance at all levels inside the organization. Having an effective compliance program is an ongoing process. An effective compliance plan is not a static document, but is proactive, responsive, and changing with the needs of the organization.

Is your e-PHI Secure? ONC and OCR Update HIPAA Security Risk Assessment Tool

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches,” stated ONC and OCR in their joint news release on the updated SRA Tool. Healthcare and non-healthcare organizations are increasingly seeing a similar risk assessment requirement under a growing body of state law, such as in California, Colorado, Massachusetts, New York, and Oregon.

Recognizing that conducting this enterprise-wide risk analysis can be a challenging task, the ONC and OCR developed a downloadable SRA Tool in 2014 to help covered entities and business associates identify risks and vulnerabilities to e-PHI. According to ONC and OCR, the October 2018 update to the SRA Tool improves usability and expands its application to a broader range of health data security risks. Still, the SRA Tool may not be the right fit for small and midsized covered entities and business associates. In fact the HIPAA Security Rule contemplates that covered entities and business associates may use any security measures that reasonably and appropriately implement the standards and implementation specifications. In doing so, they may take into account certain factors about their organization: (i) size, complexity, and capabilities, (ii) technical infrastructure, hardware, and software security capabilities, (iii) costs of security measures, and (iv) probability and criticality of potential risks to electronic protected health information.

Use of the SRA Tool is not required by the HIPAA Security Rule, and its use alone does not mean that an organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. However, it may help organizations in their efforts to comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments. Notably, while the SRA Tool may provide a basic outline for the risk assessment process, it does not provide substantive legal guidance as to how a covered entity or business associate is to navigate between the various standards that are either “required” or simply “addressable.” While completing a risk assessment is a requirement under HIPAA, organizations should seek guidance from legal counsel as to how to complete such an assessment and how to develop and implement appropriate safeguards based on the results of the assessment. Failing to do so could create significant liability for your organization.

Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the OCR. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.

“Doc, mind if I record this?” – Recording Visits Between Patients and Medical Providers

In today’s world, people are accustomed to accessing endless information with their mobile phone. Accessibility to their own conversations regarding their health may not be any different. What happens when a patient wants to use this technology to preserve his or her access to medical information by recording their medical appointment? A recent study by the Dartmouth Institute for Health Policy and Clinical Practice examined patient recordings of clinical encounters and found they are becoming more common. However, like many trends related to advances in technology, such recordings present an array of complex legal issues.

Patients and providers alike can benefit from recording medical visits. Recording visits may reduce patient stress about trying to remember everything said during the visit, leading to more focused exchanges of information between patient and provider. In addition, patients may choose to share recordings of provider visits with other providers and family members involved in their overall medical care. This can result in better comprehensive care for the patient. Healthcare organizations may be able to use visit recordings as part of their quality improvement and training programs. Visit recordings also could lead to more efficient adjudication and resolution of malpractice claims.

Healthcare providers considering allowing patients to record visits or implementing their own visit recording system must weigh the potential benefits discussed above against some possible pitfalls. For example, would recordings dilute the doctor-patient privilege? Might recordings make patients less inclined to be candid in their communications with the provider? Does the presence of recording devices create an undue risk of inadvertent invasion of the privacy of nearby patients? Healthcare providers also may want to consider whether their general patient population is likely to have a negative or a positive view on recording patient visits.

Despite the near ubiquitous presence of mobile phones with recording capability and the myriad issues this raises, the Dartmouth Institute for Health Policy and Clinical Practice study found that very few of even the largest health systems have developed policies to address these issues. Developing policies is important because recording visits raises several legal issues, including state laws on consent to recordings and HIPAA regulations on how recordings are transmitted and stored. Organizations also should consider whether different types of visits and recording media warrant different guidelines. For example, an organization may want to prohibit video recording of physical examinations or prohibit any recording of certain topics. Organizations also may consider posting signs in waiting rooms and hallways prohibiting recording to protect other patients’ privacy. When considering whether to record patient visits, healthcare providers also must determine the impact of privacy laws on their employees, and whether recording visits raises collective bargaining issues.

The healthcare industry should prepare for the growing trend of recording patient visits. It would be prudent for healthcare organizations to consider these complex issues on a systemic basis rather than addressing them on a case-by-case basis. Please contact a Jackson Lewis attorney if you have any questions about these and other legal developments.