Why Outsourcing is Healthcare’s Newest Compliance Tool

I recently had the chance to meet with a healthcare organization to discuss the issues facing midsize medical groups. As you might guess, HIPAA compliance made the top ten list.

Here’s what I learned. First, there is general acknowledgement that it takes time to keep current with HIPAA compliance tasks. Second, most administrators (particularly in organizations smaller than a hospital) have added duties of “Compliance Officer” to their already full plate of tasks and finally, compliance officers believe that they do not have the time nor skill sets to meet the objectives of strong privacy and security management.

You can probably see a good news/bad news story developing here! You’re right. Let’s start with the bad news first. HIPAA is not going away and in fact most predict it to follow other regulations (OSHA as an example). Already we are seeing a strengthening of enforcement – read more about  Providence Health & Services loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. http://www.bizjournals.com/portland/stories/2008/07/21/daily9.html

In addition, a Senate bill (called HIPSA) has been introduced to significantly enhance the enforcement of HIPAA, read more at: http://www.bizjournals.com/memphis/stories/2007/10/22/focus4.html?b=1193025600%5E1537387

So what about the good news? Thanks to technology, coupled with experienced compliance specialists, outsourcing a compliance officer may be your newest compliance tool. Here’s how it works – to adequately manage HIPAA compliance, consultants like this author use a comprehensive Web-based program to create, manage and monitor the outsource client. In doing so, it allows the consultant to track all staff, manage polices & procedures and forms, monitor training and conduct a limited number of on-site visits to conduct a periodic gap assessment and report on the client’s compliance status.

The result,  you have a professional compliance officer managing your HIPAA compliance program, reducing administrative costs, increasing ability for the administrator to focus on core business activities and improved compliance excellence.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

Business Associates and HIPAA – The Basics

In the Business Associate Category, we will be discussing issues that surface as organizations develop business relationships with outside agents and vendors. Let’s start with some basics first -

The HIPAA Privacy Rule applies only to covered entities (health plans, healthcare clearinghouses, and certain healthcare organizations). However, most healthcare organizations and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (Business Associates).

The Privacy Rule allows covered entities and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Aside from the obvious users of identifiable health information (hospitals, clinics, nursing homes etc.), others may be referred to as Business Associates (agents and vendors) that also come in contact with identifiable health information. For Business Associates, HIPAA requires hospitals, clinics, insurance companies and others that use agents and vendors to use a Business Associate Agreement. The regulation states –

PART 164—SECURITY AND PRIVACY
(Business associate contracts or other arrangements)

§ 164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements.(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

(C) Report to the covered entity any security incident of which it becomes aware;

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract… for complete regulation click here: http://www.hhs.gov/ocr/AdminSimpRegText.pdf

Watch for future posts on developing issues regarding Business Associates and the clients they serve.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

Long-Term Care: Quality Training on Your Budget!

I recently read an interesting long-term care report on the topic of Driving for Quality in Long-Term Care: A Board of Directors Dashboard.

http://www.oig.hhs.gov/fraud/docs/complianceguidance/Roundtable013007.pdf

The report was the result of roundtable discussion involving 35 long-term care (LTC) professionals and 10 government representatives. The participants represented a wide spectrum of LTC organizations and professionals, including not-for-profit and for-profit organizations, multi-facility and single facility organizations, nationally and locally based organizations, clinicians, administrators, compliance officers, outside and corporate counsel, and monitors involved in OIG quality of care Corporate Integrity Agreements.

Breakout discussion groups were designed around three perspectives on the oversight of quality of care: (1) organizational commitment to quality; (2) processes related to monitoring and improving quality; and (3) outcome measures related to quality.

Some of the tools recommended to assist the board in evaluating these issues included:

  1. Promote Active Questioning by the Board – The board of directors needs to ask questions as to (1) why a quality problem occurred, and (2) what management is doing to fix the problem and to prevent it from happening again. Simply put, board members should not be afraid to ask difficult questions.
  2. Retain an Outside Expertise/Consultant – The board could engage an external expert or consultant to review the organization’s policies, procedures, and processes, as needed.
  3. Monitor Staff Training and Turnover – Lack of staff competency and high staff turnover could indicate that the organization’s processes are not adequate. Staff education should be provided on an ongoing basis due to staff turnovers and to ensure that the organization has trained, updated staff.

Based on my professional experience with long-term care organizations, I viewed the report as practical measures for board and management to effectively address organizational quality.

The idea of retaining outside expertise is another plus for the report, since consultants have the expertise to review organizational policies and procedures and in turn, share their findings and skills with the board and management.

Monitoring staff training and turnover caught my attention, since all too often training lacks the prioritization of other LTC business functions, yet training is the basis for quality care. To put training in perspective, imagine pilots, physicians or accountants lacking training or continuing education. Then apply that same concept to those who deal 24/7 with our loved ones.

The “Challenges and Opportunities” breakout group discussions related to broader issues of board of director involvement with quality of care and the use of a Quality of Care Dashboard. One of the challenges and opportunities suggested,  “Quality and financial data are interwoven. When a facility is having cash flow problems, the quality of care delivered may suffer. Similarly, care will suffer when there are insufficient funds for training, education, and staffing. Money and quality are two sides of the same coin. When board members are effectively monitoring the quality indicators at a facility, they will also be learning valuable information about the financial health of the entity” (emphasis added).

Bottom Line.
While it’s true that quality and financial data are generally interwoven, I see the opportunity for LTC board and management to engage consultants that are willing to partner in the goal of achieving quality, despite a tight budget – and that of course is the challenge.

Consultants can help to deliver compliance tools using Web-based programs that unify all locations and standardize such things as HIPAA policies & procedures, forms, required logs, reports, training and more.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us