You Received a Letter from OCR, Now What?

At some point in time most group practices, hospitals or other provider organizations will receive a letter from the Office for Civil Rights (“OCR”). The letter will state that OCR received a complaint from a patient, employee or some other party with knowledge or information as to alleged acts at the healthcare organization. The letter will further state that the complaint alleges the organization is not in compliance with some aspect of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, or some combination of those rules.

An initial response may well be panic because no organization wants to face an investigation by a government agency. Further, any hint that HIPAA could have been violated may conjure fears of becoming the next headline of an organization paying a major fine. After taking a moment to be panicked or worried, an organization should then get down to the business of responding to the letter. This process does not need to be scary and some foreknowledge and planning make it a lot more manageable.

For organizations that have not received an OCR letter or for those that have and need a refresher, this post will walk through the contents of a letter and some considerations for responding.

The first thing to note about an investigatory letter from the OCR is that it is a form document. There will not be much variation from one letter to the next other than identification of the recipient organization, the name of the complainant (if not anonymous), and possibly the nature of the complaint. Since the letter is a form, there is a lot of language explaining what HIPAA is, OCR’s responsibility for enforcing HIPAA, and a statement of the basis of OCR’s authority. The first statement that will likely catch an organization’s attention is the time in which a response must be provided. That time is 14 days following the organization’s receipt of the letter.

The 14-day period can and will fly by very quickly. The burden of responding will depend upon the type of violation, since the type of violation will drive the scope of documents requested. However, the 14-day period is also not locked in stone. In many instances, OCR is willing to provide organizations additional time to respond. However, an extension can never be assumed or self-determined. Instead, organizations are well advised to reach out to the investigator or other designated official from OCR. Contacting and establishing a relationship with the OCR representative is helpful for many reasons. Opening a dialogue will demonstrate to the OCR representative that the organization takes the letter seriously and is addressing the issues raised. Additionally, during a conversation, insight into the background of the complaint may be gained and an opportunity may exist to narrow the scope of the document request. All of these potential benefits are good because OCR should know what an organization is doing. Most importantly, the request for a response extension should be presented.

When asking for an extension, an organization should be reasonable and understand that asking for months to submit documents is unlikely to be accepted. Instead, make a reasonable assessment of how long it will take to gather the requested documents and be honest with the OCR representative. If an extension is granted, remain in contact with the OCR representative, which can help head off any problems in the event more time becomes necessary.

The second primary component of the letter is the actual document or data request. The request will specify the exact information that OCR wants to receive from the organization. The request could be focused upon a certain subset of policies and procedures that pertain to the nature of the complaint or could be as broad as the full scope of the organization’s HIPAA policies and procedures. No matter the exact scope, it is essential to carefully parse through the request and understand exactly what is being sought.

However, what happens if an organization does not have all of the requested documents or policies? Such a discovery offers an opportunity for the organization to address the issue and implement a change or update. Ignoring the discovery is not advisable.

Preparing and submitting the actual response is the next step. An organization should not merely dump documents on OCR. To the contrary, an organization should take the response as an opportunity to prepare a written statement (which may be called for anyway by the request) and paint a picture for OCR. An organization should create the opportunity to take hold of the narrative and provide background to OCR as to what happens within the organization. While any written response should always be grounded in reality, there is the chance to frame actions in a certain way. For example, the written response could reveal that a particular document was not available prior to the response, but explaining the immediate action taken to fill in the gap shows that the organization is taking remedial action without needing a specific prompt from OCR.

The hardest part of the investigatory letter will be waiting once a response is submitted. OCR could simply resolve the complaint by finding that no non-compliance occurred, resolve through background resolution, seek more information, or find that a serious issue exists. Regardless of the outcome, being prepared ahead of time is essential and will help to reduce the fear and consternation that arise when any letter from OCR arrives in the mail.


Reflections from HIMSS18

Every year the HIMSS Annual Conference generates a tremendous amount of opportunity, promise, hype and more. While many pronouncements are usually made at the conference, the question always arises what will stick following the conference. From that perspective, a few recurring themes from conversations at the conference stuck out in my mind.

The focus of my trips to HIMSS in 2016 and 2017 was privacy and security, but that changed this year. While I still had a number of privacy and security focused discussions, I also wanted to learn more about what is happening on the value based care front. With that in mind, I met with a number of individuals in the space or others who are considering how to develop tools to assist value based care.

One conversation was with Tom Bizzaro from First Databank. With Tom, the discussion focused more on the health policy side of the equation. Namely, what is or can be done by Congress and/or regulators within the Centers for Medicare and Medicaid Services. That conversation led down the path of determining that not much hope necessarily can be placed in those institutions. Since the beginning of 2017, the pace of pushing into value based care through Medicare has been slowing down. The BPCI Advanced model may be a glimmer of hope, but any benefit remains to be seen until participants are actually in the program, which will not be for a fair amount of time. In what would become a recurring theme across a number of conversations, the issue of a unique patient identifier came up. The argument runs that without a unique identifier, many questions arise as to the accuracy and reliability of data about an individual. Even in closed systems, such as Kaiser in California, misalignment and other issues arise with data. If that happens in a closed system, how can the larger healthcare ecosystem be trusted to attach the right data to the right person?

From a policy perspective, the issue is not really a desire for the government to have to develop the patient identifier so much as to remove the barriers to doing so. A unique patient identifier has long been contemplated under federal law, but policy blocks any attempt to actually begin or otherwise pursue development. Following that point, Tom then brought up the not too long ago CHIME-led challenge on the unique patient identifier front. Many may remember the seemingly abrupt notification that the challenge was canceled without much detail provided as to why. The announcement becomes even more puzzling in light of Tom’s information that a winner was expected to be announced within 6 or 8 weeks from the time the challenge was ended. Why? That is the open question on that front. Looping back to the value based care front, as already suggested, the patient identifier can help validate information, which is needed to establish a full continuum of care.

The unique patient identifier concept also factored into my discussion of value based care with Lidia Fonseca from Quest Quanum. Lidia also identified the need to have reliable data that follows a patient. Quest is in a somewhat different position in this regard from other entities because it interacts with so many patients, providers, and payors. It may be one of a handful of companies with such a diverse array of touchpoints that are always being accessed. Diving more into the value based care realm, Lidia hammered the need to focus on all of the sides that form healthcare (the patient, provider, and payor trifecta) and enable each side to access the information that it wants and/or needs. Examples of such information include transparency around cost for patients, ease of accessing and ordering services for providers by making tools fit seamlessly into workflows, and having claims and service information available and flowing between providers and payors. Combining those elements goes to shifting the focus of the healthcare industry from reacting to events to proactively trying to keep individuals healthy and ostensibly outside the walls of a traditional healthcare provider.

Discussion of shifting the underlying premise of the healthcare industry turned to also rethinking the design and purpose of the new technological tools being used. Lidia suggested that the electronic medical record, a common focal point for complaints, was not designed to support a value based care approach. The functional design of many EMRs was to support the creation of a medico-legal record and/or support billing. While some may disagree with the assertions, there is a fair amount of accuracy in the description. The accuracy is supported by the desire of some major EMR vendors to no longer be called “EMR vendors,” but instead to be thought of as a centralized workflow tool that brings all data points and separate pieces of the healthcare system together. If that end can be achieved, then maybe the technological tools will be in place to meaningfully support and drive value based care.

Coming around to design, Lidia’s description of her preferred role as a change agent struck me. Lidia described her role in many organizations as being the person to shake up operations and redesign old systems. She referenced design thinking, which takes empathy as a first step in creating tools. It is hard to argue with the suggestion to bring empathy into the process of recreating the EMR or even coming up with completely new tools. Regardless of the approach, the basic message was one of needing to embrace change and push to make it happen.

A third conversation that focused on value based care was with Mason Beard from Philips Wellcentive. Mason described a long-standing role in the realm of trying to drive value and meaning from data as well as shifting the manner in which care is delivered. Mason referenced the genesis of those efforts coming from Michigan in the early 2000s as well as the alternative quality contracts of Blue Cross in Massachusetts. Those designs are arguably among the more recent forerunners of current value based care paradigms. The discussion with Mason focused on the need for creating new frameworks around relationships and not accepting the status quo. Examples of driving this change could include establishing new terms for arrangements between payors and providers and even potentially shifting solely to more direct relationships between employers and providers.

One more conversation bearing on value based care was with Carina Edwards from Imprivata. The conversation actually indirectly turned to value based care, but did loop the themes back around to the need for a patient identifier and seamless workflow between systems. Carina referenced the ability to pre-identify individuals before entering the healthcare system and then to validate their identity once the patient presents. If identity can be verified right from the start, such a scenario naturally fits into a value based care world because it enhances the continuum.

The rundown above focuses only on pre-scheduled meetings. The number of informal and/or impromptu discussions about value based care are too numerous to fully capture. However, the ideas that were the subject of those discussions aligned with the concepts discussed with Tom, Lidia, Mason, and Carina. The system must continue to change and that recognition is there.

The final thought from HIMSS at this point is to offer another means of thanks to Regina Holliday. After much delay on my part, I finally became a member of The Walking Gallery and received my jacket from Regina. The message of my jacket is that as a healthcare lawyer, I want to break down barriers that may be constructed by participants in the healthcare industry through a misunderstanding or misapplication of laws and regulations impacting healthcare. Innovation is possible and even encouraged by those laws and regulations. While the path may not be the one considered at first, there is a path and I want to educate others on the means of finding that path and/or serve as a guide.

Coming back to my initial statement, the mood during HIMSS is one of optimism and energy. It is hard to sustain those feelings throughout and across years. However, all must remember that the goal is to create a better system that results in better quality and respects everyone attached to the healthcare system.


Monthly Data Breach Roundup: Hacking and Insiders in the Lead

The Breach Barometer published monthly through the joint effort of Protenus and provides a fair amount of insight into data breach happenings. As noted in the report, the findings are based upon information obtained through searching records and releases, not just looking at reports filed with the HHS Office for Civil Rights (“OCR”). By expanding beyond just OCR, the findings provide more insight than would otherwise be readily available.

Continuing the trend from last year, January 2018 saw an average of more than a breach per day. January saw a total of 37 breaches. As usual, hacking incidents and insider issues were the leading causes of the breaches.

Just considering the source of the breach does not tell the whole story though. As noted in the Breach Barometer, while January saw 12 insider incidents, those incidents only impacted 6,805 records, at least according to available figures. While the number of records that insiders accessed may not have been all that great, the fact that insiders are still inappropriately accessing information is troubling. One breach took over a year to detect and that individual reviewed a significant amount of personal information. That incident saw 1,309 records accessed over the course of 15 months. While that amounts to roughly 87 records per month, auditing may have been able to detect such activity. More tools are available in the marketplace to automate at least a portion of the review. Given the increasing availability of tools, why are more organizations not taking advantage? Can an argument be made that not using such a tool constitutes insufficient security practices? While that argument may not apply today, the story could be different in the very near future. Regardless of the technology that may be available now, organizations should not be ignoring insider risks.
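As an added illustration (not from the post or from the Breach Barometer), here is the kind of automated audit review the paragraph has in mind: over constructed access-audit lines, count the distinct patient charts each user opens per month and flag any user who, for several months running, opens far more than their peers. The log layout, user names and thresholds are assumptions, chosen to mirror a sustained pattern of a few dozen extra records a month.

```python
from collections import defaultdict
from statistics import median

# Constructed EHR access-audit lines (timestamp, user, patient, action);
# the column layout is an assumption, real vendor exports differ.
SAMPLE_AUDIT_LOG = """\
2017-10-03T09:12:41 jdoe P10021 VIEW
2017-10-03T09:15:02 jdoe P10022 VIEW
2017-10-09T14:02:55 jdoe P10023 VIEW
2017-10-04T11:40:19 asmith P10021 VIEW
2017-10-06T13:00:00 bchen P10032 VIEW
2017-11-02T08:55:10 jdoe P10024 VIEW
2017-11-02T08:57:33 jdoe P10025 VIEW
2017-11-02T09:01:07 jdoe P10026 VIEW
2017-11-15T16:20:44 asmith P10027 VIEW
2017-11-16T13:00:00 bchen P10033 VIEW
2017-12-01T10:10:10 jdoe P10028 VIEW
2017-12-01T10:11:10 jdoe P10029 VIEW
2017-12-01T10:12:10 jdoe P10030 VIEW
2017-12-01T10:13:10 jdoe P10031 VIEW
2017-12-05T13:00:00 asmith P10034 VIEW
2017-12-06T13:00:00 bchen P10035 VIEW
2017-12-06T13:05:00 bchen P10036 VIEW
"""

def monthly_distinct_patients(log_text):
    """Return {user: {YYYY-MM: number of distinct patients viewed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.strip().splitlines():
        ts, user, patient, _action = line.split()
        seen[user][ts[:7]].add(patient)   # ts[:7] is the YYYY-MM bucket
    return {u: {m: len(p) for m, p in months.items()} for u, months in seen.items()}

def flag_sustained_outliers(counts, min_months=3, ratio=2.0):
    """Flag users who, in at least min_months months, viewed more than
    `ratio` times the median of their peers' distinct-patient counts."""
    by_month = defaultdict(dict)
    for user, months in counts.items():
        for month, n in months.items():
            by_month[month][user] = n
    hits = defaultdict(list)
    for month, users in by_month.items():
        for user, n in users.items():
            peers = [v for u, v in users.items() if u != user]
            if peers and n > ratio * median(peers):
                hits[user].append(month)
    return {u: sorted(m) for u, m in hits.items() if len(m) >= min_months}
```

Peer comparison per month avoids a fixed threshold that would need re-tuning for each role or department; in practice the baseline should be built per role and the flagged months handed to a privacy officer for review.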

As noted, the second leading cause of January data breaches was hacking. Hacking accounted for 11 of the incidents and impacted 393,766 records. That total was over 80% of the records impacted in January. The causes of the hacks included phishing, ransomware and malware. Those causes do not present any surprises. Instead, the causes emphasize the fact that healthcare remains under attack and no relief is in sight. The high number of records is also consistent with previous reports since a hacking incident can easily spread across an entire system or eat up large chunks of data.

As with many previous versions of the Breach Barometer, the January report shows a lot of work remains to be done. No organization can feel secure and ongoing efforts are essential. While it is unrealistic to expect that a month will ever be breach-free, more can be done to reduce the frequency to less than a breach per day. Upping security and being aware of requirements are key, and failure to do so could lead to the next HIPAA settlement headline.
