Tag Archive for: Mary Holloway Richard

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses how safeguarding patients’ electronic health information is an employment matter and how companies can enact HIPAA rules with their employees.

Q: In preparation for an employee or other members of a health care company’s workforce quitting, what preventive steps can be taken to ensure that patients’ health information is protected?

A: Two particular measures are critical to health care providers, in their role as employers, to protect the private patient information. Those are preparation and training. First, advance preparation is essential. Administrative, technical and physical safeguards are mandated by HIPAA (the Health Insurance Portability and Accountability Act) and its amendments, and just as we recommend with regard to all types of health care compliance and regulations, a compliance plan should be in place to provide security for protected health information electronically maintained. The person responsible for a health care practice or company’s IT should perform periodic risk assessments, and sufficient access termination procedures should also be in place. Second, an important part of prevention is proper training. Just as we recommend preparation to respond to identity theft, employers must identify the individuals responsible for safeguarding electronically maintained protected health information and responding to a breach, and provide them with appropriate training. Since health care is such a labor-intensive industry, a high rate of personnel turnover requires proportionate re-training and monitoring of employees regarding compliance with privacy and other regulatory requirements.

Q: You mentioned termination procedures — what procedures provide effective deterrents to unauthorized use or access to electronically maintained protected health information in such situations?

A: As a part of an overall separation procedure, there are some critical checkpoints along the way. Health care providers/employers are advised to standardize the process and create a checklist of steps to be taken when an individual leaves. Document that these steps have been taken, including the return of any company equipment. Next, if the company or practice is large enough to have departments, it is important to quickly alert the department or staff members responsible for changing access to electronically maintained protected health information, deactivating or deleting user accounts and monitoring access. Also, after these and other important steps are carried out, I recommend a post-termination audit to verify that all necessary steps to cut off access to electronically maintained protected health information have been taken.

Q: What steps must be taken to terminate access to electronically maintained protected health information?

A: Such steps, in addition to terminating user accounts and reclaiming computers, laptops, iPads and cellphones, should include terminating access to the physical space, which may require changing locks, access codes, and authorized individuals lists. Obviously, keys, fobs, ID badges, card keys and other items by which the former employee gained access to the physician space must be reclaimed or reprogrammed so that access by the former employee or other former member of your company’s workforce to secure areas with electronically maintained protected health information is no longer possible. For all former employees, and particularly for those with remote access, deactivation of any remote accounts and accessibility should reach all levels of access so that portals, web access and email services are no longer accessible.

 

Published: 5/9/18; by Paula Burkes
Original article: http://newsok.com/for-health-care-providers-safeguarding-patients-electronic-health-information-is-also-an-employment-matter/article/5593919
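
The post-termination audit recommended in the interview above can be run as a reconciliation between HR separation records and account exports from each system. The sketch below is an added example, not part of the original article; the system names, usernames, timestamps and the list of required systems are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR separation times and per-system account exports.
SEPARATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 3, 4, 12, 0),
}
ACCOUNTS = [  # (system, username, enabled, last_login or None)
    ("directory", "jdoe", False, datetime(2024, 3, 1, 9, 12)),
    ("vpn", "jdoe", True, datetime(2024, 3, 2, 23, 40)),
    ("email", "JDoe", False, datetime(2024, 3, 1, 16, 55)),
    ("ehr_portal", "asmith", True, None),
    ("email", "asmith", False, datetime(2024, 3, 4, 13, 30)),
    ("directory", "bnguyen", True, datetime(2024, 3, 5, 8, 0)),
]
# Hypothetical list of systems the checklist says must be closed for every leaver.
REQUIRED_SYSTEMS = {"directory", "vpn", "email", "ehr_portal"}


def audit(separations, accounts, required_systems):
    """Return sorted (user, system, finding) tuples for separated workforce members."""
    findings = []
    seen = {user: set() for user in separations}
    for system, username, enabled, last_login in accounts:
        user = username.strip().lower()  # exports differ in case and padding
        if user not in separations:
            continue  # still employed; out of scope for this audit
        seen[user].add(system)
        if enabled:
            findings.append((user, system, "STILL_ENABLED"))
        if last_login is not None and last_login > separations[user]:
            findings.append((user, system, "LOGIN_AFTER_SEPARATION"))
    # No export row means the audit cannot confirm that access was cut off.
    for user, systems in seen.items():
        for system in required_systems - systems:
            findings.append((user, system, "NOT_VERIFIED"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, finding in audit(SEPARATIONS, ACCOUNTS, REQUIRED_SYSTEMS):
        print(f"{user:8} {system:11} {finding}")
```

A login recorded after the separation time on an already disabled account is still reported, since it shows access was used before the account was closed.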

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses Oklahoma’s Certificate of Need laws with the Daily Oklahoman newspaper.

Q: What are Certificate of Need (CON) laws and what is the status of CON in Oklahoma?

A: The history of CON laws is an interesting one. Federal law required CON for facilities that received federal funds to construct facilities. By 1978, unique CON statutes were passed in 36 states. Although the federal mandate was repealed in 1987, many states still have CON laws in place. The CON system was intended by Congress as one mechanism for controlling healthcare costs by controlling development. The idea was that unnecessary beds or services would drive up the costs and miss system efficiencies and economies of scale. Development was broadly defined to include activities ranging from new development, acquisitions, mergers, management agreements, leases, stock purchases and changes in ownership via foreclosure. The Oklahoma legislature repealed CON laws in all areas except for psychiatric and chemical dependency services and long-term care.

Q: What are the current requirements for developing long-term care and behavioral health services in Oklahoma under these statutory schemes?

A: For long-term care, the Oklahoma law provides for the development of long-term care services in a “ … planned orderly economical manner consistent with and appropriate to services needed by people in various (parts of Oklahoma) ….” Development must match or reflect the need demonstrated in the CON application as evaluated by the state Department of Health. The statutes also enumerate the powers of the Department of Health with regard to long-term care facilities and services. The law applies to long-term care facilities including nursing homes, specialized facilities such as long-term acute care and skilled nursing facilities and the nursing component of continuity of care and life care communities. For psychiatric and chemical dependency service facilities, the process is outlined in the statutes and includes application requirements, findings by the state Board of Health, providing bases for the board’s decision, the opportunity for appeal of the board’s decision and an explanation of potential penalties for failure to comply.

Q: Some writers and consultants in the healthcare industry contend that these laws no longer serve the purposes for which they were created by legislatures or fail to achieve the ostensible objectives. Is this fair criticism?

A: All segments of the healthcare industry are highly regulated. There is a good argument to be made that business decisions in the healthcare space are guided by reimbursement, the impact of effectiveness and outcome metrics, and classic business principles such as market share and that, while the original ideas supporting the CON effort may have been sound, the system now provides an additional hurdle and expenses in two areas of significant needs in our state — services to the elderly and others requiring long-term care and to those suffering from behavioral health diagnoses. More specifically, Oklahoma’s CON rules apply only to hospitals so that development for treatment facilities not considered “hospitals” by the Oklahoma Department of Health is not covered by the CON procedures and limitations. The result is that addiction treatment facilities providing services, including beds, only require the approval of the Oklahoma Department of Mental Health and Substance Abuse Services, which does not have its own CON process and can be developed without hindrance.

Q: Is there interest among Oklahoma lawmakers to repeal the last vestiges of CON law in Oklahoma?

A: Although this issue has come up in the last several years, it has not been successful. No such legislation was proposed in the first regular session of this legislative term, which ended in May. In terms of the status of CON laws in the nation, as of 2016, 14 states had discontinued their certificate of need requirements and 34 continued with some remnant of the CON system.

Published: 10/12/17; by Paula Burkes
Original article: http://newsok.com/qa-with-mary-holloway-richard-certificate-of-need-laws-can-bridle-behavioral-other-care/article/5567643

Q: In 2016 the federal government paid out $60 million in “improper payments” to Medicare and Medicare Advantage plans. What are improper payments?

A: The prohibition against improper payments applies to Medicare and to the Medicare Advantage plans which stand in the place of Parts A and B but offer more choices to patients in the private insurance market. Most are HMOs, PPOs, and private fee-for-service plans. “Improper payments” refers to both underpayments and overpayments. The most common payment problems are traced to insufficient documentation of the care provided. Other problems are no documentation, failure to establish medical necessity and incorrect coding. Regulators tell us that the objective is to understand the ordering practitioner’s reasoning in evaluating and diagnosing a patient, in considering the alternative course of action and in selecting a specific treatment plan with the patient. Just as physicians have been trained to document robust informed consent, they are now being called upon to document their thought processes as a way of demonstrating the legitimacy of the treatment.

Q: What action can the federal government take once an improper payment has been identified by the Center for Medicare and Medicaid Services (CMS)?

A: The CMS is part of the Department of Health and Human Services and it has an investigative arm known as the Office of the Inspector General (OIG), which is the most robust of all federal agencies’ legal and investigative arms. The OIG can investigate a provider and refer the matter to the Department of Justice to bring a criminal or civil action against the provider that can result in repayments, penalties, and even incarceration. Such actions also ultimately can result in exclusion from federal payment programs and even loss of the provider’s clinical license to practice. A demand for repayment can be based on an extrapolation of a statistical sample of a provider’s claims submission and payment history.

Q: How can providers avoid making claims that result in improper payments? Are there certain kinds of providers who are at the greatest risk for coding errors?

A: In the face of this regulatory environment, providers would do well to engage in periodic preventive spot audits of their medical records documentation, coding and billing activity. Billing regulations are increasingly complex and require advanced training not only of the practitioner but also of his or her staff, billing company and supporting professionals such as accountants and attorneys. Continuing education, coding seminars and the like are the order of the day for persons with these responsibilities.

Q: What’s the potential impact of these billing errors on patients and on providers?

A: Improper documentation can be a result of mistakes, faulty documentation or fraud. Some documentation shortcomings can be traced back to the provider’s original training or education. Others relate to the electronic records formatting, which some experts argue fosters copying responses rather than creating medical record entries for each patient. Ideally, eliminating unnecessary claims benefits the health care system financially and so ultimately benefits the patient. However, in my experience, “false claims” often represent a failure on the business side of a medical practice or facility operations in a situation where quality services were actually performed. But once characterized as an overpayment, the amount paid by the Medicare contractor must be returned despite the fact that quality services were provided.

From NewsOK / by Paula Burkes
Published: September 29, 2017
Click to see full story – Feds paid $60 million in ‘improper’ Medicare payments last year

The Best Lawyers in America 2018

  • Mary Holloway Richard – Health Care Law

From NewsOK / by Paula Burkes
Published: April 12, 2017
Click to see full story – FBI warns against doctors, dentists using ‘anonymous mode’ computer servers

Q: What attention has the FBI recently given to protect Protected Health Information (“PHI”) from cyber criminals?

A: Under a “Private Industry Notification” dated March 22, the FBI’s Cyber Division has provided guidance that’s applicable specifically to medical and dental providers and focuses on protection of sensitive, identifiable health information.

Q: What does the notice specifically recommend?

A: The notification recommends these health care providers request that their IT services personnel take steps to further secure the information from cyber threats by checking networks for File Transfer Protocol (“FTP”) servers running in anonymous mode. FTPs routinely are used to transport information between network hosts. This is the case, for example, when a covered entity such as a hospital or group practice transfers information to a business associate, such as a billing company or a third-party payer, for the purpose of submitting claims for services provided.

Q: What does “anonymous mode” mean and what threat does it represent?

A: “Anonymous mode” refers to the situation where an FTP server is structured to permit users who are anonymous, doesn’t require a password to enter, and accepts common user names such as “anonymous” or “FTP.” The danger is that, in such circumstances, sensitive patient information stored on a server could be accessed with little or no security.

Q: Why does the FBI guidance focus specifically on health care?

A: Research conducted at the University of Michigan in 2015 resulted in a finding that more than one million FTP servers would allow such access. According to the FBI, some computer security researchers seek servers in anonymous mode as part of legitimate research, but others make such connections to facilitate nefarious activities such as launching cyber attacks, hacking, blackmailing, harassing and intimidating business owners. It’s the FBI’s purpose in issuing this new guidance both to make health care businesses aware of the risks represented in their IT systems and to shore up weaknesses that pose cyber security risks. In addition to the precautions urged in the notice, the FBI has previously urged companies to buy and implement ransomware.

Q: Should additional actions be taken by medical and dental health care entities to provide additional protections against cyber crime?

A: The FBI encourages medical and dental health care entities to report suspicious or criminal activity to the local FBI field office (locate via www.fbi.gov/contact-us/field) or the FBI’s 24/7 Cyber Watch, CyWatch 855-292-3937 or CyWatch@ic.fbi.gov. Submitted reports must include available information regarding the date, time, location, type of activity, number of people and type of equipment used for the activity, the name and contact person for the entity submitting the report. Victim complaints can be filed with the Internet Crime Complaint Center at www.ic3.gov.
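
For IT staff acting on the recommendation to check for FTP servers in anonymous mode, one host-side check is to audit the server's configuration file. The sketch below is an added example, not part of the original article or the FBI notice; it assumes the server is vsftpd (the article names no product), uses vsftpd's own option names, and runs against constructed sample configurations.

```python
# vsftpd's built-in defaults for the options checked here, per vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": True,   # anonymous login is ON unless explicitly disabled
    "no_anon_password": False,
    "write_enable": False,
    "anon_upload_enable": False,
    "anon_mkdir_write_enable": False,
}

# Constructed sample configurations.
CONFIG_IMPLICIT = "listen=YES\nlocal_enable=YES\n"  # never mentions anonymous_enable
CONFIG_OPEN = ("anonymous_enable=YES\nno_anon_password=YES\n"
               "write_enable=YES\nanon_upload_enable=YES\n")
CONFIG_HARDENED = ("# PHI transfer host\nanonymous_enable=NO\n"
                   "local_enable=YES\nwrite_enable=YES\n")


def parse_vsftpd(text):
    """Apply option=value lines in order on top of the defaults; later lines win."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = value.strip().upper() in ("YES", "TRUE", "1")
    return settings


def audit_anonymous(text):
    """Return findings describing how far anonymous access reaches."""
    s = parse_vsftpd(text)
    if not s["anonymous_enable"]:
        return []
    findings = ["anonymous login accepted for user 'ftp' or 'anonymous'"]
    if s["no_anon_password"]:
        findings.append("anonymous login skips the password prompt")
    # Anonymous write options only take effect when write_enable is also set.
    if s["write_enable"] and (s["anon_upload_enable"] or s["anon_mkdir_write_enable"]):
        findings.append("anonymous users can write to the server")
    return findings


if __name__ == "__main__":
    for name in ("CONFIG_IMPLICIT", "CONFIG_OPEN", "CONFIG_HARDENED"):
        print(name, audit_anonymous(globals()[name]) or "no anonymous access")
```

The first sample is the case most easily missed in a review: a file that never mentions `anonymous_enable` still allows anonymous login, because that is the built-in default.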