by Cheryl Coon
This article was originally published in the May/June issue of the Tarrant County Physician. You can find the full magazine here.
As we start a new year, health care providers should consider a compliance check. Health care laws change, new regulations are promulgated, and advisory opinions1 are issued on a frequent basis. Healthcare policies and procedures need to be reviewed to make sure they are up to date, and organizations may need to undertake certain necessary actions, e.g., updating their HIPAA security policy. Compliance checks are ideally performed at least once a year.
In the past year, for example, the federal Stark anti-referral regulations were amended.2 The Stark amendments made significant changes to the rules, including revising the definitions of “fair market value” and “commercial reasonableness.” In addition, amendments to the HIPAA regulations have been proposed,3 and the Office of the National Coordinator for Health Information Technology (ONC) finalized rules for electronic records that include provisions relating to patients’ access to their medical records.4
For a compliance review, HIPAA issues to consider include, but are not limited to:
- Review employee training to confirm it is up to date, including necessary or desirable written documentation;5
- Review Notice of Privacy Practices provided to patients – is everything current; do new areas need to be added or sections deleted? Are the explanations of possible uses of patient data correct?
- Review the security risk assessment, particularly given the increase in cyberattacks. Review any changes to technology, new equipment such as computers or servers, new software, and what third parties and employees have access to medical records. Has your location changed? Is your security contingency plan still accurate?
- Review to verify patient access to their records complies with the new ONC rules and HIPAA;
- Determine if there are new business associates to add, business associates that need to be deleted, or agreements amended;
- Verify that the named HIPAA privacy and/or security officer is still in that position;
- Review the breach reporting policy and make necessary or desirable changes;
- Determine if any third-party agreements or business associate agreements have been revised or added, and, if so, whether the agreements in writing include any amendments;
- Assess compliance with state privacy/medical record laws, which often have different provisions than HIPAA.6
In other areas, things to consider include, but are not limited to:
- Perform an inventory of third party agreements and verify, for new or amended relationships, as applicable, that an appropriate Stark referral analysis was performed and is up to date and that an anti-kickback analysis also was performed and is up to date, i.e., is remuneration fair market value?7
- Update policies and practices to conform to the new Stark rules and any other applicable new or amended federal and state laws;
- Review continued compliance with any safe harbors relied on under the Stark rules and/or anti-kickback rules, if applicable, e.g., equipment or real estate leases, personnel service and/or management agreements;8
- Confirm employee background checks are up to date;
- Confirm federal health care exclusion screening is up to date;
- Confirm licensed employees have completed continuing education requirements and any other conditions to maintain licensure;
- Inventory leases and any amendments and make sure appropriate documentation is in place, including, if applicable, a fair market value analysis;
- Verify record retention policies still comply with current laws and that the procedures are being followed;
- Consider whether an audit of the use of appropriate billing codes is necessary;
- Verify required licenses are up to date for personnel and any equipment;
- Verify compliance with federal and state telehealth laws, if applicable, including any provisions related to COVID-19;
- Verify that patient record request policies are up to date and that personnel are complying with the policies;
- Verify appropriate due diligence is being performed for applicable laws when new vendors or contractors are engaged.
Your organization should also consult in-house or outside counsel to verify any changes to federal and state laws before beginning the compliance review process. Furthermore, there is value in engaging an attorney and seeking legal advice on the review in order to invoke the attorney-client privilege where possible. The privilege will not protect all documents or all communications, but it provides significant protection during the process for covered communications.9
Again, this “list” is not comprehensive, particularly given the plethora of health care laws that could apply and the complexity of such laws. As an example, this list does not focus on Medicare or Medicaid compliance. Nonetheless, it should provide a reminder of the key areas to cover when conducting a general healthcare compliance check.
1. This article is not intended to be a comprehensive summary of all final or proposed changes to federal and state health laws and regulations. Additionally, given the many types of healthcare providers, the article does not address all possible federal and state laws but is intended to provide an example of the type of questions they should ask.
2. See, e.g., OIG Advisory Opinion No. 20-08 (Dec. 20, 2020) (regarding a federally qualified health center’s proposal to offer gift cards to incentivize certain pediatric patients to attend rescheduled preventive and early intervention care appointments).
3. 85 Fed. Reg. 77,492 (Dec. 20, 2020).
4. See 85 Fed. Reg. 6,446 (Jan. 21, 2021). The proposed changes largely relate to the new ONC rules regarding access to patient records.
5. See 85 Fed. Reg. 25,642 (May 1, 2020).
6. According to many experts, training should be performed at least annually.
7. For example, the Texas Medical Record Privacy Act has a much broader definition of “covered entity” than HIPAA, being any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information and including any person who obtains or stores protected health information. See also 15 Tex. Admin. Code § 390.2 which lists various statutes that could be applicable to Texas covered entities.
8. The definitions of “fair market value” and “commercial reasonableness” have changed under the new Stark rules that were effective January 19, 2021 (with limited exceptions).
9. The new Stark rules also made changes in these areas.
10. Generally, the elements of attorney-client privilege are: (1) the person asserting the privilege must be a client or someone attempting to establish a relationship as a client; (2) the person with whom the client communicated must be an attorney and acting in the capacity as an attorney at the time of the communication; (3) the communication must be between the attorney and client exclusively; (4) the communication must be for the purpose of securing a legal opinion, legal services, or assistance in some legal proceeding, and not for the purpose of committing a crime or fraud; and (5) the privilege may be claimed or waived by the client only.