Five Opportunities for Operations and Compliance Excellence in 2023
Client Alert
With the holidays behind us and the rest of the year ahead, now is the perfect time to get your operational/compliance house in order! Though your list might be a mile (or an inch) long, here are five places to start.
1. Check your medical records retention and destruction policies to be sure they’re on target.
- Defining the Record.
Do you know what constitutes a patient’s medical record? Depending on your state’s law, the record may include clinical records, administrative and financial data, and even diagnostics. In Ohio, for example, the state Supreme Court has ruled that patient medical records data is not confined to what is kept by a provider’s medical records department. Rather, all data a provider decides to keep that is generated in the process of a patient’s treatment and pertains to medical history, diagnosis, prognosis, or medical condition is a medical record. In that case, the court determined that cardiac rhythm monitoring strips were included in the definition of “medical record”. Know the law in your state so you’re not surprised!
- Keep the Right Stuff for the Right Amount of Time.
Many Federal and State laws dictate the amount of time for which you must retain records. We all know HIPAA requires a covered entity to retain documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. But did you know a 2019 Supreme Court ruling (Cochise Consultancy Inc. v. United States, ex rel. Hunt) means providers may be vulnerable to False Claims Act (FCA) claims for up to 10 years after an alleged violation? As a result, it is a good idea for providers’ medical records retention policies to specify retention of all medical records for at least 10 years to protect against FCA claims. This duration also covers HIPAA. Don’t forget to check your state laws, too! A common example of a state law scenario that requires providers to keep records longer than HIPAA dictates is for minor patients, which frequently ties duration to the age of majority.
2. Make sure your HIPAA policies and procedures are up to date and fully protecting your patients – and you.
- “Regular” HIPAA breaches.
You are no doubt already aware that anytime you suspect a possible HIPAA breach has occurred, you must do a breach analysis. If your analysis reveals that the activity in question meets one of the three exceptions to the definition of “breach”, then you (the covered entity) do not need to complete a risk assessment or provide notice to the affected individual and Secretary of the U.S. Department of Health and Human Services (HHS). If you determine through your analysis that a breach has been committed, you must notify the affected individuals (usually patients) and the Secretary of HHS. If the breach affects fewer than 500 individuals, you can submit notice to the Secretary (via the HHS website) immediately or up to 60 days after the end of the calendar year in which the breach is discovered. This process seems daunting but is actually straightforward and simple – if you keep good records of your breach analysis!
- Complicated scenarios.
Sometimes doing a post-breach analysis requires much less critical thinking than determining on the front end whether disclosing protected health information is permitted. Two scenarios that require a close reading of federal guidance are (1) responding to subpoenas and (2) responding to any request for medical records if you are a “Part 2 provider”. When responding to a subpoena, make sure the facts of the situation at hand meet the specific requirements of HIPAA’s law enforcement exception. If they don’t, you may inadvertently cause a HIPAA breach by improperly releasing information about your patient. Don’t assume lawyers and courts know HIPAA as well as you do! In the case of 42 CFR Part 2 providers, HHS’ Substance Abuse and Mental Health Services Administration’s regulations afford extra protection to substance use disorder patient records. When you receive a request for medical records for substance use disorder services, take the time to understand if you are a Part 2 provider and how those regulations apply to you.
3. Understand the requirements to provide translation services to your patients when needed.
- What the federal laws and regulations require.
Both Title VI of the Civil Rights Act of 1964 and Section 1557 of the Affordable Care Act (ACA) require recipients of Federal financial assistance (e.g., Medicaid, Medicare, Federal grants, etc.) to provide language access services free of charge whenever such services are reasonably necessary to ensure meaningful access to the recipients’ programs. The regulations that implement these laws are wordy, but the federal government provides many resources to help providers understand their responsibilities to persons with limited English proficiency (LEP). These include Guidance to Federal Financial Assistance Recipients Regarding Title VI and the Prohibition Against National Origin Discrimination Affecting LEP (which has a four-factor test to determine “meaningful access”, as well as guidance for a written translation safe harbor) and the Office of Civil Rights’ Five Elements of an Effective Language Assistance Plan. Section 1557 of the ACA sets forth requirements for covered entities to follow, required notices and where/how to post them, and grievance procedures.
- Regulations under fire.
Section 1557 has endured numerous legal challenges, culminating in a July 2022 Notice of Proposed Rule Making that revised previous regulations in important ways. Check out the proposed rule to ensure your organization is compliant!
4. Terminate your relationship with your patients the right way (when necessary) and avoid patient abandonment.
- Defining the provider-patient relationship.
The decision for a provider to terminate its relationship with a patient is never made lightly. On the occasions when patient termination is required, there are a few steps you can take to ensure you’re terminating appropriately and not abandoning your patient. The provider-patient relationship is sometimes defined by state law and is also addressed by medical ethics. Case law holds that a provider-patient relationship begins when a provider agrees to provide treatment to a patient. The American Medical Association’s Code of Medical Ethics Opinion 1.1.1 similarly indicates that the relationship begins when a physician serves a patient’s medical needs. Some courts have held that a provider taking on a patient creates a contractual relationship that continues until the relationship is ended mutually, through dismissal, or until services are no longer needed. One thing is clear – once a provider-patient relationship is established, the provider has a responsibility to that patient until the relationship is terminated.
- Terminating the provider-patient relationship and avoiding claims of abandonment.
When possible, providers should formally terminate the relationship with the patient. Ideally, the provider will provide notice to the patient and also provide the patient with a reasonable opportunity to find substitute care. Sometimes the patient’s insurance company will mandate specific steps the provider must take to terminate the relationship, so pay attention to payor contracts and provider manuals! Always document the reason for and process of termination. Additionally, create and follow your patient termination policy. Sometimes state law and state provider licensing boards maintain requirements for termination. Follow these steps (and more) to avoid accusations of patient abandonment and related liabilities (including licensing board disciplinary action, malpractice claims, breach of payor contracts, and more).
5. Give your patients a Good Faith Estimate of the cost of their services and comply with the Federal No Surprises Act.
- Understand which sections of the No Surprises Act (NSA) apply to you.
Part I of the NSA applies to surprise medical bills for emergency services provided in a hospital emergency department and non-emergency services provided by out-of-network providers at in-network hospitals, outpatient hospital departments, critical access hospitals, and ambulatory surgical centers. Part II of the NSA has much broader applicability. Part II applies to the vast majority of health care providers, even if Part I does not apply.
- Complying with the NSA’s Good Faith Estimate requirement.
Part II of the NSA requires providers to provide to uninsured and self-pay patients good faith estimates of the cost of items and services. It is important to note that the regulations require providers to give the good faith estimate to patients who do not have benefits for an item or service (uninsured) and to patients who have benefits for an item or service but choose to not have a claim submitted to their plan (self-pay). The availability of the good faith estimate must be offered upon scheduling or upon request, and the good faith estimate must include expected charges for the items or services that are reasonably expected to be provided together with the primary item or service, including items or services that may be provided by other providers and facilities (e.g., labs). Your mind is no doubt swimming with questions about application to your own practice. Not to fear! The Centers for Medicare & Medicaid Services has issued numerous FAQ documents on the NSA and the good faith estimate requirement. Check them out!