Healthcare Compliance News

New Compliance Requirements for Florida Hospitals with Emergency Departments

Florida Governor Ron DeSantis has signed the “Live Healthy” legislative package into law. The package enhances current policies and includes $716 million in health care investments, with the stated purpose of strengthening Florida’s health care workforce, broadening access to quality health care, and fostering innovation in the industry. The new laws also introduce new compliance requirements for hospitals with emergency departments.

The bills signed by Governor DeSantis on March 21, 2024, are:

  • SB 7016, which creates and expands training programs that will help to develop and retain Florida’s health care workforce.
  • SB 7018, which harnesses the innovation and creativity of entrepreneurs and industry leaders to meet the needs and challenges of Florida’s evolving health care system.
  • SB 1758, which formalizes some of the great work already underway within the Agency for Persons with Disabilities through the First Lady’s Hope Florida initiative.
  • SB 330, which creates a new category of teaching hospitals dedicated to advancing behavioral health care through research, collaborating with our colleges and universities, and partnering with the state of Florida to address acute behavioral health care needs.
  • SB 322, which creates public record and meeting exemptions for personal identifying information for practitioners participating in the Interstate Medical Licensure Compact, the Audiology and Speech-Language Pathology Interstate Compact, and the Physical Therapy Licensure Compact.

“We are taking action to bolster our health care workforce to keep pace with our state’s unprecedented growth,” said Governor DeSantis. “I applaud Senate President Passidomo for her dedication to this cause, which contributes to positioning Florida as the freest and healthiest state in the nation.”

New Compliance Requirements for Florida Hospitals with Emergency Departments

One of the bills, SB 7016, introduces new rules for hospitals with emergency departments (EDs), including hospitals with off-campus EDs. In Florida, many patients use EDs for non-emergent care or seek emergency care that could have been avoided if they received regular primary care. The bill requires hospitals with EDs to submit a diversion plan to the state that details how they will help these patients access the appropriate care setting if they present to the ED with a non-emergent condition or indicate that they do not have regular access to primary care.

The nonemergency care access plans (NCAPs), which must not conflict with the Emergency Medical Treatment and Labor Act, will require state approval by July 1, 2025, after which hospitals will be required to submit their plans annually and demonstrate that they are effective. If the NCAP does not receive state approval, it must be updated before a license is granted or renewed.

For Medicaid patients, the NCAP must include outreach to the patient’s Medicaid managed care plan, and at least one of the following:

  1. A partnership agreement with at least one local federally qualified health center or another primary care setting. Staff at the ED must proactively seek to establish a relationship between the patient and the federally qualified health center or primary care setting if the patient indicates they do not have regular access to primary care.
  2. The establishment and operation of a hospital-owned urgent care center within or in close proximity to the hospital ED, to which the patient can be diverted if, after an initial screening, the patient requires non-emergent healthcare services.

The post New Compliance Requirements for Florida Hospitals with Emergency Departments appeared first on HIPAA Journal.

Sen. Cassidy Seeks Feedback on the Regulation of Clinical Tests

U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is seeking feedback from stakeholders on ways to improve the regulation of clinical tests in the United States.

Since the Medical Device Amendments (MDA) of 1976 established the Food and Drug Administration’s (FDA) framework for medical devices nearly 50 years ago, there have been major advances in in vitro diagnostic technologies that call for improvements to the framework. Similarly, advances in clinical laboratory medicine in the more than 35 years since the Clinical Laboratory Improvement Amendments of 1988 (CLIA) were enacted demand standards that reflect advances in molecular and genetic testing, as well as appropriate oversight of tests.

While Congress has considered proposals to reform these regulations, there have been no substantive updates to either framework. Sen. Cassidy is seeking feedback from stakeholders on potential updates to the FDA regulatory framework for diagnostics and the CLIA regulatory framework for laboratory developed tests (LDTs), and in particular on the actions Congress should take to support innovation and ensure patient access to timely and advanced diagnostics.

Sen. Cassidy has asked 10 questions about each set of regulations, such as how well they are currently working, whether updates are needed, which areas need improvement, and the regulatory burden any updates would impose. The request for information has been published, and responses should be provided by April 3, 2024.

Florida Legislature Passes Bill Providing Companies with Immunity from Data Breach Lawsuits

Companies in Florida may soon be immune from lawsuits if they suffer data breaches provided that prior to the cybersecurity incident, they have been maintaining a cybersecurity program that substantially aligns with industry standards, cybersecurity frameworks such as the NIST CSF, or a state or federal law such as HIPAA, and they comply with Florida’s data breach notification law. The cybersecurity incident liability bill – House Bill 473 – was recently passed by the Florida legislature and now heads to the state governor’s desk for his signature. Governor Ron DeSantis is expected to sign the bill into law.

Currently, HIPAA-regulated entities in Florida and elsewhere already receive some relief from regulatory penalties if they can demonstrate that they had recognized security practices continuously in place for the 12 months prior to a data breach, following a 2021 amendment to the HITECH Act. When determining appropriate penalties in its enforcement activities, the HHS’ Office for Civil Rights must consider the recognized security practices that were in place and may reduce the penalties accordingly. There are no provisions in HITECH or HIPAA, however, that provide immunity from, or limit liability in, class action data breach lawsuits.

Any significant healthcare data breach is likely to see one – or most likely several – class action data breach lawsuits filed for exposing sensitive data, and the cost of defending against those lawsuits and paying settlements is considerable. If lawsuits are likely to be filed following any data breach regardless of the cybersecurity measures that have been implemented, then businesses may simply accept the risk and fail to invest appropriately in cybersecurity.

The aim of the bill is to incentivize organizations to invest in security and implement cybersecurity measures to protect the personal data they collect and store, by making it in their own interests to do so. The bill goes a step further than similar laws enacted in Ohio, Utah, and Connecticut, where companies that implement appropriate security measures receive only limited protection against class action data breach lawsuits. In Florida, companies would be granted immunity from more types of claims, and there is no carve-out for failing to address known threats. Should the bill be signed into law, it will take effect immediately.

While the law will undoubtedly be good for businesses, the benefits to consumers are questionable. If the law does have the intended effect and companies invest in cybersecurity as a result, Florida residents will be less likely to have their data compromised. However, in the event of a data breach, consumers will have to cover the cost of protecting themselves against identity theft and fraud and will incur out-of-pocket expenses, as well as costs if they do fall victim to identity theft and fraud if they cannot recover those costs by other means.

HSCC Publishes Privacy and Security Coordination Guide

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, a public-private industry council of more than 400 healthcare providers, pharmaceutical and medtech companies, payers, health IT entities, and government agencies, has released a new guide for healthcare organizations to help coordinate privacy and security functions to improve efficiencies, effectiveness, and overall compliance.

The HSCC said it has found significant evidence that neither regulation nor enterprise and risk management programs are approaching privacy and security with coherent and coordinated policy and practice. Privacy roles are concerned with supporting compliance with laws, regulations, standards, and practices, monitoring internal policies and procedures, identifying gaps, and establishing new policies concerning the handling of electronic and physical healthcare data. Security roles are concerned with identifying vulnerabilities and risks and implementing technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic healthcare data. Within the healthcare sector, privacy and security often function within separate and distinct silos, even though privacy and security have a great deal in common.

The guidance is intended to help organizations identify factors that contribute to disharmony between their privacy and security efforts. Conflicting priorities can lead to a disconnect between privacy and security, which increases organizational risk. The guidance is aimed at privacy and security officers and their teams, and others who are looking to develop best practices for their privacy and security programs and provides practical recommendations for collaborative practices to get privacy and security teams working together more proactively and cohesively.

What is Healthcare Regulatory Compliance?

Healthcare regulatory compliance is the practice of meeting or exceeding the requirements of all applicable federal, state, local, and industry regulations and any voluntary standards a healthcare organization adopts in order to demonstrate a good faith effort to comply with the regulations. Due to the number of regulations and standards a healthcare organization may have to comply with, healthcare regulatory compliance is complex and has the potential for failure in many different areas.

Most healthcare organizations are required to comply with dozens of federal, state, local, and industry regulations. The regulations can cover subjects as diverse as building safety, data security, codes of conduct, the regulation of controlled substances, and the provision of medical assistance in emergency circumstances. To complicate the challenge of healthcare regulatory compliance, some regulations conflict with each other, while others duplicate standards from other regulations.

It can also be the case that some regulations exempt healthcare organizations from complying with some standards, but not with other standards. An example of this scenario is when a state privacy law exempts HIPAA covered entities from complying with its standards relating to Protected Health Information (PHI), but not from complying with its standards for individually identifiable non-health information maintained by the same organization in a separate non-protected record set.

The Importance of Regulatory Compliance in Healthcare

To understand the importance of regulatory compliance in healthcare, it is necessary to understand the purposes of federal, state, local, and industry regulations and why they exist. Although it is not practical to provide a synopsis of – and the reason for – every healthcare regulation, the following list provides a cross section of regulations a healthcare organization may have to comply with.

The Health Insurance Portability and Accountability Act (HIPAA)

The purpose of HIPAA was to reform the health insurance industry. But, due to concerns that the cost of the reforms would be passed onto employers and employees in the form of increased, tax-deductible premiums – and the impact this would have on Treasury revenues – Congress adopted measures to mitigate the costs to the health insurance industry by reducing fraud, waste, and abuse in the healthcare industry and simplifying the administration of healthcare transactions.

The measures to simplify the administration of healthcare transactions led to the HIPAA Privacy and Security Rules and, later, via the HITECH Act of 2009, to the Breach Notification Rule. These Rules stipulate the permissible uses and disclosures of PHI to protect patient privacy, the safeguards required to ensure the confidentiality, integrity, and availability of electronic PHI, and the procedures for alerting individuals when their health information has been accessed, viewed, or acquired without authorization.

The Conditions of Participation in Medicare and Medicaid

The original conditions of participation in the federal Medicare and Medicaid programs were published in 1966 by the Social Security Administration to provide a baseline of care for qualifying beneficiaries throughout the country. As the Medicare and Medicaid programs expanded, further conditions of participation were added, and the responsibility for enforcing compliance was transferred to HHS’ Centers for Medicare and Medicaid Services (CMS).

Non-compliance with the conditions of participation can result in civil monetary penalties comparable to those for non-compliance with HIPAA, and non-compliant organizations can also be excluded from federal health programs. In practice, CMS has enforced the conditions mainly through surveys and plans of correction rather than civil monetary penalties, and has referred non-compliant healthcare organizations to HHS’ Office of Inspector General when there is evidence of fraud, abuse, or misconduct.

HHS’ Office of Inspector General Exclusions List

HHS’ Office of Inspector General (OIG) investigates individuals and organizations suspected of fraud, patient abuse and neglect, or other misconduct – for example, violations of the Anti-Kickback Statute or the Stark Law, both of which are found in the Social Security Act. Individuals and organizations found guilty of fraud, abuse, or misconduct are excluded from the Medicare and Medicaid programs in addition to being fined and/or given a custodial sentence.

In the context of healthcare regulatory compliance, healthcare organizations are prohibited from conducting business with, or engaging the services of, an individual or organization that appears on the HHS OIG Exclusions List. Healthcare organizations that violate this condition of participation can themselves be excluded from the program, fined up to $20,000 per violation, and made to repay up to three times the amount claimed for non-compliant services or items.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

Another way in which healthcare organizations can be excluded from federal health programs is by violating EMTALA. Congress passed EMTALA in 1986 to eliminate the practice of “patient dumping” – a practice in which healthcare organizations refused to provide emergency medical treatment to individuals because of their inability to pay. The Act also prohibits healthcare organizations from discharging patients prematurely because of high anticipated treatment costs.

To comply with EMTALA, healthcare organizations must implement policies for ED workforces to ensure an appropriate screening exam is provided and, if the patient has an emergency medical condition, stabilizing treatment is provided or the patient is transferred to a facility with appropriate capabilities. In addition to being excluded from federal health programs, healthcare organizations that violate EMTALA can be fined up to $129,233 per violation and subject to civil damages.

The Occupational Safety and Health Act

The Occupational Safety and Health Act of 1970 (OSH Act) created the Occupational Safety and Health Administration (OSHA). The Administration was authorized to develop standards for workplace safety and health to reduce the number of avoidable accidents, injuries, and workplace illnesses attributable to poor working conditions. It enforces the standards through a program of inspections and investigations in response to accident reports and workforce complaints.

OSHA compliance consists of complying with applicable safety and health standards, maintaining injury and illness records, and providing safety training to members of the workforce exposed to specific risks (e.g., bloodborne pathogens). Healthcare organizations that fail to comply with the OSHA requirements can be fined up to $161,323 per violation, depending on the nature of the violation, the organization’s history of compliance, and its cooperation during an investigation.

Payment Card Industry Data Security Standards (PCI DSS)

PCI DSS is a contractual obligation (rather than a rule or regulation) that has the objective of ensuring the security of debit and credit card transactions and protecting cardholders against fraud, theft, and the misuse of their personal information. Many of its requirements overlap with the Technical Safeguards of the HIPAA Security Rule (access control, audit logging, integrity controls, and transmission security), so a healthcare organization that complies with the Security Rule will already have much of the groundwork in place. Compliance with one does not, however, automatically satisfy the other: PCI DSS imposes specific obligations that HIPAA does not, such as scoping and segmenting the cardholder data environment, rendering the primary account number unreadable wherever it is stored, quarterly external vulnerability scans by an approved scanning vendor, and annual self-assessment or on-site assessment depending on transaction volume.

However, when personal information and/or payment information is stored independently of PHI, different breach notification procedures apply if the information is accessed, viewed, or acquired without authorization. The procedures are most often governed by states’ data breach rules; but it is important to be aware that some data breach laws extend across state boundaries and apply to citizens of the state regardless of where the breach of personal or payment information occurs.

Food and Drug Administration (FDA) Regulations

Among other responsibilities, the FDA ensures the safety and effectiveness of drugs, biologics, and medical devices. However, because the Administration is the enforcer of more than two hundred laws, regulations, and standards, there is no one-size-fits-all approach to FDA regulatory compliance in healthcare. It is up to each healthcare organization to determine which FDA laws, regulations, and standards apply to their activities and implement compliance programs for each.

To ensure compliance with healthcare-related laws, the FDA’s Office of Regulatory Affairs conducts regulatory assessments, inspects drug facilities, oversees laboratory testing and clinical trials, and investigates fraudulent or other criminal activities that threaten public health. The Office has the authority to seize unregulated goods, obtain injunctions against healthcare organizations operating unlawfully, or pursue criminal convictions through the FDA’s Office of Criminal Investigations.

Physician Payments Sunshine Act /CMS Open Payments

The Physician Payments Sunshine Act requires transparency of the financial relationships between healthcare organizations and drug companies, including suppliers of biologics, medical supplies, and medical devices. The purpose of the Act is to prevent conflicts of interest that could result, for example, in a patient being given an unsuitable medication or an unnecessary treatment because the healthcare provider has a financial interest in doing so.

CMS oversees compliance with the Act via the Open Payments Program, which does not prohibit healthcare organizations from receiving payments or items of value from drug companies, but requires that payments are reported accurately, completely, and in a timely manner. CMS has the authority to audit healthcare organizations in federal health programs for compliance with the Sunshine Act, and can impose civil monetary penalties of up to $1 million per year (inflation adjusted) for knowing failures to report.

State Privacy and Data Security Legislation

State privacy and data security legislation can create more compliance headaches for healthcare organizations than the web of federal legislation. To date, thirteen states have passed some form of consumer protection, privacy, and/or data security legislation, while a further eighteen states have legislation at the committee stage or beyond. In many cases, state legislation can increase an organization’s healthcare regulatory compliance obligations by filling the gaps in federal legislation.

An example of this is the Texas Medical Records Privacy Act, which defines covered entities as any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. This means that a healthcare organization that does not qualify as a HIPAA covered entity or business associate must still comply with HIPAA-like requirements under Texas law in respect of any PHI relating to a resident of Texas, regardless of where the healthcare organization is located.

Local Fire, Building, Noise, and Safety Codes

Local fire, building, noise, and safety codes can also increase an organization’s healthcare regulatory compliance obligations by requiring more stringent protections for patients, the workforce, and the community in which the organization is located. Although the financial penalties for local code violations are minor in relation to the penalties for violations of federal or state regulations, citations can be issued for some unusual violations (e.g., the failure to remove graffiti from a building).

There are likely to be examples in every location of local codes requiring more stringent protections than federal or state regulations. For example, in Dallas, §403.11.1.3 of the local Fire Code sets more stringent qualifications for standby personnel than OSHA; in New York, §28.103.21 of the Construction Code has more stringent injury reporting requirements than OSHA; and hospitals in Atherton, CA, are not permitted to use gas-powered leaf blowers under §8.16.040 of the Atherton Municipal Code.

Healthcare Regulatory Compliance Issues and Challenges

In addition to the healthcare regulatory compliance issues and challenges already mentioned (conflicts, duplications, and partial exemptions), a further issue is the cumulative rate of change. Although an individual regulation may not change frequently, a healthcare organization that has to comply with, say, twelve regulations, each of which adds or changes a standard once a year, faces a change to its compliance requirements roughly once a month.

The frequency of regulatory changes is not necessarily a challenge if, for example, a change relates to a little used process or one used by a small number of the workforce (e.g., electronic signatures in healthcare transactions). However, larger scale changes – such as changes to the HIPAA Privacy Rule – will have an impact on most healthcare organizations, their Notices of Privacy Practices, workforce policies and procedures, and sanctions for impermissible disclosures.

When regulatory changes represent a material change (for example, the changes to disclosures of reproductive health information), healthcare organizations must also provide additional HIPAA training to members of the workforce whose roles are affected. While the timing of the mandated training may coincide with scheduled refresher training, it can equally be the case that additional resources are required to comply with the training requirement.

As one-off events, these healthcare regulatory compliance issues and challenges are usually manageable. However, over the next year or so, a large number of regulatory changes are scheduled that could create simultaneous compliance challenges for organizations impacted by the FDA’s proposals for remote regulatory assessments, the new CMS requirements for hospital epidemic preparedness, and HHS’ recently released Cybersecurity Performance Goals.

The Benefits of Adopting Voluntary Healthcare Standards

Voluntary healthcare standards are standards that most often exceed the healthcare regulatory compliance requirements to better protect patients, healthcare data, or members of the workforce. Examples include the Joint Commission accreditation standards, ISO 7101:2023, SOC 2, and the American Institute of Architects’ Acoustic Guidelines in Healthcare Facilities (which benefits patients, visitors, and members of the healthcare organization’s workforce).

Adopting voluntary healthcare standards often requires just a little more effort than complying with regulatory standards. For example, if an organization already complies with HIPAA, OSHA, and CMS’ conditions for participation in Medicare, there are minimal training, administrative, and documentation requirements to complete before an organization can apply for ISO 7101:2023 certification to demonstrate it has an effective healthcare quality management system.

The benefit of adopting a voluntary healthcare standard in this example is that organizations that achieve ISO 7101:2023 certification must continue to monitor clinical and non-clinical performance to continually improve their processes and results. Healthcare organizations that comply with this voluntary requirement will simultaneously be complying with matching HIPAA, OSHA, and CMS mandatory requirements – mitigating the risk of non-compliance across the matching requirements.

In addition, achieving an accreditation or certification of voluntary compliance not only demonstrates a good faith effort to comply with mandatory healthcare regulations – which can mitigate a penalty for non-compliance in certain circumstances – but it can also enhance an organization’s brand reputation and can give it a competitive advantage. This may be extremely valuable for a business associate being evaluated by a covered entity for a lucrative contract.

How Software can Support Healthcare Compliance Efforts

It is not difficult to see how the number of mandatory regulations and voluntary standards a healthcare organization may have to comply with – and the volume of changes that might occur as a result – can increase the potential for compliance failures. Nor is it difficult to see how a well-resourced compliance team using a mature risk management strategy might still overlook a critical implementation specification due to the number of similar requirements.

To mitigate the risk of being swamped by regulations and standards, or overlooking a critical implementation specification, healthcare organizations should evaluate customizable healthcare regulatory compliance software. Software solutions for healthcare regulatory compliance are getting more sophisticated, and can be used to determine when one standard conflicts with or duplicates another, or when a state regulation partly exempts an organization from compliance.

When configured to meet an organization’s requirements, healthcare regulatory compliance software can produce guided risk assessments for each business unit and, once the risk assessments are concluded, a corrective action plan if compliance gaps are identified. The software can also be used to assess what changes to policies, procedures, and business practices may be required due to changes to or new regulatory standards. Organizations interested in taking advantage of healthcare regulatory compliance software are advised to seek professional compliance advice.

What is Risk Management in Healthcare?

Risk management in healthcare is the practice of analyzing healthcare practices and processes to identify risks and opportunities, assess their likelihood and potential impact, and implement controls to prevent losses and optimize profitability. Within each organization, the practice of managing risk can be influenced by the nature of the organization’s structure, the organization’s risk culture/appetite, and the resources available to conduct risk analyses.

The Definition of Risk Management in Healthcare

There is no one-size-fits-all definition of risk management in healthcare. A useful starting point is the definition of risk itself: the likelihood of a particular threat triggering or exploiting a particular vulnerability, resulting in harm or damage to a patient, an organization, or its workforce (abridged from the definition of risk in HHS’ Guidance on Risk Analysis).

Using this definition of risk, the “traditional” definition of risk management in healthcare is the identification, assessment, and minimization of the organization’s exposure to risks in order to improve patient care, reduce liability risks, and prevent financial losses. However, using this definition of risk can lead to the management of risks being conducted by separate business units in “risk silos”.

This can result in a lack of communication, coordination, and oversight which limits the effectiveness of risk management activities. To make risk management in healthcare more effective, there is a growing trend away from risk silos and towards organization-wide “enterprise” risk management in healthcare – defined by the American Society for Healthcare Risk Management (ASHRM) as:

“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value”.

The ASHRM’s definition of risk management in healthcare suggests that the management of risks should not only serve the “traditional” purpose, but also be used to identify ways in which processes can be improved, healthcare activities can be made more efficient, the demand on healthcare resources can be reduced, and patient satisfaction/workforce retention can be increased.

More about Enterprise Risk Management in Healthcare

The ASHRM’s model for enterprise risk management in healthcare consists of eight “risk domains”. Not all eight domains will apply in all risk scenarios, but it is important for those with the responsibility for managing risks to be aware of the domains and to consider the possibility of risks and opportunities (both value opportunities and opportunities to learn) existing in each domain.

1. Operational

Operational risks occur when a vulnerability in an internal process or system – or an event attributable to human error – affects business operations. Such risks could include a failure in the process for data breach incident response, a failure in a data backup system, or a failure by a workforce member to configure software securely which undermines other security measures.

Analyzing healthcare practices and processes in the operational risk domain might not only identify areas where controls need to be implemented to prevent the risks (e.g., adding failover support to the data backup system), but can also identify opportunities for improvement, such as building DevSecOps best practices into all application development.

2. Clinical/Patient Safety

The clinical/patient safety domain relates to the delivery of care to patients, residents of care homes, and other recipients of healthcare. Clinical/patient safety risks can include medication errors, surgical mistakes, patient misidentification, hospital-acquired conditions, and patient or visitor injuries attributable to slips, trips, and falls or other hazards covered by the OSH Act.

Most potential clinical and patient safety risks are well chronicled, and risk managers should be able to locate risk management checklists that cover these risks. As a note of interest, it was the analyses of clinical and patient safety that led to the Centers for Disease Control and Prevention (CDC) revising its Guidelines for the Prevention of Catheter-Associated Urinary Tract Infections in 2009.

3. Strategic

Strategic risks are risks associated with the focus and direction of the organization and can include the failure to adapt to changing best practices, technologies, and patient priorities, or failing to act quickly enough when regulatory changes occur. These failures can result in losses to competitors, reputational damage, or enforcement action being taken by regulatory authorities.

As well as applying to operational units, the strategic domain in ASHRM’s model for enterprise risk management in healthcare can apply to business units such as managed care partnerships, media relationships, marketing, etc. As well as identifying risks in these units, an effective risk analysis can also identify ways for each unit to operate more efficiently.

4. Financial

In the healthcare industry, the financial sustainability of an organization can be at risk from events theoretically under an organization’s control – such as fraud (both internal and external), malpractice lawsuits, regulatory fines, etc. – and events that are outside of an organization’s control, such as increasing capital equipment costs and interest rates, or unpaid bills.

While it is impossible to implement controls that manage risks outside of an organization’s control, it may be possible to identify ways to mitigate the impact of such events. For example, to mitigate the impact of increasing capital equipment costs and interest rates, it may be better to lease capital equipment on a fixed rate basis – potentially saving thousands of dollars across the organization.

5. Human Capital

An organization’s human capital is its workforce; and, as most healthcare organizations will have experienced during the COVID-19 pandemic, the workforce is the key component of any healthcare organization. As a result, it is important that risks to the wellbeing of the workforce are prioritized in order to prevent avoidable illnesses and injuries, low morale, and recruitment costs.

As well as using a risk assessment to identify, assess, and control risks to the workforce, healthcare organizations should use a risk assessment to identify areas in which the wellbeing of the workforce can be enhanced – for example, by implementing policies that encourage members of the workforce to confidentially report workplace violence or sexual harassment.

6. Legal/Regulatory

The legal/regulatory risk domain includes the failure to identify, manage, and monitor compliance with federal, state, and local laws and regulations – for example, a healthcare organization in Dallas would likely have to comply with at least HIPAA, CMS’ conditions for participation in Medicare and Medicaid, OSHA, the Texas Medical Records Privacy Act, and the City of Dallas Fire Code.

When compliance with laws and regulations of this nature is managed in separate risk silos, the danger exists that compliance efforts will be duplicated. When they are managed holistically, similar compliance requirements can be combined to reduce the regulatory burden. In this example, the fire prevention requirements of the Dallas Fire Code, OSHA, and CMS’ conditions are almost the same.

7. Technology

The technology risk domain not only covers software and data, but the systems they run on and the devices on which the systems run. In addition, depending on what enterprise risk management activities are conducted in the operational and strategic domains, the technology risk domain can also cover operational processes and automated decision-making technologies.

The potential opportunities in this domain depend on the degree of integration between technologies. For example, patient scheduling software integrated with a practice management system and EHR system can improve the patient experience, accelerate billing and payment processes, and support HIPAA compliant messaging (among other benefits).

8. Hazard

The hazard domain is a catch-all domain for other types of foreseeable risks that could cause business interruption. This domain includes natural disasters and facility issues (e.g., construction, renovation, etc.) and will soon also include hospital preparedness for emerging infectious disease epidemics such as the COVID-19 pandemic.

While this domain is a bit of a grey area in terms of risk assessment responsibilities, it provides an opportunity for an organization to demonstrate a commitment to mitigate the impact of risks in the operational, clinical/patient safety, financial, and human capital domains – enhancing an organization’s reputation while protecting its future operational capabilities.

Risk Management Strategies in Healthcare

In its guide to the history of risk management in healthcare and the evolution to enterprise risk management, ASHRM argues the case that every member of a healthcare organization’s workforce is a risk manager – from the housekeeper that ensures the correct germicide is used on the correct surfaces for the correct amount of time to the organization’s CEO.

While it is difficult to disagree with this argument, it is necessary for there to be an oversight of how risks are managed. This involves determining what frameworks, models, and processes are used to identify vulnerabilities, how risks are analyzed in the context of the organization’s risk culture, and what controls are implemented to correspond with the organization’s risk appetite.

However, when risk management strategies in healthcare are executed by separate business units, inconsistencies between the strategies can result in the same frameworks being used in different ways to obtain conflicting results. Even simple probability/harm risk matrices can produce different results due to ambiguous inputs or qualitative ratings being assigned to quantitatively smaller risks.

It is for this reason that ASHRM advocates an enterprise risk management model (also known as a holistic or integrated risk management model) in which a risk management team liaises with C-Suite Executives to communicate the risk management strategy, coordinate risk management activities, and oversee the controls put in place to prevent losses and optimize profitability.

Enterprise Risk Management in Healthcare Examples

The enterprise risk management model is particularly effective in healthcare because few activities impact just one domain. However, when multi-domain activities are being analyzed, it is important to have “subject matter experts” liaise with the risk management team in order to broaden the assessment of a potential risk and identify opportunities to create value for the organization.

Actual examples of effective enterprise risk management in healthcare do not appear in the public domain. However, ASHRM has produced a theoretical example of how risk assessing a change of process can result in the creation of value across all eight domains – in this case, changing the process of using a transporter to escort all discharged patients out of the hospital in a wheelchair.

The background to this risk assessment is that engaging a transporter to escort discharged patients out of the hospital in a wheelchair fulfils the organization’s duty of care for safe patient discharges. But what would be the risks and the value if this discharge process was used more selectively?

  • Value in the operational domain is acquired by reducing the number of transporters and wheelchairs required for a room turnaround.
  • Patients who can safely walk out of the hospital increase value in the clinical/patient safety domain by eliminating wait times (for a transporter) and vacating rooms more quickly for the next admission.
  • The strategic value lies in the fact that a discharge has been performed to the patient’s satisfaction, which can increase confidence in – and the reputation of – the organization.
  • The improved patient throughput – even if by only 30 minutes per patient – can have a positive impact on profitability and other metrics in the financial domain.
  • Reduced transportation requirements may facilitate the better use of resources in the human capital domain, or enable flexible schedules to increase employee satisfaction.
  • Giving patients the choice of whether they would prefer to walk or be escorted increases the legal/regulatory perception that organizations are recognizing patient preferences and rights.
  • If the discharge process becomes discretionary (for patients), existing technologies could be put to better use to support the discharge process and communication during the process.
  • The hazard domain is both win and lose, as there is an increased risk of patients falling, but there is also the reduced risk of fewer wheelchairs being a trip hazard in cluttered hallways.

Why Risk Management is Important to Healthcare Facilities

Risk management is important to healthcare facilities because there are many areas of a healthcare organization’s activities in which vulnerabilities and opportunities may exist. Preventing the exploitation of vulnerabilities while exploiting potential opportunities is a challenging task which is best approached holistically to prevent inconsistencies in risk management strategies and ensure risks are analyzed and controlled according to the same risk culture/appetite.

However, building an enterprise risk management program from scratch, or transitioning from the traditional approach to an enterprise approach, is not without its own challenges. Possibly the biggest challenge is settling on a risk management strategy and risk culture/appetite that everyone can agree on. For example, a Chief Financial Officer or Chief Compliance Officer will likely be more risk averse than a Chief Marketing Officer or Chief Business Development Officer.

Once this challenge is resolved, the next challenge is to justify the benefits of enterprise risk management to the Chief Officers who have had to compromise their risk appetites. This can be a difficult challenge to overcome initially due to the different levels of risk awareness in separate business units and because risk management teams will be under pressure to deliver positive outcomes, and this pressure could get in the way of preventing negative outcomes.

One way to overcome these issues is to implement customizable software for managing risks that can be configured by the risk management team with guided risk assessments and automated corrective action plans for each business unit. This solution resolves the issue of different levels of risk awareness, while delegating the responsibility for risk assessments to subject matter experts in each business unit – enabling the risk management team to focus on identifying positive outcomes.

Organizations that are interested in adopting an enterprise approach to risk management in healthcare should discuss their plans with a compliance expert with knowledge of customizable software for managing risks. While risk management is important to healthcare facilities, it is equally important that risk management activities are conducted effectively in order to prevent unmanaged risks resulting in harm, damage, or the loss of a value opportunity.

The post What is Risk Management in Healthcare? appeared first on HIPAA Journal.

NIST Finalizes HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) has published the final version of its guidance on implementing the HIPAA Security Rule. The document, Special Publication 800-66r2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, was developed by NIST in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and guides HIPAA-covered entities and business associates through conducting a risk analysis to identify risks and vulnerabilities to electronic protected health information. The document also identifies activities that HIPAA-regulated entities should consider as part of their information security program and offers guidance on achieving and maintaining compliance with the HIPAA Security Rule and improving cybersecurity posture.

The HIPAA Security Rule sets minimum standards for security and has been in effect since April 2005. Despite being in effect for more than 2 decades, HIPAA-regulated entities are still struggling with compliance. Both sets of HIPAA audits conducted by OCR in 2011 and 2016/2017 identified widespread noncompliance with the HIPAA Security Rule. The second phase of HIPAA audits showed compliance had improved since the first phase of audits, but none of the 63 audited entities achieved the top rating of 1 for risk analysis. A rating of 1 indicates the entity is fully compliant with the goals and objectives of the risk analysis standard of the HIPAA Security Rule. The majority (41) achieved a rating of 3 or 4, meaning minimal or negligible efforts have been put into compliance with the standard. It was worse for risk management, with 44 of the 63 audited entities receiving a 4 or 5 rating. A rating of 5 means the entity did not provide OCR with evidence of a serious attempt to comply with the risk management standard of the HIPAA Security Rule.

While compliance with the HIPAA Security Rule should have improved in the 7 years since the last round of HIPAA audits, the number of healthcare data breaches now being reported suggests otherwise. In 2017, 368 data breaches of 500 or more records were reported to OCR, and 5,131,289 healthcare records were breached. In 2023, 725 data breaches were reported, and more than 133 million records were breached. Hackers have increased their attacks on the healthcare sector in recent years, but the number of successful attacks strongly suggests that HIPAA-regulated entities are not fully complying with the risk analysis and risk management provisions of the HIPAA Security Rule.

In February 2023, OCR announced that it is seeking feedback on its audit program, which suggests that the HIPAA audit program is about to be resurrected. With OCR in desperate need of funding, the next round of audits may also result in fines for noncompliance. HIPAA-regulated entities should therefore review the guidance and apply the recommendations to their information security programs.

The post NIST Finalizes HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching. These small data breaches usually need to be reported by March 1; however, since 2024 is a leap year, this year’s deadline is February 29.

The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the Office for Civil Rights (OCR) breach reporting portal.

The HIPAA Breach Notification Rule requires large data breaches – those that affect 500 or more individuals – to be reported to OCR no later than 60 days from the date of the discovery of the data breach, but there is more flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches.

If a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.

All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breaches and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches, reporting these breaches may take some time. It is therefore best not to wait until the last minute to report these small data breaches.
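The two reporting tracks described above (individual notification within 60 days of discovery for every breach, OCR reporting within 60 days of discovery for breaches of 500 or more, and within 60 calendar days of the end of the calendar year of discovery for smaller breaches) are easy to get wrong when several incidents are tracked in a spreadsheet. The following is an added example, not code from HIPAA Journal or OCR, that computes both deadlines from a discovery date and affected count and flags anything overdue. The 60-day windows and the 500-record threshold are taken from the post; the breach records are constructed sample data, and the function and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows as stated in the post (assumed for this example; not legal advice):
# individuals must be notified no later than 60 days from discovery for any breach;
# OCR must be notified within 60 days of discovery for 500+ individuals, and within
# 60 calendar days of the end of the calendar year of discovery for fewer than 500.
NOTIFICATION_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class BreachDeadlines:
    individuals_by: date   # last day to notify affected individuals
    ocr_by: date           # last day to submit the OCR breach report
    large: bool            # True when the 500+ track applies


def breach_deadlines(discovered: date, affected: int) -> BreachDeadlines:
    """Return the individual-notification and OCR-reporting deadlines for a breach."""
    if affected < 1:
        raise ValueError("a reportable breach affects at least one individual")
    individuals_by = discovered + NOTIFICATION_WINDOW
    large = affected >= LARGE_BREACH_THRESHOLD
    if large:
        ocr_by = individuals_by
    else:
        # Small-breach flexibility: the clock starts at the end of the calendar year.
        # Dec 31 + 60 days lands on Mar 1, or on Feb 29 when the following year is a leap year.
        ocr_by = date(discovered.year, 12, 31) + NOTIFICATION_WINDOW
    return BreachDeadlines(individuals_by, ocr_by, large)


def overdue_reports(breaches, today: date):
    """Return (breach_id, track) pairs whose deadline has already passed as of `today`."""
    overdue = []
    for breach_id, discovered, affected in breaches:
        d = breach_deadlines(discovered, affected)
        if today > d.individuals_by:
            overdue.append((breach_id, "individuals"))
        if today > d.ocr_by:
            overdue.append((breach_id, "ocr"))
    return overdue


# Constructed sample register: (hypothetical id, discovery date, individuals affected).
SAMPLE_BREACHES = [
    ("INC-0001", date(2023, 6, 1), 120),     # small breach discovered mid-2023
    ("INC-0002", date(2023, 12, 31), 40),    # small breach discovered on the last day of 2023
    ("INC-0003", date(2024, 1, 10), 2300),   # large breach: both deadlines 60 days from discovery
]

if __name__ == "__main__":
    for breach_id, discovered, affected in SAMPLE_BREACHES:
        d = breach_deadlines(discovered, affected)
        print(f"{breach_id}: individuals by {d.individuals_by}, OCR by {d.ocr_by}")
    print("overdue on 2024-03-01:", overdue_reports(SAMPLE_BREACHES, date(2024, 3, 1)))
```

Running the register against March 1, 2024 shows why the post's leap-year note matters: the two small breaches discovered in 2023 share an OCR deadline of February 29, 2024, so both are already overdue on March 1, while the large breach discovered on January 10 is not due until March 10.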

The post February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.

ONC Expands TEFCA with Two Additional Health Information Networks

The Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS) has announced that two new organizations have been designated as Qualified Health Information Networks (QHINs) and have been added to the nationwide data exchange governed by the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA was envisioned by the 21st Century Cures Act to support nationwide interoperability and became operational in December 2023 when the first five QHINs were designated by ONC – eHealth Exchange, Epic Nexus, Health Gorilla, KONZA, and MedAllies. The addition of two new QHINs – CommonWell Health Alliance and Kno2 – brings the total up to seven.

ONC has confirmed that CommonWell Health Alliance and Kno2 can immediately begin supporting the exchange of data under TEFCA and can provide shared services and governance to securely route queries, responses, and messages across networks for healthcare stakeholders including patients, providers, hospitals, health systems, payers, and public health agencies.

“These additional QHINs expand TEFCA’s reach and provide additional connectivity choices for patients, health care providers, hospitals, public health agencies, health insurers, and other authorized health care professionals,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “On behalf of ONC, I want to congratulate CommonWell Health Alliance and Kno2 for their achievement.”

The post ONC Expands TEFCA with Two Additional Health Information Networks appeared first on HIPAA Journal.