Liles Parker PLLC

Are HIPAA Whistleblower Provisions Around the Corner?

(January 25, 2012): Historically, home health agencies, physicians, clinics and other health care providers have associated the term “whistleblower” with the filing of a False Claims Act case by an insider, former employee or other individual alleging to have direct knowledge of fraudulent billing conduct by a provider. As health care providers will soon find, individuals harmed by the wrongful breach of their Protected Health Information (PHI) will have an opportunity to share in any penalties assessed by the Department of Health and Human Services (HHS), Office of Civil Rights (OCR). While not technically a “whistleblower” award program, the quasi-HIPAA whistleblower provisions included in recently-passed legislation may ultimately present many of the same incentives to individuals who are allegedly harmed as a result of a breach of their PHI.

I.   Background of HIPAA Whistleblower Provisions:

Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers:

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers.  Two of these provisions include:  (1) The initiation of privacy audits by contractors working for the  Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

  • Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing HIPAA / HITECH audit process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

  • Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary of HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information are inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond:

Among their first steps, health care providers and other covered entities should:

  • Ensure that patient protected health information is fully secured and protected.
  • Take steps to prevent improper access by authorized parties.
  • Ensure that anyone who accesses protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for accessing the record.
  • Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
  • Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule. Health care providers, other covered entities and business associates who handle protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

Robert W. Liles and other health law attorneys at Liles Parker PLLC are skilled in counseling health care providers, billers and other covered entities in HIPAA compliance and other compliance-related issues. We can help you implement an effective Compliance Plan, conduct gap analyses and internal audits. Furthermore, we can train your staff on staying compliant with federal regulations, including but not limited to, HIPAA / HITECH mandates, OSHA requirements, coding / billing regulations and more. For a free consultation, please call Robert at 1 (800) 475-1906.

IEP Team Members Play an Essential Role in the Development of Your Child’s IEP

(October 25, 2011): By law, certain individuals — IEP Team members — must be involved in writing a child’s Individualized Education Program (IEP). Note that an IEP team member may fill more than one of the team positions if properly qualified and designated. For example, the school system representative may also be the person who can interpret the child’s evaluation results.

IEP Team members must work together to write the child’s IEP. A meeting to write the IEP must be held within 30 calendar days of deciding that the child is eligible for special education and related services.

IEP team members bring important information to the group. Members share their information and work together to write the child’s Individualized Education Program. Each person’s information adds to the team’s understanding of the child and what services the child needs.

Parents are key members of the IEP team. They know their child very well and can talk about their child’s strengths and needs as well as their ideas for enhancing their child’s education. They can offer insight into how their child learns, what his or her interests are, and other aspects of the child that only a parent can know. They can listen to what the other team members think their child needs to work on at school and share their suggestions. They can also report on whether the skills the child is learning at school are being used at home.

Teachers are vital IEP Team members as well. At least one of the child’s regular education teachers must be an IEP Team member if the child is (or may be) participating in the regular education environment. The regular education teacher has a great deal to share with the team. For example, he or she might talk about:

• The general curriculum in the regular classroom;
• The aids, services or changes to the educational program that would help the child learn and achieve; and
• Strategies to help the child with behavior, if behavior is an issue.

The regular education teacher may also discuss with the IEP team members any supports for school staff that are needed so that the child can:

• Advance toward his or her annual goals;
• Be involved and progress in the general curriculum;
• Participate in extracurricular and other activities; and
• Be educated with other children, both with and without disabilities.

Supports for school staff may include professional development or more training. Professional development and training are important for teachers, administrators, bus drivers, cafeteria workers, and others who provide services for children with disabilities.  A child’s special education teacher contributes important information and experience about how to educate children with disabilities. Because of his or her training in special education, this teacher can talk about such issues as:

• How to modify the general curriculum to help the child learn;
• The supplementary aids and services that the child may need to be successful in the regular classroom and elsewhere;
• How to modify testing so that the student can show what he or she has learned; and
• Other aspects of individualizing instruction to meet the student’s unique needs.

Beyond helping to write the IEP, the special educator has responsibility for working with the student to carry out the IEP. He or she may:

• Work with the student in a resource room or special class devoted to students receiving special education services;
• Team teach with the regular education teacher; and
• Work with other school staff, particularly the regular education teacher, to provide expertise about addressing the child’s unique needs.

Another important member of the IEP team is the individual who can interpret what the child’s evaluation results mean in terms of designing appropriate instruction. The evaluation results are very useful in determining how the child is currently doing in school and what areas of need the child has. This IEP team member must be able to talk about the instructional implications of the child’s evaluation results, which will help the team plan appropriate instruction to address the child’s needs.

The individual representing the school system is also a valuable team member. This person knows a great deal about special education services and educating children with disabilities. He or she can talk about the necessary school resources. It is important that this individual have the authority to commit resources and be able to ensure that whatever services are set out in the IEP will actually be provided.

The IEP team may also include additional individuals with knowledge or special expertise about the child. The parent or the school system can invite these individuals to participate on the team. Parents, for example, may invite an advocate who knows the child, a professional with special expertise about the child and his or her disability, or others (such as a vocational educator who has been working with the child) who can talk about the child’s strengths and/or needs. The school system may invite one or more individuals who can offer special expertise or knowledge about the child, such as a paraprofessional or related services professional. Because an important part of developing an IEP is considering a child’s need for related services, related service professionals are often involved as IEP team members or participants. They share their special expertise about the child’s needs and how their own professional services can address those needs. Depending on the child’s individual needs, some related service professionals attending the IEP meeting or otherwise helping to develop the IEP might include occupational or physical therapists, adaptive physical education providers, psychologists, or speech-language pathologists.

When an IEP is being developed for a student of transition age, representatives from transition service agencies can be important participants. Whenever a purpose of the meeting is to consider needed transition services, the school must invite a representative of any other agency that is likely to be responsible for providing or paying for transition services. This individual can help the team plan any transition services the student needs. He or she can also commit the resources of the agency to pay for or provide needed transition services. If he or she does not attend the meeting, then the school must take alternative steps to obtain the agency’s participation in the planning of the student’s transition services.

And, last but not least, the student may also be an IEP team member. If transition service needs or transition services are going to be discussed at the meeting, the student must be invited to attend. More and more students are participating in and even leading their own IEP meetings. This allows them to have a strong voice in their own education and can teach them a great deal about self-advocacy and self-determination.

If you are having problems with one or more IEP Team members and need assistance negotiating a reasonable resolution with the school district, call attorney Ashley Morgan, an attorney with Liles Parker, for assistance. For a free consultation, call: 1 (800) 475-1906.