Health Law Update – March 20, 2014

Alerts / March 20, 2014

Welcome to this week's edition of the Health Law Update.

In This Issue:

CMS's Civil Defense Won’t Let You Hide Under Your Desk

The Centers for Medicare and Medicaid Services (CMS) have proposed new emergency preparedness requirements for healthcare providers and suppliers. These new requirements are designed to address the effect of a broad range of natural and man-made disasters—like attacks, epidemics, flooding, hurricanes and tornadoes—on the healthcare environment. The proposed regulations focus on safeguarding human resources, ensuring business continuity and protecting physical resources. CMS believes the current regulations for Medicare and Medicaid program providers and suppliers do not adequately address these key elements.

The proposed regulations affect 17 types of Medicare and Medicaid providers and suppliers. Facilities under the proposed regulations must devise an emergency plan based upon a broad risk assessment and then develop and maintain (1) policies and procedures addressing emergency preparedness, (2) an emergency communication plan that complies with state and federal laws, and (3) a training program that includes initial and annual trainings and is routinely tested by drills.

CMS expects the implementation of the proposed regulations would not be the same for all providers and suppliers, depending on their category. For example, the implementation of policies and procedures to provide subsistence needs to staff and patients during a disaster would be different for a rural health clinic compared to a large metropolitan hospital. In addition, each facility may need to consider individual factors in determining how to effectuate a requirement, such as the amount of space available within the facility for storing provisions or the provider’s capabilities and capacities for notifying staff and patients not to come to the facility due to an emergency.

Before developing an emergency plan, CMS proposes that facilities conduct an all-hazards risk assessment, an integrated emergency preparedness approach that is specific to the location of the provider and supplier, considering the particular types of hazards likely to occur in or near that location. Facilities developing emergency plans also will need to consider the possibility of emergencies or responses to emergencies that cross state lines. CMS anticipates that facilities work in collaboration with hospitals and other providers and suppliers across state borders in order to ensure continuity of care during an emergency.

Many of the proposed regulations rely on standards already required by third-party accreditation bodies. In particular, CMS has proposed requirements that are similar, and in some cases identical, to the standards required by The Joint Commission (TJC). For example, the proposed regulations require hospitals to have policies and procedures for a plan of safe evacuation. TJC-accredited hospitals, however, must have plans for evacuation as part of their clinical operations management. Nonetheless, facilities that have TJC accreditation still may find it challenging to meet some of the more onerous requirements proposed by CMS. For facilities that do not have TJC accreditation, many of the proposed requirements may be new and require significant changes, and facilities may incur significant costs in doing so.

The proposed regulations will be incorporated into the Medicare and Medicaid programs as Conditions of Participation for providers and as Conditions of Coverage for suppliers. CMS currently is soliciting comments for recommendations and changes or amendments from the public. Final comments are due to CMS by the extended deadline of March 31, 2014.

Although the proposed rule has not yet been finalized, CMS is beginning to reform its emergency preparedness requirements. For example, at the end of February, CMS updated its emergency preparedness checklist for state surveyors.

For more information, please contact Robert M. Wolin, or 713.646.1327; or Kinal Patel, or 713.646.1325.

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011, HHS Office of Civil Rights (OCR) established the HIPAA pilot audit program to assess the controls and processes implemented by covered entities to protect the privacy of PHI.

In a February 24, 2014, notice in the Federal Register (Notice), HHS OCR announced its plan to survey 1200 organizations—800 covered entities and 400 business associates—the first step in selecting organizations for the next round of HIPAA audits. As provided in the Notice, not all organizations surveyed will be audited. The survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” OCR intends to collect, among other things, “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”

For the 2011 HIPAA pilot audit program, OCR developed an audit protocol to measure the efforts of 115 covered entities. OCR also instituted a formal evaluation of the effectiveness of the pilot audit program. In April 2013, OCR released its findings from the 2011-2012 HIPAA audit pilot program. The audit pilot program focused on health plans of all types, healthcare clearinghouses and individual and organizational providers. From the audit pilot program, OCR found that most of the evaluated entities did not conform to HIPAA standards for security, privacy and breach notification—the three audit areas. OCR also found that most entities failed to perform a comprehensive, accurate security risk assessment (two-thirds of those audited). The most common cause of noncompliance was that the entity was “unaware of the requirement.” Privacy requirements that covered entities were most “unaware” of pertained to notice of privacy practices, access of individuals, minimum necessary and authorizations. Security requirements that covered entities were most “unaware” of pertained to risk analysis, media movement and disposal and audit controls and monitoring. OCR also found that smaller healthcare providers, i.e., community pharmacies and practices with revenues of less than $50 million per year, generally were vulnerable and noncompliant in all three audit areas. Healthcare providers that fell into this category accounted for 65 percent of all policy violations.

The next round of HIPAA audits provides another opportunity for OCR to examine different mechanisms for compliance with HIPAA/HITECH, identify best practices and discover new risks and vulnerabilities. The audits are in addition to OCR’s ability to assess HIPAA/HITECH compliance through its routine complaint and investigation process. It is anticipated that the next round of HIPAA audits will focus on OCR hot buttons—timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training and policies and procedures. For the next round of HIPAA audits, OCR currently is in the process of revising its audit protocol to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.

For more information, please contact Lynn Sessions, or 713.646.1352; or Kimberly M. Wong, or 212.271.2028.

OCR Settles Potential HIPAA Violations With County Government

To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA.

Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules with a $215,000 monetary payment and a three-year corrective action plan (CAP). The Skagit County Public Health Department provides essential services to residents who are unable to afford healthcare. The resolution agreement stems from the County’s December 9, 2011, notification to HHS OCR that money receipts with ePHI of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

On May 25, 2012, OCR notified the County of its investigation and indicated that:

  • from approximately September 14, 2011, until September 28, 2011, the County disclosed the ePHI of approximately 1,581 individuals (not just seven individuals as initially reported); the accessible files involved sensitive information, including PHI concerning the testing and treatment of infectious diseases;
  • from November 28, 2011, to the date of the resolution agreement, the County failed to provide notification as required under the Breach Notification Rule; from April 20, 2005, to the date of the resolution agreement, the County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations;
  • from April 20, 2005, until June 1, 2012, the County failed to implement and maintain, in written or electronic form, policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • from April 20, 2005, until the date of the resolution agreement, the County failed to provide security awareness and training to workforce members, including its Information Security staff members, as necessary to and appropriate for workforce members to carry out their functions within the County.

As part of the settlement, the three-year corrective action plan focuses on substitute notice regarding the incident; a review of the County’s accounting of disclosures procedure, including regarding the incident; the County’s hybrid entity and business associate documentation; the County’s security management process; creation and revision of policies and procedures for the County’s covered healthcare components; training of the County’s workforce members involved with the County’s covered healthcare components who have access to ePHI regarding compliance with the Privacy, Security, and Breach Notification Rules; and investigating and reporting to HHS OCR regarding any failures in compliance by a workforce member of a covered healthcare component. For the three-year period, the County also shall submit to HHS annual reports with respect to the County’s compliance with the CAP, which shall include a summary of the security management measures taken during the reporting period, a summary of reportable events identified during the reporting period and the status of any corrective and preventive action, and an attestation signed by an officer of the County attesting review, reasonable inquiry and accurateness of the report.

The OCR’s action against Skagit County indicates that all organizations acting as covered entities—including agencies like local and county governments which may be hybrid entities—must comply with HIPAA and safeguard patient information with, among other things, policies and procedures and adequate workforce training. As commented by Susan McAndrew, deputy director of health information privacy at HHS OCR, “[A]gencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

A copy of HHS OCR’s press release regarding the Skagit County resolution agreement can be found here.

For more information, please contact Lynn Sessions, or 713.646.1352; or Kimberly M. Wong, or 212.271.2028.

Ohio Medicaid Expansion Underway

Last fall, Ohio became the 25th state to file a state plan amendment to extend Medicaid benefits to approximately 275,000 Ohioans who previously were not eligible for the program. In doing so, Ohio also agreed to accept an additional $2.5 billion in federal Medicaid payments. The Kasich administration believes the move will improve Medicaid and lower the rate of increase in costs to 3.3 percent annually from almost 9 percent a year before Kasich took office. Before the expansion, about 2.4 million Ohioans relied on Medicaid for healthcare.

From January 1 through February, 54,031 Ohioans, or roughly 15 percent of the 366,000 people the state projected would be newly eligible through June of 2015 have gained access to the program.

Lori Herf, senior government relations advisor in BakerHostetler’s Columbus office, continues to be involved in the legislative and rule-making process and discussions with senior members of the Kasich administration as Ohio implements its changes to the Ohio Medicaid program. If you have questions about Ohio Medicaid, please contact Lori A. Herf, or 614.462.2667.

Webinar Now Available: Lessons Learned from FTC Investigation and Challenges of Healthcare Provider Transactions

If you missed our webinar “Lessons Learned from FTC Investigation and Challenges of Healthcare Provider Transactions” featuring former FTC Commissioner Pamela Jones Harbour and other antitrust partners from our Washington, D.C. office, you can listen and view the webinar by clicking here.

Events Calendar

March 21

Cleveland counsel Tom Campanella will speak on "Hot Topics in Health Care That Will Impact You and Your Organization" at a meeting of the Central Ohio Healthcare Financial Managers Association in Columbus, Ohio.

March 25

Houston partner Lynn Sessions will speak on "Mobile Workforces & BYOD Programs: Evaluating Risks as a Result of the Latest Cyber Threats" at the Advanced Forum on Cyber & Data Risk Insurance sponsored by the American Conference Institute in Chicago, Illinois.

March 31

Houston partner Lynn Sessions will speak on "Managing a Healthcare Data Breach Response: Lessons Learned & Best Practices" at the HFMA Texas State Conference 2014 in Austin, Texas.

April 3

Houston partner Lynn Sessions will speak on "HIPAA/HITECH: The Final Rule" at a Healthcare Educational Workshop sponsored by Beazley in Los Angeles, California.

April 4

Washington, D.C. counsel Lee Rosebush will speak on "What’s Next: The Ever Changing Landscape of Pharmacy Compounding" at the 136th Ohio Pharmacists Association Annual Conference in Columbus, Ohio.

April 8

Houston partner Lynn Sessions will speak on "Cyber Liability" at the 2014 Higher Education Risk Management Conference sponsored by The University of Texas System in Lost Pines, Texas.

April 10

Houston partner Scott McBride will speak on "The New Age of False Claims Act Enforcement and Investigations" at the 26th Annual Health Law Conference sponsored by The University of Texas School of Law in Houston, Texas.

April 11

Houston partner Susan Feigin Harris will speak on "Impact of the Affordable Care Act on Texas" at the 26th Annual Health Law Conference sponsored by the University of Texas School of Law in Houston, Texas.

Houston partner Scott McBride will moderate a panel on "The False Claims Act: What Every In-House Lawyer Needs to Know" at the 36th Annual Corporate Counsel Institute sponsored by The University of Texas School of Law in Dallas, Texas.


Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.