PHYSICIAN PRACTICE MANAGEMENT


The Newsletter of the Massachusetts-Rhode Island Chapter, Volume XLI, Number 6
MASS MEDIA: PHYSICIAN PRACTICE MANAGEMENT

Schedule M, Noncash Contributions and Gift-In-Kind Valuations
Assuring the Effectiveness of Physician Compensation Plans
Reducing Unwarranted Variation in Care
Privacy Regulators Are Here to Stay: Effective Communication for Your Organization is Key
Determining Strategic Physician Recruitment Needs Under Population Health Management: 5 Key Variables to Consider

Privacy Regulators Are Here to Stay: Effective Communication for Your Organization is Key
By: David C. Tolley, JD, MA

Many healthcare organizations are increasingly focused on data privacy, and the same goes for regulators. In the not-too-distant past, regulators would allow leeway for non-compliance with highly technical and complex state and federal data security laws. The most recent settlement agreements entered into between healthcare organizations and the United States Department of Health and Human Services Office for Civil Rights (OCR) demonstrate that non-compliance, big or small, will no longer be easily excused.

Highlights from Recent Enforcement Activity

Just a few of the recent examples include:

$800,000 settlement paid on June 23, 2014 by Parkview Health System of Indiana after leaving paper records unsecured and in boxes in a physician's home driveway.

$1,725,220 settlement paid on April 21, 2014 by Concentra Health Services stemming from the loss of an unencrypted laptop and an alleged history of internal findings suggesting risks based on lack of encryption of electronic devices.

$250,000 settlement paid on April 14, 2014 by QCA Health Plan, Inc. of Arkansas (QCA) as a result of a lost, unencrypted laptop and suggestions by OCR that QCA had failed to comply over a number of years with HIPAA requirements.

$215,000 settlement paid on March 6, 2014 by Skagit County, Washington as a result of inadvertent placement of patient information of 1,581 individuals on a publicly available web server.

$150,000 settlement paid on December 24, 2013 by Adult & Pediatric Dermatology, P.C. of Massachusetts following an investigation by OCR of the entity's HIPAA compliance program following theft of an unencrypted thumb drive containing the ePHI of approximately 2,200 individuals from a staff member's vehicle.

$1,215,780 settlement on August 7, 2013 paid by Affinity Health Plan, Inc. when an investigation by OCR indicated that Affinity impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copiers' hard drives.

$275,000 settlement on June 6, 2013 paid by Shasta Regional Medical Center when OCR determined that senior medical center officials disclosed PHI to multiple media outlets, without valid authorization (and without sanction), on at least three occasions.

Are There Any New Lessons to Learn? Maybe One

What lessons can we learn from these settlements and others? Perhaps the only real lesson is that regulators are serious, and a broad commitment to compliance, in a way that fills as many gaps in compliance as possible, should be the goal for any organization. But most organizations have known this for some time. Furthermore, most of the themes are not new. For example, three of the seven settlements noted above resulted from theft or loss of a portable electronic device containing unencrypted patient data. While difficult to implement, entities have known for some time that they should have as a goal strong media control procedures along with entity-wide encryption of portable devices. Furthermore, OCR has made clear on a number of occasions that it expects organizations to undertake periodic internal security risk assessments, followed by concrete steps by the organization to address potential gaps in security.

There is perhaps one lesson that is new when it comes to privacy: organizations cannot overstate the importance of effective communication with the regulators who come knocking. Most organizations that receive a subpoena or other inquiry from the Department of Justice recognize the immediate seriousness of the inquiry and respond accordingly; a well-managed, thoughtful response goes a long way. However, until very recently, privacy regulators at the state and federal level have seldom demonstrated an appetite for imposing penalties for non-compliance like their other law enforcement counterparts. Even seasoned professionals may be inclined towards a more routine and informal approach with these regulators. In our experience, approaching these regulators with an appreciation for the significant power they now wield and the seriousness with which they take their charge goes a long way and can lead to better outcomes for your organization.
If you receive a letter or verbal inquiry from a privacy regulator, you should consider the following:

There is nothing wrong with having discussions with regulators about a reported breach or your compliance infrastructure. However, given that enforcement activity usually arises from follow-up questions posed in the aftermath of a reported breach (and the findings that result), you should ensure coordination among compliance, legal and other executive groups to ensure an accurate and effective response by your organization. Avoid piecemeal responses without appropriate consultation among stakeholders.

Consider utilizing internal or external counsel to oversee and facilitate responses to regulators so that you can use every communication with a regulator as an opportunity for effective advocacy.

Advocacy is, of course, a broad concept. Often, cooperation with regulators is key to good advocacy; you are almost always well-served by forming a good working relationship with your regulators. In addition, your ability to advocate effectively often depends on a solid understanding of the underlying facts; taking the time to understand any underlying circumstances usually pays off handsomely, whether because it helps you secure a better result for your organization or because it helps you calibrate your strategy quickly and avoid taking positions that you cannot later support with evidence. Last, there is no substitute for being willing to tell your story in a way that presents (and emphasizes) the strengths of your organization and acknowledges any weaknesses in proportion to your strengths.

David Tolley recently joined the Boston office of Latham & Watkins LLP, where he focuses on representing healthcare providers, health plans and life sciences companies in compliance and regulatory enforcement matters. He can be reached at david.tolley@lw.com or (617)