HITECH Increases HIPAA Risk
Risk to violators, that is. Be sure to read the new interim final rule posted today. Key to the proposed changes is that the maximum penalty increases 60-fold — to $1.5 million for violations of an idential provision. And a covered entity can no longer bar the penalty unless correction is made within 30 days of discovery.
Read the HHS press release.
Add comment October 30, 2009
Swine Flu and Vendor Credentialing: Part II
Last May in the Swine Flu and Vendor Credentialing post, we highlighted the new reality that a number of customer hospitals were email visiting vendor representatives to new H1N1 precautions. These hospitals relied on their Vendormate registration files for current vendor contact information. Most of these notes were gentle reminders of communicable disease best practices and basically read, “if you’re sick, stay home.”
With H1N1 still with us, hospitals are again alerting visiting representatives to new precautions. Hospitals want to require seasonal flu and H1N1 vaccinations, but know that distribution issues make that impossible. Instead they are requiring the immunizations or a mask when on site.
Most of these customers have adjusted their Vendormate-based program to communicate the shot or mask requirement and to track compliance.
To reinforce the message, Vendormate badges at these hospitals now include a WARNING by the badge photo indicating that a MASK is required if the visiting representative hasn’t yet been able to complete the vaccinations. This message is critical for the hospital staff to be able enforce the requirement quickly and effectively without interfering with the vendor’s business routine.
Add comment October 23, 2009
HHS Breach Notification Form On line
The Hunton & Williams privacy and security blog has been very active recently. It covers a wide range of issues of interest to many industries. Last Friday, they noted that the Department of Health and Human Services had added the on-line form for breach notifications.
For all of you worried about the burden of reporting a breach, take a look at the form. It’s not onerous and should take only a few minutes to complete. Of course, the real issue is having a plan for notifying affected individuals. Unfortunately, that’s not something an online form can handle for you.
Add comment October 6, 2009
HITECH & BAA & Vendor Credentialing
Several of our healthcare customers came together for a call last week to talk about the implications of the Health Information Technology for Economic and Clinical Health (HITECH) Act, particularly as it concerns vendors that meet the “Business Associate” requirement. Representing hospitals from California to Florida to Michigan and in between, these systems shared a common concern about the best way to prepare for this act.
If you’re not familiar with the BA concept, a business associate is role defined by the Department of Health and Human Services and is essentially any organization that assists a covered entity (e.g., hospital) with the performance of functions that involve access to protected health information (PHI). In the HITECH Act, requirements that were once only the obligation of the covered entity are now expanded to be directly required of the BA. The biggest concerns are along the data security and breach notification requirements with potential direct civil and criminal penalties.
For the group, the questions ran along the lines of: How does this change our existing relationships with Business Associates? Will vendors resist continuing BA relationships because of these increased requirements? What role does this play in vendor credentialing programs?
By the end of the call, few conclusions were reached. The Act isn’t in force yet, and further comments and clarifications are expected from HHS. The group did agree that there was a very helpful overview from Rachel Nosowsky, Esq. for the American Bar Association here.
Looking ahead, healthcare providers may want to include requirements related to the HITECH act in their BA agreements — such as requiring patient privacy training for employees and asking BA employees to acknowledge data security policies and practices, etc.
But one significant point of consensus: The content and terms of Business Associates Agreements are the domain of the contracting effort, not the rep credentialing program. A hospital should no more ask a rep to sign off on amended BA agreements than it would ask a rep to unilaterally approve a change in contract terms.
Add comment September 11, 2009
Getting the Word Out
I’ll suggest that the day-to-day reality of compliance management is more about actively communicating the sets of unacceptable behaviors rather than uncovering and punishing perpetrators. After all, the vast majority of people follow community standards of ethical behavior (except, perhaps, during rush hour). For this reason, it’s not surprising to see recommendations like this recent one from Supply Chain Management Review. An article discussing Gifts and Entertainment Policies best practices, includes this conclusion:
Finally, another best practice on this topic is to send an annual letter to suppliers, reminding them of the policy and expectations, alerting them to the consequences for failing to abide by the policy, and enclosing a summary of the policy for their guidance.
I appreciate the intention of clarity. Define your standards, and communicate them to all affected parties. But how do you do this, really? How many supply chain managers have the contact information for all the supplier reps who might be doing the entertaining? Sure you’ve got your contacts, but what about the other department heads’ contacts?
And then, what about your other policies that you want to communicate? Do you bundle this all into one extended message? Or do you piecemeal it over time? A “Message a Month”?
The recommendation also includes repetition. Not just at the start of the contract, but annually. Again, I agree. Reinforcement, reminders, and repetition are all keys to communication and learning.
Of course, I have my own point of view here. And it’s that Vendormate addresses this by having suppliers register on a buyer’s customized portal. The supplier, rather than the buyer, keeps the contact information current. This way the supplier is always informed of the buyer’s standards, just as the supplier stays current about the buyer’s product and service needs. The web-based portal provides 24/7 availability of all policies (old, new, and in-between) and serves as the central database of record for supplier and vendor contact information for email announcements of changing policies.
But not everyone is a Vendormate user, so, I’ll open this up for comment. What are your real world approaches to this communication recommendation?
Add comment August 25, 2009
States Reinforce CMS Exclusion Guidelines
In January, 2009, the Centers for Medicare & Medicate Services (CMS) released a State Medicaid Director Letter (SMDL #09-001) clarifying and reminding States of the requirements and consequences of payments to excluded individuals and entities.
Since then, states have been at work communicating the same requirements either under their own letterhead or by re-post. A quick scan of the internet shows communications from:
- Alabama
- Iowa
- Kentucky
- Louisiana
- Maryland
- Nebraska
- Nevada
- Oklahoma
- Rhode Island
- South Carolina
- Virginia
I’m sure there are more. But whether it was a reTweet from your state or you saw it directly from HHS, two key points remain:
Sets forth the Centers for Medicare & Medicaid Services’ (CMS) policy with respect to States’ responsibility to communicate to providers their obligation to screen employees and contractors for excluded individuals and entities both prior to hiring or contracting and on a periodic basis (emphasis added)
States should require providers to search the HHS-OIG website monthly (emphasis added) to capture exclusions and reinstatements that have occurred since the last search.
Add comment August 17, 2009
Healthcare Crackdown on Fraud
John Commins over at HealthLeaders recently wrote about the ever-rising focus on fraud in the healthcare. In his article, Culture of Compliance Preempts Whistleblower Suits, he makes the point that the potential gains to the whistleblower in a difficult economy could easily increase the number of whistleblower suits. He continues that creating a culture of compliance, with appropriate reporting pathways, is the best way to prevent these suits.
The aphorism is true: Prevention is the best medicine.
Cultures are typically created informally and unintentionally. Action by action. Decision by decision. Until there is a consistency in viewpoint and behavior. I’ll build on John’s recommendation that now is the time to conciously create a culture of compliance by adding that culture has to be applied consistently across staff, contractors, and vendors.
Add comment July 30, 2009
Bankruptcy, Part II
Back in October, we posted the BPM or Bankruptcy Page Metric, which was just a count of the pages of Chapter 11 filings in the US Bankruptcy Court, District of Delaware. From a base of 3 pages of filing in January, 2008, the number of pages in the filings jumped to 16 pages in August, 2008.
Now, we see this statistic from the Washington Business Journal
More than 14,000 businesses filed for bankruptcy protection in the first quarter of 2009, a 64 percent increase over the same period a year earlier.
Nearly 10,000 of the business filings in the first quarter were Chapter 7 liquidations. Chapter 11 reorganizations accounted for 3,421 filings.
Chapter 7, as you know, means the doors are closed. No continuing operations ala Chrysler, GM, etc.
Every buyer and materials manager needs to have contingency plans in place to respond to a bankruptcy. Start with monitoring the credit scores and status of your vendors through your vendor program. Then have direct and frank conversations with your suppliers to understand their current situation and how you can work with them to keep the worst from happening.
Add comment July 10, 2009
Vendor Program Audits: From Homeroom to First Period
Back on the topic of vendor program audits, this week is about auditing the hospital’s own participation in the vendor program. I’ve made my middle-school son the stand-in for vendor representatives, so let’s turn the table and make his teachers the analogy for hospital staff.
Our school system has a set of guidelines for teachers. But not surprisingly each teacher approaches the task at hand differently. And that’s good. The teachers’ training and experience should be respected.
But at the same time, that variety can make it difficult for the administration to manage the less glamorous parts of running a school and for the students to figure out what to do.
It’s the same with hospitals. Each department wants to do what it believes is best and with its own style. But that grass-roots level initiative can make it difficult for administration to be confident standards are being met across departments and for vendors to figure out what to do.
The key is balance. Standardize the routine so that flexibility is possible when needed.
From a vendor program standpoint, sign in and badge status reports by department are the teacher’s pets, telling which departments aren’t toeing the line.
Here’s what many of our customers do.
First, run a report of all vendor rep sign-ins for some period — say a week or a month. Sort it by department. Which departments have the highest visitor traffic? Is it the ones you expect? If patient care areas like the cath lab aren’t at the top of the list, you know that something is off. On the flip side, if no one is signing in for pediatrics, that’s another problem.
Now sort the list by badge status within department. Do you see a department with a lot of non-compliant vendors? Stop by and find out why that department isn’t collecting the required documents. Maybe that document isn’t really relevant and that requirement should be dropped. Maybe that department doesn’t understand that your vendor program is about getting the mundane paperwork out of the way, so that the staff can focus on care delivery, not risk management.
Add comment July 1, 2009
Vendor Credentialing for Brides
I’m going to digress a bit this week to highlight the expansion of vendor verification and credentialing into other verticals beyond healthcare.
Buyers have always turned to references for reassurance when they lacked personal experience in selecting a supplier. And as the internet expands a buyer’s access to potential suppliers to infinite levels, references and credentials become even more meaningful. At first, comments from strangers about hotels, software, etc. suffice, but reading through those comments quickly becomes numbing. Comments run the gamut from excellent to miserable.
Who can you trust? Turn to the experts to help you decide and vendor credentialing is born.
Now vendor credentialing is moving into a variety of industries, but I think the most intriguing application is the wedding industry. The average US wedding in 2008 cost $21,800 (down, by the way, from $28,700 in 2007) according to The Wedding Report.
So, when you’re spending that amount of your own money, you certainly want to be sure you’re getting what you want. No longer restricted to referrals of friends and families, the happy couple can now turn to Verified Valid to credential the potential wedding service provider.
Vendors pay from $50 to $300 for credentialing and verification based on the level required. Then brides pay an additional fee for access to the information. (Hmmm. That’s more expensive than in healthcare.)
This all makes more sense than most “Buyer’s Guides” I’ve seen which are little more than paid listings without any vendor qualfication other than the check cleared. At least here, brides save time and get trusted independent counsel. Vendors get a stamp of credibility and access to qualified buyers without having to prove themselves over and over.
As healthcare compliance becomes increasingly integrated with risk and supply chain management, it won’t be surprising to see a shift in the vendor’s view that the value of vendor credentialing is in credibility and access to buyers rather than just a hurdle to be jumped.
Add comment June 17, 2009
