Add Retention Agreement Autograph with airSlate SignNow
Improve your document workflow with airSlate SignNow
- Flexible eSignature workflows
- Fast visibility into document status
- Easy and fast integration set up
- Add retention agreement autograph on any device
- Advanced Audit Trail
- Strict protection standards
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your step-by-step guide — add retention agreement autograph
Using airSlate SignNow’s eSignature, any business can speed up signature workflows and eSign in real time, delivering a better experience to customers and employees. Add a Retention Agreement autograph in a few simple steps. Our mobile-first apps make working on the go possible, even while offline! Sign documents from anywhere in the world and close deals faster.
Follow the step-by-step guide to add Retention Agreement autograph:
- Log in to your airSlate SignNow account.
- Locate your document in your folders or upload a new one.
- Open the document and make edits using the Tools menu.
- Drag & drop fillable fields, add text and sign it.
- Add multiple signers using their emails and set the signing order.
- Specify which recipients will get an executed copy.
- Use Advanced Options to limit access to the record and set an expiration date.
- Click Save and Close when completed.
In addition, there are more advanced features available to add Retention Agreement autograph. Add users to your shared workspace, view teams, and track collaboration. Millions of users across the US and Europe agree that a system that brings people together in one cohesive workspace is what organizations need to keep workflows running smoothly. The airSlate SignNow REST API enables you to integrate eSignatures into your app, website, CRM or cloud. Try out airSlate SignNow and enjoy faster, easier and overall more effective eSignature workflows!
well good afternoon everyone and thank you for joining us today for our first webinar of 2021. uh we are so pleased that you have joined us today and we appreciate your time uh we also like to thank you guys for participating in the um poll and kathy we'll go over those uh with you in a moment today we're going to talk about lessons learned from ocr resolution agreements and 2020. um the presentation will be done by myself cassie turner i'm a senior risk management representative in the tmlt risk management department and i'm going to be joined today by kathy bryant hi i'm kathy bryant i'm the manager of tmlt's product development so before we get started just letting you guys know that kathy and i have no commercial affiliations related to this talk today this is just deemed as a resource and it's not a legal opinion and our goals today as we go through the program what we're going to talk about is hopefully to give you an ability to define a resolution agreement and discuss how it affects a practice after an ocr investigation also identify the most common findings by the ocr in 2020 resolutions agreements and also hopefully some mitigating factors to help you protect your organization so what is a resolution agreement to best understand a resolution agreement you really need to know where it starts a resolution agreement doesn't happen unless an organization has had either a reportable breach to the ocr or if they have had an and a complaint that's been reported to the ocr by a patient and that complaint results in an investigation just read recently that 25 are breaches of large numbers of greater than 500 were up 25 in 2019 or 2020 over 2019 i think that is this is a good time to also interject our polling question that we asked about when did you have to report small breaches and the correct answer or the most correct answer is 60 days after the close of the calendar year this year that's march 1st you can report them by december 31st you can report them at 
the time that the breach occurs but six months may or may not be too long if the breach occurred in december six months would not be within the rules and of course there is obviously a deadline so the ocr has received a complaint or a breach and they have started an investigation investigations take months and months and months typically we're actually seeing those resolution agree or the investigations taking well over a year at this point so and resolution is literally a signed settlement agreement between health and human services or the ocr and the covered entity in which the covered entity agrees to perform certain obligations to make reports to health and human services generally for three years health and human services monitors the organization's compliance with these obligations and often the resolution agreements do include a payment of a penalty the ocr does have a deliberate process that they go through when they are determining that a resolution agreement and penalty is necessary the ocr really believes that these enforcement actions are designed to send a message to other covered entities that it's important to comply with the hipaa rules but before they determine a settlement about or a fine or penalty they consider what the nature or extent of the potential violation was the nature or extent of harm resulting from the hipaa violation your hist or the entity's history with respect to privacy rules compliance and security rule have you had an investigation before are you reporting multiple breaches the financial considerations of the conditions of the entity and they have added a special clause about the effect of covid19 on practices and then there may be other matters of justice that are required so we've listed here for you the 2020 resolution agreements they are also the second file in the downloadable file pod in the lower right hand corner we would just encourage you to look at at these the ones in the downloadable file are hyperlinked back to 
the ocr website so if you want to read either the press release in full or the actual resolution agreement they are all there you can see that the ocr kind of had a slow start with only one resolution agreement in the first quarter it's interesting to note that it was right before most people were affected by the pandemic and the ocr actually was busy issuing a lot of interim guidance and that guidance has been helpful throughout the pandemic the second quarter there were only two uh two type art two excuse me two settlement agreements and the third quarter we saw four settlement agreements the fourth quarter is a different story there were four settlement agreements with the last actually being on december 22nd which was the 13th investigation in the hipaa right to access initiative and we're going to talk a little more about that in in length at the toward the end of the program so what were the top five resolution agreements in 2020 with the ocr number five lost unencrypted laptop number four failure to terminate of former employees access to ephi number three failure to follow hipaa security rule requirements second largest was large breaches by business associate or health insurer and the number one was right to access which kathy was just highlighting at the end of the last quarter and these all totaled around a little over 13 million dollars um kathy said that the ocr had a slow start and quarter one of 2019 uh 2020 rather 2021 has actually already started off pretty quickly we've already seen two settlements come out one kathy and i have been discussing because the fines were rather steep it was failure to provide information or medical records in a timely manner i think the delay was maybe around five or six months um and we saw a two hundred thousand dollar fine from that which is one of the higher ones that we've seen for right to access um so something that we're definitely keeping an eye on with that being such a larger uh fine that we've seen the 
other settlement was a 5.1 million dollar settlement for a cyber attack that affected about 9 million records um the attackers were within the system from i believe december of 13 through may of 2015 so um had access for quite a while before being discovered uh and again you can see just with the 5 million and the 200 000 there were already close to over half of what they've enforced for the whole year of 2020. so how do we minimize an ocr resolution agreement as we've mentioned knowing the rules the hipaa rule of privacy the rules of security and the breach notification rules and ensuring that you're following what the requirements are for each one of those rules um we've included some quotes here from the office of civil rights director uh saying that you guys owe it to your patients to comply with hipaa rules failure to implement security protections is inexcusable so they're still holding fast to the the protection of the data and the information of the patients secondly for minimizing conducting a security risk assessment and developing a risk management plan from those findings to mitigate any risk or vulnerabilities or threats again you can see the ocr director says the failure to implement basic hipaa requirements such as an accurate risk assessment and risk management plan continues to be an unacceptable and disturbing trend um so if you haven't done those things now is a good time to look at them all of the ocr you know systemically they find non-compliance with the hipaa rules including the failure to conduct the risk analysis and failures to implement those plans as a result and also not having good audit controls in place thirdly having written policies and procedures in place all three hipaa rules require covered entities to have written policies and procedures the ocr audit protocol directs the auditors 100 times to obtain policies and procedures and then to evaluate whether or not those policies and procedures are reflective of what the clinic is 
actually doing we see often a lot of templates within offices that have not been customized to reflect their standard operating procedure so if you have those policies and procedures you want to make sure that they're actually reflective of what you all are doing and they're not just templated versions that haven't been edited or customized and then the recommendation is that these are to be reviewed and revised as appropriate generally annually is what is expected and then fourthly how to minimize is training your workforce and maintaining documentation of those efforts to train your workforce you want to have training on all three aspects of the hipaa rules breach notification privacy and security you'll want to make sure that you're training your new employees um within 90 days of employment is the texas rule you'll want to ret um retrain to maintain staff competencies um especially with security of protected health information and then anytime there's a change in law or an interpretation of the law or if there's a change in your process let's say you bring on a new emr or you implement something new you'll want to make sure that you're training for that as well and keeping good record of those training efforts so one of the questions that's been posed in the question and answer pod is and a question about what is the ocr the ocr is the office for civil rights it's part of the federal health and human services and they are charged with enforcement of hipaa so that is what the ocr resolution or the ocr stands for so that's the office for civil rights so the office for civil rights really does provide a lot of information inside their settlement agreements i encourage everyone to read settlement agreements and see what the key things that the practice was or was not doing correctly that's highlighted in that agreement and then evaluate your practice to make sure that you are in good standing with those and work to improve your compliance as needed one of the 
things that we know is that cell phones laptops and other mobile devices are stolen every day and covered entities can best protect their patients data by encrypting mobile devices to thwart identity thieves hacking is the number one source of large breaches of data and in fact there were over 600 healthcare facilities that were impacted by ransom attacks last year by far ransom attacks are our number one cause of a breach that we are seeing both as a company in the state of texas and nationally and lastly from another settlement agreement the ocr has created right of access initiative to address the many circumstances where patients have not been given timely access to their medical records individuals have a right to access their medical records this is a specified in the hipaa privacy rule as a right so it is treated very highly and violations of that right are treated very highly uh by the oh of the office of civil rights the office for civil rights believes that patients cannot take charge of their health care decisions without timely access to their own medical records and information and quite honestly the the organizations that have been fined for failure to allow access under the right of access initiative they there have been significant delays so this is really something that's very important for you to spend some time and make sure that your organization is following the individual right to access their records without any issues that's the and we've included that as the third downloadable file on in the downloadable files pod in the lower right hand corner is actually an extraction of the office for civil rights discussion about the individual right to access it's a pretty lengthy document it has lots of questions and answers and we also have a recorded webinar on our website if you have other questions and want more information basically no one should have to wait a year or over a year to get copies of their medical records and it should not take a 
federal investigation to access to a secure access to patients medical records too often that's what it takes for health care providers when they don't take their hipaa obligations seriously and i think that's a real important thing to think about it's not only the potential investigation and possible fines but it's really about meeting your obligation to your patients so what do you do when you have a privacy or security incident if it's a security incident you want to disconnect or segment that device from your network we don't want you to turn off the device because sometimes simply turning off the device destroys the forensic evidence on that device because forensically they're going to want to image the drive you want to begin your investigation immediately and document your investigation mitigation effort efforts and corrective action of course we want you to notify your cyber insurance carrier and other agencies as appropriate most often your cyber insurance will connect you with an attorney to help you go through the process of investigation and determination if the incident has resulted in a reportable breach and you really need to understand your legal obligations risks and exposures if you ever receive a phone call or a letter from the office for civil rights again you need to take these very seriously if you have not reported the incident to your cyber insurance carrier you need to do so if you have an attorney assigned already you need to be sure and let them know that you've received a call or a letter and allowed them to help you develop your response to the office for civil rights and of course in all dealings with any kind of investigator especially from the office for civil rights we want you to be courteous and make sure that you get timely responses with the help of your attorney and i can tell you that since the first of the year we have seen one request for information that was much more detailed and more much more extensive in an 
investigation of a practices reported breach from last year so there are consequences for non-compliance if there weren't we probably none of us would try to comply we know that it's difficult to navigate the maze of non-compliance and the investigations by the ocr and that's why we do not want you to be alone when you do that it is not advised because you really need the guidance of an attorney to help make sure everything is included in the notification and all the different steps along the way often investigations take time away from your patient care or your patients i can tell you that there are multiple phone calls with attorneys with the office for civil rights and all sorts of other things that keep you from taking care of your patients there could be a financial impact you may be paying staff overtime to help get all of the documents pulled together that the office for civil rights is asking for or it may be that you're having to pay for additional help with consultants or other types of of um costs related to your your of course those large breaches of more than 500 patients those are actually reportable not only to the secretary of health and human services to the patient but often but also to the media and those media releases and and required disclosures often result in reputational harm you know patients have rights and know they can go other places so simply having a reportable breach in the newspaper or on television may be a detriment to your practice and of course there are fines and penalties and as we saw last year there those can be quite extensive we're going to start taking questions so feel free to enter your questions in the in the q a pod it's now down at the bottom in the middle we do want you if you are asking for cme if you would please fill out our cme evaluation form we have just sent it to everyone's browser it should be popping up that the cme evaluation form if you did not get that you can certainly click on the link in the blue 
box at the top you will receive a an email with a link to the recorded webinar tomorrow so cassie do we have any questions uh one question that we have uh we receive phone calls for records and we tell the requester to send a signed release but they decline and continue to call um so in that scenario you will want to have some type of validation of who the patient is validating their identity via their birthday or their driver's license or some type of way to identify and get a verbal consent from them at minimum to be able to release the records we would probably caution on making the patient come into the office to sign a form to get their records again it's creating access which sometimes feels a little counterintuitive but you want to make it not cumbersome for the patient to get access to their records and if it's a third party if it's someone else other than the patient you absolutely are required to have a valid authorization before releasing those records if it's not for treatment payment or health care operations and so absolutely you are you're in your right to not uh release those records but again keeping record of those requests because you don't want those to end up being an actual uh complaint investigation if to the ocr office for civil rights there was a question earlier i i think it was when we were looking at the statistics and and the the settlement agreements and the question was are these in texas no those were nationwide it is possible to do a drill down as far as the actual texas ones but those were nationwide so kathy our next question next question can um tmlt provide a one to two page practical guidance on documentation we need to keep to fulfill hipaa rights and security analysis so that uh is a a challenge to get a one to two page practical guidance for documentation that question actually makes me think about our january 2020 webinar which is recorded and available on the tmlt resource hub and also on youtube but we did something about 
it's time for your annual hipaa checkup and that did have some helpful hints on things that you should be doing so your security risk analysis is going to be much longer than one page you should be doing your security risk analysis if not every year then you need to be at least reviewing it and completing a complete security risk analysis at least every two years you are also required to do one anytime you make a major change in how you use or produce records or keep records so if for instance you went from a server-based ehr to a web-based ehr then you would need to at that time actually do another security risk analysis to make sure that a new vulnerability had not been created by that change that's one example that we often point out but i would certainly encourage you to check out the other webinar from last year kathy i'll just note that sarah has posted that link in this chat so if you want to download that she's made it real easy for you to go and find that webinar that kathy's referenced we can actually put that over in the web links because they aren't able oh they're not able to get it to say the question so i'll i'll move it over i'm going to take the next question can you request payment for records yes you can request a payment for records um this would be something that we would recommend you have outlined in your policies and procedures of what your format is uh for collecting uh payment the office of civil rights and the federal government has set forth six dollars and fifty cents as a reasonable fee if that's something that you do not feel is a reasonable fee to charge for medical records when you're releasing them to the patient then you can develop a cost based on a formulary that they put forth again this is one of those other topics that can get a little bit complex and we have a webinar that discusses uh payment and up for medical records and we'll post that one as well to the web link so that you can access that as well there was one rule 
change in there uh since we did that webinar on release to a third party that has basically been removed but the remainder of the webinar information is current for payment okay i just added that uh that web link for the it's time for your annual hipaa checkup to the web link in the lower left hand corner so kathy what is the next question responsibility as a physician if they do receive a breach uh and the emr is web-based kathy so you are responsible for any protected health information that you create maintain receive or transmit so you would have to do a breach notification in most instances the emr that is web-based if the breach occurred because of something on the emr side then they as a business associate may have to report the breach as well and in some cases a decision is made to do a joint reporting but that would only be under the advisement of your attorney and make sure that everything was was documented but you would still be responsible so what is the current requirements for retention of medical records after retirement um the texas medical board requires that medical records for adult patients is seven years and if it's okay with you i'd like to email you some resources so that you can have some more details about maintaining medical records but you are required even after retirement um to maintain those or go through a process of having a custodian which is um a little bit more unique but i'll make sure that you have those resources that really outline the details of that so the next question is if if the practice does not have electronic records and your patient records are in paper how does the law changing access on april 1st affect my practice interesting question and a very well informed physician i might point out what what this is referencing is a new law that is going into effect in april that's called information blocking and it has a lot of detail in this rule but basically it is allowing someone to access or get access to their medical 
records through a third party application and just this morning we confirmed that a great speaker on this topic for our february webinar and so be sure and watch for that it's an attorney that does extensive work in both health care and health i.t so that will be one that you'll definitely want to either join us for or watch on our hub afterwards if you can't join it how do you encrypt mobile devices do you want to answer that or you want me to take that okay kathy well the easy answer is it depends different devices are encrypted in different ways if you're talking about cell phones it's possible to inc encrypt both iphones and android devices if you're talking about laptops or tablets those types of mobile devices it is probably very specific to both the operating system that you're using as well as the other programs that you're accessing because early on ehrs did not play well with encryption that has definitely gotten better over time but you just want to make sure that you include your health it people or your your it people and your ehr to make sure that you're not creating any difficulties in actually accessing what you need to do but basically the the concept of encryption is that when the the hard drive is encrypted that data is basically scrambled and so even if someone stole that device they could not read that data an example is our laptops are encrypted and if someone stole my laptop and pulled the hard drive and tried to put it into another device it would not be readable because part of the encryption is it knows the device that it was encrypted to so the next question is can you hold medical record release until you receive payment in the state of texas you have 15 days to respond to a medical records request to to provide those records so if it's within that window i would say yes it's fine to hold on until you receive payment the office of civil rights as we've been talking about does say that if the patient is not able to pay um to release the 
medical records to them and not hold them on ability to pay and we have put also that webinar that we've been referring to about release of medical records and fees over into that bottom left left pod that says web links so you can launch that as well if you're interested because there are several questions about medical records here so again not recommended unless you're within that 15 day window of release next question kathy and trying yeah you're adding the other one for us as well and trying to frame a fraudulent contact from the ocr what is the main mode of communication from the ocr for the initial contact to initiate and so typically the main main mode is that you're going to know if you've reported a breach and if it is over 500 individuals that are involved you can be you can rest assured that the office for civil rights is going to start an investigation they do have the opportunity to investigate smaller breaches but actually most of those were not seeing we're not seeing that a very small breach is ever creating an investigation there may be some back and forth correspondence which is typically by letter by u.s postal service and so that would be a good thing to train your front staff on to make sure that they knew if you ever get a letter from the office for civil rights that they know what to do with it the other part of that is if it's a complaint investigation often you will get a phone call from the office for civil rights asking for some initial information because they actually have to do at least a phone call to determine if it is something they're going to open a full investigation on looks like one a couple more questions about release of medical records about payment which i think we've touched on and again we've put that webinar over on the web links for you and then final question i'm seeing here right now is the patient billing information considered patient medical record and protected by hipaa short answer is yes that 
information is is considered to be protected health information and i would just add to that that we have a number of examples where practices that even have paper records still have had to report breaches because their practice management system or their billing system has been breached so that would be something that yes you would need to make sure that those records are protected just looking to see if we have any last questions up i think that was a follow-up to a couple of the other questions if you are wanting cme for today if you would please be sure and type that into the lower right hand corner type your name and your email address and that way we will make sure that we get our cms or your cme certificates out those typically would be sent out within about a week so if you could just include that so that we can make sure that everyone's getting getting their cme just remind you that a copy of the presentation and the other parts of the program are all down in the downloadable files and those can be downloaded for future reference looking to see if i see any uh last questions cassie no i do not see any and we see that some of you are asking for information and we've taken down your emails and we will email you those resources about consultants and get those over to you so we would just want to thank you for joining us today uh great questions and i know 2021 is off to a a roaring start like cassie said there have already been two resolution agreements and with the changes in leadership in health and human services and the office for civil rights it's unclear as to how we are going to uh what we're going to see actually be the final parts of our the final changes to enforcement but at this point we're we're believing that things are going to stay the course as they have been so being informed certainly is helpful if you do have questions that you come up with after the webinar you can certainly always email those to consulting at tmlt.org cassie and 
i get those emails and we answer those so feel free to reach out to us if you do have other questions i'm just going to take one last look looks like there's one more question oh this is a good one what should you not include in a release of medical records you want to include what the request is for so if the request is for the complete medical record that they you're going to want to include the one exception to that would be psychotherapy notes if you take psychotherapy notes psychotherapy notes as defined by hipaa is very very specific and that's notes that are taken by a therapist outs and they are maintained outside of the medical records so those would not be included in a typical release of records if you need more information about that reach out to us but that's a really kind of unusual circumstance but if the records say they want all ekgs you send them all ekgs if they say they want the last history and physical you send that to them it just depends on what's on the valid authorization i think that's about the last question been really good questions cassie anyway thank you guys so much for your time today and for joining us um and we just hope that you all stay well and uh we appreciate your your time we'll see you next month