Provider Information: Steps to Take to Prevent Incidents of Medical Identity Theft

          Health care providers need to implement approaches to detect, prevent and respond to medical identity theft incidents.  No single solution applies to all providers because of each provider’s unique size, overhead and available resources.  Therefore, providers should implement a variety of techniques, including patient authentication, training and awareness, and risk assessment.

Providers should especially be aware of medical identity theft concerns because they could increase as the industry moves toward electronic health records and a national health information network.  If networks do not have adequate privacy and security protections, huge volumes of health information could be improperly accessed and used for medical identity theft, as well as other purposes.

In many cases, providers have not yet considered the unique characteristics of medical identity theft as a part of their overall risk assessment.  It is important for providers to evaluate whether there are any gaps in their policies and procedures that might lead to medical identity theft.  The best time for this evaluation is during routine risk assessments.

Although entities covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) are required to implement a security awareness and training program for their workforce, medical identity theft is rarely addressed as a separate, individual risk.  Requiring patient authentication – in the form of picture identification as well as a health insurance card – is one way to combat medical identity theft.

In addition to using education and training to prevent incidents of medical identity theft, providers should consider conducting training following an incident to ensure that employees and contractors have responded appropriately.  This allows staff to debrief, identify and apply lessons learned, and continuously improve the quality of privacy and security processes and procedures.  It will also help providers respond to and mitigate any threats as well as learn steps that can be implemented in the future to prevent similar incidents from occurring.

 Guide to Medical Privacy and HIPAA.  Health Care Series.  December 2008, vol. 7, no. 11.

                

© 2008 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

Informal Consultations

An informal consultation at a casual lunch can result in a duty to a patient subjecting the consulting doctor to a malpractice claim.  While collegiality is an important part of the practice of medicine, be aware of the risk.  If you are engaging in an informal consultation, keep it informal and keep it generic.  Consider documenting the informal consultation with a note indicating that only generic discussions were involved.  Consult only in your area of expertise.  If discussions go beyond informal, then make the consultation formal and go through all the appropriate steps for such a consult.


How to Fire an Employee

  Firing an employee is not an easy task – preparation is key.  When firing an employee, careful planning can limit misunderstandings, anger and recrimination.  Before you meet with the employee, make sure that there is detailed documentation in regard to the employee justifying your actions.  Pull together performance appraisals, written warnings, salary information, and all correspondence with that employee, especially if it is related to job performance.

             If an employee is entitled to additional consideration, such as severance, medical coverage, or additional vacation days, you should have your attorney draft a waiver for the employee to sign.  It is important to include all termination benefits to which the employee is entitled.  Make the employee’s receipt of the additional consideration dependent on his or her agreement not to sue.

             You will want to collect everything that the company has given to the employee.  Determine which computer passwords, access codes, and permissions need to be changed.

 If possible, have a witness such as your Human Resources manager observe the proceedings.  This witness will then be available to corroborate the events of the meeting should the former employee decide to sue.

At the beginning of the meeting, explain to the employee why he or she is being terminated.  Be firm but courteous while outlining the reasons as succinctly as possible.  Make sure that the employee completely understands why he or she is being fired, rather than just reprimanded.  Still, try to limit explanations and discussion about the termination.  It is important not to apologize for taking this action.  Give the employee time to express his or her feelings and provide honest answers without leaving room for any debate.

 Finally, explain the conditions of the termination, such as the severance package and any benefits or outplacement services offered. Then have the employee sign all related paperwork, including any appropriate waivers or agreements.  Try to conclude the meeting with a handshake and a sincere wish that the employee do well in the future.  It is always best to leave things on a positive note and keep any hard feelings or upset to a minimum.

 


Retirement Planning Key Numbers 2009

For 2009, the retirement plan limits are as follows:

Annual Additions $49,000

Elective Deferrals  $16,500

Catch up Contributions  $5,500

Maximum Covered Compensation  $245,000

Social Security Wage Base  $106,800.  If you have a profit sharing plan formula integrated with social security, be sure to review whether the formula still makes sense as the social security wage base increases.


Year End Coding Review

For 2009, there are 291 new codes, 375 revised codes and 95 deleted codes.

Consider a year-end analysis related to coding. Be sure you are ready for the 2009 changes.  Generate lists showing procedures and reimbursement levels.  Use the information in contracting.  Review coding changes.  As a group, review and discuss changes and the impact on your practice. Deactivate discontinued codes.  Be sure new codes are available.  Communicate coding changes to everyone involved in the process.


Physician Communications Via Email

If a physician (or physician’s office) is going to email patients, due consideration should be given to HIPAA implications as well as medical malpractice issues. Whenever drafting an email, consider what the email could look like posted as evidence in a courtroom. Adopt a policy concerning email communications and stick with the policy.

Consider the following:

Encrypt email for secured communications.

Save emails to your medical record. You never want to be in a position where a patient can produce an email from you but you don’t have a copy of it.

Include a confidentiality notice on all email.

Include the minimum necessary information in an email.

Never write emails when you are tired or angry. Save your email as a draft. Review once more before sending.

Do not copy others on emails to patients unless it is to your office administrator who is responsible for diligently saving the email.

Do not use email as a replacement for office visits.

Require patients to agree to the use of email for communications. Provide the patient a policy specifying what email can be used for.


Portable Devices Pose Challenges to Protecting Patient Privacy

Covered entities (“CEs”) need to be aware that their wireless networks and portable devices such as iPhones and BlackBerrys are not necessarily secure.

Almost twelve people have been charged with various counts of computer intrusion, fraud and identity theft, among other charges, for participating in a crime ring that allegedly hacked into nine major retailers’ wireless computer networks.  The feds believe that the conspirators stole credit and debit card numbers through “wardriving,” which involves one person who drives a car around while another person in the car attempts to gain access to a wireless network through a laptop computer.

CEs could be targeted in similar schemes and should make sure that their wireless networks are properly encrypted.  CEs should have already converted from using the Wired Equivalent Privacy (“WEP”) system of encryption to the more secure Wi-Fi Protected Access (“WPA”) protocol.  WEP encryption was more common until about a year ago, when researchers discovered weaknesses in it.

Additionally, CEs should remind staff members to use portable devices with care. There are two main risks: (1) if a doctor is in a public place and is using an unsecured network to transmit PHI [i.e., protected health information], then people could intercept that traffic if it is not encrypted or if it is encrypted with a weaker method; and (2) someone could piggyback on a signal to get into a laptop.  The second risk is much more difficult to accomplish, but it can be done so that perpetrators can look at the traffic coming from the device.

Use of portable devices like laptops and iPhones falls under HIPAA’s workstation use and security policies.  Therefore, CEs should remind staff members about where they can or cannot use these devices.  An airport is a particularly risky place to use such devices because anyone can log in for wireless access with a credit card and can intercept information.  Also, employees should use the locking features of the devices so that no one can open them without a password.  Finally, CEs should go over what kind of information is acceptable to transmit.  This will help to ensure that patient information is protected and HIPAA compliance is maintained at all times.

Health Business Daily, Sept. 17, 2008.

 


Joint Commission Makes Accreditation Manuals Electronically Available

The Joint Commission Resources has announced that it will now provide its accreditation manuals in electronic form.  The electronic manuals are a web-based tool for understanding the Joint Commission’s accreditation requirements.  The tool allows users to retrieve accreditation standards, to search text and to locate specific elements of performance that are needed by the facility.  The Commission’s consulting and education subsidiary, the Joint Commission Resources, released the new electronic manuals as part of the organization’s Standards Improvement Initiative.

 

            Manuals for the hospital, critical-access hospital, ambulatory, office-based surgery and home care programs offer filtering tools which focus on the standards relevant to those organizations and a history tracking tool to monitor changes to the standards.  There will be filtering and history tools for the behavioral healthcare, laboratory and long-term-care programs available in the 2010 electronic manuals.

 

            To access the electronic manuals, go to http://www.jcrinc.com/Accreditation-Manuals/.

 

 

Jean DerGurhian.  “Joint Commission Resources Moves Manuals Online.” Modernhealthcare.com, Dec. 3, 2008.

 

 


Clinical Trial Participants: How to Obtain Informed Consent

              Before enrolling in a clinical trial, human subjects must sign a consent form that details the nature of the study and the types of risks involved.  One survey conducted by CenterWatch determined that 30% of participants did not understand that their study could pose additional risks, and 70% did not know what questions to ask at the beginning of the informed consent process.  Companies can protect themselves in clinical trials through careful preparation of the consent form and extensive investigator training on the consent process.

             The consent document needs to be easy for the participant to read and understand.  The industry standard for consent forms is that they are written at or below an eighth grade reading level.  It is very important that the potential subject is able to understand the information in the form.  It can be challenging to write consent documents, which often need to explain complex medical issues, at such low grade levels.  However, the sponsor and the investigator should treat the task as important.  It should not be left up to the institutional review board to make adjustments.  Rather, sponsors should review any changes that institutional review boards make to ensure that no critical information has been deleted and that the readability and comprehension levels have not been corrupted.

             Researchers should never just hand the consent form to participants to read and sign.  Instead, they need to have face-to-face discussions with them and answer any questions they may have.  After reviewing the consent document with the participant, some investigators test potential subjects to see how much information they actually understood.  If a subject does not appear to grasp the critical points, the researchers need to discuss those issues with them again until they fully understand.  This will help to ensure that true informed consent is obtained from all trial participants.

 Wadlund, Jill.  Heading Off a Clinical Trial Liability Lawsuit.  APPLIED CLINICAL TRIALS. vol. 12, no. 4.
