CHPC Study Group

5/27/2020...17 subs listing...Happy Wed!

  • 1.  5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 09:44 AM
    Snake Bite Leader...staying the course...checking in..and today's list:
    1. S/P
    2. CO/AB
    3. T/E
    4. C/A/W/N
    5. R/E
    6. A/M
    7. I/M/NESI


    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------
    Certification Disclaimer


  • 2.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:05 AM

    Riptide checking in...starting to warm up finally in New Jersey.

    My list for today...

     

    02 A

    04 D

    06 S

    08 A

    10 P

    12 T

    14 O

    16 P

    18 C

     

    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer


    9 Campus Drive, 2nd Floor East

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

    Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  Thank you.

    No copyright infringement intended.

     

     






  • 3.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:09 AM
    Boots checking in from the TX Hill Country.  Had some excitement Sunday night.  A near tornado (never touched ground) went up the alleyway 2 houses away from us. It knocked down a large tree 3 houses from us, which luckily didn't hit the house.  It destroyed a greenhouse though.  It also knocked down a lot of limbs from several trees, including one of ours.  It knocked down another tree up the street from us before it disappeared.  Area was without power for 3-1/2 hours.  Exciting.
    Here are my lists:

    7 Elements/17 Sub-Elements

    1. S/P
    2. CO/AB
    3. T/E
    4. C/A/W/N
    5. R/E
    6. A/M
    7. I/M/NESI
    Security Rule 164.3XX (Other 1):
    2          A
    4          D
    6          S
    8          A
    10        P
    12        T
    14        O
    16        P
    18        C

    Breach Notification Rule 164.4XX (Other 2):
    0          A
    2          D
    4          N
    6          N
    8          N
    10        N
    12        L
    14        A

    6-20-100
    Take care my friends.


    ------------------------------
    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers
    Kerrville,TX
    [lhemmert@hillcountry.org]
    ------------------------------



  • 4.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:25 AM

    SongBird Checking in.

     

    Lloyd, I am glad you (and your neighbors) are safe!

     

    I have been working on Breach Policies, so here's how I memorize my 164.4xx's list:

    2 A

    4 D

    6 NI

    8 N-M

    10 N-S

    12 N-BA

    14 LE

    16 (A)BP

     

    Here's my question for the day:

    The "burden of proof" language (164.416) reads that the CE has the burden of demonstrating that all notifications were made as required....or that the use/disclose did not constitute a breach. 

     

    We received guidance from a consultant firm that my breach policy should have a procedure that is a work flow (flow chart) and has an objective calculator to determine if an incident meets definition of breach.  I am finding that I am spending an inordinate amount of time trying to create something that I already know and do... I have a form I complete/document that goes through all the definitions, exceptions and mitigation... It doesn't have a "calculator" -

    My policy reads pretty much like the rule reads- but I don't have procedures WRITTEN because truthfully, I'm the only one who DOES the analysis (with oversight by my compliance committee).

     

    I feel like I'm lost in the weeds.

    Can anyone help me see my way out?

     

    Thanks in advance.

     

    Marcia A. Rasch, PhD, CHC
    Compliance Officer
    HealthSource of Ohio
    424 Wards Corner Road Suite 200
    Loveland, OH 45140
    PH:  513-707-4021
    Fax: 513-707-5676
    mrasch@hsohio.org 
    www.healthsourceofohio.org

     

    This electronic document, and any related attachments, may contain confidential information belonging to the sender which may be legally privileged. It may also include Protected Health Information (PHI) which is protected by federal law from unauthorized use or disclosure to anyone other than the intended recipient for purposes of payment, treatment, or operations unless otherwise authorized by the patient or employee. Use or disclosure of PHI for reasons other than those described above is strictly prohibited. The information is only for the exclusive use of the individual or entity originally intended.





  • 5.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:35 AM
    Marcia,

    I think in many ways your answer to your question is in your posting.

    Totally from a C&C perspective and also knowing that as over the years I've reviewed MANY breach assessments that included assessments that the OCR has requested as part of investigations, the key I believe is that your assessment process (LoProCo for example) needs to be consistent.  Whether it's qualitative (High, Med, Low) or quantitative (uses a scoring method), or a combination of both, there is no required or prescribed method.  It's up to you.  Another tangible example of how the HIPAA rules are flexible.  This also can lead to situations where CEs or BAs get varied advice or suggestions on how to do something.

    By the way, P&Ps that read almost, similar, or even practically verbatim to the rules they apply to are not a problem at all.  The key here is to make sure that you can put your policies into practice.

    Please post if you have any other follow up and I welcome others to share their own ideas...whatever they may be...as this is true to form to C&C.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------


  • 6.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:44 AM

    Thanks Frank!

    I'll take another shot – I'll relook at my form, and just dump my process out of my head onto a written procedure!

     

    I welcome everyone's C & C!

    Have a great day!

     

     

    Marcia A. Rasch, PhD, CHC


  • 7.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 10:53 AM
    Keep it simple such as in the policy...the risk assessment to conclude a breach uses a form (Attachment A to this policy) which takes into account the exceptions and factors identified in the regulations on how to determine if an impermissible access, acquisition, use, or disclosure is a breach.

    Note...there are tons of generic policies you can use which would require minimal editing...and there are many risk assessment worksheets (such as AHIMA's tool) that you can also use.

    Keep it easy breezy and shouldn't take much time at all.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------


  • 8.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 11:29 AM
    Hello from Oregon!  The weather is picking up here!  That makes stay at home nice-r.  Our county is one of the last counties to be re-opening into Phase 1 on June 1.  Good conversation above Marcia and Frank.  Something that I have to ponder as I look at my policies again.  We have a breach notification policy and procedure at the County level that I follow, so I am not sure we need our own as a department.  I appreciate Frank's comments on the variables and that there are no required or prescribed methods.

    Thank you for getting my mind going on this Wednesday morning!  And before I forget:

    1. S/P
    2. CO/AB
    3. T/E
    4. C/A/W/N
    5. R/E
    6. A/M
    7. I/M/NESI

    2    A
    4    D
    6    S
    8    A
    10  P
    12  T
    14  O
    16  P
    18  C

     

    0    A – 400 - Applicability
    2    D – 402 - Definitions
    4    N – Notification to individuals
    6    N – Notifications to the media
    8    N – Notification to the secretary
    10  N – Notification by a business associate
    12  L – Law enforcement delay
    14  A – Administration requirements and burden of proof

     

     




    ------------------------------
    Melanie Schoonover, MS, CRC, CHC
    Quality Assurance Supervisor
    ------------------------------



  • 9.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 11:37 AM

    Marcia and Frank,

     

    This brings up another scenario question in my mind.

     

    If you have a CE, that CE has a BA, and that BA has a subcontractor. The subcontractor to the BA informs the BA that they have had a computer misplaced and possibly stolen.  They are not sure if it had any PHI from the CE on it. The BA informs the CE Compliance Director of the incident. The Compliance Director and the BA determine there was PHI on the laptop, and determine that fewer than 500 individuals' PHI is involved. What would the Compliance Officer do next?

    1 - Would the Compliance Officer tell the BA they have to send out the notices?

    2 - Would the CE send out the breach notices?

    3 -  Would the Sub contractor send out the breach notices?

     

    I would love to hear some input?

    Thanks,

    Vicky

     

    Vicky Roe, RN CHC CPMA

    Clinical Auditor

    Southeast Georgia Health System, Inc.

    2415 Parkwood Drive, Brunswick, GA 31520

    Office:  (912) 466-3264   Fax:  (912) 466-7044    Email: vroe@sghs.org

     

    This e-mail and any attachments may contain privileged and confidential information and are for the sole use of the intended recipient. Any unauthorized review, use, disclosure, or distribution is prohibited. If you have received this in error, please contact the sender by telephone or e-mail immediately and destroy all copies of the original immediately.   "noscramble" means the email is being sent unencrypted

     

     






  • 10.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 11:49 AM

    Oh yeah...I like these...hopefully we get some C&C!

    1 - Would the Compliance Officer tell the BA they have to send out the notices?
    The question of "who" will actually send out the notices is likely going to be a case by case decision.  When considering these questions, remember that in the end, though you can find many blogs and web postings that can be confusing...the regs clearly state that CE or BA, as applicable will have the burden of demonstrating that the notifications were done.  So this is a classic case where the answer "it depends" applies very well and reasonably. Also, there may be obligations in the BAA or service contract that if the BA is responsible for the breach, the BA is also responsible for completing the required notifications to the individuals...for example.  There really is no ONE answer...several possibilities.

    2 - Would the CE send out the breach notices?
    That is one option.

    3 -  Would the Sub contractor send out the breach notices?
    That is the other option

    I'll add another funky curve ball...you could even have the CE...and...BA send out notices.  Again...case by case.  I've seen this done as well.



    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------


  • 11.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 12:02 PM

    I love these too!

    I agree with Frank- "it depends"-

    It depends on the language in the BAA/contract agreement with the BA (does it state expectations?)

    It depends how the BA wrote the subcontractor agreement...

    It depends on how "reliable" the BA is.

    The other potentially "negotiable" area is WHO will pay for the credit monitoring (if required) and any additional expenses that may be included in the notifications.

     

    I believe that ultimately, it's the CE who needs to make sure they get DONE – but doesn't mean the CE has to do it!

    However, one tactic the CE would consider- the level of cooperation by the BA would likely influence if the CE will  CONTINUE the relationship with the BA – or does the CE go find a different, more reliable vendor!

     

    On the other hand...at least they TOLD the CE it occurred! That's a giant step for some BA's!

    How's that for C & C?

     

     

    Marcia A. Rasch, PhD, CHC


  • 12.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 01:00 PM

    Ok...think about this...

    If you had to choose the best answer, and you have no idea what the contract says. Your choices are:

    1.       The CE tells the BA they have to send out the Breach Notifications

    2.       The sub-contractor is the one responsible to send out the breach notices.

    3.       The CE sends out the breach notices

    4.       The CE tells the BA to cancel the contract with the sub-contractor

     

    Vicky

     

    Vicky Roe, RN CHC CPMA



  • 13.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 02:47 PM

    Vicky,

    I'd have chosen option 1 -until I'm looking at the rule today.

     

    In the past, I (the CE) have worked with the BA to send out the breach notices, but the CE gets a full report on total number sent, return receipts, etc., and has full oversight/input to conclusion.  The CE reports to OCR at end of year.

     

    HOWEVER- since I am neck deep into the rule -  here's what 164.410c.2. says (line 2019 of Frank's version):

     

    2. A BA shall provide the CE with any other available information that the CE is required to include in notification to the individual under 164.404(c) (the letter) at the time of the notification required by paragraph (a) of this section....

     

    The rule just says the BA shall notify the CE!! So, I guess I  back pedal!

     

     

    Good thing I'm still writing my policy

     

    Marcia

    X4021

     






  • 14.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 03:25 PM

    Marcia,

     

    Thank you for making me re-think this! I went back and read the regs again, and you are right, there is no mention of the BA having any responsibility to send out the breach letters. They only have to give the CE "any available information that the covered entity is required to include in notification to the individual under 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available."

     

    I learned something today!

    Thanks,

    Vicky

     

     

    Vicky Roe, RN CHC CPMA



  • 15.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 03:35 PM

    https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

     

    In this sample Business Associate Agreement provided by HHS it states this, which seems to say that Business Associate could be the one to notify:

     

     

    Gwen Pekuri

     






  • 16.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 04:24 PM

    Gwen,

     

    Thank you for sharing the sample agreement. I am reading it as Marcia said earlier, that according to your specific contract, that you could have it built in that the BA has to do the Breach Notifications. However, according to the regulations, I don't see there is specific wording that the BAs are responsible for sending out the breach notifications. The CE is ultimately responsible to make sure the notifications go out.

    I love this C & C. I feel I really learned something today.

     

    Vicky

     

    Vicky Roe, RN CHC CPMA



  • 17.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 05:58 PM

    Thanks Gwen,

    Yes our Attorney says she wants all BAAs to include their obligation to the extent possible.

    But sometimes, it's not possible!

     

    That language just makes me think, we need to understand the PURPOSE or SPIRIT of the rule, instead of trying to comply with just the language of the rule. 

     

    I think that may I get hung up at times..when my OCD takes over

     

    Thanks for the great discussion today!

     

    SongBird signing off!

     

    Marcia A. Rasch, PhD, CHC


  • 18.  RE: 5/27/2020...17 subs listing...Happy Wed!

    Posted 05-27-2020 05:55 PM

    I just finished my draft of procedure.

    I think I had a "hangover" from Pre-HITECH. 

    BTW- I LOVE Frank's version of the HIPAA rules!

    THANK YOU FRANK!

     

    Marcia

    X4021

     



