There's a good chance a patient will file a complaint with HHS' Office for Civil Rights (OCR) or a data breach will occur at your practice. In 2013, OCR reported 85,239 complaints by patients against healthcare organizations, 16 of which resulted in fines of more than $1 million, and more than 20,000 of which required the healthcare organization to take corrective action.
But how you manage a complaint or breach could make all the difference in your practice's survival — and its reputation going forward.
On Monday, Carolyn Hartley, president and CEO of Physicians EHR, Inc., spoke about what happens during an OCR audit and a data breach during her session, "Reputation Management: Surviving a HIPAA Breach or Audit," at the MGMA13 Conference in San Diego. More importantly, she offered reputation-management guidance to attendees in the session, which was so packed late-coming attendees stood against the back wall.
Hartley's advice is particularly timely, considering the recent changes to HIPAA: In January, OCR released the final HIPAA omnibus rule, which modified the HIPAA Privacy and Security Rules, as well as the breach notification rule, to comply with the HITECH Act.
The modification to the breach notification rule requires healthcare entities to essentially prove, through a four-part risk assessment, that there is a low probability that PHI has been compromised. If they can prove that, then they do not need to disclose the breach. Healthcare entities found guilty of data breaches face fines of up to $1.5 million by the government plus notification costs and reputational damage, as they need to notify not only their patients, but also the media if the breach affects more than 500 individuals.
Here's Hartley's basic overview of what your practice should do when patients complain or data is breached.
Surviving an OCR Audit
Audits, which occur in response to complaints, are something every practice should be prepared for. But perhaps the most important rule to remember is "don't panic."
"Just because they call and say, 'You had a complaint filed against you' doesn't mean you're in trouble," said Hartley, noting that the most frequent investigations are based on impermissible uses and disclosures of protected health information (PHI)/ePHI, lack of safeguards of PHI/ePHI, and lack of patient access to PHI/ePHI.
And while achieving Stage 2 of meaningful use, per CMS' EHR incentive program, requires doing a risk assessment, most practices' risk assessments, which address the aforementioned issues, are not up to date.
"[When asked], most practices say, 'Yeah, we did a risk assessment in 2005, 2006' but they don't get their money [for attesting] because it isn't current," said Hartley.
When OCR begins an audit, practices should be aware of how it will likely go down: After OCR accepts a complaint for follow-up investigation, it will send a letter to a practice and clearly describe the nature of the complaint before asking whether you agree with the complaint.
Practices should first verify the OCR contact's information by calling HHS. Next, they need to be prepared to show OCR their policy that applies to the particular complaint.
What they're really asking is, "what are you doing right and what you're doing wrong, said Hartley
Your next move: Don't send them a huge policy manual. Just send them the policy that applies to the situation. For practices with EHRs, documenting policies and how they are followed is much easier.
You'll also likely be asked about training you provided to your employees based on the policy.
"You want to make sure you're covered under your policies and procedures and documented when you trained on a procedure," she said.
OCR will also want to know: What are you doing to mitigate this complaint? In response, you need to provide a clearly documented mitigation plan.
"You need to be able to prove what you have done," said Hartley. "Be sure to follow up and ask, 'What can we provide for you? What do you need?'"
Surviving a Data Breach
Surviving a data breach may seem much more stressful than surviving the audit, but many healthcare organizations have done it and come out of the process stronger than ever, with improved data security policies.
Your mitigation plan should start with gathering information on what exactly happened (this may fall under the direction of a compliance officer).
"One of the things we learned right away is there's an enormous amount of finger pointing," said Hartley. "The person managing the crisis has to get behind the finger pointing … and get facts."
Next, prepare a letter to notify patients. It should tell people what happened, and contain all the "who, what, when, where, and why" information. A practice should figure out which patients' records were affected, and be sure it has all the updated contact information (sometimes this means contacting representatives of patients who are unable to receive messages, such as the caretaker for disabled patients, said Hartley). The letter should contain information on the date the breach was discovered, what was stolen, and what PHI it contained.
Keep in mind that anyone breached can post that letter or give it to the media, "so what you put in that letter is important to managing your reputation," said Hartley. Also: You will need to separately alert the local media to the breach, per HIPAA rules.
Before sending out the letter, be sure you have briefed your crisis-management team, which should include your attorney and insurance agent. They need to support you and tell you what to do next. This includes corrective actions you will take, and future risk-management strategies, said Hartley.
Protecting Your Reputation
Today's patients have the ability and desire to find out as much negative information as they can about healthcare organizations — including past complaints and data breaches. As a result, reputation management is a crucial consideration for medical practices.
When faced with an audit or breach, practices should, above all else, not minimize the situation or act arrogantly, said Hartley.
Physicians should be aware of how they are perceived by patients who file the complaints that are likely to trigger audits, she added.
For more on surviving a data breach, see our recent story, "What to Do When Your Medical Practice Data is Breached."