Compliance Hot Topic Issues for Senior Living Communities Wednesday September 30, :45 4:15 p.m.

Transcription

1 Compliance Hot Topic Issues for Senior Living Communities Wednesday September 30, :45 4:15 p.m. Marilyn Mines, RN, BC, RAC CT Senior Manager of Clinical Services 111 S. Pfingsten Road, Suite 300 Deerfield, IL Main: (847) or (888) Direct: (847)

2 Janet Potter, CPA, MAS Manager 111 S. Pfingsten Road, Suite 300 Deerfield, IL Main: (847) Direct: (847) Objectives Learn the regulations regarding medication delivery in the assisted living and supportive living arena Understand the definitions related to medication delivery in these post acute settings Evaluate current HIPAA practices to determine areas which are potential risk areas 4 2

3 ASSISTED LIVING FACILITIES 5 Assisted Living Facility (ALF) Regulations Title 77: Public Health Chapter I: Department of Public Health Subchapter c: Long Term Care Facilities Part 295 Assisted Living and Shared Housing Establishment Code SUBPART E: MEDICATIONS Section Medication Reminders, Supervision of Self Medication, Medication Administration and Storage 6 3

4 Assisted Living Facility (ALF) Regulations The Assisted Living and Shared Housing Act 210 ILCS 9/ (The Act) Section 70: Service Requirements 7 Assisted Living Facility (ALF) Regulations Medication services are optional in an ALF If a facility chooses to provide this service, the scope ofthe service may include the following: Medication reminders Supervision of self medication Medication administration Medication storage 8 4

5 ALF Medication Reminders Verbal reminders to take pre dispensed, self administered medication Observing that the resident takes the medication Documenting whether or not the resident took the medication 9 ALF Supervision of Self Medication Assisting the resident with selfadministered medication using any combination of the services If unlicensed personnel are supervising the self medication, it must be under the direction of a licensed health care professional See attachment #1 Assessment for Self Md Med and attachment #2 Medication Mdi i Grid Gid ALF 10 5

6 ALF Supervision of Self Medication (continued) A combination of any of the following services are considered assistance with self medication: Reminders to take medications Reading the medication label to the resident Checking the self administered medication dosage against the label of the medication Confirming that resident has obtained and is taking the dosage as prescribe 11 ALF Supervision of Self Medication (continued) A combination of any of the following services are considered assistance with self medication: cont Documenting in writing if the resident took or refused to take medication Opening the container for a resident who is unable to do it themselves (however, only a licensed person can remove the medication from the container) 12 6

7 ALF Medication Administration Only a licensed health care professional employed by the organization can administer routine insulin or routine Vitamin B 12 Per 210 ILCS 9/10, a licensed health care professional is a registered professional nurse, an advanced practice nurse, a physician assistant, or a licensed practical nurse 13 ALF Medication Administration Facilities who assume this responsibility must have policies and procedures addressing Obtaining and refilling medications Storing, and controlling medication Dispensing medication Assisting with self/medication administration Recording medication assistance Maintenanceof medication records 14 7

8 ALF Medication Administration Facilities who assume this responsibility must have an updated drug reference guide (no more than 2 years from the copyright date) available and accessible to employees Non licensed staff may not administer any medication 15 ALF Medication Storage by the Resident Medication must be stored and controlled Medication must be inaccessible to other residents The resident s service plan must indicate storage and administration by the resident 16 8

9 ALF Medication Storage by the Facility Not left unattended by an employee Be in a locked container, cabinet, or area that is inaccessible to other residents not in a bathroom or laundry area Disposed of properly when expired or discontinued 17 ALF Medication Storage: General Stored in the original labeled container and according to instructions on the label Not pre poured Medication organizers may be prepared up to 1 month in advance by: the resident, nurse, or resident relative/representative 18 9

10 ALF Medication Regulations A separate medication record must be maintained for each resident receiving medication administration Name of resident Name of medication, dosage, directions, and route of administration Date and time that medication is scheduled to be administered Date and time of actual medication administration Signature or initials of the employee administering medication 19 Issues with Medication Services Does the staff know the differences between medication reminders and supervision of selfmedication? Doesthe staff know the differences between selfmedication and administration of medications? Does the nonlicensed staff know their limitations based on job descriptions and policies? 20 10

11 Issues with Medication Services What type of documentation is used for the Reminders? Supervision of self medication? Medication administration? Are there holes in the medication record (for medication administration only)? Who is doing the documentation? 21 Issues with Medication Services Assisted Living Federation of America used 2014 information data to compile the 10 most common citations in U.S. US assisted living facilities published March 2015 Number 1 is Medication Administration Described as violations relating to aspects of medication administration, which could include: failure to properly document pre pours, secure a physician s order or discard expired medication 22 11

12 Issues with Medication Services The 2012 report cited Allaspectsof medication administration, including failure to properly document pre pours, secure a physician's order, or discard expired medication Improper storage 23 SUPPORTIVE LIVING FACILITIES 24 12

13 Supportive Living (SLF) Regulations Title 89: Social Services Chapter 1: Department of Public Health Subchapter d: Medical programs Part 146 Specialized Health Care Delivery Systems Subpart B: Supportive Living Facilities Section d) Medication Oversight and Assistance in Self administration 25 Medication Services to be Provided Resident reminders to take their medications When asked by the resident, take medication from storage area and hand to the person Opening or uncapping medication containers for residents When asked by the resident, help remove from container and/or help to consume or apply 26 13

14 Medication is Part of Nursing Services The nurse must administer medications if the resident is unable to do so The nurse may set up medications (a week s supply at a time) 27 Documentation of Medication Administration Though documentation for medication administration is individualized based on resident needs, the following must be included for each resident: Name of resident Name of medication, dosage, directions and route of administration Date and time medication is scheduled to be administered and actually was given and that the resident actually took it or refused it Signature or initials of employee administering the medication Type of oversight required 28 14

15 Issues with Medication Regulations There is no specified process required by HFS for medication services Of the 60 SLF facilities in Illinois, each has their own individual way of managing medication oversight and assistance 29 Medication Errors Wrong Extra medication given Route of administration Medication given Time Failure to give a medication Amount of medication Client 30 15

16 Medication Risk Areas Distraction is the leading cause of medication errors Adverse drug reactions are greater in the elderly Decreased liver and kidney function Increased sensitivity to medications as we age More co morbidities and drugs The more drugs, the greater chance for adverse reaction Decreased cognition and vision 31 Medication Risk Areas Prescription errors Wrong drug Excessive dose Improper fill 32 16

17 Prevention of Medication Errors On going, random quality assurance and oversight of: Medication administration Medication assistance Medication supervision Evaluate each medication error look for trends Determine ways to improve the delivery system 33 Prevention of Medication Errors On going, random quality assurance and oversight of: Quarterly review of residents receiving 7 or more medications Quarterly reviews of residents on antipsychotic drugs and those with falls Monthly review by the administrator of PRN medications Narcotic sheets Documentation of the MAR 34 17

18 Prevention of Medication Errors Keep an up to date list of all medications Review the list whenever the resident sees the physician Review the list whenever the resident has a change in condition Annual review by the physician Standardize medication processes as much as possible Educate staff, residents, and representative Question when a dose or medication doesn t appear correct Medication interactions Adverse drug reactions 35 Response to Medication Errors based on Policy/Procedure 36 Call the family or responsible party, if applicable Evaluation by a nurse Document Determine whether the physician needs to be notified Assess and monitor the resident Report to the Department within 24 hours if the medication error resulted in hospitalization 18

19 Medication Error Report All errors must be recorded Use the specific SLF form to record each medication error (attachment #3) Keep on file in the facility 37 HIPAA 38 19

20 Covered Entities HIPAA laws only apply to covered entities Healthcare providers Health plans Healthcare clearinghouses 39 Healthcare Providers Health care provider who transmits any health information in electronic form in connection with a transaction covered by the rules Means a provider of medical or health services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business 40 20

21 Covered Transaction Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care Health care claims or equivalent encounter information Health care payment and remittance advice Coordination of benefits Health care claim li status Enrollment and disenrollment in a health plan Eligibility for a health plan Health plan premium payments Referral certification and authorization First report of injury Health care claims attachments Other transactions that the Secretary may prescribe by regulation 41 Covered Entity So I don t do any of those listed on the previous slide, I m off the hook, right? 42 21

22 CCRCs Are you part of a continuing care retirement community (CCRC)? If so, you are probably included under their umbrella both as a provider of services and in their corporate compliance and ethics program 43 Still Not a Covered Entity? Your residents and the community still view you as a healthcare provider and expect you will safeguard their protected health information (PHI) Unauthorized disclosures could be a public relations nightmare even if you and your workforce were not involved Jackson Memorial Hospital and the ESPN reporter who leaked football playerjason Pierre Paul s medical record Bottom line: comply as if you are a covered entity 44 22

23 Business Associates (BAs) The Omnibus Rule clarifies the definition of a BA to include any individual or organization which creates, receives, maintains, or transmits PHI for a function or activity on behalf of a CE This includes vendors that move or transmit PHI on behalf of a CE including personal health record (PHR) vendor, health information organizations, and e prescribing gateways (including any cloud storage) Does not include those which act only as a conduit for PHI, such as an internet service provider or mail/package carrier 45 Business Associates Examples Data analysis, processing or administration Accreditation Quality assurance Billing Benefit management Collections Legal Actuarial Accounting/Auditing Consulting Management, administrative, or financial 46 23

24 Business Associates BAs must now have their own policies and procedures for both HIPAA privacy and security Including administrative, technical, and physical safeguards Verify that BA agreements (BAAs) were updated and provided to existing BAs in 2013 and forward BAs must have BAAs with their subcontractors 47 Increased Responsibility The CE is liable for violations resulting from acts or omissions of a BA that t is either an agent of the CE, or acting within the scope of the agency BA is liable for violations resulting from acts or omissions of a subcontractor that is an agent of the BA acting within the scope of the agency Previously, the liability fell primarily on the CE 48 24

25 Protected Health Information (PHI) Name SSN Any information, whether oral or recorded in any form or medium, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual or the past, present, or future payment for the provision of healthcare to an individual Diagnosisi Address Photo 49 Phone number Payment amount Minimum Necessary Standard Minimum necessary standard when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request 50 25

26 TPO Disclosure is always allowed for: Treatment Payment Health care operations 51 Treatment Treatment purposes of another healthcare provider Hospital SNF Physician s Office Therapy Home Health 52 26

27 Payment For another health care provider or a CE s own payment Health care claims Medical review Coinsurance 53 Health Care Operations Operational activities of a health care provider such as Quality assessment and improvement activities Training, evaluation, or performance activities of health care professionals Health care fraud and abuse detection activities 54 27

28 Sharing Information Although we can readily share PHI for purposes of TPO, we need to protect that information when we transmit it Physicians Other buildings on your campus Home health or hospice Hospitals 55 Data Security Breach A data security breach happens when individually identifiable protected health information is left unsecured by a CE A non encrypted USB key, CD, POS device or laptop with patient data is lost A spreadsheet or other document with patient PHI is e mailed without being password protected Data Security Breach affects electronic data only but any unauthorized disclosure is still a breach Unsecured PHI is defined by HHS as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology 56 28

29 Breach Under the rules, a breach is now presumed to have occurred unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment considering at least the following factors on the next slide 57 Breach The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification The unauthorized person who used the PHI or to whom the disclosure was made Whether the PHI was actually acquired or viewed The extent to which the risk to the PHI has been mitigated 58 29

30 Office for Civil Rights (OCR) OCR is the HIPAA Police A branch of the Department of Health and Human Services (DHHS) OCR investigates complaints of violations of healthcare privacy and security OCR also performs audits of providers The OCR website provides guidance for many aspects of the rules, and sample privacy notices and BA contracts 59 OCR Audits OCR is to begin auditing both Covered Entities (CEs) and Business Associates (BAs) this fall Originally slated to begin August 2014 Limited official information was available at the time this handout was prepared 60 30

31 OCR Audits An estimated 400 desk audits of CEs and BAs will be audited may be lowered to 200 May also do comprehensive onsite audits Will be completed by OCR auditors, rather than contractors as in Phase 1 Desk audits will look at one of three areas: privacy, security or breach 61 Desk Audits Prior to being selected for an audit, OCR will send a notice confirming addresses, etc. then you will receive the official notification 62 31

32 Pilot Audits During , OCR performed pilot or test audits of covered entities including health plans, no business associates All audited entities were found to have some deficiencies 63 Pilot Audits Across the board, providers struggled with the security rules and compliance issues The smaller the organization; the more struggles they had Issues: Notice of Privacy Practice Right to Request Privacy Protection for PHI Access of Individuals to PHI Administrative Requirements Uses and Disclosures of PHI 64 32

33 Uses and Disclosures Areas of difficulty: Business Associates Identify Verification Minimum Necessary Authorizations Deceased Individuals Personal Representatives Judicial and Administrative Procedures Group Health Plan Requirements 65 Security Rule Issues Risk Assessment Access Management Security Incident Procedures Contingency Planning and Backups Workstation Security Media Movement and Destruction Encryption Audit Controls and Monitoring Integrity Controls 66 33

34 Risk Assessment Conduct a risk assessment starting with asking these questions regarding all forms of PHI: Where is it? Where does it go? Who touches it along the way? Start by reviewing the most current analysis May be able to utilize information from compliance plan and program preparation 67 Identifying Uses of PHI E mail Canan employeeworking at home access your network? Do patients or family members/responsible parties use e mail to communicate with the CE? Faxes Do you transmit PHI via the fax machine? Is it fax to fax or computer generated fax? Answering machines Do you leave messages on patients answering machines? What about voice mail systems? 68 34

35 Identifying Uses of PHI Identify written documents that contain PHI Formal documents Forms Records Informal documents Duplicate or back up records Telephone messages 69 Oral Communication Identify inappropriate oral communications Whenexaminingthe examining appropriatenessof of oral communications consider: Content Context Participants Yada yada Location 70 35

36 Incidental Uses and Disclosures An incidental use or disclosure is not a violation of the privacy regulations if the use or disclosure: Cannot reasonably be prevented Is limited in nature, and Occurs as a by product of an otherwise permitted use or disclosure 71 Incidental Uses and Disclosures Covered Entities may only take advantage of this protection if they have applied reasonable safeguards to their operations to prevent inadvertent disclosures and have implemented the minimum necessary standard 72 36

37 Day to Day Operations 73 E Mail When e mailing PHI, either in the body of the e mail or as an attachment, it must be protected Password protected t Encrypted Attachments can be password protected, do not send the password in the same e mail as the attachment The same password can be reused for frequent transmission between the same 2 parties If PHI is in the body of the e mail, it must be encrypted To avoid that, do not include PHI or use initials or other abbreviations that would not be individually identifiable 74 37

38 Transporting Records The privacy and security regulations pose significant considerations for the protection of PHI for employees who work in the field or from home whether h as part of an established arrangement or on an occasional basis to catch up with work from the office All PHI must be maintained in accordance with the privacy regulations at all times Lost and stolen laptops are one of the biggest areas of HIPAA violations 75 Transporting Records PHI that leaves the CE must be safeguarded Even if it is to another area of the campus Privacy Officer should give permission for employees to transport PHI from the office Locked carrying cases should be used Computers must be protected including: smart phones, handheld devices, and laptop computers Records may not be left unattended 76 38

39 Portable Devices All portable devices should have the capability to be remotely wiped if lost Laptops USB Keys Smart Phones Tablets Should be encrypted and/or password protected 77 Smart Phones The HIPAA Team or Corporate Compliance Committee must review the use of smart phones within the organization and incorporate recommendations into the compliance program and HIPAA policies and procedures Do employees/managers/board of directors access e mail via their smart phone that could contain PHI? Are the phones password protected or encrypted? Can the devices be wiped remotely if lost? Consider requiring stronger PIN codes than simple 4 digit codes which can be cracked in seconds by a hacker possibly fingerprint scanners 78 39

40 Smart Phone Risk Areas Are security patches and updates promptly installed? If not it can leave a phone vulnerable to hacking Are text messages encrypted if they contain PHI? While encryption isn t required by HIPAA regulations specifically, recent OCR resolutions strongly urge encryption of text messages Lost phones must be reported immediately to the security officer or IT department 79 Malware Update security patches on all laptops, computers, smart phones and other devices Failure to update software leaves the devices susceptible to malware Use software that is currently supported and updated by the vendor 80 40

41 Passwords Don t share passwords Don t post passwords under the keyboard, on the side of the monitor, etc. Require passwords to be changed every 6 months Must be at least 8 characters long to be secure Shorter passwords can be cracked by hackers in seconds Should include capitals, numbers or special characters All systems should be password protected Unique user identification 81 Disposal All materials (print or electronic) with PHI must be properly destroyed before disposal Paper records shredded crosscut recommended Electronic media must be scrubbed or wiped clean Verify this has been done before donating or recycling old computers or equipment 82 41

42 Photocopiers Many digital photocopiers, fax machines and printers have hard drives and can store PHI Prior to discarding or returning old rented equipment determine if the hard drive can be scrubbed or otherwise made unreadable 83 Physical Access Controls Do you have physical access controls in place to protect your residents from a disclosure of their protected health information? Visitor checkin Such as: Locked entrances Private offices Computer screens turned away from public view 84 42

43 Workforce Training All members of the workforce must receive HIPAA training When first hired a comprehensive training that is appropriate to their job functions may be different training for different job classes Don t forget to train volunteers and contract employees With contract employees or vendors you can confirm with their employer that they have equivalent HIPAA training, but you ll still need to train them on your specific policies 85 Workforce Training Provide periodic updates and reminders on HIPAA HIPAA training is not a one time event Changes in policies Reminders posted in employee lounges or other areas Reminders in employee newsletters or sent via e mail Make it specific and relevant to your organization 86 43

44 Volunteers A volunteer is specifically identified and included in the privacy regulation s definition of the CE s workforce Include them in the training and education of the workforce 87 Facility Directory How a patient s PHI is used and disclosed in the facility directory must be included in the Notice of Privacy Practices and patients must have the opportunity to agree or object The facility directory may only contain the patient s name, location, general condition and religious affiliation (only to be disclosed to clergy) Any other information (i.e., phone numbers, birthdays) must be eliminated 88 44

45 Bulletin Boards and Newsletters CE s bulletin boards and newsletters many times disclose the PHI of patients Birthdays for the month Patient satisfaction surveys Photographs of patients Thank you letters CEs must determine if it is permitted or required to disclose these types of PHI without a specific authorization signed by the patient 89 Resources OCR Website: Guide to Privacyandand Securityof ElectronicHealthInformation: security guide.pdf HITECH Audit Program: html 90 45

46 Disclaimer This presentation and handouts are for general information and do not include a full analysis of any specific circumstances or situations. Information contained herein is accurate at the time of publication. We recommend that you consult with your FROST advisor before implementing any action. 91 Questions? 92 46

47 Attachment #1 MEDICATION SELF-ADMINISTRATION ASSESSMENT Resident Name The resident can: Code Yes or No List Medications include route, dosage, frequency, ointments, ear and/or eye drops, inhalers, injections, patches, suppositories, and PRN medications Identify the medication State what the medicine is used for Open the container and remove the medication State the correct number of pills/dosage State when the medication is to be taken State the common side effects Document that the drugs were taken Properly store the medication Reorder medications when necessary Administer inhalers, eye or ear drop, patch, suppository injections, or ointment Based on the above assessment, the resident can self administer the following medications Based on the above assessment, the resident will receive reminders for the following medication Based on the above assessment, the resident will receive set-up for the following medication Based on the above assessment, the resident will receive supervision for the following medications Based on the above assessment, the resident will have the following medications administered by a nurse Nurse Completing the Assessment Date of Assessment completion 2015 Frost, Ruttenberg & Rothblatt, P.C.

48 Attachment #2 RESIDENT TAKES OWN MEDICATIONS YES NO Resident has difficulty opening containers Requires medication administration by a licensed healthcare professional YES Requires supervision NO Continued evaluation YES Resident can read labels NO Requires supervision by a licensed healthcare professional Can resident remove medication for container once opened? YES Medication supervision by an aide with RN supervision NO Resident requires periodic review of mediations, assistance with storage or ordering YES Medication supervision by a licensed healthcare professional NO Continued evaluation Resident has pre dispensed medication YES Resident forgets to take medications NO Resident is independent Medication reminders YES NO Evaluate for medication set up

49 Supportive Living Facility Medication Error Report Appendix C-20(1) Facility Name: Facility Address: Resident Name: RIN: DOB: Medication Management (i.e., set-up, reminders, cuing): Date Error Occurred: Time Error Occurred: a.m./p.m. Medication(s) involved: Complete second page of report listing ALL medications involved. Type of error: Description of Error: Dosage Time Wrong medication Wrong route Missed medication Observation of adverse reaction(s)/outcome(s): Notification: Physician Date: Time: am/pm Designated Representative Date: Time: am/pm Other Date: Time: am/pm Physician instructions: Name of hospital and city (if applicable): Plan of correction to prevent future errors: Signature of staff completing form & date Title Date submitted to HFS (if applicable) HFS 3869 (N-6-07) IL

50 DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES Supportive Living Facility Medication Error Report Appendix C-20(2) Medication Dosage Frequency Reason for Rx Attach more pages if necessary For instructions, see Supportive Living Facilities Provider Handbook, Chapter C-200, Appendix C-20a HFS 3869 (N-6-07) IL

51 Appendix C-20(a) INSTRUCTIONS DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES Supportive Living Facility Medication Error Report What errors need to be recorded? ALL medication errors that occur for residents receiving medication management services from the SLF are required to be recorded. Medication management includes: medication set-up, reminders, assistance with self-administration (eg. cuing) and administration by licensed staff. A medication error includes: wrong medication wrong dosage wrong time (medication given within 1 hour of prescribed time is NOT considered an error) wrong route missed medication How are errors recorded? The HFS Medication Error Report form must be completed each time an error is discovered. ALL medications involved in the incident must be listed on the second page of the report form. For instance, if a resident misses a dose of two different medications, a separate line should be completed for each medication involved. What errors must be reported to HFS? Any medication errors that result in adverse reactions requiring hospitalization must be reported to the HFS Regional Supervisor on the HFS Medication Error Report within 24 hours of discovery. All other medication errors shall be recorded on the HFS Medication Error report and kept on file for Department review.