by Elizabeth E. Hogue, Esq. | Apr 11, 2024 | Clinical, Regulatory
By Elizabeth E. Hogue, Esq.
A key purpose of the Health Insurance Portability and Accountability Act (HIPAA) is certainly to protect patient information. Another is to help ensure that patients have access to their health information. In fact, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, the primary enforcer of HIPAA, has focused on enforcement actions against providers that do not make information available to patients on a timely basis. OCR launched a right to access enforcement initiative in 2019 that is continuing.
Providers must give medical information to patients and their representatives within thirty days of requests. When they fail to do so, they may be subject to enforcement action by OCR. Following are two examples of recent enforcement actions.
OCR announced on April 1, 2024, that Essex Residential Care in New Jersey will pay a civil money penalty of $100,000 to resolve violation of HIPAA’s right of access standard. This is the 48th settlement reached under the right of access initiative. OCR received a complaint in May of 2020 from the personal representative of the estate of a patient who passed away. Following an investigation by OCR, the personal representative, who was the son of the patient, received the records in November of 2020. The provider did not contest the fine.
In another recent case, the daughter of a patient who passed away was appointed as the personal representative of her mother’s estate. She made multiple requests to Phoenix Healthcare for a copy of her mother’s medical records. She finally received the records one year after her initial request. Phoenix Healthcare initially received a civil money penalty of $250,000 for failure to provide timely access.
The provider appealed. An administrative law judge (ALJ) upheld the violation and ordered Phoenix to pay a civil money penalty of $75,000. The Departmental Appeals Board affirmed the ALJ’s decision. Then Phoenix agreed to settle for $35,000 and waived the right to further appeals. While it may seem in this case that the provider’s appeals significantly lowered its costs, it is important to note that the provider also undoubtedly expended significant resources on two appeals of OCR’s enforcement action.
Providers have placed a great deal of time and effort into the protection of healthcare information in compliance with HIPAA. Rightfully so, but providers seem to have lost sight of the fact that HIPAA is also about ensuring that patients and their representatives have timely access to their records. Now is the time for providers to conduct intensive education of staff members about HIPAA’s requirements regarding access in order to avoid enforcement actions like those described above.
©2024 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author. For more information on how to get access to this or any other article, please contact The Rowan Report.
by Kristin Rowan | Apr 11, 2024 | Admin, CMS, Regulatory
by Kristin Rowan, Editor
For a few weeks now, we have been covering the Change Healthcare cyberattack by ALPHV/BlackCat and the subsequent updates from CMS. Pharmacy and medical orders have been delayed, providers and patients are suffering, and CMS has issued “guidance” with no real solution. Underground reports indicate that Change Healthcare paid $22 million to BlackCat following the first cyberattack and that BlackCat stole 6TB of data from the system. Change Healthcare has refused to respond to questions about the alleged payment. Three weeks after the attack, Change Healthcare started to come back online, starting with the pharmacy services, which returned on March 7th. Parent company UnitedHealth Group indicated that other services would return in the coming weeks.
Legal Action
More than 87% of physicians are see more than a 20% drop in daily claim submissions. As of April 9th, physicians are still reporting issues with cash flow and anticipate higher than expected losses due to financing and loans that may be needed to cover them as the effects of the attack continue. Rivals of Change Healthcare are reportedly onboarding hundreds of customers who have left the organization. One of these, Availity, has processed more than $5 billion in claims that were left unprocessed by Change Healthcare’s system and has onboarded 300,000 providers with a backlog of more than 50 health systems waiting to start using the platform.
The attack has caused long-term disruptions, delays, cash flow problems, patient care disruptions, prescription delays, and billing issues. Some physician practices have started using personal money to cover payroll and other expenses. The US Department of Health and Human Services (HHS) has launched a formal inquiry into Change Healthcare’s data protection standards. This inquiry follows six class action lawsuits filed against the organizations. Physicians were still reporting significant impacts on their claims.
Adding Insult to Injury
Change Healthcare has barely gotten their systems up and running were still putting out fires when they were hit again. 
On April 8, RansomHub contacted Change Healthcare and alleged to have 4TB of data stolen from the system and are demanding an extortion payment to keep the data private . RansomHub has threatened to sell the data, which includes US military personnel and patient data, medical records, and financial data, to the highest bidder in 12 days if the ransom isn’t paid.
Among the prevailing theories as to why Change Healthcare has been hit again is that the first ransom was supposed to have been split between ALPHV/BlackCat and an associate known as “notchy”, but ALPHV absconded with the ransom, leaving the other with nothing. Looking for a payout equal to what they lost, notchy partnered with RansomHub to try to recoup their losses. A second theory is that ALPHV and RansomHub are one in the same and that ALPHV went to ground after the ransom payout and have resurfaced as RansomHub. RansomHub, however, claims that after ALPHV went to ground, some of their affiliates joined the RansomHub operation and this is how they came by the data. Either way, it seems that the data stolen in the first attack was not returned after the ransom was paid and Change Healthcare is still susceptible to further extortion. This also means that the Change Healthcare system was not hacked a second time, but rather this is just an extension of the first data breach.
No word yet on whether Change Healthcare and UnitedHealth Group will pay the second ransom demand.
We will continue to follow this story and provide updates as it impacts payment and claims processing.
# # #
Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly kristin@girardmarketinggroup.com or
www.girardmarketinggroup.com
©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. www.therowanreport.com One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com
by Tim Rowan | Apr 11, 2024 | Clinical, Editorial, Telehealth
by Tim Rowan, Editor Emeritus
In 2020, doctors flooded telehealth companies with requests for help caring for patients reluctant to leave home to come to their appointments. Following suit, many Home Health agencies that had never considered investing in home telehealth before, opened up their wallets to acquire equipment, from simple wearables to high-end, HIPAA-compliant video systems.
In addition to the need to provide care at a safe distance, many HHA leaders knew the added service would attract the attention of hospitals desperate to discharge recovering Covid victims as well as non-Covid patients. Some HHAs established relationships with hospitals they had not had before, given the chance to demonstration Home Health’s unique advantages over extended hospital stays and discharges to institutions such as SNFs that had become virtual death sentences during the height of the pandemic.
All Things Must Pass
With the introduction and widespread free availability of Covid mRNA vaccines, the death rate graph line began to tilt downward. Then came the discovery that the SARS-CoV-2 and its variants are transmitted through the air and not through unwashed surfaces. People stopped disinfecting their counter tops after unloading groceries. And they started in-person doctor visits again. Patients returned to allowing nurses into their homes.
In regions where vaccination and booster rates were high, hospitals found themselves with more and more empty beds. They took down tented treatment centers in their parking lots and sent refrigerated trailers back to trucking companies. Desperation referrals to Home Health tapered off, as did the need for virtual visits.
Isaac Newton said every action has an equal and opposite reaction. If that holds true in the healthcare business as it does in physics, the reaction to Covid easing is seen in Remote Patient Monitoring tech companies. According to Fierce Healthcare, the New York Stock Exchange told one RPM company, Amwell, formerly known as “American Well,” to raise its stock price or be delisted. Fierce added detail about the company’s woes:
“Despite decimating its workforce at the end of 2023 to cut expenses, the company still projects a 2024 loss between $160 million and $155 million amid incremental revenue growth. The company’s market cap was a stone’s throw from $6 billion at the height of its valuation, when shares were trading for more than $42 each. Amwell shares were trading at $0.72 as of market close on April 5, giving the company a current market cap of about $208.6 million.
Another market leader fared no better, Fierce Healthcare found. “Telehealth giant Teledoc, which has been in operation for 20 years, has struggled in the stock market and is facing headwinds as the virtual care market has become crowded with digital health players. Shares dropped 22 percent in February as the company missed fourth-quarter revenue estimates and offered a downbeat forecast for the rest of the year.”
Teledoc’s 15-year CEO, Jason Gorevic, resigned last week after the company reported a net loss of $220 million for 2023, following 2022’s historic loss of $13.7 billion, mostly from a write-off related to the plummeting value of its ill-advised Livongo acquisition. According to Fierce Healthcare, Teladoc shelled out $18.5 billion for the digital chronic condition management company, a record in digital health.
Gorevic’s rationale that the telehealth field has become too crowded may not be far off. Last July, Becker’s Hospital Review published an industry survey titled “280+ Telehealth Companies to Know.” The list included a half dozen names we recognized from past Home Health conferences, including Health Recovery Solutions, AMC, Vivify, and FoneMed.
Do Hospital Woes Translate Down to Home Health?
Making comparisons between telemedicine companies that focus on hospitals and physicians and those who focus on post-acute providers is hampered by the fact that few in our sector are publicly traded and do not share their numbers. UnitedHealth, which acquired Vivify in 2019 and assigned it to its Optum division, does not separately report Vivify revenue.
Health Recovery Solutions, one of the best-known names in post-acute RPM, is privately held by its founding CEO and seven investors. Its most recent influx of $800,000 occurred in January, 2022, making it impossible to determine whether it was motivated by investor confidence or the need for cash as Covid began its decline.
Analysis
This publication has promoted the advantages of remote patient monitoring for its entire 25-year existence. We have covered startups and established tech companies offering every technology from PERS to Zo monitors to automated phone calls, in-home cameras and microphones. We have followed the evolution of two-way communications and vital sign detectors from tabletop devices to tablets and smartphones. We have even tested a few robots. We have seen HHAs experience great success, and we have seen devices collecting dust on shelves.
Throughout, we have maintained that, when selected, implemented, and deployed properly, monitoring patients 24/7 instead of once or twice a week can improve patient outcomes, boost agency reputation, and, more often than not, produce a healthy ROI. The end of the latest pandemic may mean the end of demand for Remote Patient Monitoring systems, but that would be unfortunate.
Tim Rowan is a 30-year home care technology consultant who co-founded and served as Editor and principal writer of this publication for 25 years. He continues to occasionally contribute news and analysis articles under The Rowan Report’s new ownership. He also continues to work part-time as a Home Care recruiting and retention consultant. More information: RowanResources.com or Tim@RowanResources.com
©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com
by Elizabeth E. Hogue, Esq. | Nov 8, 2023 | Clinical
Untitled Document
by Elizabeth E. Hogue, Esq.
Joyce Grayson, a home health nurse for Elara Caring, was murdered on October 28, 2023, in the home of a patient where she was providing services. Ms. Grayson was reported missing by a family member to the local police department. The family member was also able to track her last location to the home of a patient she was scheduled to visit at 8:00 a.m. on the day of her death. The patient resided at a halfway house for convicted sex offenders. Police have not yet formally identified a suspect in Ms. Grayson’s death.
This horrible news reminds of steps that staff members and providers can take to protect their staff members:
- Staff members should be sure of the locations of patients’ homes and have accurate directions. · Employees should contact their supervisors in the event of threatening circumstances.
- During visits, employees should remain alert and watch for signs of possible violence; such as verbal expressions of anger and frustration, threatening gestures, signs of drug or alcohol use, or the presence of weapons.
- When employees are verbally abused in patients’ homes, they should ask the speaker(s) to stop. If verbal abuse continues, caregivers should leave patients’ homes and notify their supervisors that they have done so. · If possible, caregivers should identify more than one exit from patients’ homes and keep a clear path to at least one of them.
- All employees should read or reread The Gift of Fear by Gavin de Becker and take action when their instincts tell them that they should be fearful. · Management should develop a written policy of “zero tolerance” for all incidents of violence, regardless of source. The policy should include animals! The policy must require employees and contractors to report and document all incidents of violence, no matter how minor. Emphasis should be placed on both reporting and documenting. Employees must provide as much detail as possible. The policy should also include “zero tolerance” for visible weapons when caregivers are present in patients’ homes. Caregivers must be required to report the presence of visible weapons.
- Agencies should develop quality indicators that improve efforts to protect staff. Indicators in quality and safety standards should include patient assault and other instances of violence or threatened violence. The results of these indicators should result in violence prevention plans and training programs in de-escalation of violence.
- Data systems should be strengthened to monitor the exposure of staff members to aggression. More resources should be invested in measuring aggressive events and specific factors that resulted in exposure, such as patient type.
- Ongoing education should be provided to protect staff. Education should focus on intentional actions that staff members must take to recognize, document, and counter threatened or actual violence.
The Connecticut General Assembly recently passed a law to increase protection for healthcare workers that does not include home care providers. Now lawmakers are calling for extension of the legislation to include home healthcare staff. Martin Looney, President Pro Tempore of the Connecticut State Senate told the CT Mirror: “More and more care is going to be provided in a home setting, which is generally a good thing. But if that is true, we need to make sure that the people who are providing that care are safe.”
Amen to that, Mr. Looney! Let’s get to it!
©2023 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author.
