Has your business hit a wall? Do you expect your sales to grow every year, only to watch them stay flat or even drop? Continue reading Business Education Series – Breaking the Million Dollar Barrier
Fraser Trebilcock’s Spring 2016 Estate Strategies newsletter contains valuable information on a variety of Trusts and Estates topics, including:
- Did your grandfather leave you his Colt Army Revolver in his will? A new Senate Bill aims to simplify the inheritance process.
- Four areas to consider when planning for the successful transition of the family business.
- The nursing home admissions process is stressful and overwhelming. Know these tips before you sign a nursing facility admissions contract.
To view the newsletter, click here: Fraser Trebilcock Trusts and Estates Spring Newsletter 2016
The evolution of social media and digital marketing has drastically changed the landscape for how many businesses target customers and clients. Continue reading Using Data Insights to Help Drive Your Online Presence
On May 17, 2016, the White House and the United States Department of Labor announced the finalization of the long-anticipated rule increasing the salary thresholds for most employees who currently are exempt from overtime pay. Continue reading United States Department of Labor Raises Salary Thresholds for Overtime Exemptions
You have your batch and taste perfected and are ready to share the flavor with customers, but do you know where to start in opening your own brewery in Michigan? Continue reading How to Start a Brewery, Brewpub, or Microbrewery in Michigan
Struggling to develop a content strategy or don’t even know where to start? Join us on May 17th for the complimentary “Content Marketing Hacks to Drive Business Growth” rapid-fire panel at the Lansing Regional Chamber of Commerce. Continue reading Business Education Series – Content Marketing Hacks to Drive Business Growth
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently entered into resolution agreements with the Raleigh Orthopaedic Clinic, P.A. of North Carolina and North Memorial Health Care, a not-for-profit health care system in Minnesota, to settle charges the entities released protected health information (“PHI”) without first obtaining written business agreements.
These recent settlements by the OCR should serve as a reminder to covered entities of the importance of having proper policies and procedures in place to identify and evaluate potential business associates before disclosing PHI—and the potentially high cost for failing to do so.
The Raleigh Orthopaedic Clinic agrees to pay $750,000 to settle charges
The Raleigh Orthopaedic Clinic (“the Clinic”) is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, N.C. area. The OCR began its investigation of the Clinic in April 2013 after the OCR received a breach notification from the Clinic indicating an impermissible disclosure of PHI to a third party vendor.
The disclosure stemmed from an oral agreement between the Clinic and a vendor. As part of the agreement, the Clinic released the x-ray films and related PHI of 17,300 patients to a vendor that was supposed to convert the images to electronic records in exchange for harvesting the silver from the x-rays.
The Clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by providing the PHI of nearly 17,300 patients to a potential business partner without first executing a business associate agreement. In an April 19th press release announcing the OCR’s settlement agreement with the Clinic, OCR Director Jocelyn Samuels stated “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” The OCR Director went on to emphasize that “[i]t is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In addition to the $750,000 payment, the settlement agreement with the OCR requires the Clinic to:
- implement procedures for determining whether entities are business associates;
- select a responsible individual who will ensure business associate agreements are in place before disclosing PHI to a business associate;
- create a standard template for business associate agreements;
- develop procedures for maintaining documentation of business associate agreements for at least six (6) years beyond the date a business associate relationship terminates; and
- limit disclosures of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.
North Memorial Health Care agrees to pay $1,550,000 to settle charges
North Memorial Health Care (“North Memorial”) is a not-for-profit health care system in Minnesota that operates in the Twin Cities and surrounding areas. The OCR began investigating North Memorial following the report of a data breach in September 2011. The data breach stemmed from the theft of an unencrypted, password-protected laptop from the locked vehicle of an Accretive Health employee. Accretive Health was North Memorial’s business associate. The laptop contained electronic PHI of 9,497 individuals.
The OCR’s investigation revealed that North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to its business associate, Accretive, without obtaining a written business associate agreement from Accretive. The OCR also found that North Memorial did not establish an enterprise-wide risk analysis to address patient information risks and vulnerabilities, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
In addition to the $1.55 million payment to settle the charges, North Memorial must abide by the terms of a corrective action plan, which includes developing an enterprise-wide risk analysis and management plan. North Memorial is also required to provide training for workforce members affected by the corrective action plan.
In the March 16, 2016, press release announcing the settlement, OCR Director Samuels stressed that “[o]rganizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
These recent settlements announced by the OCR show the high cost a covered entity could face for not having an appropriate business associate agreement in place. The settlements should remind covered entities to have the proper policies, procedures, and personnel in place to identify and evaluate potential business associates before releasing PHI.
To find out more about the business associate agreements or other HIPAA requirements, contact Fraser Trebilcock at 517.482.5800.
Detroit has become a hotbed for technology – from startups to Fortune 500 corporations. Innovation and entrepreneurship are leading the trend within the city and spreading across the entire state of Michigan. Take a walk through downtown Detroit and you will pass offices for Twitter, Google, and Quicken Loans. You can see the energy is different, with an emphasis on development, whether in new construction or in new technology being invented.
To showcase the momentum, Techweek Detroit was held last week at various locations across the city. The schedule was packed with industry leaders sharing their insights, entrepreneur tips and tricks to getting businesses off the ground, and networking events to build connections within the technology space.
Friday’s keynote speaker, Linglong He, CIO of Quicken Loans, shared how the culture at Quicken Loans is the secret to its success. A few keys to its growth and top company culture: trust, alignment, integrity, an eye on deadlines, and communication, with the overall goal being excellence, not perfection. “Carry your own sunshine – we can’t change the weather in Detroit, so carry your own strength and sunshine,” she encouraged.
Other speakers included:
- David Behen, CIO of Michigan Department of Technology, Management & Budget
- Jill Ford, Director of Innovation and Entrepreneurship for the City of Detroit
- Bridget Russ, CMO of Shinola
- Taggart Matthiesen, Director of Product for Lyft
To see a full list of presenters and events, CLICK HERE.
Earlier this month, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) released an educational resource for governing boards entitled Practical Guidance for Health Care Governing Boards on Compliance Oversight (Practical Guidance). The Practical Guidance was developed in collaboration with the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), and the Health Care Compliance Association (HCCA). Guidance documents previously issued by the OIG emphasized the need for governing boards (Boards) to be fully engaged in their oversight responsibility. A fundamental element of any oversight plan involves asking the right questions of management to determine the effectiveness of an organization’s compliance plan and to gauge the performance of those carrying out the compliance plan.
The Practical Guidance just released by the OIG seeks to provide guidance to Boards as they oversee their organizations’ compliance with state and federal health care regulations. In particular, the Practical Guidance addresses issues relating to a Board’s oversight of compliance programs, including:
- Expectations for Board oversight of compliance programs;
- The roles of an organization’s audit, compliance, and legal departments, and the relationships between them;
- Mechanisms and processes for issue-reporting within an organization;
- Approaches to identify regulatory risks;
- Methods to ensure accountability for achievement of compliance goals.
Many of the guidance issues addressed in the Practical Guidance are best practice recommendations rather than strict legal requirements. Since many of the practices addressed in the current Practical Guidance have been discussed in voluntary compliance program documents previously released by the OIG, this post will just highlight some of the newest recommendations addressed by the current Practical Guidance.
Expectations for Board Oversight of Compliance Programs
The Practical Guidance encourages Boards to use publicly available compliance resources as benchmarks for their organizations. Specifically, the Practical Guidance recommends using the Federal Sentencing Guidelines (Guidelines), the OIG’s voluntary compliance program documents, and OIG Corporate Integrity Agreements (CIAs), as baseline tools for Boards and management to determine what functions may be necessary for an effective compliance program.
The OIG recognizes that a one-size-fits-all approach does not work when designing a compliance program and that a Board may choose to review the adequacy of an existing compliance program in its own organization-specific way. In the most recent Practical Guidance, the OIG simply recommends that a Board make management aware of the Federal Sentencing Guidelines, voluntary compliance program guidance, and relevant CIAs as a good first step in ensuring the adequacy of an existing compliance program.
The Practical Guidance also suggests that a Board may raise its level of substantive expertise by adding, or periodically consulting, an experienced regulatory, compliance or legal professional. Adding such a professional to a Board provides a valuable resource to other Board members, and sends a strong message about an organization’s commitment to compliance.
Roles and Relationships
The Practical Guidance recommends that Boards define the interrelationships of the audit, compliance, and legal departments in an organization. A Board should evaluate the adequacy and performance of these departments on a periodic basis. The structure, reporting relationships, and interaction of these and other functions (e.g., quality, risk management, and human resources) should be included as departmental roles and responsibilities are defined.
The Practical Guidance emphasizes the need for an organization’s audit, compliance, and legal departments to speak with a common language to the Board and management with regard to governance concepts, such as accountability, risk, auditing, monitoring, and compliance. Agreeing on the adoption of departmental definitions and relationships can facilitate the development of such a common language.
Reporting to the Board
The Practical Guidance recommends that a Board set and enforce expectations for receiving regular compliance-related information from management. Regular internal reviews by a Board will not only give the Board a snapshot of where its compliance program is, but regular internal reviews should also lead to better compliance program results and higher quality services.
The Practical Guidance also recommends a Board consider conducting “executive sessions” on a regular basis. These executive sessions would include leadership from the compliance, legal, quality, and audit departments, but would exclude senior management in an attempt to encourage more open communication between departments. Regular executive sessions could also create a continuous expectation of open communication rather than initiating communication only when a problem arises.
Identifying and Auditing Potential Risk Areas
The Practical Guidance recognizes that some regulatory risk is common to all health care providers. It also recognizes that certain types of activities are higher risk because they are more vulnerable to fraud. Those high-risk activities include referral relationships, billing issues, privacy breaches, and quality-related events.
The Board should ensure that strong processes for identifying risk areas are in place, including identifying risk areas from internal or external information sources. The Board should ensure that risk areas are routinely audited and reviewed and should also ensure that management develops, implements, and monitors corrective action plans.
Encouraging Accountability and Compliance
The Practical Guidance recognizes that compliance is an enterprise-wide responsibility. Therefore, while the audit, compliance, and legal functions of an organization serve as advisors, evaluators, identifiers, and monitors of risk and compliance, the actual responsibility of executing the compliance program rests with the entire organization.
A Board may assess execution of a compliance program at the individual, department, or facility-level, and may choose to link incentives to compliance and quality outcomes. The Practical Guidance suggests that, as an extension of its oversight of an organization’s reporting structures, a Board should evaluate whether compliance systems encourage communication across the organization and whether employees feel comfortable raising compliance concerns without retaliation or retribution.
The OIG’s most recent Practical Guidance adds to previously issued compliance documents and provides a good starting point for Boards carrying out oversight of an organization’s compliance with state and federal regulations. A Board should still consult with counsel or other compliance professionals to ensure its compliance program complies with relevant federal, state, and local laws.
To find out more about the effect of governance issues related to health care or your business, contact Fraser Trebilcock at 517.482.5800.