Tag: compliance

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

OIG Releases SemiAnnual Report to Congress

The Office of the Inspector General of the Department of Health and Human Services (HHS-OIG) recently issued “Measuring Compliance Program Effectiveness: A Resource Guide”. The Guide was developed by a group of HHS-OIG professionals who wanted to provide a set of metrics by which health care providers can measure the elements of their compliance program. The authors recognize that not all the metrics are applicable to all health care providers but intend them to be used as a guide. The Guide was released on March 27.

You can also read the full “Semiannual Report to Congress (October 1, 2016 – March 31, 2017)”.

Maintaining Compliance Within an EMS Service

Maintaining compliance within an EMS service can be a daunting task, especially given the number of regulations that we must follow.

One way to look at EMS is as if a trucking company married a hospital.

There are rules and regulations to abide by for an entire fleet of vehicles, from safe operation guidelines all the way down to the use and color of lights. Then there are requirements for a group of healthcare providers, which include necessary certifications such as CPR and knowledge of pertinent life-saving skills.

Not only does maintaining compliance keep vehicles and equipment running smoothly, but it can offer employees valuable peace of mind and keep everyone focused on the same goals of providing the best care possible.

I like to consider compliance an investment in common sense.

Employees know what is expected of them at all times, and they know what type of support their employer will provide to keep their skills sharp. In turn, an EMS service gains from being in good standing with regulators and from an engaged, confident workforce.

The benefits of a strong culture of compliance are immense. An organization that lives and breathes compliance can help ensure a smooth-running operation that features top-notch communication and quality providers who offer excellent care.

Journey to Compliance

These six key ways to ensure compliance will serve as a roadmap to a strong culture in your organization:

  1. Start from the top: Backing from leadership ensures a strong culture of compliance. For certification and education compliance to stick, it starts with the attitudes of upper management, such as the board of directors, chiefs, officers, and day-to-day operations staff. Leaders must actively support all compliance efforts, including regular compliance-related reports, approving policies and having a general knowledge of the rules that govern EMS providers. Without the right tone from the top, an EMS service’s compliance efforts are usually undermined and ultimately fail. This results in issues with governing bodies, payers, scheduling and staffing.
  2. Commit to resources: Having the right personnel and systems in place are both vital to creating a strong compliance culture. The organization’s compliance staff should have experience in directing compliance efforts and supporting the evaluation of compliance-related risks. When it comes to certifications and education, compliance is always black and white. Knowing how to evaluate and respond to operational issues is important to maintaining compliance and successfully operating an EMS service. Systems that provide information to assist the service in complying with its obligations are a necessity.
  3. Have the write stuff: Developing written policies and procedures for compliance programs and internal controls is essential to adequately address regulatory requirements and an EMS service’s specific risks. Having these policies and procedures in writing sets the expectation of what is required of both managers and employees. Assessing risks before drafting these programs will help identify key areas where controls are needed. A compliance program should include how a service’s policies can be implemented from an operational perspective. This will include internal controls and standard operating procedures.
  4. Provide education: Providing the training for your EMS employees gives them peace of mind that they will be in compliance and acknowledges that the service values them.
  5. Test the system: Subjecting procedures to an independent review and audit ensures the compliance system is working correctly. This review provides an evaluation of where the EMS service’s compliance efforts stand. It also offers an opportunity to correct deficiencies before an outside regulatory audit is performed.
  6. Communicate more: Communication is vital to all organizations, but it can be the most difficult piece of the puzzle to achieve. With compliance-related responsibilities, sharing information is very helpful and, in some cases, required. Communicating expectations within EMS training programs is imperative. Reporting compliance efforts and noting any deficiencies should be a part of a communication strategy, especially if your state has an active medical director and/or board of EMS.

New I-9 Form Required

New Form I9 Effective January 22, 2017

All employers are required to begin using the new Form I9 starting on January 22, 2017. The new form can be found on the US Citizenship and Immigration Services (USCIS) website. To ensure that you are utilizing the correct form, check for the expiration date of August 31, 2019 in the top right-hand corner of the form.

Last year we were aware of several ambulance providers who were the subject of Form I9 audits by the USCIS which resulted in technical violations for failing to complete the form correctly. The Form I9 is the document all U.S. employers are required to have completed when hiring a new employee to assure that they are legally eligible to work in the United States. While there has been a reduction in Form I9 Audits from USCIS in 2015, employers should be prepared as the five year trend is on the rise and I am aware of several ambulance providers currently dealing with audits.

The Law

The Immigration Reform and Control Act (IRCA) of 1986 requires employers to examine documentation from each newly hired employee to prove his or her identity and eligibility to work in the United States. The IRCA led to the Form I-9 Employment Eligibility Verification, which requires employees to attest to their work eligibility, and employers to certify that the individual presented documents to the employer that appeared to be for the individual and genuine. The form has very specific rules regarding when certain sections of the form must be completed, which documents the employee can proffer as proof of eligibility, and how information must be presented in the different sections of the Form I9.

While most employers understand that they must obtain certain information from every newly hired employee, they are often not aware of the specific dates upon which the different sections of this form must be completed. This is where the greatest number of compliance issues arise.

The Form’s Timing

Section 1 of Form I9 is the Employee Information and Attestation section and must be completed by the employee by the close of business on the employee’s first day of employment. This section consists of several mandatory fields for the new employee’s personal information and two optional fields. It includes the employee’s full name, date of birth, address, and social security number, as well as email address (optional) and telephone number (optional). In addition, the employee must attest that they are a citizen of the United States, a Non-Citizen National, a Lawful Permanent Resident, or an Alien Authorized to Work in the US. The employee must provide an Alien Registration Number or USCIS Number if they check that they are a lawful permanent resident. If they are an Alien Authorized to Work, they must provide the date their authorization expires and their Alien Registration Number. The employee must sign the document and date it. If there is a translator or preparer, they must complete the certification at the end of Section 1.

Section 2 is the Employer or Authorized Representative Review and Verification section and must be completed by the close of business on the third day of employment. This section is where many make a very simple error. First, there is a place at the top of this section where the employer must list the employee’s full name. This frequently gets left blank. Next, the employer must identify the document(s) that the employee is presenting as proof of identity and employment authorization. In Column A, there is a list of acceptable documents, typically a Passport, Permanent Resident Card, or Employment Authorization Document. One or more of these documents can be sufficient. Alternatively, the employee can present one document each from List B and List C. These are typically a driver’s license and a birth certificate. These documents don’t have to be copied, but if they are, they must be kept with the Form I9.

It is critical that the employer complete the Certification section of Section 2. This is another area where employers frequently make mistakes. In the Certification, there is a section to mark the date of the employee’s first day of employment. I often find this section blank or find that the employer mistakenly enters the date that they viewed the employee’s documents. The employer needs to complete the Certification section and date it, entering the employer’s business name and address. Failure to complete any of these sections can lead to a Substantive or Technical Violation and fines.

Section 3 of the Form I9 is completed by the employer when re-verifying that an employee is authorized to work or when rehiring an employee within three years of the date on the original Form I9. It is important that employers develop a mechanism for identifying any expiring document(s) that require re-verification and ensuring they are re-verified. Of course, an employer can always complete a new Form I9 for a returning employee.

Penalties

Title 8 of the Code of Federal Regulations Section 27a.10 established a fine range from $110 to $1,100 per violation.  Fines can be for either a Technical violation, one where an employer fails to ensure that the employee provided all of the personal information, name, DOB, address, etc. or a Substantive violation, where the employer fails to review and verify the required documents or when someone is working without authorization.  These fines can be issued for each individual violation and can be substantial.

Other common errors that carry fines include not documenting the title of the document that the employee presented as proof (for example, US Passport, State Driver’s License and Social Security Card), not initialing corrections made to the form when corrections are necessary, and not re-verifying those work authorization documents that require re-verification.

Solution

All of the fines are avoidable by ensuring that you clean up the Form I9 process within your organization. First, services should ensure that only individuals trained and knowledgeable in completing the Form I9 are involved in this process. For training, the USCIS provides great Form I9 training for free on their website. In addition, USCIS has great instructions that accompany the Form I9 and provides video instruction on their website. Following these instructions carefully will be the best guarantee that you will complete the form correctly.

In addition, every ambulance service should conduct an audit of their Form I9 processes within their organization. I would have one individual, who is knowledgeable about the rules, conduct a review of all Form I9s for current employees and for any employees who were terminated within the last five years. Under the Regulations, employers can purge any Form I9 documents for employees who are terminated after one year from termination or three years after the date of hire, whichever date is later. However, employers should have Form I9 documents on all employees who are currently on their payroll.

For purposes of record keeping, it is best to keep all Form I9s in one location so that they can be easily provided in the event of an audit. Employers are not required to make copies of the documents an employee provides to the employer as proof of authorization. However, if the employer does copy the documents, they should be kept with the Form I9. I recommend employers make copies of those documents, store them with the Form I9, and keep them in a secure location. If those documents are stored electronically, it is critical that there are sufficient systems in place to ensure the integrity and security of the documents, including an electronic audit trail.

Many employers utilize e-Verify, the online system hosted by the USCIS in partnership with the Social Security Administration (SSA) that allows employers to search the linked federal databases to ensure that employees are eligible to work in the US and verifies the employee’s Social Security Number. e-Verify is free to employers and is voluntary throughout the country. However, you should check your state law as many states have passed legislation requiring the use of e-Verify. It is easy to enroll and is a necessary part of any I9 compliance plan.

I can tell you that all of the providers that I have questioned about this issue assured me that they have adequate processes in place to ensure compliance. However, after we discussed the timing and information required for the different sections of the Form I9 that were identified in many of the audits I am aware of, it quickly became apparent that most did not really have safeguards in place.

Webinar Now 9/21: Scott Moore, Esq on Employment Lawsuits

It’s not too late! Scott Moore, Esq’s Know When to Hold ‘Em or Fold ‘Em webinar has been rescheduled to September 21 at 2:00 p.m. ET.

Employment Lawsuits: Know When to Hold ‘Em or Fold ‘Em

September 21 at 2:00 PM ET
$99 for Members
$199 for non-Members

This program is valid for 1 PDC for the SHRM-CP or SHRM-SCP.

Speaker: Scott Moore, Esq., EMS Resource Advisors

Your organization has been served with a lawsuit or investigative demand on an employment claim. Is your organization prepared for what is ahead? This session will follow what an employer should do long before the Constable serves the papers. Human Resources Managers treat employee personnel records like they are evidence in a case because they could be. This session will also discuss the financial and practical costs of defending your organization and how you can still lose even if you win.

Spotlight: Rebecca Williamson

Rebecca Williamson
Compliance Officer, Muskogee County EMS
Medicare Regulatory Committee Co-Chair,
AAA Board & Committees
Tulsa, OK

Tell us a little about yourself.

I was born in Muskogee, OK and currently live in Tulsa, OK. I received my nursing degree from Connors State College and my bachelor’s degree in English from Northeastern State University. I began working at Muskogee County EMS as a paramedic 24 years ago, have moved through the ranks over the years, and have held my current title of Compliance Officer for about 12 years. When I’m not doing EMS, I am the Director of Nurses at Kids’ Space, a child advocacy center in Muskogee.

I’m married to Steve Williamson, CEO/President of EMSA, and between us we have 7 children and 6 grandchildren.

What do you enjoy most about your job?

It’s always a challenge. Nothing is ever the same. I enjoyed being a paramedic because it was always different and no two patients were alike. Even though I’m now in administration and I’m dealing with Medicare, Medicaid, and insurance and regulatory issues and legislation, it is still never the same between days. I never feel like I have everything figured out, so there’s always a challenge in my job.

What is your biggest professional challenge?

The EMS industry as a whole has so many challenges, but my biggest professional challenge would be making sense of some of the laws, regulations and rules that govern how we operate and how we get paid. Also, dealing with the bureaucracy and taking a simple concept, such as “we provide medical care,” and trying to get people in Congress and the legislature to understand that we’re not a supplier, but a provider. Translating all of that into simple, real-world language that everyone can understand so we can all be on the same page – that is a challenge.

What is your typical day like?

I don’t really have a typical day! I’m very fortunate that, because I travel so much and because I have to be in different places, my schedule is very flexible and I’m able to work from home a lot. But typically when I go into the office, I can tell in the first five minutes if it’s going to be one of those days that I’m not going to sit down at all, or one of those days where I’ll have blocks of time to sit down and be productive. I try to talk to the medics every morning, and I talk to our Director and do a brief overview every morning and deal with any problems that may have occurred. My day is a constant interaction with the other administrators, the staff, and the medics, and can be a lot of running around.

How has participation in AAA membership and advocacy helped your organization?

I feel as though we as an organization (Muskogee County EMS) are light years ahead of so many other ambulance services because we get the information and the education that we need so easily. We can stay on the forefront of what is happening legislatively with Medicare and Medicaid regulatory issues, and we are in such a better position as a company and as a business because we have access to frontline information and top-of-the-line education. With AAA, industry experts are just a phone call or an email away. I cannot imagine trying to do my job and be effective at all without the education, the experts, and the ability to contact people who can help at a moment’s notice. I cannot imagine doing my job without having access to the AAA.

Audit Alert! USCIS Form I9

One of the most commonly misunderstood compliance issues for any employer is the US Citizenship and Immigration Services (USCIS) Form I9. Form I9 is the document all US employers are required to have completed when hiring a new employee to assure that they are legally eligible to work in the United States. While there has been a reduction in Form I9 Audits from USCIS in 2015, employers should be prepared as the five year trend is on the rise. In fact, I am aware of several ambulance providers currently dealing with audits.

The Law

The Immigration Reform and Control Act (IRCA) of 1986 requires employers to examine documentation from each newly hired employee to prove his or her identity and eligibility to work in the United States. The IRCA led to the Form I-9 Employment Eligibility Verification, which requires employees to attest to their work eligibility, and employers to certify that the individual presented documents to the employer that appeared to be for the individual and genuine. The form has very specific rules regarding when certain sections of the form must be completed, which documents the employee can proffer as proof of eligibility, and how information must be presented in the different sections of the Form I9.

I believe that most employers understand that they must obtain certain information from every newly hired employee. However, with the Form I9, there are very specific dates upon which the different sections of this form must be completed. This is where the greatest number of compliance issues arise when dealing with I9 Audits.

The Form’s Timing

Section 1 of Form I9 is the Employee Information and Attestation section and must be completed by the employee by the close of business on the employee’s first day of employment. This section consists of several mandatory fields for the new employee’s personal information and two optional fields. It includes the employee’s full name, date of birth, address, and social security number, as well as email address (optional) and telephone number (optional). In addition, the employee must attest that they are a citizen of the United States, a Non-Citizen National, a Lawful Permanent Resident, or an Alien Authorized to Work in the US. The employee must provide an Alien Registration Number or USCIS Number if they check that they are a lawful permanent resident. If they are an Alien Authorized to Work, they must provide the date their authorization expires and their Alien Registration Number. The employee must sign the document and date it. If there is a translator or preparer, they must complete the certification at the end of Section 1.

Section 2 is the Employer or Authorized Representative Review and Verification section and must be completed by the close of business on the third day of employment. This section is where many make a very simple error. First, there is a place at the top of this section where the employer must list the employee’s full name. This frequently gets left blank. Next, the employer must identify the document(s) that the employee is presenting as proof of identity and employment authorization. In Column A, there is a list of acceptable documents, typically a Passport, Permanent Resident Card, or Employment Authorization Document. One or more of these documents can be sufficient. Alternatively, the employee can present one document each from List B and List C. These are typically a driver’s license and a birth certificate. These documents don’t have to be copied, but if they are, they must be kept with the Form I9.

It is critical that the employer complete the Certification section of Section 2. This is another area where employers frequently make mistakes. In the Certification, there is a section to mark the date of the employee’s first day of employment. I often find this section blank or find that the employer mistakenly enters the date that they viewed the employee’s documents. The employer needs to complete the Certification section and date it, entering the employer’s business name and address. Failure to complete any of these sections can lead to a Substantive or Technical Violation and fines.

Section 3 of the Form I9 is completed by the employer when re-verifying that an employee is authorized to work or when rehiring an employee within three years of the date on the original Form I9. It is important that employers develop a mechanism for identifying any expiring document(s) that require re-verification and ensuring they are re-verified. Of course, an employer can always complete a new Form I9 for a returning employee.

Penalties

Title 8 of the Code of Federal Regulations Section 27a.10 established a fine range from $110 to $1,100 per violation. Fines can be for either a Technical violation, one where an employer fails to ensure that the employee provided all of the personal information, name, DOB, address, etc. or a Substantive violation, where the employer fails to review and verify the required documents or when someone is working without authorization. These fines can be issued for each individual violation and can be substantial.

Other common errors that carry fines include not documenting the title of the document that the employee presented as proof (for example, US Passport, State Driver’s License and Social Security Card), not initialing corrections made to the form when corrections are necessary, and not re-verifying those work authorization documents that require re-verification.

Solution

All of the fines are avoidable by ensuring that you clean up the Form I9 process within your organization. First, services should ensure that only individuals trained and knowledgeable in completing the Form I9 are involved in this process. The USCIS provides great Form I9 training for free on their website. In addition, USCIS has great instructions that accompany the Form I9 and provides video instruction on their website. Following these instructions carefully will be the best guarantee that you will complete the form correctly.

In addition, every ambulance service should conduct an audit of their Form I9 processes within their organization. I would have one individual, who is knowledgeable about the rules, conduct a review of all Form I9s for current employees and for any employees who were terminated within the last five years. Employers can purge any Form I9 documents for employees who are terminated after one year from termination or three years after the date of hire, whichever date is later. However, employers should have Form I9 documents on all employees who are currently on their payroll.

For purposes of record keeping, it is best to keep all Form I9s in one location so that they can be easily provided in the event of an audit. Employers are not required to make copies of the documents an employee provides to the employer as proof of authorization. However, if the employer does copy the documents, they should be kept with the Form I9. I recommend employers make copies of those documents, store them with the Form I9, and keep them in a secure location. If those documents are stored electronically, it is critical that there are sufficient systems in place to ensure the integrity and security of the documents, including an electronic audit trail.

Many employers utilize e-Verify, the online system hosted by the USCIS in partnership with the Social Security Administration (SSA) that allows employers to search the linked federal databases to ensure that employees are eligible to work in the US and verifies the employee’s Social Security Number. e-Verify is free to employers and is voluntary throughout the country. However, you should check your state law as many states have passed legislation requiring the use of e-Verify. It is easy to enroll and is a necessary part of any I9 compliance plan.

I can tell you that all of the providers that I have questioned about this issue assured me that they have adequate processes in place to ensure compliance. However, after we discussed the timing and information required for the different sections of the Form I9 that were identified in many of the audits I am aware of, it quickly became apparent that most did not really have safeguards in place.