SCGhealth Blog



You can’t play discrimination dodge ball when it comes to patient communication

Tuesday, February 28, 2017

By Marla Durben Hirsch, contributing writer

Be prepared to provide communication and other assistance to patients with disabilities or with limited English proficiency. There’s been an uptick in government enforcement in this area, with the Office for Civil Rights (OCR) announcing a settlement a month for the last four months against entities that have dropped the ball.

In the most recent settlement, UConn Health agreed to settle allegations that its John Dempsey Hospital failed to provide services and auxiliary aids to a patient in the emergency department who was deaf and requested communication assistance. OCR, joined by the Connecticut attorney general’s office, claimed that the hospital violated not one but three different laws: 1) the Americans with Disabilities Act (ADA), which prohibits state and local government entities from discriminating against individuals with disabilities; 2) Section 504 of the Rehabilitation Act, which bars discrimination on the basis of disability in any program or activity receiving federal financial assistance; and 3) Section 1557 of the Affordable Care Act (ACA), which expanded providers’ obligations to patients with communication problems, such as those with disabilities and limited English proficiency.

The health system has agreed to pay $20,000 in compensatory relief to the patient and take other steps to avoid communication snafus in the future, including revising policies and procedures, training staff, posting a notice of nondiscrimination and assigning an employee to be a civil rights coordinator.

What’s significant is that while OCR noted that the hospital was subject to all three laws and violated all of them “collectively,” in actuality even a solo practitioner is going to be hard pressed to avoid having to comply with the laws banning discrimination against those with disabilities or other communication difficulties, since it’s likely that at least one law will apply.

For example, all providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to make their programs, services and activities available to those with limited English proficiency. Section 1557 of the ACA applies to any health program or activity which receives any federal financial assistance, which includes Medicaid and Medicare managed care. Only providers that participate just in Part B Medicare and receive no other federal money would be exempt.

Moreover, providers should expect to see more enforcement in this area. OCR began its “barrier free health care initiative” several years ago, primarily to help deaf patients obtain interpreter assistance when seeking health care.

However, since section 1557 of the ACA requires providers to publicize that they do not discriminate, it is likely that more aggrieved patients will be filing complaints with OCR, since their awareness of their rights will be increased.

In addition, OCR has been stopped – that is, “enjoined” – from enforcing two of the other nondiscrimination provisions of section 1557. A federal court on December 31 ruled that OCR can’t pursue alleged violations of discrimination against entities on the basis of gender identity or termination of pregnancy. So it’s possible that OCR will concentrate on those components of section 1557 that it can still investigate and enforce.

Your Voluntary Wellness Program Is Safe – For Now

Tuesday, February 07, 2017

By Marla Durben Hirsch, contributing writer

If your practice has instituted an employer sponsored wellness program in accordance with the new rules issued by the Equal Employment Opportunity Commission (EEOC), it looks like those rules currently pass muster. The AARP’s request for a preliminary injunction to prevent the rules from going into effect January 1, 2017 has been shot down by a federal court.

Many employers have instituted voluntary wellness programs such as tobacco cessation classes, Fitbit teams and the like in order to promote and improve the health of their workforce. These programs are popular because they decrease the cost of health care by improving employee health.

Employers can’t discriminate against employees on the basis of disability or genetics, but the law allows employers that operate these wellness programs to conduct voluntary medical exams such as health risk assessments or diagnostic tests and collect medical histories, as part of these programs so long as participation is voluntary. The information collected can include disability or genetic protected information. Moreover, the employer can impose an incentive/penalty of up to 30 percent of the employee’s health insurance premiums for participation. In other words, an employee that doesn’t share her medical information can be subject to an up to 30% increase in the cost of her health insurance premiums.

The EEOC published rules in May 2016 clarifying how employer sponsored wellness programs which collect this confidential medical information would dovetail with the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), and imposing some requirements regarding how such wellness programs need to operate.

For instance, the program must be reasonably designed to promote health or prevent disease. Employers also need to provide notice to employees informing them what information will be collected, how it will be used, who will receive it and what will be done to keep it confidential. The notice also needs to state that employees may not be discriminated against in employment because of the medical information they provide as part of participating in the wellness program, nor may they be subjected to retaliation if they choose not to participate.

AARP is concerned that its members, who are older and may be less healthy, will be discriminated against if they reveal confidential medical information that they prefer to keep confidential, and penalized with the higher insurance premiums that they can’t afford if they choose not to. The organization filed a lawsuit in October 2016 to stop the rules from going into effect.

The federal District Court for the District of Columbia said no, ruling December 29, 2016 that the rules were not so onerous as to cause “irreparable harm” such that the rule needed to be stopped in its tracks. It said that the rules were designed to prevent employers from using the information to discriminate against employees, and that AARP had not submitted sufficient evidence to show that people would suffer such irreparable harm that the rules could not even be implemented.

The EEOC rules went into effect January 1, 2017, so if you have or are considering operating a voluntary wellness program you can go forward – but you still need to comply. For instance, if you haven’t provided employees with that notice on how the employer sponsored wellness program will work, you need to do so promptly. The EEOC has created a sample notice that employers can adapt.

Practices should also keep an eye on this case. AARP has said that even though it wasn’t granted a preliminary injunction to keep the rules from going into effect, it’s still going to pursue its lawsuit challenging the rules. If AARP ultimately prevails, these wellness programs may need to be restructured.

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch, contributing writer

Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy, have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician owned Radiology Regional Center, with several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes being made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.

Attestation Worksheets Now Available for 2016 Medicare EMR Incentive Program

Tuesday, January 10, 2017

Written by: Melissa Cotton

The Centers for Medicare & Medicaid Services (CMS) has announced that its certified electronic medical record (EMR) Incentive Program attestation system will be open from January 3 through February 28, 2017. All physicians must attest by the February 28, 2017 deadline to avoid a 2018 payment adjustment. The EMR Incentive Program is commonly known as the “Meaningful Use Program.”

CMS has also released two attestation worksheets for eligible professionals, eligible hospitals and critical access hospitals. The worksheets can be located on the CMS website or by following the links listed below:

The Eligible Professional Attestation Worksheet is for physicians in the Modified Stage 2 of the Medicare EMR Incentive Program. Physicians must report on the following:

  • Ten objectives, which should include one consolidated public health reporting objective with measure options requiring physicians scheduled to be in Stage 1 and Stage 2 to meet two public health measures (SCG Health is a specialized registry)
  • Nine out of 64 of the clinical quality measures covering at least three National Quality Strategy domains

Physicians may log into their meaningful use measure dashboard in their certified electronic medical record technology for each objective and use the worksheet as a reference when attesting for the 2016 Medicare EMR Incentive Program in CMS’ Registration and Attestation System. CMS strongly encourages providers to review the additional resources for the 2016 EMR Incentive Program.

For assistance using the Medicare & Medicaid EHR Incentive Program Registration and Attestation System, reference these user guide materials:

To call for support, dial 1-888-734-6433, option 1 between 7:30 a.m. – 6:30 p.m. (Central Time) Monday through Friday, except federal holidays.

Be Prepared for an Audit
As a reminder, please take screen shots and other support materials to demonstrate the information used to attest for meaningful use during the 2016 period chosen. SCG Health’s recommendations and best practices are in these blog posts:

Need help?
With the deadline for attesting for Meaningful Use rapidly approaching, be sure to log in and check your account today. And if you need help, contact SCG Health.

Are You Avoiding the Advance Care Planning Conversation?

Tuesday, January 03, 2017

Written by: Ben Regalado, contributing writer

When it comes to talking about advance care planning, many physicians … still don’t.

Beginning in 2016 Medicare allowed for payment to providers who conduct advance care planning discussions with their patients and/or family members. Realizing that such conversations can be difficult, the payment structure created was based on the time it takes to have the discussion, with few other boundaries. For instance, the conversation didn’t just have to be with the beneficiary, but could include family members.

Still, a poll conducted by the California-based John A. Hartford Foundation a few months after the payment policy went into effect showed that while physicians overwhelmingly supported providing the service, only 14% have actually billed for it. (You can find an excellent summary here.)

The survey noted those most likely to have billed for advance care planning services worked regularly in a hospital setting, had participated in formal training in how to have the conversations, and also had a formal system or process in place to encourage the conversation. It appears the last two factors are potential areas of focus, as both relate strongly to having time to prepare for and conduct the advance care planning conversations.

Here are two ideas that you can use to expand the opportunity for conversations in the new year:

1. Physicians who want to have the advance care planning conversation should consider setting aside time during the annual wellness visit. The benefit for the patient is that these services can be provided without a copay or deductible, and the expectation can be established up front that this will be included.

2. More than half of the physicians surveyed indicated there is a place in their electronic medical record to indicate if the patient has an advance care plan (with some allowing you to see what is in the plan, if a copy has been provided). Reports run a few days before the appointment can help you identify the patients who are candidates for discussion, or you can ask your staff to check when the appointment is set to see if additional time is needed.

Finding Training Resources
Even if the expectation is established and reports are run, there is no denying the fact that a major barrier to the discussion is physicians feeling unprepared to do so. Nearly one third of doctors polled cited a lack of formal training in how to have the conversation as a barrier.

Indeed, though there are plenty of websites and documents that are designed to help the patient, a quick scan found a lack of online provider focused training resources (although we found a number of journal articles, a few of which you can explore here, here, here or here.)

Perhaps familiarizing yourself with a few patient oriented resources, such as or, can be a first step in establishing your own process and dialog. In fact, when establishing an appointment with a target age group or patient, you may want to train your staff to sensitively and tactfully guide the patient at the time the appointment is made to the website or information of your choosing.

Sensitivity and tact also require another perspective: addressing the topics of death and dying (among other health related subjects) with cultural sensitivity. Since advance care planning falls outside of the norm of illness and injury, understanding how to approach a particular patient population will take an investment of time. Again, readily available online resources appear to be limited (our search found one very limited guide). You may consider how a local hospice medical director may be able to assist you and your practice through peer education.

Being a physician involves hard decisions and discussions. Our cultural diversity demands sensitivity. Look at advance care planning payment not as revenue, but as a way to facilitate meeting the total care needs of your patients. In the long run, they and their family members will thank you.

OCR, ONC dispel fears about sharing patient records for public health purposes

Wednesday, December 28, 2016

Written by: Marla Durben Hirsch, contributing writer

Queasy about over disclosing information about your patients to the government for fear of violating HIPAA? Evidently, you’re not alone – but your ability to provide this information is broader than you may think.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, and the Office for the National Coordinator of Health IT (ONC) have issued a fact sheet to allay providers’ concerns about sharing data to foster public health.

HIPAA allows covered entities to share patient information without first obtaining the patient’s written authorization when the disclosure involves treatment, payment or operations. According to the fact sheet, released in December, sharing information with public health agencies authorized by law to collect information for public health reasons is one of those instances where an authorization is not necessary.

Lucia Savage, ONC’s chief privacy officer, and Matthew Penn, the director of public health law programs for the Centers for Disease Control and Prevention (CDC), explain in a related blog post published December 8, 2016 why the fact sheet was necessary:

“Many Americans have not taken full advantage of electronic health record data, perhaps because of confusion about how the Health Insurance Portability and Accountability Act (HIPAA) interacts with and supports the exchange of electronic health information for the purposes of public health.”

The fact sheet lists several not so hypothetical examples where it’s okay to divulge information, such as:

  • To honor a CDC request to collect disease surveillance information
  • To a state cancer registry, including type, extent, location of cancer and type of initial treatment
  • As part of a state department of health investigation of a disease outbreak
  • To assist a state health department intervention program, such as to reduce lead in drinking water or to measure care coordination outcomes
  • To the Food and Drug Administration collecting information as part of a medical device recall
  • To notify individuals who may have been exposed to a communicable disease while in the provider’s waiting room
  • To engage in medical surveillance in the workplace to evaluate work related injuries and illness, as required by law

Note that entities still need to comply with other provisions of the law, such as following HIPAA’s security rule when sending information electronically. They also need to only provide the minimum amount of data necessary, although they can rely on a public health authority’s request as to what information is necessary for these public health activities.

Why this new alert is important
While the fact sheet and blog post don’t say so, it appears that the government is concerned that the information currently being collected is incomplete. That can have a major impact on an agency’s ability to provide accurate information to the public and to health care providers, such as about the spread of measles that occurred in 2015.

Moreover, situations such as recent natural disasters and the Zika and Ebola outbreaks have increased attention on population health and the need for more proactive action. For instance, the CDC reported in December that the number of cases of mumps in the United States has skyrocketed, with 4,258 cases reported in 2016 as of December 3. In contrast, there were only 229 reported cases of mumps in all of 2012. The CDC suggests that this increase may be due in part to the possibility that the mumps vaccine may be losing its effectiveness, which would need to be addressed.

Takeaway: Providers should expect more scrutiny in this area of HIPAA now that ONC and OCR have highlighted it as an area needing further guidance and have sought to reduce any confusion about compliance. Check your policies and procedures regarding data sharing for public health purposes and ensure that you understand the rules.

Read the fact sheet.
Here’s the blog post.
Read the CDC mumps report.

Forget Instagram: “Insta-Mail” Could Pose New HIPAA Issues

Tuesday, December 06, 2016

Written by: Ben Regalado, contributing writer

In the early days of email, we looked forward to the voice chiming “You’ve Got Mail!” when we logged in to our inbox. While that may be far from the case now, the United States Postal Service is rolling out a new service that will make that phrase literally true. Very soon, if not already, you can sign up for Informed Delivery, and by email find out what’s in your mailbox before you open it, perhaps before the mail itself arrives.

Through Informed Delivery, your post office can send photos of your mail packaging (not contents) to a designated email before delivery, allowing you to see what’s coming before it’s arrived. While the technology isn’t yet where the USPS wants it to be, the full fruition of the service is probably not far away.

The original purpose of the postal service, secure and reliable communication, has proven to be less than profitable in this new era of communication. So, by focusing on generating new revenues from direct marketers who’ve increasingly abandoned the mail in favor of targeted online advertising, this service allows you to see (among other things) the catalog or magazine about to arrive, and then potentially click on a link that may bring you special offers. This holds appeal to marketers (and maybe you if you choose to enter into that promotional approach) as it gives more exposure to the message.

Of course, what if the message isn’t marketing? What if it instead contains lab results or other medical information that even in a shared household and mailbox, someone wants to protect? As always, we encourage you to take steps to protect the confidentiality of information. 

You obviously can’t control who sees and opens mail in a household. But as much care should be given to what is on the outside now as what is on the inside. While envelopes are often seen as marketing tools, perhaps a return to the plainly printed white or manila envelope should be a consideration. After all, once opened the pieces generally find their way to the recycle bin (right?!). 

Of course, the underutilized patient portals are also supposed to be a greater part of the communication dialog between physicians and their patients. The one-to-one dialog allowed may be where we need to go to promote privacy in communication, and perhaps save time and money.

In addition, having spent more than a few hours slicing open, sorting, scanning and shredding mail sent between doctors and patients, lab companies, hospitals, or even other doctors, we can begin to appreciate the inefficiency and weak security of using the mail, when electronic communication will suffice. Perhaps this new initiative can be used to encourage the digital generation to take the steps to maintain their confidentiality that a portal will provide.

Are you willing to challenge your patient population to adopt the use of portals over US Mail? 

As for those who are less tech savvy, it’s important to understand that while they may not choose to use a portal, or even elect to receive images of their mail by email, the conversation about who will have access to their information must become ongoing. Children-caretakers may want to see what’s in Mom and Dad’s mail, and while the Informed Delivery process is supposed to take steps to assure confidentiality, there is no guarantee that it will.

Repeatedly putting disclosure in the hands of the patients is the most effective means of protecting confidentiality.

For medical practices, HIPAA has become so automatic - the offer (and frequent refusal) of policies, the signature - that we forget that it is in place to protect the doctor-patient relationship, and at the very least support the care you provide and the dignity of each patient. Much like updating benefits at each visit, perhaps your process should now require more than the annual HIPAA signature, and include actively and plainly asking: “Do you want to make any changes to who can see your medical information?”

HIPAA is now a 20-year-old law with ever increasing new permutations. As technology creates pressure points, it’s up to you to respond. How do you intend to do so?

Drug Costs Are a Key Component In Health Premium Increases

Tuesday, November 29, 2016

Written by: Ben Regalado, contributing writer

The debate on who will lead the country is over. But with the widely unexpected unity of the Executive Branch and Congress, the debate over healthcare costs and the fate of ObamaCare is sure to kick back into gear.

Whatever parts of the Affordable Care Act are modified or repealed, along with the continued shift in payment mechanism from cost-based to value-based (because MACRA is not on the chopping block), it is unlikely there will be a shift in the overall focus, which is finding ways to bring down the rising cost of healthcare. Often these focus on provider utilization, but there is another area that merits examination: medication costs.

With the new administration, what will occur now is anyone’s guess. One reaction immediately following Mr. Trump’s election was the rise in pharmaceutical stocks (while hospital management company stocks fell) in anticipation of a lack of pressure to pursue regulation of drug costs.

That doesn’t mean the problem is gone, however. A BlueCross BlueShield Association study which found that the cost of specialty drugs added a “mere” $87 to an individual’s health care cost from 2013 to 2014 noted that this represented a 26% increase in specialty drug spending. This was not driven by utilization as much as the price and selection of the drugs.

While admittedly this study is by an organization of large insurance companies professing to be concerned about member costs and access and not their own profits, the findings are sobering when laid side by side with this summer’s headlines on rising drug costs such as the EpiPen, Daraprim, and Sovaldi. If repeated, it’s possible studies will show the costs increased even more.

Some will say the key area of focus should be the costs of the drugs themselves, continuing the debate over “Big Pharma” (and little pharma) lining their pockets through various tactics which, while legal, prevent more competitively priced alternatives from entering the market. Others believe that although drug costs are rising, it’s more important to look at the big picture. The impact really is to lower overall spending, as these drugs keep people from costly hospitalizations, surgeries, and resource intensive critical care services.

What can be done differently?

One initiative is to unshackle Medicare and Medicaid from being forced to pay what is charged, regardless of the cost. Oddly, the largest single purchaser of prescription drugs - the Federal government - cannot do what it is able to do with so many other purchasing agreements: negotiate prices. One could argue this amounts to setting prices, as Medicare does for professional services, and that negotiations are done by the private insurers who offer Part D plans.

Another change would be to persuade the Food & Drug Administration (FDA) to allow faster market access for generic or other competitive alternatives than is currently in place, or to demand that when a pharmaceutical manufacturer “evergreens” (changes a drug slightly so it stays under patent protection) or “hard stops” (completely replacing a drug about to go off patent with a patent protected alternative) a medication, the newer drug have substantial, demonstrable improvements in therapeutic value to maintain market protection.

Again, however, what will happen is anyone’s guess. For now, the market guesses that nothing will happen to the drug companies, but our President-Elect is nothing but unpredictable.

In the end, then, as with the prescription opioid issue, physicians and other prescribers again hold the key. Amid the flurry of marketing and educational efforts, prescribers should ask:

  • Is there truly demonstrated scientific value to the “new” drugs, or are the new chemical formulations of little or no therapeutic value?
  • How does the cost of the medication impact compliance by my patient? Will limited access prevent the proposed therapy from being effective?
  • How does your selection of a drug impact the potential overall healthcare costs? 

As with politics, all healthcare is local. Indeed, it is right at the patient level. Being a patient advocate is not just something done for their care, but for their economic livelihood as well.

New Hazardous Drugs Standards of Care for Your Employees

Tuesday, November 22, 2016

Written by: Ben Regalado, contributing writer

If you thought OSHA and Biohazards were all you had to be concerned about, it’s time to think again. The US Pharmacopeial Convention, or USP, standard published this past spring by National Institute of Occupational Safety & Health (NIOSH) established increasing requirements for healthcare providers to establish processes and enhance staff training when it comes to the handling of specific types of hazardous drugs.

Healthcare providers need to examine the entire process of handling of these drugs, from arrival to dispensation, in addition to ensuring there are processes in place to deal with unexpected potential exposures. 

While hospitals and other providers frequently have pharmacists or other resources on site they can rely on, the lack of resources in physician practices does not create an excuse for lack of attention. In fact, it may require thoughtful consideration as to whether you will continue to handle these drugs.

NIOSH notes that “drugs considered hazardous include those that exhibit one or more of the following six characteristics in humans or animals: carcinogenicity, teratogenicity or other developmental toxicity, reproductive toxicity, organ toxicity at low doses, genotoxicity (and) structure and toxicity profiles of new drugs that mimic existing drugs determined hazardous by the above criteria.”

Even though the effective date of the new, higher standards isn’t for another 18 months (July 2018), you need to use the time now to prepare. How?

First, start with a comprehensive review of the (34 page) NIOSH List of Antineoplastic and Other Hazardous Drugs in Healthcare Settings for 2016. In the document, providers can find the drug name, comments, and links to key information.

Second, review Table 5 of the document, which is on pages 32-34. This chart gets into the specifics of what type of Personal Protective Equipment (PPE) you need to have for employees at each stage in the process, beginning with receiving, then continuing through normal handling, compounding, administration through various methods, disposal and cleaning.

PPE necessary, depending on the activity, includes double chemotherapy gloves, protective gown, eye/face protection, respiratory protection and ventilated engineering control. 

Third, while many practices may have a “spill kit” for handling biohazards and/or chemical hazards (e.g., mercury), it may be necessary to specifically create and set aside a kit related to these hazardous drugs.

Remember, OSHA inspectors (and, heaven forbid if anything were to happen, plaintiff attorneys) are not just looking for boxes on a checklist. They will want to know that your staff has been trained, and that they have acknowledged and retained the training provided. This goes hand in hand with the OSHA HAZCOM (or Hazard Communication) Standard.

As you are hopefully aware, in updating HAZCOM several years ago, OSHA transitioned from the familiar Material Safety Data Sheet (MSDS) to the United Nations Globally Harmonized System of Classification and Labelling of Chemicals (GHS), and adopted the universal and standardized Safety Data Sheets (SDS). At the very minimum, you should check your policy handling books to ensure that you have these new documents, because while they are nearly identical to the ANSI Standard 16-section MSDS, there are a few modifications.

While many of these SDS documents and even the NIOSH document are available online, this is one instance where a practice may want to go through the process of assembling paper copies in a readily accessible binder. Why? Because in an emergency situation, speed matters.

Healthcare is truly one of the most highly regulated industries on many levels. This is just another one you need to know about and add to your continuous New Year’s Resolutions list.

That authorization form? It needs to comply with both HIPAA and the FTC Act

Tuesday, November 15, 2016

By: Marla Durben Hirsch

One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) that has received less attention is the fact that practices need written authorization from a patient when the practice wants to use or share the patient’s information for activities other than treatment, payment or operations, or other uses or disclosures permitted or required by the privacy rule, such as to law enforcement. If a practice wants to use or disclose information for commercial activities, such as marketing, fundraising, or research, it needs to get that form signed. Failure to obtain an authorization or handling it incorrectly can be a violation of HIPAA.


But evidently a faulty authorization form also can be a violation of the Federal Trade Commission (FTC) Act, as the FTC has recently reminded the industry.

The FTC issued new guidance on October 21 notifying HIPAA covered entities and business associates that their HIPAA authorizations also have to comply with the FTC Act.

What’s the FTC’s beef?

The FTC has been making a concerted effort to weigh in on patient privacy issues that spill over into the realm of the FTC. While HIPAA focuses on the privacy and security of health information, the FTC Act protects consumers from misleading, unfair or deceptive activity.

For instance, if a practice says that it provides reasonable security of patient information, but fails to install a security patch in its computer network and is then a victim of hackers, it may be not only a HIPAA violation but also an FTC Act violation since the statement about reasonable security wasn’t truthful, explained Ben Rossen with the Federal Trade Commission’s Division of Privacy and Identity Protection at last month’s annual joint conference on cybersecurity co-hosted by the National Institute of Standards and Technology and the Office for Civil Rights.

The FTC has taken enforcement action against entities for misleading patients about the use of their health information, most recently electronic health record vendor Practice Fusion, which deceived consumers by soliciting reviews about their physicians without disclosing that the reviews would be made public.

Now the FTC has taken issue with HIPAA authorization forms, reminding entities in the guidance that “you can’t forget the FTC Act” when dealing with HIPAA authorization forms. That means that the authorization can’t mislead patients as to what the entity is doing with the health information.

The guidance recommends that entities:

  • Review all “user interfaces” to make sure that there’s nothing deceptive, unfair or misleading in the HIPAA authorization form. For instance, key facts about the use of the information shouldn’t be buried in small print, and there should be no inconsistencies in the document, such as claiming in large print that the information will be shared only in one way, and then in small print saying that the sharing will be broader.
  • Consider that consumers use different devices. For example, the FTC suggests that entities try to avoid electronic authorizations that require consumers to scroll; it’s problematic to promise on one’s website that the practice won’t share information but require a consumer to scroll down to “get the full scoop” and find out that information will be shared.
  • Tell consumers the full story before asking them to make a material decision, such as before they decide to send or post information that may be shared publicly. 
  • Don’t forget about paper authorization forms. Those are also subject to the FTC Act.

So what needs to go into an authorization form?

HIPAA is specific regarding what an authorization form needs to contain. There are “core elements” and “required statements”:

  • A description of the protected health information to be used and/or disclosed
  • The person authorized to use or disclose
  • The person/specific identification of whom the covered entity may make the disclosure to
  • The dates that the authorization covers, with an expiration date
  • The purpose(s) for which the information may be used or disclosed (say, for testimonials on the entity’s website)
  • The right to revoke the authorization, how to revoke, and that revocation would not affect any disclosures made by the entity before receipt of the revocation. If the revocation right and contact information is in the Notice of Privacy Practices, include a reference to the Notice
  • That treatment is not conditioned on whether the patient signs the authorization
  • That the information is subject to re-disclosure and if re-disclosed may no longer be protected by HIPAA
  • The patient’s signature and date of signing

The authorization form also needs to be in Plain English. It’s not valid unless it’s filled out.

There are dozens of HIPAA authorization templates on the internet; they can often also be obtained from a practice’s specialty society.

Takeaway: The HIPAA authorization templates on the internet seem pretty benign and don’t appear to mislead consumers as the FTC fears. But carefully review any authorization your practice is using or considering to ensure that it won’t run afoul of either HIPAA or the FTC Act.


SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.