SCGhealth Blog

Get those anti-discrimination notices up!

Tuesday, October 25, 2016

By: Marla Durben Hirsch, Contributing Writer

It’s crunch time for medical offices: October 16 was the deadline for notifying the public that your practice doesn’t discriminate in violation of the law.

The rule implementing section 1557 of the Affordable Care Act, released May 13, bans discrimination on the basis of race, color, national origin, sex, age and disability to any health program or activity which receives any federal financial assistance. Providers are except only if they receive Part B Payments and no other federal money.

Section 1557 in particular prohibits sex discrimination in health care, including denial of health care or coverage based on sex, pregnancy, gender identity and sex stereotypes. The law also enhances the obligations to provide language assistance to people with limited English proficiency and communication assistance to those with disabilities.

Notices to inform patients required

In addition to complying with the rule itself, providers (and other covered entities, such as a health plan or employer provided health clinic) need to post a notice informing the public of the providers’ obligations and patients’ rights. The notice needs to include:

    • That the provider does not discriminate in violation of the law
    • That it provides free aids and services to people with disabilities so that they can communicate with the provider, such as sign language interpreters and written information in other formats
    • That the provider provides free language services with people whose primary language isn’t English
    • How to obtain this help
    • How to file a complaint with the Office for Civil Rights (OCR) if the patient believes that his/her rights have been violated.

    The notice must be posted in conspicuously visible font in significant publications or communications, in conspicuous physical locations available to the public, and in a conspicuous location on the provider’s website.

    Providers also need to post taglines in different languages alerting patients that the language assistance help is available. The taglines need to be in at least the top 15 languages spoken by people with limited English proficiency in that state.

    OCR has provided a sample notice to post in Appendix A of the final rule, as well as on its website, with sample taglines.

    Grievance procedure also required for many

    If a provider has more than 14 employees, then the provider also has to provide patients who believe they have been discriminated against with an internal grievance procedure and designate an employee (known as the “civil rights coordinator” or “section 1557 coordinator”) who will be responsible for section 1557 compliance and handle investigations of alleged violations. The civil rights coordinator can also have other duties; this need not be a dedicated position.

    According to the rule, a grievance must be summited within a certain number of days (OCR suggests 60) after the complainant becomes aware of the alleged discrimination. The grievance must be in writing, with the name and address of the complainant and a description of the alleged discrimination. The civil rights coordinator or his/her designee shall conduct a “thorough” investigation, although it can be informal, and provide a written decision, OCR suggests no later than 30 days after the filing of the complaint. The decision needs to include notice to the complainant of the right to pursue other remedies, such as appealing the decision to the CEO/board/administrator of the entity and/or to file a complaint with the OCR.

    The availability of the internal grievance procedure, and the contact information of the civil rights coordinator also needs to be in the posted notice.

    OCR was kind enough to provide a sample grievance procedure, in Appendix C of the final rule.


    Providers should review their policies and procedures to ensure that they don’t discriminate, and can provide the auxiliary and language aids required. Don’t forget to post the public notice by the deadline and implement an internal grievance procedure if that hasn’t been done already. You can use the sample notice and grievance policy, especially if you’re running out of time; you can always update it down the road. This is a front burner issue for OCR, which has already begun enforcement.

Who Do You Call When You are 911?

Tuesday, October 18, 2016

By: Ben Regalado, Contributing Writer

In an emergency, we’ve been taught to call 911. But what do you do in an emergency when you are the 911, or at least have a key role?

Recently the Centers for Medicare & Medicaid Services (CMS) took steps to establish more consistent preparation, increase patient safety and assure greater coordination. In a final (651 page) rule published September 16 and effective November 15, CMS made specific efforts to increase regulatory mandates for coordinated communication, contingency planning and training.

Emergency Response requires a multidimensional approach. There is the coordination across the various providers of service, and then there is the delivery of services across time, including the days preceding (if known) and following the catastrophe (natural or man-made).

To address deficiencies, CMS is requiring providers and suppliers to focus on these four “best practices”, and has made them part of the Conditions of Participation:

  1. Performing a risk assessment and creating an emergency plan for the “full spectrum of emergencies or disasters”.
  2. Develop appropriate policies and procedures. (This is healthcare. It’s what we do.)
  3. Create a communication plan, both within the organization, across providers, and across the various emergency response systems and organizations.
  4. Conduct regular training and testing. (Then go back to point Step 1.)

Does this apply to you?  Well, while the rule mentions a 17 specific provider types (from hospitals to ambulatory surgical centers to hospices to home health agencies to rural health clinics to psychiatric treatment facilities), physicians are still at the eye of the proverbial hurricane. 

Physicians are supposed to coordinate care. Physicians provide services to patients in and out of facilities. Physicians lead in medical care decisions. Knowing this, physicians and their practice leadership should be prepared to engage with facility managers to help them meet the standards in a meaningful way. 

Of course, you can start with your own practice. Given an increasing reliance on electronic medical records, ensuring appropriate system backup, recovery and access is in place to allow physicians to carry out those functions effectively.  

The well-being of your community is, as always, in your hands.

Was it friendly password sharing or a crime?

Tuesday, August 30, 2016

by Marla Durben Hirsch, contributing writer

Employers and employees should be aware of the significance of sharing passwords, now that a federal appeals court has upheld the conviction of an ex-employee who used a password shared by a current employee to access the employer’s trade secrets.

The Computer Fraud and Abuse Act (CFAA) is a federal law that bans fraudulent access to certain protected computer information not available to the public, such as confidential patient data or client lists. In addition to criminal prosecution, the law, sometimes referred to as the federal “anti-hacking law,” allows the victim to file a lawsuit for restitution and other relief. It always applies to outside hackers. But it can also apply to employees or former employees who access an employer’s computers without authorization or when exceeding authorization.

The interpretation of authorized access varies. In many states, the misuse of the data is a violation of the CFAA regardless of the authorized status of the employee. A few federal circuit courts, such as the one in California, take a more restrictive view. They say so long as an employee was permitted to be on the employer’s computer for any reason, taking employer information doesn’t violate the CFAA.

Court rules against employee
David Nosal, who worked for the executive search firm Korn/Ferry International in California, secretly launched his own search firm with several coworkers. They accessed Korn/Ferry’s data bases with their own usernames and passwords to populate their new database and compete with Korn/Ferry. Nosal also used a fake name to mask his identity when interviewing candidates for his new firm.

Once Nosal and the others left Korn/Ferry, the employer revoked their access to its database. But they continued to access it by using the login credentials of Nosal’s former executive assistant, who was still employed by Korn/Ferry. Korn/Ferry was tipped off to what Nosal was doing and contacted the authorities, which brought a criminal action against him on the grounds he had violated the CFAA.

In a prior prosecution, the court in California, applying its narrower view of the law, ruled that Nosal did not violate the CFAA when he accessed Korn/Ferry’s computers while he was still employed there and still had access to the computers. Although what he was doing was inappropriate, Nosal still had the authority to access the database at that time, so he hadn’t exceeded his authorization.

However, in a separate prosecution, the U.S. Court of Appeals for the Ninth Circuit upheld his conviction for accessing the computers using his former executive assistant’s password after his own login credentials were revoked. The court found Nosal knowingly and with intent to defraud accessed the computer without authorization in violation of the CFAA and engaged in trade secret theft, as well. The court found the term “without authorization” is unambiguous and that once authorization to access a computer has been affirmatively revoked, the user can’t “sidestep” the law by going through the back door and accessing the computer through a third party.

One judge dissented, saying the CFAA doesn’t apply to the “millions” of people who engage in the common, “useful” and generally harmless conduct of sharing passwords.

The majority of the court disagreed with this assessment, noting the case isn’t about password sharing in an innocent context, such as sharing a password so a person can print an airline boarding pass. It added the executive assistant had no authority to provide her password to former employees whose own access had been revoked.

The majority of the court also disagreed with Nosal’s argument that he was unaware his actions would harm Korn/Ferry, since he launched a direct competitor and went to great lengths to access the source lists to further his own business.

The lower court had also rewarded Korn/Ferry about $1 million in restitution. The appeals court remanded that decision to the lower court to review the reasonableness of attorneys’ fees awarded.

Law may assist providers
The CFAA may help providers if their patient or other data is improperly accessed by a rogue employee, hacker or other individual. To protect themselves and best use the CFAA if a cyber event occur, providers should:

  • Find out if your jurisdiction will apply the CFAA where there was either no authorization or authorization was exceeded, or only where the computer user had no authorization to access whatsoever. If it’s the latter, then clearly you would have fewer opportunities to use this law.
  • Take proactive steps to protect computer data, such as updating security patches to reduce the risk of unauthorized access and monitoring for improper use, such as access after hours or on weekends.
  • Don’t provide your employees with more access to computers than is necessary for them to perform their duties.
  • If an employee leaves your employment, revoke their login credentials as soon as possible by changing passwords, canceling usernames, and the like.

SCG Health blog by Email

Recent Posts



SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.