When the North Carolina Division of Medical Assistance (“DMA”) decides to place a Medicaid provider on prepayment review, it can be the equivalent of a death sentence for a small business. The primary problem is that there are few avenues to appeal the decision to be placed on prepayment review, even when there is little or even no justification for DMA’s decision. Prepayment review then becomes a waiting game reducing cash flow and overwhelming providers with a paper chase gotcha game. Although the initial decision to place a provider on prepayment review cannot be challenged, this does not mean that a Medicaid provider has no options to challenge the prepayment review process.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
The Office of Civil RIghts (“OCR”) recently announced that Phase 2 of the HIPAA audits would be further delayed because the audit portals and project management tools that are needed to initiate the audit process are not ready and available for usage. Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015. Currently, no timeline has been provided as to when the next round of audits will officially begin.
A delay in Phase 2 of the OCR HIPAA Audits does not mean that covered entities and business associates should not continue to make sure they are in compliance with all HIPAA regulations. The potential consequences for failure to comply with HIPAA regulations are significant. While the audit portals are still under development, it is a good time for covered entities to (i) make sure their HIPAA policies and procedures are up to date and meet the latest privacy and security requirements, (ii) create a list of all business associates that provide services to the covered entity, and (iii) conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Among other things, Parker Poe’s healthcare attorneys advise our healthcare clients about (i) compliance with HIPAA’s privacy requirements as they affect healthcare information, including preparing employee and patient notices, plan policies and procedures, plan amendments and authorization and other forms, and (ii) HIPAA compliance requirements for business associates.
The Equal Employment Opportunity Commission has made emerging issues in employment discrimination law one of its national enforcement priorities. Last week, the EEOC settled a lawsuit brought against a California seed and fertilizer provider, alleging that the employer required applicants to submit to pre-employment medical examinations that included solicitation of family medical histories.
Under the Genetic Information Non-Discrimination Act, employers cannot require applicants or employees to disclose family medical histories as a condition of employment. The EEOC claimed that the defendant refused to hire at least one applicant after he revealed that family members had suffered from a medical condition. In addition to violating GINA, the EEOC alleged that the pre-employment examination was in violation of the Americans with Disabilities Act, because the employer screened applicants based on medical conditions that were unrelated to the requirements of the job. The employer agreed to pay $187,500 and to adopt measures intended to prevent use of such medical examinations as a screening tool in its hiring.
Most employers and medical providers that conduct pre-employment examinations are aware of these requirements, and have deleted requests for family medical histories from their exams. In addition to complying with GINA, employers should periodically review their post-offer, pre-hire examination procedures to make sure that medical grounds used to exclude an applicant from employment are clearly and directly related to their essential job functions. If the exclusion is based on a possible ADA disability, the employer needs to fully explore available reasonable accommodations before making a final decision to reject the applicant.
Jonathan Crotty has been a successful counselor and problem solver for large and small employers in the Carolinas and beyond for over 20 years. He heads Parker Poe’s Employment and Benefits practice group and represents employers in all aspects of the employment relationship, from hiring to discharge.