healthcarebusinessreview

FEBRUARY - 2023

After a lengthy investigation, it was revealed that the on-site phlebotomist had likely signed orders (unbeknown to the provider) for the blood test and drew an additional blood tube to send to CardioDX for each patient whose sample was sent for testing. In most cases, the phlebotomist offered the test to the patient without the provider's knowledge. The phlebotomist did not admit whether they were working with or compensated by CardioDX or its representative. They did acknowledge that their annual compliance training included the Code of Conduct. Needless to say, this person was relieved of their duties.

So at this point, there are a few significant problems:

• Invalid (forged) signatures resulting in invalid orders
• No BAA or service agreement in place
• HIPAA breach related to sharing protected health information with a vendor that was not a business associate
• Medically unnecessary testing being charged to Medicare

The testing involved fewer than 500 patients. This is important because if 500 or more individuals are involved, the HIPAA breach needs to be reported to the Office of Civil Rights without unreasonable delay, and in any case within 60 days from discovery, and reported to prominent media outlets in the states and jurisdictions where the breach victims reside. There must also be a posting on the breached entity's (provider's) home page. In addition, each individual must be notified of the breach in writing. The notification must include an explanation of what happened, the nature of the PHI, and the measures the provider has taken to prevent future breaches. There must also be instructions on how breach victims can limit harm, along with a toll-free number and postal and email addresses for directing questions to the provider/covered entity.

After discussion with the general counsel, the organization retained legal consultation with an outside firm versed in handling HIPAA breaches.
This way, we could craft a comprehensive written notice to the beneficiaries, notify the Office of Civil Rights in a timely fashion, and set up a system to gather inquiries from affected individuals with customer service recovery. Because our organization did not charge any fees for the testing, we did not have to proceed with a Medicare refund repayment.

Lastly, we provided education to the primary care offices regarding directing vendor representatives to our vendor registration process, which included guidance on the service agreement process. Of note, vendor registration can be a challenge with organizations that have numerous locations. Best practice will ensure your organization's locations are aware of the vendor registration process and your general Code of Conduct to guide vendor representatives and employees.