Rx FOR RISK IS A PRMS PUBLICATION
2015 | Volume 23 | Issue 4
FOR RISK Addressing risk management issues and concerns in the field of psychiatry
2015 Round-Up
Reading Rx for Risk on a screen? Click on the page numbers below to be taken directly to that section of the newsletter!
IN THIS ISSUE, we wanted to remind our Rx for Risk readers of another way to access PRMS risk management information – through our LinkedIn posts. If you’re not already doing so, please consider following PRMS and our individual risk managers to keep apprised of the latest developments affecting you and your practice. Here are some of our most popular posts from this past year. Enjoy!
Table of Contents EIGHT SIMPLE STEPS TO KEEP PATIENT INFORMATION SECURE
03
WHAT DOES RYAN HAIGHT HAVE TO DO WITH TELEMEDICINE?
04
RISK MANAGEMENT REMINDERS FOR ONLINE MARKETING
05
TIMESAVING TIP FOR PHYSICIANS
07
GET THE CUSTODY ORDER – BEFORE TREATING
09
4 STEPS TO IMPLEMENT E-PRESCRIBING
10
The content of this newsletter (“Content”) is for informational purposes only. The Content is not intended to be a substitute for professional legal advice or judgment, or for other professional advice. Always seek the advice of your attorney with any questions you may have regarding the Content. Never disregard professional legal advice or delay in seeking it because of the Content. ©2016 Professional Risk Management Services, Inc. (PRMS). All rights reserved.
PRMS
8 SIMPLE STEPS TO KEEP PATIENT INFORMATION SECURE Posted April 23, 2015 The Office of the National Coordinator for Health Information Technology has issued an updated Guide to Privacy and Security of Electronic Health Information. In addition to reviewing the specific requirements of the Privacy, Security, and Breach Notification Rules, the government provides the following list of “Low-Cost, Highly Effective Safeguards” for protecting patient information: 1) Say “no” to staff requests to take home laptops containing unencrypted ePHI. My comment: Laptops and other portable devices containing ePHI are often stolen or lost. Proper encryption is a safe harbor, meaning even if a laptop contains ePHI and is lost, if it is encrypted, there is no breach. 2) Remove hard drives from old computers before you get rid of them.
My comment: The same is true for copiers – all hard drives on any equipment must be removed or wiped clean prior to disposal (via selling it, returning it to leasing company, or trashing it).
3) Do not email ePHI unless you know the data is encrypted.
My comment: If you are emailing unencrypted PHI, you should only with the patient’s consent, after having been informed of the risk. We recommend that physicians formally obtain patients’ consent to email and suggest adding language about the risk that information in an unencrypted email could be ready by a third party. According to HHS, in commentary accompanying the Omnibus Rule, “If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way…”
4) Make sure your server is in a room accessible only to authorized staff, and keep the door locked.
My comment: Duh!
5) Make sure the entire office understands that passwords should not be shared or easy to guess.
My comment: This should be part of your annual staff training.
6) Notify your office staff that you are required to monitor their access randomly.
My comment: Do random review of audit trails to ensure employees are not inappropriately accessing patient information.
7) Maintain a working fire extinguisher in case of fire.
My comment: A good reminder.
8) Check your EHR server often for viruses and malware.
My comment: This is critical to ensure there has been no inappropriate access or hacking of ePHI.
This resource from ONC is an excellent resource filled with many practical tips and resources.
Rx FOR RISK
3
2015 | Volume 23 | Issue 4
PRMS
WHAT DOES RYAN HAIGHT HAVE TO DO WITH TELEMEDICINE? Posted November 12, 2015 Ryan Haight was a 17 year-old male who easily acquired narcotics from an online website simply by filling out a questionnaire. A doctor who never saw him wrote the prescription and the drugs were mailed directly to his house. He overdosed and died in 2001, after just barely turning 18, from a cocktail of painkillers, including Vicodin, which he obtained online. On the internet, Ryan was “Quiksilver” - a master at mixing the drugs he bought online, and then describing the resulting trips online. His blogs of his drug mixing were followed by many. At home, Ryan was an honor student who played tennis and liked Quiksilver clothes and baseball cards. Upon his death, his parents learned of his double life, and how he had been ordering addictive drugs online and paying with a debit card his parents gave him to buy baseball cards on eBay. His parents (a nurse and a surgeon) assumed all the packages he received were baseball cards. His mother was instrumental in pushing through the Ryan Haight Online Pharmacy Consumer Protection Act of 2008. The statute amended the Controlled Substances Act by adding several new requirements for online pharmacies to prevent the illegal distribution of controlled substances via the internet. Key to telemedicine, the Act requires at least one face-to-face evaluation of the patient prior to a controlled substance prescription being issued. There is an exception to the in-person evaluation requirement for telemedicine providers. However, under the Act’s definition of telemedicine, the remote treatment must occur with the patient in a hospital or other facility registered with the DEA and by a prescriber with a DEA license in the patient’s state. The American Telemedicine Association (ATA) has recently sent a formal request to the DEA, indicating that the Act’s strict prohibition is inhibiting the growth of telemedicine. The ATA is seeking the DEA’s assistance in obtaining a framework to allow legitimate prescribing via telemedicine beyond what is currently allowed. Stay tuned….
Join PRMS risk managers every month for On Our Minds, a monthly discussion on recent events that may impact your practice. First Friday of every month Noon – 1:00pm EST Visit us online to join the call and to listen to previous sessions
Rx FOR RISK
4
2015 | Volume 23 | Issue 4
PRMS
RISK MANAGEMENT REMINDERS FOR ONLINE MARKETING Posted June 29, 2015 Since my original post on physicians’ online marketing, I’ve received requests for more information on the topic. So here are my expanded thoughts -
Websites Websites can be a great way to market your practice online. In terms of professional liability, the greater the interaction on a physician’s website, the greater the risk. A simple, non-interactive practice information website or online practice brochure has very low risk. Potential risk areas include: • Inadvertent establishment of a treatment relationship: If an individual submitted a psychiatric question to you, and you responded, it could be viewed by that individual to be treatment advice, which could inadvertently establish a physician-patient relationship. • Patient testimonials: You should exercise extreme caution when soliciting patients about testimonials, particularly in terms of ethical obligations and legal requirements. »» Ethically, it could be viewed as putting a patient in a situation where he did not feel he could say no. According to the American Medical Association, testimonials as to the physician’s skill or quality of professional services tend to be deceptive when they don’t reflect the results that patients with conditions comparable to the testimoniant’s condition generally receive. And, as pointed out American Psychiatric Association’s Opinions of the Ethics Committee on the Principles of Medical Ethics, informed consent for testimonials is a problem because it cannot be easily withdrawn. »» States can, as West Virginia has done, prohibit physician advertising that uses testimonials. The risk management advice is: • Ensure website content is current and accurate. • Comply with applicable state law requirements related to physician websites. • If you are a Covered Entity under HIPAA, post your Notice of Privacy Practices on your website. • Do not violate intellectual property law when posting materials from other sources. • If you link to outside sources, link only to credible websites and post a disclaimer on your website explaining that you are not responsible for information on linked websites. • If you are selling products on the website, ensure compliance with applicable laws and ethical standards. • Avoid posting anything on your website that could be construed as specific treatment advice. • Do not allow individuals to communicate with you via the website to avoid the inadvertent establishment of a treatment relationship. Current patients should communicate via a secure patient portal. • If prospective patients can download forms, consider including a statement that doing so does not guarantee a treatment relationship will be established.
Rx FOR RISK
5
2015 | Volume 23 | Issue 4
PRMS
• If you have online appointment scheduling via your website, ensure all information is secure and not available for others to see. One practice learned this lesson the hard way – after having to pay $100,000 to stop the government investigation resulting from a publicly accessible online scheduling calendar containing patient demographic and medical information.
Online Referral Services Online referral services, such as ZocDoc and Psychology Today, can be very appealing to psychiatrists for online marketing. Potential risk areas include: • Drug-seekers: Many psychiatrists are finding that many patients who find doctors online do not want a treatment relationship, but rather only want controlled substances. • Limited purpose patients: Physicians using these types of online referral services are also finding the patients have a purpose other than treatment in mind, such as filling out disability forms, or testifying in litigation, etc. • Services’ use of patient information: Be sure you know exactly what the service is doing with your patient’s information. In one case, unbeknownst to the physicians, a vendor was sending follow-up emails to patients under the doctors’ names, asking for feedback about the visit. • Services’ request for testimonials: At least one of the online referral services is very persistent in urging physicians to obtain patient testimonials – for the service’s own use. The risk management advice is: • To dissuade potential patients who may be drug-seeking, consider adding the following language to your profile: »» “I check the state prescription monitoring program before I prescribe” (if your state has a prescription monitoring program) »» “I do not prescribe controlled substances on the first visit” »» “I do not prescribe for pain” • To manage additional patient expectations, you should include other applicable statements, such as the first visit is only an evaluation to see if it is appropriate to establish a treatment relationship. • A Business Associate Agreement (BAA) pursuant to HIPAA is necessary from the service as it will, at a minimum, store patient information. Even if you are not a covered entity under HIPAA, you should obtain the BAA to ensure the service promises to adequately protect your patients’ confidentiality.
Responding to Negative Online Reviews Unfortunately, in today’s digital world, online reviews are a fact of professional life. Fortunately, the vast majority of physician reviews are positive. But, as a psychiatrist, you have very few options when faced with a negative review. Potential risk areas include: • Patient confidentiality: Even though your patient has put it on the internet for the entire world to see, you still must maintain patient confidentiality. By addressing a review, you would be inappropriately confirming the reviewer is a patient.
Rx FOR RISK
6
2015 | Volume 23 | Issue 4
PRMS
• Contracting with patients to not post negative reviews: One organization has suggested that its members do a contract with patients under which patients promise to not say anything negative about the physician. In exchange, the physician will give the patient confidentiality rights under HIPAA. The federal agency responsible for enforcing HIPAA learned of this contract and stepped in and clarified that patients cannot be required to agree to a gag order in exchange for confidentiality, to which they are entitled to without any such contract. • Astroturfing: A creative physician realized that he could bury the negative reviews by having his staff pretend to be patients and post positive reviews. The state Attorney General learned of this and fined the practice $300,000. The risk management advice is: • You can contact the website to request removal of a false review. While most review sites do not remove reviews when requested, some will consider doing so. • If you know the identity of the poster, you could consider contacting the patient to discuss the issues raised and request that they remove the post.
TIMESAVING TIP FOR PHYSICIANS Posted September 3, 2015 I as a Risk Manager am always looking for ways to save physicians time in doing what is necessary to deliver good clinical care. One of my favorite tips is to consider incorporating the FDA’s medication guides into informed consent discussions. These patient information guides are: • Free • Available for hundreds of medications • Typically 1-2 pages • Easily downloadable • Updated frequently (and you can sign up to be notified of updates) • And written in language that is easy for patients to understand. The medication guides list the most important safety information first which can assist you in your informed consent communications with patients. The government has essentially culled the package insert information to a reasonable amount of information to be shared with patients. The patient leaves with the medication guide and you should keep a copy in your record. This documentation will provide at least some evidence of what was covered in your informed consent discussions. As always, consider individualizing the documentation. This can be done as simply as noting a specific question or concern raised by the patient in the informed consent discussion.
Rx FOR RISK
7
2015 | Volume 23 | Issue 4
PRMS
REGISTER TODAY!
V I E W F R O M T H E J U RY B OX:
Clark v. Stover A Psychiatric Malpractice Mock Trial
After an extremely successful first year, PRMS is thrilled to once again invite you to join the jury for Clark v. Stover! You will go inside the courtroom to learn the stages of litigation in a psychiatric malpractice trial and valuable risk management tips to keep your patients and practice safe.
Featuring Liza Gold, MD, Jeffrey Metzner, MD and Barry Wall, MD.
“Best CME I have attended in at least a decade!” – 2015 Seattle Mock Trial Attendee DATES
FULL-DAY COST
May 13 Atlanta, GA
September 17 Denver, CO
July 9 Pittsburgh, PA
October 23 New York, NY
August 12 Chicago, IL
December 3 Orange County, CA (half-day)
FREE $25 $100 $200
RESIDENTS & PRMS CLIENTS EARLY CAREER PSYCHIATRISTS EARLY BIRD RATE REGULAR RATE
HALF-DAY COST FREE $25 $75 $150
RESIDENTS & PRMS CLIENTS EARLY CAREER PSYCHIATRISTS EARLY BIRD RATE REGULAR RATE
REGISTER TODAY PsychProgram.com/MockTrial seminars@prms.com | (800) 245-3333 In California, d/b/a Transatlantic Professional Risk Management and Insurance Services
Rx FOR RISK
8
2015 | Volume 23 | Issue 4
PRMS
GET THE CUSTODY ORDER – BEFORE TREATING Posted February 17, 2015 A frequent call to our risk management helpline goes something like this: Physician: I’m treating a minor patient whose parents are divorced. Dad has not been involved in treatment but is now requesting a copy of my chart. Mom doesn’t want me to share anything with dad, so what do I do? Risk Manager: Do you have a copy of the custody order? Physician: No So we then start the discussion of why the physician needs to see the custody order. Not only will the order likely address who has access to the minor’s medical records, but the order will also spell out which parent(s) can consent to treatment. Typically, unless parental rights have been terminated, both parents can access treatment information, even a parent without custody. If the issue of consent to treatment and consent to release of treatment information is not addressed in the order, the parents should seek resolution from their attorneys. Physicians treating minors may want to consider the following: • Make it your office policy to request a copy of the custody order at the first visit. • When an appointment is made for a new patient who is a minor, ask if the parents are divorced. If so, advise that a copy of the custody order will need to be brought to the first appointment. Without the order, the physician cannot see the patient because there is no proof that the parent bringing the minor has the legal authority to consent to treatment. Once you have determined who has authority to access treatment information, there may be additional factors to consider, such as the clinical impact on the patient.
Rx FOR RISK
9
2015 | Volume 23 | Issue 4
PRMS
4 STEPS TO IMPLEMENT E-PRESCRIBING Posted January 16, 2015 Are you are thinking about adding e-prescribing to your practice? Or do you practice in New York (where you must begin e-prescribing by March 27th) and don’t know where to start? Here’s what you need to know:
1. Understand the law – federal and state Most federal law relevant to e-prescribing involves electronic prescribing of controlled substances (EPCS). The software vendor must provide you with proof of certification by the DEA or by third party audit. Not all vendors have this certification, so not all vendors can offer EPCS. The DEA also requires identity-proofing to allow for two-factor authentication. The two factors could be something you know (such as a password), something you have (such as a token), or something you are (such as biometric information). Your vendor should be able to guide you through these requirements. State law will vary. In New York, there are very few exceptions to the mandated e-prescribing of all prescriptions, including prescriptions for controlled substances. Also, New York requires prescribers to register their system with the state, and send notification to the state when e-prescribing was not possible (due to a technology failure, for example).
2. Prepare to utilize either an electronic health record with e-prescribing that includes EPCS, or a stand-alone e-prescribing system that includes EPCS If you already have an electronic health record (EHR) system, you may be able to add an e-prescribing system to it. You will need to confirm that the e-prescribing system includes EPCS. If you are in New York, and your EHR system will not support EPCS, or you don’t have an EHR, you will need to invest in a standalone e-prescribing system that includes EPCS. When purchasing an e-prescribing system, cost is just one of many factors to consider. No-cost e-prescribing systems may be available, but remember, nothing is really free. As my colleague David Cash always says, “Free is not a sustainable business model.” You may have to pay for 24/7 access, additional users, or ad-free access. You also need to consider the support that will be provided and whether you can accept the contract terms.
3. Comply with any state requirements 4. Get up and running You will need to get trained on the system you select and notify patients that you are now prescribing electronically.
Rx FOR RISK
10
2015 | Volume 23 | Issue 4
PRMS
Does this all sound overwhelming? You’re not alone – it is a big task. If you would like more information, I encourage you to visit PRMS’ website. I’ve made a lot of useful information available to everyone, including a recording of a program we presented in New York last month. While it addresses New York law, it may be useful to those outside of New York as well. The handouts are also available and include the following: • An article titled “E-Prescribing Vendor Contracts: What You Need to Know” • Questions to ask e-prescribing vendors • E-Prescribing vendors with certified stand-alone EPCS currently available • And more!
Follow PRMS and our risk managers on social media for helpful resources and regular updates on topics that may impact your practice. Twitter.com/PsychProgram
PRMS Donna Vanderpool, MBA, JD David Cash, JD, LLM Ann McNary, JD Justin Pope, JD
Rx FOR RISK
11
2015 | Volume 23 | Issue 4
Have any comments or questions about an article?
We would love to hear from you! RiskManagement@prms.com
(800) 245-3333 PsychProgram.com