Signed into law on July 2, 1964, the Civil Rights Act was a landmark piece of legislation. Its protections have now been expanded by Congress.
A great deal of news continues to be reported on patterns of workplace sexual harassment across all industries, including entertainment, finance, government, and healthcare. Beyond the emotional duress suffered by victims of harassment, such conduct now marks a violation of the Civil Rights Act.
These and other civil rights issues prompted the following interview with Rita Bowen, vice president of privacy, compliance, and health information management (HIM) policy for MRO. Below are highlights of that interview:
Buck: Is sexual harassment at work a civil rights violation? If so, how should the reporting of such a violation be handled internally?
Bowen: Yes. Sexual harassment is a form of sex discrimination that violates Title VII of the Civil Rights Act of 1964. Title VII applies to employers with 15 or more employees. According to the Department of State, unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature constitute sexual harassment when the following occurs:
- An employment decision affecting that individual is made because the individual submitted to or rejected the unwelcome conduct; or
- The unwelcome conduct unreasonably interferes with an individual’s work performance or creates an intimidating, hostile, or abusive work environment.
Buck: Tell me about reporting sexual harassment.
Bowen: Historically, awareness of the pervasiveness of sexual harassment and addressing the issue have been hindered by the low incidence of reporting. Unfortunately, many victims are still reluctant to speak out, believing they are powerless to change the situation. However, this has begun to shift in our country as more women continue to come forward.
According to a recent article in Harvard Business Review, organizations can take proactive steps to alleviate fear around reporting sexual harassment and protect employees from retaliation. In addition to “bystander training” focused on observer awareness, human resource (HR) departments must develop clear reporting systems. The Society for Human Resource Management recommends a) having clear definitions of what constitutes harassment; b) including examples of prohibited conduct; c) explaining how victims and viewers of harassment should respond to and report harassment; d) outlining how HR should handle the process; and e) expressing what disciplinary measures should be followed.
Buck: Does patient access to health information apply to same-sex marriage?
Bowen: The U.S. Department of Health and Human Services (HHS) provides specific guidance on HIPAA (the Health Insurance Portability and Accountability Act), same-sex marriage, and sharing information with patients’ loved ones. In fact, the HIPAA Privacy Rule includes provisions that recognize the important role that family members, such as spouses, play in a patient’s healthcare. Covered entities are allowed to share information about the patient’s care with family members under certain circumstances.
Based on HIPAA guidance, it is interesting to note how the rule has evolved over the past five years. On June 26, 2013, in United States v. Windsor, the Supreme Court held Section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional. That Section had provided that federal law would recognize only opposite-sex marriages. This decision expanded federal recognition of the rights of individuals in same-sex marriages but did not resolve the status of such rights under state law. Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that “the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.”
As a result of these decisions, the guidance is clear that “the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages and clarifies certain rights of individuals under the Privacy Rule.” This guidance also updates and expands on related guidance issued in September 2014.
According to the Privacy Rule, “the term marriage includes all lawful marriages. A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction as long as a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction. The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals.”
In addition, if a state provides legally married spouses with healthcare decision-making authority on behalf of one another, a covered entity is required to recognize the lawful spouse of an individual as the individual’s personal representative without regard to the sex of the spouses.
Buck: Please identify and describe the most recent OCR (Office for Civil Rights) resolution agreement.
Bowen: By definition, a resolution agreement is a settlement agreement signed by the HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years.
HHS periodically publishes recent civil rights resolution agreements and compliance reviews. Following a complaint investigation or compliance review, OCR may determine whether it is necessary to negotiate resolution agreements that require covered entities to take corrective action in compliance with federal civil rights laws. These can be extensive statewide agreements requiring systemic change in the way a state does business, or they may cover a single healthcare provider or hospital. The most recent example occurred as follows:
- OCR works with DOJ to ensure federally funded medical center provides communication services for deaf and hard-of-hearing patients (Dec. 20, 2017):
The University of Vermont Medical Center (UVMMC) agreed to enter into a Voluntary Resolution Agreement with HHS Office for Civil Rights (OCR), the U.S. Department of Justice, and the U.S. Attorney’s Office for the District of Vermont to ensure effective communication with individuals who are deaf or hard of hearing.
UVMMC is an academic medical center that is part of a six-hospital network, serving Vermont and Northern New York. It is a Level I Trauma Center and provides a full range of tertiary-level inpatient and outpatient services, as well as primary care services at 10 Vermont locations. The UVMMC Campus, a regional, academic healthcare center and teaching hospital in alliance with the University of Vermont, is a 562-bed facility and includes most of UVMMC’s inpatient services and an emergency department.
According to the HHS Press Office, OCR initiated a compliance review with UVMMC under Section 504 of the Rehabilitation Act and Section 1557 of the Patient Protection and Affordable Care Act after DOJ received two separate complaints alleging violations of Title III of the Americans with Disabilities Act (ADA) and its implementing regulation. The two separate complainants alleged that UVMMC failed to provide appropriate auxiliary aids and services necessary for effective communication while they were receiving medical treatment. Both complainants are deaf and use American Sign Language as their primary means of communication. UVMMC is a recipient of HHS federal financial assistance and required to provide appropriate auxiliary aids and services to persons with impaired sensory, manual, or speaking skills so that individuals have an equal opportunity to benefit from the services received.
“If patients cannot communicate effectively with medical providers, their access to healthcare will suffer,” OCR Director Roger Severino said. “The Americans with Disabilities Act, Section 504 of the Rehabilitation Act, and Section 1557 of the Affordable Care Act ensure that persons who are deaf or hard of hearing are given equal access to healthcare, and this resolution shows that we are committed to enforcing this vital law.”
The voluntary resolution agreement requires UVMMC to take remedial actions, including providing notice of the availability of auxiliary aids and services, implementing grievance procedures and feedback protocols, providing training to UVMMC personnel, and updating policies and procedures through continued improvement. UVMMC has also agreed to pay the complainants $20,500 in compensatory relief. The agreement is effective for three years, during which time both OCR and the U.S. Attorney’s Office will monitor UVMMC’s compliance.
Complaints may also be instituted with DOJ pursuant to Title III of the ADA if the hospital is a private hospital. More information about the ADA is available at http://www.ada.gov.
Buck: Are there some special topics in health information privacy that fall under HIPAA regulations? If so, please describe.
Bowen: Yes. All patient identifiable information is protected, and there are definitely stricter guidelines applied to sensitive information, such as drug abuse, alcohol use, and certain diseases. Therefore, a strong disclosure management practice is required to ensure that all guidelines are met, especially those applied to sensitive information.
Managing electronic health information presents unique challenges for regulatory compliance, ethical considerations, and ultimately, for quality of care. As electronic health record system meaningful use expands, and more data is collected, such as from mobile health devices, that challenge for healthcare organizations increases.
The response to those challenges must include information governance, described as the strategic management of enterprise-wide information based on policies and procedures related to health information confidentiality, privacy, and security. The role of stewardship to ensure data integrity is the core of information governance.
Balancing the various interests in health information and upholding its confidentiality, privacy, and security present ongoing and important challenges.
Buck: Please provide enforcement results as of Dec. 31, 2017.
Bowen: Since the compliance date of the Privacy Rule in April 2003, OCR has received over 171,161 HIPAA complaints and has initiated over 870 compliance reviews. As of Dec. 31, 2017, a total of 98 percent (164,252) of these cases have been resolved.
OCR has investigated and resolved over 25,637 cases by requiring changes in privacy practices and corrective actions or providing technical assistance to HIPAA-covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in systemic changes affecting all the individuals they serve. OCR has successfully enforced the HIPAA rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled or imposed a civil penalty in 53 cases, resulting in a total dollar amount of $75,229,182. Entities investigated include national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. In another 11,386 cases, OCR investigations found that no violation had occurred.
It is important to note that from the compliance date to the present, the compliance issues investigated most are:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
The HHS website provides additional information about enforcement results, including monthly updates reporting the number of cases received, investigated, or resolved. It is incumbent upon all of us who work in compliance to remain aware of reported incidents and resolution agreements, provide ongoing education, and update policies and procedures accordingly.
For additional information on this subject, register now to attend “OCR Audits and Enforcement Actions: Lessons Learned,” featuring Rita Bowen, Feb. 20, 2018, at 1:30 p.m. EST.
About Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
In her role as vice president of privacy, compliance, and HIM Policy for MRO, Bowen serves as the company’s privacy and compliance officer (PCO), overseeing the company’s compliance with HIPAA and chairing the organization’s Data Protection Steering Committee. In addition, she ensures that new and existing client HIM policies and procedures are to code. She has more than 40 years of experience in HIM, holding a variety of HIM director and consulting roles. Prior to joining MRO, she was senior vice president and privacy officer for HealthPort, Inc., now known as CIOX Health. Bowen is an active member of the American Health Information Management Association (AHIMA), having served as its president and board chair, as well as a member of the Board of Directors, the Council on Certification, and various focus and specialty groups, such as privacy. Additionally, Bowen is a former chair for the AHIMA Foundation. She has been honored with AHIMA’s Triumph Award in the mentor category; she is also the recipient of the Distinguished Member Award from AHIMA’s Quality Specialty Group and the Tennessee Health Information Management Association (THIMA). Bowen has served as president for both the Arizona Health Information Management Association (AzHIMA) and THIMA, and served in AHIMA’s House of Delegates. Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee-Memphis. Bowen holds a Bachelor of Medical Science degree with a focus in medical record administration and a Master’s degree in health information/informatics management technology.