Hospice Conditions of Participation – employees versus contractors
Hospice conditions of participation require that almost all hospice core services are delivered by hospice agency employees and may not be delivered by contractors. Hospice core services include:
Nursing services
Social services
Counseling services including spiritual, bereavement and dietary
Physician services
Although physician services are a core service, the regulations permit a hospice agency to contract for physician services.
When may a hospice use contracted staff for core services?
Other than physician services, only under extraordinary circumstances may a hospice agency use contracted staff for core services.
What are extraordinary circumstances?
Under extraordinary circumstances, a hospice may use contracted staff to provide core services. Examples include:
Patient needs unexpectedly exceed the capacity of hospice agency employees, due to unanticipated surge in demand. In this case, contracted staff may be temporarily used to service patients.
Temporary staffing shortages, for example due to illness, result in the inability of the hospice to service patient needs. In this case contracted staff may be used to temporarily supplement hospice agency employees.
A hospice patient travels outside of the hospice agency’s service area. In this case the agency is permitted to contract with another Medicare certified hospice agency to provide services to the patient while the patient is traveling.
What is hospice initial accreditation and why is it important?
Hospice initial accreditation is a way to ensure delivery of consistent and high quality services across all accredited hospice agencies. The accreditation program ensures that the hospice agency is fully compliant with Medicare Conditions of Participation. The program also reviews that the hospice is compliant with state and local laws. An on-site survey conducted by the accrediting organization evaluates the quality of the clinical care provided, quality and compliance of patient records, policies and procedures, and performance improvement. Patient and family experiences and quality outcomes are also reviewed. The organization’s financial and long term viability is also studied via review of budgets and other related metrics.
When would a hospice want to complete the accreditation process?
A home hospice must complete the initial Medicare accreditation process before it is able to bill Medicare for services provided to patients. CMS has approved three accrediting organizations (AO) to conduct Medicare surveys and accreditation for hospice agencies: CHAP, ACHC, and JCAHO. These agencies have standardized accreditation and assessment processes although the requirements and actual on-site survey review may vary depending upon state and local regulations.
There are six key elements of the initial accreditation process
File and obtain state home licensure
Register with accreditation organization
Obtain CMS 855A
Develop patient caseload – verify agency is meeting Conditions of Participation
Ensure Conditions of Participation are being met
On-site survey visit
We now discuss each of these elements in greater detail.
Element 1: The process begins with the hospice filing a state home hospice licensure. Each state has its own requirements for approval. So this process and its time lines will differ by state.
Element 2: Register with one of the three accreditation organizations (AO). The AO will require a registration fee. Although the accreditation will be received from CMS, Medicare has granted authorization to AO to conduct the accreditation process on behalf of CMS. The AOs have local branches, allowing them to customize their surveys for state and local regulatory requirements.
Element 3: Confirm 855A is accepted by the Medicare Administrative Contractor (MAC) that is appropriate for the hospice agency’s region: Palmetto GBA, NGS or CGS.
Element 4: Develop patient caseload. Specifically, the hospice must have serviced five patients, with at least three active at the time that the AO conducts the survey. Further, although the hospice is not currently billing Medicare, all patients must be treated as if they are Medicare eligible. All documentation must be completed within the Medicare required time frames and services must be provided by employees, as per Medicare guidelines.
Element 5: Ensure Conditions of Participation are being met. This element involves a number of different items.
The first item is that the hospice agency must verify it is providing all core services using hospice agency employees. Core services include nursing, social work, and counseling including spiritual, bereavement, and dietician. These services must be provided using hospice employees. Contractors may not be used to provide these services. Physician is also a core service but CMS permits the medical director and alternate medical director services to be provided using either hospice agency employees or contracted services.
The second item is to very that the hospice agency is able to provide all non core services using either hospice agency employees or contractors. Non core services include the therapies: physical therapy, occupational therapy, and speech therapy. Additionally, the agency must verify that it is able to provide aide services. It also must be able to demonstrate that it has a bereavement program, even if this service is not yet being used.
The third element is that the hospice agency must verify it can provide all four levels of care including routine, GIP, respite, and continuous care. Not all of these levels of care must be provided through hospice employees; the agency may contract to provide these levels of care.
As a final element, the hospice agency should demonstrate that it can provide DME, pharmaceuticals, drugs and biologicals.
Element 6: On-site survey. Once the hospice confirms that that prior five elements are completed, it will indicate to the AO that it is ready for a Site Visit. The date of the Site Visit will not be announced to the hospice agency but will typically occur within 45 days of when the hospice agency indicates site readiness. The survey will be conducted on-site over three consecutive days. The AO will review patient medical records, accompany staff on patient home visits, and review both clinical and non-clinical hospice agency policies and procedures. The AO will also review the agency for financial viability by reviewing budgets and other related metrics.
What happens after the survey is completed?
After the AO completes the on-site survey, the hospice agency will be notified of the final findings of the survey. There are four possible outcomes.
Agency passed with no deficiencies
Agency passed with minor deficiencies; agency must write an action plan that must be accepted by the accrediting organization
Agency has major deficiencies; deficiencies must be resolved, followed by another three day survey
Agency failed the survey; agency must restart the entire process
What happens after a hospice agency is issued its accreditation letter?
The AO sends a copy of the accreditation letter to the state department of health. Upon receipt, the state will confirm that the agency continues to meet all state requirements for Medicare eligibility. CMS will also contact the Fiscal Intermediary to confirm that the agency is located and operating at the physical address indicated on the Medicare application. The hospice agency will then be issued a Provider Number, also referred to as CMS Certification Number (CCN).
In order to bill Medicare, the hospice agency must enroll in EDI and will be issued a Billing Number. We discuss this process separately.
Where can you find more information?
This video from ACHC provides a description of the initial hospice accreditation process
Not everything that looks like a data breach is, in fact, a reportable data breach. Before you report a data disclosure to the US Department of Health and Human Services Office for Civil Rights (OCR), you should confirm that what you are concerned is a reportable data breach is, in fact, a HIPAA breach.
A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under HIPAA that compromises the security or privacy of the data.
Not every disclosure of PHI is a breach. There are three important exceptions.
Three data disclosures that are not considered a reportable breach:
Unintentional Access:
An employee unintentionally accesses PHI but does not further disclose the PHI in a manner that is not permitted per the HIPAA regulations. For example, a clinician wishes to enter information in the chart for patient “John Smith”. The clinician opens the chart for patient John Smith living on Bay Ridge street instead of patient John Smith living on Reed Street. The clinician closes the chart as soon as the mistake is identified.
Inadvertent Disclosure to Authorized Person:
An individual who is authorized to see the PHI inadvertently shares the PHI with another person in the organization. That second person does not further disclose the information in a manner that is not permitted per HIPAA regulations. For example, a technician sends lab results for the wrong patient to a physician. The physician deletes the results.
Inability to Retain the PHI:
PHI is inadvertently disclosed to someone unauthorized to have access to the information but that person would not be reasonably expected to retain the information. For example, a clinician’s young child is on the phone while the clinician is discussing patient PHI.
Is every disclosure that does not fall into one of these three exception categories considered a reportable breach?
The regulations allow for a four factor analysis to assess the overall level of risk of compromise, to discover the extent of the data breach, and to determine whether or not notification is required. Only after this four factor analysis is completed, the hospice agency determines whether or not a breach occurred and the level of risk.
The following are the four factors:
Factor 1: Nature and Extent of PHI Involved
What information is involved? Can the patients be identified? What personal or helath information is included?
Factor 2: Who Accessed the Data/ to Whom was the Data Disclosed
Was the data disclosed to a person in the organization or in another HIPAA covered organization who is required to follow data privacy rules? In either of these cases, the risk is reduced as both of these types of persons are trained in HIPAA regulations.
Factor 3: Was PHI Actually Acquired or Viewed
Was the PHI actually viewed or acquired? For example, an encrypted device with PHI is stolen but based upon forensic analysis it is determined that no one accessed the PHI. In this case, there was a risk of data breach but analysis determined that PHI was not actually acquired or viewed.
Factor 4: To What Extent have you Mitigated the Risk
What actions have been taken to reduce the risk of PHI access. For example, has the PHI been returned to you? Have you taken steps to track down the device that was not returned by the former employee?
What should I do if a breach has occurred?
If, upon completion of the four factor analysis, it is determined that a breach has occurred, then notification is required.
Affected person must be notified and media and the state may be required to be notified as well.
If fewer than 500 persons are involved, the OCR must be notified at the end of the calendar year. Otherwise, the OCR must be notified within 60 days.
Take appropriate action
Not every disclosure of data is a breach. Investigation must be conducted to determine if the disclosure constitutes a reportable data breach. If the disclosure is a data breach then appropriate actions must be taken to report the breach to all relevant parties within the required time frames. Note that required actions may vary by state.
