The recent Pennsylvania-specific workers' compensation case, Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), elucidates the need for employers to provide appropriate and necessary training on the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). This case is a good example of the risks and liabilities that can flow from an employer failing to train its employees properly.
An Occupational Therapist (OT) was terminated from employment for forwarding protected health information (PHI) of a student from her work email account to her personal email account. The Unemployment Compensation Board determined the OT was not eligible for unemployment compensation based on the level of misconduct. The case was then sent to the Commonwealth Court of Pennsylvania to determine if the OT’s conduct constituted willful misconduct based on the employer’s policies, procedures and training. Although the employer presented material to support the expectation of employees to follow the HIPAA and FERPA laws, the Commonwealth of Pennsylvania did not believe the policies and procedures provided enough detail as to how the employer expected its employees to act. The Commonwealth of Pennsylvania concluded the employer has the burden to provide detailed policies outlining the expectation and conduct of its employees, thus referring the matter to the board for an unemployment compensation decision based on willful neglect.
The facts of the case made it clear the OT felt the employer did not provide appropriate training, or enough detail, to ensure the OT knew what was expected of her conduct in several regards. Although the termination was not disputed, the denial of unemployment benefits also triggered this OT to accuse her employer of billing fraud. The laws provide many protections and incentives for employees who bring bona fide fraud issues to light. Although this issue was not reported in the case file, it is worth highlighting to alert employers of the additional inherent risks associated with properly training employees and handling terminations through the proper protocols.
It is common knowledge that, per OIG Compliance Program Guidance, the foundation of an effective compliance program includes, among other things, training and education, comprehensive and publicized policies and procedures, as well as protocols for handling compliance issues and violations. Employers must lay a strong compliance program foundation and diligently train, educate and retrain employees on the policies, procedures and operating practices for dealing with compliance issues, all the while continuing to reiterate the rules. All employees must have a good sense of what is expected of them, and where they can go to refresh their knowledge, ask questions and seek clarification.
Here are seven key areas to consider and have in place to protect your organization:
- Always provide new hire and annual training.
- Have employees attest to the training and their receipt of the compliance policies and procedures.
- Maintain the training records.
- Ensure you have a clear and detailed “Code of Conduct.”
- Provide details, when appropriate, about your policies and procedures—in particular HIPAA, False Claims Act, Civil Monetary Penalty Law, FERPA, Stark Law, Anti-Kickback Statute, Patient Inducement, etc.
- Understand the school’s expectations on complying with FERPA. This should be in the contract language. For example, if you provide pediatric or athletic training services to students, who protects and owns PHI?
- Know the school’s expectations when communicating with students, athletes, coaches, and physicians. Remember, most students in a primary or secondary school setting are of minority age, which requires you to seek parental or legal guardian consent and direction.
This case involved many facets of a company’s compliance program, including new hire orientation, human resource management during the termination process, policy and procedure processes, contract language and management with an external business partner, HIPAA and FERPA regulations, and internal and external company email communications.
LW Consulting, Inc. can assist by conducting a compliance program assessment or reviewing the specific risk areas your therapy or athletic training staff may encounter when providing care in a school setting. Contact Deborah Alexander, Director of Rehabilitation Consulting Services, by calling 717-213-3122, or email DALexander@LW-Consult.com.
Will your compliance program withstand the scrutiny of regulators?