Friday January 8, 2016
In accordance with Section 6106 of the Affordable Care Act
facilities are required to electronically submit staffing
information to drive accountability effective July 1, 2016.
Providers will be required to submit their staffing and census
data quarterly. They will have 45 days after the last day in each
fiscal quarter to submit - making the due date for the first PBJ
submission November 14, 2016
Get Ready With These Five Steps:
1. Identify & Classify All Direct Staff - all direct
care staff (including agency and contract staff), does not include
individuals whose primary duty is maintaining the physical
environment (example housekeeping).
CMS defines direct care staff as those individuals who, through
interpersonal contact with residents or resident care management,
provide care and services to allow residents to attain or maintain
the highest practicable physical, mental, and psychosocial
· Create a Unique Employee ID - for each direct care employee;
should not contain any personally identifiable information, such as
a Social Security Number (SSN).
· Hire Date - the first date of a staff member's employment and
is paid for services rendered, either through direct employment or
under contract. Note: Contract Employees -first date worked at the
facility and billed for.
· Termination Date - the last date of a staff member's
employment and is paid for services rendered either through direct
employment or under contract. Note: Contract Staff - the last date
the facility communicates that the contract employee will no longer
be providing services (either voluntary or involuntary).
· Pay Type Code - categorizes the staff member as a direct
employee of the facility (exempt or non-exempt), or hired under
contract and paid by the facility. Note: non-exempt - entitled to
overtime pay, exempt - not entitled to overtime pay, contract -
individuals under contract and individuals who provide services
through organizations that are under contract.
2. Assign CMS Job Codes - identifying and assigning a CMS
job code to an employee for each and every shift to ensure a
payroll-based reporting submission is accurate and complies with
CMS requirements. CMS has defined 37 job Codes to be used when
reporting direct care hours worked. Facilities should report the
hours worked based on an employee/s primary function for that
There must be a job code attached for every hour submitted through
the PBJ system. Job responsibilities can change multiple times
throughout the day and CMS recognizes that most roles have a
variety of non-primary duties that are provided throughout the
Assign each position and shift a job code, this job code should be
used and paired with the direct care staff including agency and
contract staff, which works those shifts.
See Attached CMS PBJ Version 1.0 Policy Manual Table 1: Labor and
Job Codes and Descriptions.
3. What Should Be Counted, What Should Not Be Counted? - It
is important for facilities to know what should and should not be
reported in the PBJ when compiling a complete an accurate file for
submission. CMS has provided situations where direct care hours
worked should not be reported:
· Hours paid for any type of leave or non-work related absence
from the facility.
· Any unpaid overtime (a salaried employee works 10 hours but is
only paid for 8 hours).
· Hours for services performed that are billed to FFS Medicare or
· Hours providing services to residents in non-certified
One of the biggest challenges for submission of the PBJ will be to
gather and aggregate staffing data from disparate sources. Direct
care hours are usually tracked through time and attendance systems.
The following situations could possibly be overlooked but should be
· Contract and Agency work.
· Corporate staff at a facility performing task/duties that fit
into a CMS job category (e.g. Regional Director fills in for the
Administrator that's out on vacation or leave).
· Salaried staff that do not clock in or clock out.
4. Create a Checks and Balances System - CMS provided
examples of the difficulty facilities may experience in their
ability to appropriately track and allocate exact hours.
· For Medical Directors, it might be difficult to allocate the
exact hours spent performing medical director duties as opposed to
primary care duties.
· For Consultants, it might be difficult to identify the exact
hours a specialist contractor (e.g. non-agency nursing staff) is
(Note: It is important for facilities to define their expectations
within their service provider contract.)
(CMS has stated that the hours reported should be based on
payments made for services and be verified through payroll,
invoices and/or tied back to contract).
5. Start Now and Be Ready - Your success will be determined
based on staffing with the PBJ staffing measurements by
implementing a proactive process to identify and adjust staffing
levels. Staffing is a challenging process with constant shift
updates including call-offs, time-off requests, employee no-shows,
and fluctuations in census, activity, acuity and workload.
Set up a process that allows staffing information to be easily
accessed, create dashboards that identifies staffing requirements
based on census, against budgeted hours. If gaps are identified
adjustments should be made.
CMS has identified staffing as a key component in delivering
quality care and positive resident outcomes. They use staffing
information in the Nursing Home Five Star Quality Rating System to
help consumers understand the level and differences of staffing in
nursing homes. CMS requires facilities to submit CMS Form 671 and
CMS Form at the time of survey to calculate the Staffing Domain of
the Five Star Rating System.
Hopefully utilizing these 5 steps will help your facility achieve
the staffing and management goals that will enable you to correctly
document and report direct care hours worked.
Wednesday June 15, 2016
In an effort to review and examine compliance with the Health
Insurance Portability and Accountability Act of 1996 and its
implementing regulations ("HIPAA"), the Department of Health and
Human Services Office for Civil Rights ("OCR") is conducting Phase
2 HIPAA audits for both covered entities and business associates.
OCR is conducting the audits to assess new risks, identify
effective privacy and security measures, and develop targeted
guidance on specific areas of concern.
The first step in the audit phase is a pre-audit screening email
sent to potential auditees. We have seen several of these delivered
recently. A sample of the pre-audit screening email can be found
here. The email contains a questionnaire addressing size, entity
type, services, contact information, and other background
information. The online questionnaire must be completed and
returned to OCR within 30 days. Based on the responses received and
the information gathered, OCR will create a smaller, representative
sample audit pool. Thus, not all entities that receive the initial
pre-audit screening email will be audited. However, failure to
respond to the questionnaire will not remove an entity from the
audit selection pool. OCR will use publicly available information
about an entity if it receives no response within the 30-day
Every covered entity and business associate is eligible to
receive the pre-audit screening email and to be entered into the
audit selection pool. However, at this point, we believe the
screening e-mail is being sent to entities who have filed a breach
notification report with OCR. Based on the responses to the
pre-audit questionnaire contained in the screening e-mail, OCR will
choose a representative sample of auditees. Entities will be
notified if selected.
Phase 2 audits will target areas of frequent non-compliance with
HIPAA, such as risk management, privacy practices, individual
access to protected health information ("PHI"), breach
notifications, and electronic security. Most audits will not
involve site visits, though some may. Once an entity is selected
for the audit process, it has only 10 days to respond to OCR's
audit request, submit all requested documentation through OCR's
online portal, and provide a listing of its business associates.
While OCR has not stated the exact information that will be
requested, we suspect the information requests will include, among
other things, HIPAA policies, procedures, and plans, listing of
systems that house electronic PHI, risk assessment(s), breach
notification documents, Notice of Privacy Practices and other HIPAA
forms, and a business associate listing.
Depending on an entity's size, the 10-day window may leave
little time to compile and provide the requested information. Thus,
while receiving the pre-audit screening e-mail does not guarantee
that an entity will be audited, it is recommended that receiving
entities take proactive steps to prepare in the event they are
ultimately audited. Recommended steps include the following:
· Assemble a
HIPAA response team and hold an initial meeting so that everyone
may be prepared in the event of an audit. Potential team members
may include your privacy officer, security officer, compliance
officer, IT department supervisor, and administrator.
· Locate all
HIPAA-related materials so that they can be gathered quickly in the
event of an audit.
· Review HIPAA
policies and procedures to make sure they are up to date, operating
effectively, and do not contain any gaps.
· Review HIPAA
forms to make sure they are up to date and are being properly
· Compile a
listing of business associates, which, for larger entities, could
take a significant amount of time. There are several pieces of
information OCR has indicated it will request with respect to
business associates. A template form for gathering this information
is available here. While use of the template is not required, it
does ensure inclusion of all the business associate information OCR
· In relation,
confirm that a business associate agreement is in place for each
instance where one is required. We have seen some recent
enforcement actions whereby covered entities have been fined for
not having a business associate agreement in place when one was
· Compile and
review the latest risk assessment(s) to make sure they are still
valid and cover all the systems that house, transmit, and store
electronic PHI. (We have seen recent enforcement actions whereby
covered entities have been fined for not having a risk assessment
or a series of risk assessments that cover all relevant
· Compile an
inventory of systems and system assets that house, transmit, and
store electronic PHI.
OCR has indicated that the Phase 2 audits are not designed to
determine an entity's compliance with HIPAA. Nonetheless, OCR has
retained the right to initiate a compliance review based on
information received during an audit. Thus, we believe it is
worthwhile to take the steps mentioned above in order to help
reduce the risk of a compliance investigation.
For more information on the Phase 2 HIPAA audits, please contact
any of the Burr & Forman attorneys listed below.
Partner ~ AL
Counsel ~ AL
Partner ~ AL
Partner ~ AL
Partner ~ GA
Partner ~ TN
Counsel ~ AL
Partner ~ AL
Partner ~ TN
Associate ~ AL
Partner ~ FL
Partner ~ AL
No representation is made that the quality of services to be
performed is greater than the quality of legal services performed
by other lawyers. ADVERTISEMENT