
Monday, April 01, 2024

HHS OCR to Teaching Hospitals & Medical Schools: Get Written Consent for Sensitive, Intimate Exams

In a letter sent out today, the Office of Civil Rights informed teaching hospitals and medical schools that it has prepared a clarification of HHS's Conditions of Participation. Here's the bottom line:

Recent articles in both the mainstream media as well as medical and scientific literature have brought public attention to the traditional practice of allowing practitioners or supervised medical, advanced practice provider, or other applicable students to perform pelvic and other invasive examinations on patients who are under anesthesia. With this attention, patient advocates, physicians, and the students themselves have expressed concern about whether patients, especially anesthetized patients, have been sufficiently informed about this practice and whether their full consent was obtained before these educational exams were performed. 

[My additional note: Anyone who has spent time with third- and fourth-year medical students is likely to have heard about unconsented-to pelvic exams performed on unconscious patients for training purposes.] 

While CMS recognizes that these patient exams are often conducted as part of the vital skills clinical students must obtain during their training and education, we also firmly believe that patients have the right to make informed decisions on the healthcare services they receive so that they can give their full consent for those services including any training- and education-related examinations that may be performed in addition to any treatments or procedure that they expect to receive, especially if those patients will be under anesthesia at the time.  

Therefore, we are revising our interpretive guidance in the State Operations Manual (SOM), Appendix A for hospitals at tag A-0955, to include under the example of a properly executed and well-designed informed consent form, as well as the hospital’s policy and process for informed consent, the following elements (in addition to those outlined above) [new guidance in italics]:  

Whether physicians other than the operating practitioner, including, but not limited to, residents, medical, advanced practice provider (such as nurse practitioners and physician assistants), and other applicable students, will be performing important tasks related to the surgery, or examinations or invasive procedures for educational and training purposes, in accordance with the hospital’s policies. Important surgical tasks include: opening and closing, dissecting tissue, removing tissue, harvesting grafts, transplanting tissue, administering anesthesia, implanting devices, and placing invasive lines. Examinations or invasive procedures conducted for educational and training purposes include, but are not limited to, breast, pelvic, prostate, and rectal examinations, as well as others specified under state law. 

While CMS understands that the performance of such examinations has been necessary for teaching medical and other students critical clinical examination skills, we believe that patient permission for these exams is an essential part of the informed consent process for hospitals, and necessary for compliance with the informed consent requirements in the CMS hospital CoPs. [Footnotes omitted.]

Practice pointer: Tell the student/trainee about the informed-consent process that preceded the training session. I've been told by more than one attending physician that the patient's consent was obtained before the training session. If nothing is said to the student/trainee, they may conclude (erroneously) that the patient's consent wasn't obtained.

Thursday, March 14, 2024

HHS's Office of Civil Rights Launches Investigation into Cyberattack on UnitedHealth's Subsidiary, Change Healthcare

On Feb. 12, Change Healthcare experienced a ransomware attack. Most of us had not heard of Change Healthcare before then, but the effect of the cyberattack was felt widely around the country. Associated Press states that "Change Healthcare provides technology used to submit and process insurance claims — and handles about 14 billion transactions a year." As reported by Becker's CFO Report (3/13/24):

Change Healthcare . . . processes 1 in 3 healthcare claims in the U.S. . . .  The attack has crippled many operations for hospitals, insurers, physician practices and pharmacies across the country, with the American Hospital Association calling it the "most significant cyberattack" on healthcare in U.S. history.

The attackers (identified as the BlackCat Group) allegedly "stole 6 terabytes of data from Change, including medical records and Social Security numbers, and has since received $22 million in bitcoins, according to Reuters."

Getting back to business as usual is taking a lot of time:

As of March 7, Change Healthcare's pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection March 15. Its medical claims network and software are expected to start testing for reconnection March 18, with the company working throughout that week to restore service. 

Meanwhile, AP reports that "[t]he Office for Civil Rights said Wednesday that it also will examine whether Change Healthcare followed laws protecting patient privacy." The HHS press release (3/13/24) is here. It states in part (emphasis added):

The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.