Breaking Compliance News Blog

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period.

The first attack shut down computers for three weeks while the center rebuilt its systems from backups; the center did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.

Topics: HIPAA, data breach, security

Nursing home sued after aides taunt resident on Snapchat

Posted by Margaret Scavotto, JD, CHC on 8/22/19 7:37 AM

Two nursing home certified nurse aides were fired and charged with disorderly conduct after filming a 91-year-old resident in distress and posting the video to Snapchat.

The two aides allegedly took a video recording of the resident in distress, while they waved a gown in her face - and the resident tried to push it away. The video caption read: "[Resident name] hates gowns," and was accompanied by laughing/crying emojis. Staff at the nursing home were aware that this resident did not care for hospital gowns.

Topics: HIPAA, abuse, skilled nursing

What has compliance done for you lately?

Posted by Margaret Scavotto, JD, CHC on 8/20/19 7:51 AM

At the risk of getting some Billboard top ten 1980s Janet Jackson lyrics stuck in your head for the rest of the day, I’d like to ask you an important question:

What has compliance done for you lately?

Phrased another way:

How has your compliance program helped your organization this year?

Did your hotline encourage employees to report potential false claims internally, so they could be self-reported? Did this hotline call possibly avoid a whistleblower situation?

Did routine compliance audits find a documentation issue – so you could correct it before it became a widespread problem?

Maybe the compliance department collaborated with the HIPAA Security Officer to run a ransomware and phishing campaign, educating employees about potentially hazardous emails and links. As a result, the Compliance Officer and Security Officer received dozens of calls from employees reporting suspicious emails and links that potentially contained ransomware or malware. Can you put a price tag on potentially avoiding a costly ransomware attack?

Topics: Compliance Basics, Culture of Compliance, compliance, compliance officer

"Taxi!" and other wrong ways to handle reports of misdirected PHI

Posted by Margaret Scavotto, JD, CHC on 7/17/19 9:45 AM

In Canada (where privacy laws are similar to HIPAA), a man requested his surgery records, and soon received a package in the mail from the hospital. When he opened the package, however, he did not find his surgery records—he found another man’s autopsy.

Topics: HIPAA

Abuse by Smartphone

Posted by Margaret Scavotto, JD, CHC on 7/9/19 9:57 AM

Four nurse aides commit abuse with Facebook Live

The family of an Illinois nursing home resident who appeared in a caregiver’s Facebook Live video is suing the home. Four nursing aides allegedly participated in a video of the resident, who is a stroke survivor with dementia. The lawsuit asserts that the video shows the resident in bed, holding a diaper, surrounded by employees who are harassing him. One of the caretakers is heard yelling “Take off your pants, [resident name].”

This example poses HIPAA concerns and abuse concerns. Without a patient authorization, it is a potential HIPAA violation to record the resident and share that recording with third parties. In addition, CMS made it clear in its Survey & Certification Memo 16-33 that humiliating or demeaning photos or recordings of nursing home residents are mental abuse.

Snapchat use leads to criminal charges

Topics: HIPAA, Social Media, abuse

DOJ issues new guidance: Evaluation of Corporate Compliance Programs

Posted by Margaret Scavotto, JD, CHC on 6/26/19 8:51 AM

The Department of Justice Criminal Division recently issued a Guidance Document for prosecutors: Evaluation of Corporate Compliance Programs.

In this document, the DOJ outlines three questions prosecutors should ask when making an "individualized determination of a corporate compliance program's effectiveness":

  1. "Is the corporation's compliance program well designed?"
  2. "Is the program being applied earnestly and in good faith?" In other words, is the program being implemented effectively?
  3. "Does the corporation's compliance program work" in practice?

Topics: Compliance Basics, guidance

Why Compliance Should Care About the War on Opioids

Posted by Margaret Scavotto & Scott Gima on 6/18/19 8:51 AM

We have an opioid problem

In the United States, 134 opioid-related deaths occur daily. In 2016, more than 60,000 Americans died from drug overdoses, and two-thirds of those deaths were opioid related. Fentanyl is now responsible for more overdose deaths (28.8%) than heroin. And, three out of four new heroin users first misuse prescription opioids.

In 2017, almost one-third of Medicare Part D beneficiaries received opioids. About 460,000 beneficiaries received high amounts of opioids; 71,000 beneficiaries were at serious risk of misuse or overdose; and almost 300 prescribers had questionable prescribing. Everyone agrees our country has an opioid problem.

Topics: Quality Assurance, Excluded Providers, Opioids, compliance

Hot HIPAA Issues: Employee Credentials & Business Associate Management

Posted by Scott Gima on 6/4/19 7:54 AM

In late 2018, the OCR entered a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee’s remote access to the hospital’s scheduling calendar, which includes patient PHI. The OCR also alleged that the hospital failed to enter a Business Associate Agreement with the scheduling calendar vendor.

Topics: HIPAA, business associates

Is your SNF ready for the November compliance program deadline??

Posted by Margaret Scavotto, JD, CHC on 5/29/19 10:24 AM

Note: This topic is of special interest to our SNF readers. General healthcare compliance and HIPAA topics will return next week!

The Affordable Care Act mandated compliance and ethics programs for all nursing facilities. Medicare and Medicaid will require implementation by November 28, 2019.

Are you ready?

Fortunately, the ACA requirements closely – but not entirely – track the ACA OIG compliance program guidance and the Federal Sentencing Guidelines principles for compliance programs, so providers who have built compliance programs on these documents should be in pretty good shape. Here is what the ACA requires nursing facilities to have by November 28, 2019:

  • Written compliance and ethics policies and procedures that are communicated to staff, contractors and volunteers and:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review.* 

*It can take weeks or even months to review a compliance program, so if this is your first experience with annual review, it is a good idea to start early.

Organizations with five or more facilities must also have:

Topics: Compliance Basics, Affordable Care Act, skilled nursing

Erectile dysfunction prescription privacy: another HIPAA lawsuit proceeds

Posted by Margaret Scavotto, JD, CHC on 5/21/19 11:06 AM

An Arizona patient received a free sample for an erectile dysfunction (“ED”) medication from his doctor. Later, his pharmacy, Costco, called the patient to tell him that his full prescription was ready. The patient told Costco that he did not want the prescription and would not be picking it up.

One month later, the patient called Costco about another prescription. Costco again told the patient that his ED prescription was ready, and the patient again told Costco he did not want that prescription. The next day, the patient called Costco to give his ex-wife permission to pick up his prescription. The patient and his ex-wife were considering reconciling. A Costco employee gave the ex-wife the patient’s prescription – and the ED prescription, and joked with the ex-wife about the patient taking so long to pick it up. The ex-wife ended reconciliation attempts with the patient.

The patient sued Costco for negligence and other claims.

Topics: HIPAA
