Breaking Compliance News Blog

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly (and know when they aren't) than to cover your eyes and wait to hear it from the patients (or the media).


Topics: Social Media, HIPAA

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rule. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review the HIPAA Security Rule's administrative, physical and technical safeguards to make sure you have implemented measures to mitigate the risks that could expose your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach may have started when a single employee clicked on a spear phishing email. You could have the most sophisticated HIPAA security defense available - but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.


Topics: security, data breach, HIPAA

Compliance when nobody is watching

Posted by Margaret Scavotto, JD, CHC on 10/11/18 7:42 AM

Everyone knows an effective compliance program needs policies, training, leaders, audits, reporting, investigations, corrective action and discipline. You probably already have these elements in place.

You have policies and training to help your employees do the right thing.

You have audits to verify that your employees are following compliance policies (and doing the right thing).

You have a compliance hotline or other reporting mechanism to find out when employees aren't doing the right thing. And when that happens, you use your investigations, discipline and corrective action policies.

Many of us put these crucial compliance elements in place, cross our fingers, and hope our employees are doing the right thing.

But how do we motivate employees to do the right thing when nobody is watching? After all, most of the time, nobody is watching. And isn't the purpose of compliance to help employees do the right thing - whether somebody is watching or not?

Policies, annual training, audits and a reporting mechanism are a good start. They are essential. But they are not enough to motivate staff to do the right thing all the time. Your challenge as a Compliance Officer is to make compliance part of daily life for your team. How can we help employees understand compliance every day?

Meet employees where they are. Incorporate helpful compliance reminders into their workflow. Would a shift-change chat work? Flyers in the bathroom stalls? (There's nothing else to read in there....) Does the Compliance Officer walk the halls and take a couple of minutes to go over basic compliance concepts with staff? What about displaying short compliance messages on a digital photo frame, or compliance videos on an iPad? Training does not have to be an in-service to be effective.

In the era of social media, infotainment and information overload, compliance has to make some noise. Think outside the box for ways to keep compliance top-of-mind, and help staff do the right thing when nobody is watching.


Topics: Culture of Compliance

Attend Compliance and HIPAA Workshops in Springfield, Illinois

Posted by Margaret Scavotto, JD, CHC on 10/4/18 10:32 AM

MPA is excited to partner with LeadingAge Illinois to bring you a two-day compliance and HIPAA workshop in Springfield, Illinois on October 24 and 25!

Come for a day of compliance, a day of HIPAA, or both!  You will get some MPA freebies, including our new Compliance Flash Cards.

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through the steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the program's ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA    
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location:

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location
 
Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.


Topics: Compliance Basics, Training and Education, HIPAA

MPA's Compliance Store is Open!

Posted by Margaret Scavotto, JD, CHC on 10/3/18 7:11 AM

MPA spent 7 years developing compliance tools so you don't have to.

We are not selling a 3-ring binder filled with descriptions of what other people do, or articles explaining how to build a compliance program. Ours are practical tools (policy forms, checklists, flyers and audit tools) that will enable you to make compliance happen in your organization.

MPA's compliance tools combine legal, clinical and management perspectives to bring you a diverse compliance program designed to merge with your operations - and last.

Advance compliance in your organization with MPA's affordable digital downloads:

  • Foundation compliance policies
  • Compliance risk area policies
  • Compliance audit tools
  • HIPAA tool kits
  • Compliance training and culture tools
  • Compliance Board and committee engagement tools
  • Compliance flash cards
  • Monthly Compliance News Report


Topics: MPA's Compliance Store

Will your staff call the HIPAA Security Officer?

Posted by Margaret Scavotto, JD, CHC on 9/27/18 6:57 AM

Compliance and HIPAA officers routinely train staff on how to respond to a potential security incident. Often, instructions look something like this:

  • If you receive an email that appears to be from an impostor, stop and call the Security Officer immediately.
  • If you get an email with suspicious links, stop and call the Security Officer immediately.
  • If a window pops up on your screen and prompts you to click a button, stop and call the Security Officer immediately.

These are excellent precautions for employees to follow when they encounter potential spam, phishing attempts, spear phishing, or ransomware attacks.

But… how likely are your employees to call your Security Officer? Hopefully, staff are familiar with the Security Officer and would not hesitate to pick up the phone. If you aren’t sure how comfortable staff are reaching out to the Security Officer, it’s worth an inquiry. Here are some items to consider:

  • Where is the Security Officer’s office? Does it get a lot of foot traffic? Would employees know how to find the Security Officer in an emergency? Or, is his or her office housed with separate corporate offices, which have less visibility? If so, you might need to take some extra steps to make sure staff know how to find this person.
  • How often does the Security Officer interact with staff? Does the Security Officer lead HIPAA Security training – or is this training done online, without Security Officer interaction? Does the Security Officer participate in new employee orientation? Attend regular staff meetings? Walk the halls and make conversation? Send out friendly security reminder emails?

Or, is your organization one of the 47% that do not have an appointed Security Officer? (If so, it’s time to appoint one).  

Staff are more likely to contact the Security Officer in an emergency if they have already interacted with this person – preferably more than once. Make sure outreach is an integral part of the Security Officer’s role – it could be just as effective in preventing a HIPAA breach as a firewall.

MPA's Compliance Store is now open! Maximize compliance with MPA's compliance tool kits.


Topics: HIPAA

Compliance Report Card: How is the Compliance Officer’s relationship with the board doing?

Posted by Margaret Scavotto, JD, CHC on 9/12/18 7:14 AM

In April 2018, the Society of Corporate Compliance and Ethics and the Health Care Compliance Association released a report: The Relationship between the Board of Directors and the Compliance and Ethics Officer. 

This report includes (among others) the following compliance officer survey findings:

  • About half of compliance officers report to the board
  • 46% of compliance officers believe the board “values compliance a great deal”

I don’t know if the boards that receive regular compliance reports are the same boards that value compliance a great deal; that wasn't part of this survey. But it’s a good guess that they are. Do the boards who receive regular compliance reports value compliance more? Maybe. I’ll go out on a limb and opine that it’s highly likely.

How can a board value compliance if it isn’t aware of compliance activity?

How can a board appreciate the role of compliance if it doesn’t hear about compliance successes?

How can a board lead and be responsible for a compliance program if it isn’t informed on compliance?

It can’t.

Is your organization part of the 50% where compliance doesn’t report to the board – or the 50% that does?

If the compliance officer does report to the board, how often? According to the HCCA & SCCE report, 35% of compliance officers report to the board four times a year, and another 29% report five or more times a year. If reporting is new in your organization, quarterly reports will bring you in line with many others in the industry.


Topics: Board Involvement

Attend Compliance and HIPAA Workshops in Illinois!

Posted by Margaret Scavotto, JD, CHC on 9/5/18 2:40 PM

MPA is excited to partner with LeadingAge Illinois to bring you two two-day compliance and HIPAA workshops!

Come for a day of compliance, a day of HIPAA, or both! Two options: Naperville, IL and Springfield, IL

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through the steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the program's ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA    
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Thursday, September 27, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations
Friday, September 28, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563
 
Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.


Topics: Compliance Basics, Training and Education, HIPAA

Margaret Scavotto blogs for HCCA: A Tale of Two Doctor's Visits

Posted by Margaret Scavotto, JD, CHC on 8/30/18 7:47 AM

A Tale of Two Doctor's Visits

by Margaret Scavotto, JD, CHC

A few weeks ago, I went to a new doctor for a consultation. While waiting alone in a patient room for the doctor, I noticed a monitor attached to the wall. It showed a color-coded appointment schedule with the last names of every patient coming in that week. I wondered what else I could access if I tried to use the computer (Don’t worry, I didn’t try).

When I checked out after my appointment, I saw three patient files open on the reception desk. I also saw another monitor, with a patient’s X-ray prominently displayed. While my PHI wasn’t visible to others that day, I realized it could be. I felt disrespected. I didn’t go back. Instead, I asked around for another doctor – one with good privacy practices – and will fork over another copay to see a different doctor.

Read more at The Compliance and Ethics blog.


Topics: HIPAA

Nursing Home CEO heads to prison

Posted by Margaret Scavotto, JD, CHC on 8/29/18 6:05 AM


The former CEO of American Senior Communities (ASC) was sentenced to nine and a half years in prison. ASC manages 70 Indiana nursing homes.

The CEO pleaded guilty to conspiracy to commit fraud, conspiracy to violate the anti-kickback statute, and money laundering. A second executive, the former COO, also pleaded guilty and was sentenced to 57 months in prison.

Both sentences involve a $19.4 million fraud and kickback scheme lasting six years. Here is how the scheme worked:

  • The CEO asked vendors to inflate their bills and paid the excess to himself and to other defendants
  • The CEO created shell companies who submitted phony bills to ASC
  • The CEO asked vendors for kickbacks in exchange for ASC's business
  • The CEO took kickbacks in exchange for referring patients to a particular home health or hospice company

As a result of these arrangements, the CEO took home an extra $600,000 a year (on top of his $1,000,000 salary), which enabled him to spend millions on private jets, trips to Vegas, diamonds and gold bars, lakefront property, and political contributions.

In 2015, the CEO asked a vendor to increase its bill by 30% and pay the excess to one of his shell companies. Instead, the vendor went to the authorities.

The DOJ is serious about holding individuals criminally responsible for fraud and kickback schemes. This raises the stakes for individuals running healthcare organizations. When is the last time your executives and board members were trained on compliance? Do they understand kickbacks, and the potential civil and criminal liability attached?


Topics: Board Involvement
