Breaking Compliance News Blog

Margaret Scavotto writes for HCCA: Compliance When Nobody is Watching

Posted by Margaret Scavotto, JD, CHC on 2/13/19 8:54 AM

Compliance When Nobody is Watching

by Margaret Scavotto, JD, CHC

Everyone knows an effective compliance program needs leaders, policies, training, audits, reporting, investigations, corrective action, and discipline.

You probably already have these elements in place. You have policies and training to help your employees do the right thing. You have audits to verify that your employees are following compliance policies (and doing the right thing). 

Read more here.

For Compliance Today: Copyright 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).


Topics: Culture of Compliance

Stay informed in 2019

Posted by Margaret Scavotto, JD, CHC on 2/5/19 11:31 AM

MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code NEWYEAR to save 25% off the price when you sign up.  

You can read a sample report here.

Topics: Compliance Basics

10,000 steps to compliance

Posted by Margaret Scavotto, JD, CHC on 1/23/19 7:51 AM

Don’t be discouraged by the title - this story is actually (hopefully) encouraging.

When I first got my Fitbit, I learned I averaged 5,000 to 6,000 steps a day. A few times a week I’d get far more than that, but my weekday average could be better.

Around Thanksgiving 2018, I decided to pick up the pace and set a goal of reaching 10,000 steps a day - no matter what.

I went to Zumba at the Y (7,000 steps), walked around my in-laws’ pond (1,000 steps), walked up and down the stairs at my office (100 steps), and danced around the kitchen (as many steps as it took).

I hit 10,000 steps 14 days in a row. And then I kept going. I of course have an off day every now and then. But overall, I feel better when I find the time to get 10,000 steps. And over time, it’s become easier to work this into my day.

What does this have to do with compliance?

Compliance professionals often tell me: I start working on compliance, but then I get distracted and weeks go by. I start working on an audit and then something else comes up and by the time I get back into the audit, I have to re-learn the entire process. I want to spend more time on compliance, but there is just so much else to do.

The problem here is that compliance needs to be part of our daily routine, no matter what. 

By consistently reaching a small goal (10,000 steps a day), I achieved a bigger goal: I lost 10 pounds. Compliance is the same way. If you commit to working on compliance consistently - even slowly but surely - over time, you will be rewarded with bigger results.

Here are some ways you can commit to compliance every day – and achieve big goals over time:

  • In 5 minutes, you can go over a compliance tip, question or flash card with an employee, making a positive connection with compliance and reinforcing compliance knowledge.
  • In 10 minutes, you can walk the halls and increase your visibility as Compliance Officer.
  • In 20 minutes, you can conduct a HIPAA walk-through audit of a department.
  • In 30 minutes, you can review a policy with an employee.

Make room for small tasks, and watch your compliance program meet big goals in 2019.

Topics: Culture of Compliance, Compliance Basics, Compliance Officer & Committee

*Free Webinar* MPA and Wolters Kluwer present: Creating a Culture of Compliance

Posted by Margaret Scavotto, JD, CHC on 1/17/19 7:52 AM

Every compliance program needs policies, training, reporting, leadership and audits to succeed – but it’s not enough. Federal guidance makes clear that an effective compliance program requires a strong culture to support it. Practical experience also teaches us that culture will make or break a compliance program.

We will walk through steps providers can take at the employee, management and board levels to cultivate a compliance culture that takes your company in a direction of employee trust, internal reporting, audits with integrity, and compliance strength.

  • Using examples from the headlines, we will walk through real-world fact patterns and decisions that shaped compliance culture.
  • Learn to identify steps providers can take to promote a positive culture of compliance, as well as strategies to counteract negative culture forces. Approaches will include board involvement, staff training, accountability and incentives, and more.
  • Learn conventional and unconventional strategies for building your own culture of compliance.

Wolters Kluwer Legal & Regulatory U.S. is pleased to partner with Above the Law for CLE accreditation.* Upon the conclusion of each webinar an informal certificate of completion will be issued by Wolters Kluwer Legal & Regulatory U.S. Attendees will also receive an official certificate via email from Above the Law's third party CLE provider, Marino Law.

*CLE available for NY, NJ and CA. A Uniform Certificate of Attendance for CLE credit will be issued for all other states.

Topics: Training and Education

Stay informed in 2019

Posted by Margaret Scavotto, JD, CHC on 1/15/19 6:27 AM

MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code NEWYEAR to save 25% off the price when you sign up.  

You can read a sample report here.

Topics: Compliance Basics

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.

Topics: data breach, Social Media, HIPAA, security

MPA's gift to you: Free compliance video on perks and presents

Posted by Margaret Scavotto, JD, CHC on 12/11/18 7:29 AM

I like presents.

Giving them, getting them, even writing thank you notes for them.

But in healthcare, presents are tricky.

That is why, this holiday season, MPA is sharing a compliance video with you. You are welcome to share this video with your staff to help them navigate patient and vendor gifts, freebies and perks this holiday season.

Perks and Presents
Want to do more to cultivate a culture of compliance?

MPA's Compliance Flash Cards are here... choose card-stock or digital download:

Topics: Culture of Compliance

Compliance Officer Interview: Connie Rhoads and Pet Posters!

Posted by Margaret Scavotto, JD, CHC on 12/5/18 7:45 AM

Today I am going to tell you about the best compliance culture idea I have ever heard: Pet Posters.

That's right: Using employee pet photos to create posters promoting compliance.

This idea is clever, charming, motivating, effective - and the brainchild of Connie Rhoads, Vice President of Corporate Compliance at Christian Horizons, a senior living provider in the Midwest.
I interviewed Connie to learn more about how she came up with Pet Posters and how it has been a success at Christian Horizons. (Side note: Connie and I agree that the Ghostbusters poster is our favorite - but it's hard to pick just one).

Margaret: How did you come up with Pet Posters?


I attended a webinar that shared examples from companies who achieved significant impact from small changes to their compliance programs. One of the companies shared their updated compliance hotline poster. They had simply changed the picture on their poster from a rotary phone to a picture of a puppy with its head tilted, as if it was unsure of something. Simply changing the picture was enough to capture their associates' attention. The Compliance Department started receiving appropriate concerns when previously a hotline call was a rarity. 

That was my inspiration! I thought to myself, everyone loves pets, especially their own, so I came up with the ‘Is Your Pet Destined for Stardom?’ Compliance Poster Contest.  Our marketing team created a flyer for the contest and poster templates. I also created a page of suggested slogans. Associates simply had to insert their pet photo into the template, add the slogan, save it and send it in.  We included credits to the ‘Celebrity’ and their owner on each poster. 

Margaret: How long have you been using the Pet Poster program?


Our inaugural promotion was for Compliance and Ethics Week 2016; 2018 is our third year.

Margaret: Have you had any participation obstacles – and how have you overcome them?


Yes - a few. 

Topics: Culture of Compliance

Compliance Flash Cards are now available in card-stock!

Posted by Margaret Scavotto, JD, CHC on 11/28/18 8:33 AM

Grow employee knowledge and build a culture of compliance with MPA's Compliance Flash Cards! 
The Compliance Flash Cards have been so popular, we have decided to offer them in print! Order now and a set of Compliance Flash Cards will be mailed to you.

  • Incorporate Compliance Flash Cards into new employee orientation and annual compliance training
  • Walk the halls and use the Compliance Flash Cards to have small conversations with staff - increasing compliance awareness and Compliance Officer visibility

MPA's Compliance Flash Cards include:

  • 3 Flash Cards address reporting non-compliance
  • 2 Flash Cards address abuse (1 specifically for SNFs)
  • 4 Flash Cards address Resident Rights in SNFs
  • 5 Flash Cards address documentation, including 2 specifically for SNFs
  • 10 Flash Cards address HIPAA
  • 10 Flash Cards address HIPAA & Social Media (including 4 specifically for hospitals and 4 specifically for SNFs)
  • 1 Flash Card addresses Quality Care
  • 1 Flash Card addresses False Claims
  • 2 Flash Cards address Kickbacks

For digital flash cards, click here.

Topics: Culture of Compliance

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—
    (A) Implement the implementation specification if reasonable and appropriate; or
    (B) If implementing the implementation specification is not reasonable and appropriate— (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk. 

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule - there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.” 

Topics: HIPAA