Breaking Compliance News Blog

Margaret Scavotto, JD, CHC

Recent Posts

HIPAA & COVID-19: telehealth

Posted by Margaret Scavotto, JD, CHC on 3/27/20 12:00 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 


Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: What HIPAA requirements are waived during COVID-19?

Posted by Margaret Scavotto, JD, CHC on 3/26/20 10:01 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24.***

Today is day four of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPAAtrek.


What HIPAA requirements are waived during COVID-19?

On March 16, the Office for Civil Rights (OCR) issued a bulletin in response to the COVID-19 outbreak: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency. For providers who followed the OCR’s waivers during Hurricanes Irma or Michael, this waiver should look familiar to you.

Who is covered by the waiver?

This waiver applies only to covered hospitals. All other providers must continue to follow HIPAA in full (with some leeway for telehealth under the OCR's separate telehealth enforcement discretion, discussed in the final post of this series).

What’s waived

Under this waiver, as of March 15, 2020, the OCR waives sanctions and penalties against hospitals that do not follow these HIPAA Privacy Rule provisions:

  • the requirement to obtain a patient's agreement before speaking with family members or friends involved in the patient's care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

The waiver applies ONLY to the COVID-19 public health emergency, in the emergency area and for the emergency period identified in the declaration. To get the benefit of the waiver, a hospital must:

  • have implemented its disaster protocol
  • use the waiver for a maximum of 72 hours from the time the disaster protocol is implemented
  • resume full compliance with the Privacy Rule when the public health emergency declaration ends, even if 72 hours have not yet passed.

What’s not waived?

The OCR’s waiver alert also provides guidance on HIPAA practices that are not waived and must still be followed during the COVID-19 pandemic. Here is what is NOT waived:

  • The REST of the Privacy Rule. Every Privacy Rule provision not listed in the waiver must still be followed. Perhaps most importantly, providers must continue to apply the Minimum Necessary standard when making disclosures.
  • The waiver does NOT change how providers may communicate with the media. Disclosures to the media are limited to what the Privacy Rule already allows through your facility directory; for anything beyond that, obtain the patient's written authorization.
  • The Security Rule is NOT waived. Providers must still safeguard electronic patient information with administrative, physical, and technical safeguards. With employees working from home and cyber scams on the rise, providers should take extra security precautions.

We encourage you to read the OCR’s Alert in its entirety to familiarize yourself with all of the OCR’s recommendations and reminders.


Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: Watch out for COVID-19 cyber scams

Posted by Margaret Scavotto, JD, CHC on 3/25/20 9:56 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

Today is day three of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPAAtrek.

Watch out for COVID-19 cyber scams

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about increased hacker activity during the coronavirus pandemic: Defending Against COVID-19 Cyber Scams.

In this Alert, CISA warns the nation to be on guard against an increase in malicious cyber activity:

Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

Likewise, the FBI addressed an “unprecedented wave” of cyber-attacks in the U.S.

Sadly, hackers are focusing their efforts on the three states hit the hardest by coronavirus: California, New York, and Washington – and hackers are targeting employees working from home. As the virus spreads in more states, this focus could broaden.

On Monday, the OIG sent out a Fraud Alert warning the public about a new fraud scheme preying on COVID-19 fears. Individuals are using telemarketing, social media, and in-person solicitation to offer COVID-19 tests to Medicare beneficiaries. The scammers obtain patients' personal information and Medicare information, and use it to submit fraudulent Medicare claims and commit identity theft. Individuals who think they need to be tested for COVID-19 should contact their physician or the health department, rather than responding to a solicitation.

CISA outlines precautions you can take to increase your security defense against COVID-19 inspired cyber-attacks:

In addition, now would be a good time to increase training on phishing scams and other malicious attacks. Consider providing staff with examples of malicious emails for training purposes, or use phishing drills.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 


Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: Disclosing to public health and the authorities

Posted by Margaret Scavotto, JD, CHC on 3/24/20 9:00 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

Today is day two of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPAAtrek.

Disclosures to Public Health and the Authorities

COVID-19 is a national emergency. While healthcare facilities are preparing for the coronavirus pandemic, hospitals are facing increased workloads. Healthcare providers and public health agencies are working in overdrive to prevent the further spread of the virus. Healthcare providers are required to report cases of COVID-19 to public health agencies as a part of the response effort. As healthcare professionals identify new cases of COVID-19, they must follow required protocols for notifying public health agencies and alerting those that may be at risk of exposure to the virus.  

The risk of over-disclosure is real as we work to protect the public by informing those who may have had contact with a COVID-19 infected patient. Care needs to be taken to release only the minimum necessary information to properly inform those at risk of infection. This will become increasingly important as more cases are identified.

Rely on Public Health Agencies

During an infectious disease outbreak such as COVID-19, the protections of the Privacy Rule are not waived, but they do not stand in the way of public health reporting: HIPAA permits disclosures to public health authorities for public health activities (45 CFR 164.512(b)), and state reporting laws require them. Public health authorities include the CDC and state or local public health departments that are authorized by law to receive patient information. Disclosures to public health agencies may include:

  • referrals for testing of suspected cases of COVID-19
  • confirmed cases of COVID-19
  • deaths due to COVID-19 infections

Rely on your public health agencies to make media disclosures and locate potentially exposed persons. If you have a public relations department, work with them to ensure only relevant disclosures are made and that those disclosures do not include any PHI identifiers.

PHI Identifiers (the 18 identifiers listed in the Safe Harbor de-identification standard, 45 CFR 164.514(b)(2)):

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge and death dates, and any age over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic or code
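A practical way to back up the "check every draft for identifiers" advice above is a simple screen that a public relations or compliance team can run over a draft statement before it goes out. The Python below is an added example, not part of the original post and not MPA's or HIPAAtrek's code. It pattern-matches the identifier types that have a recognizable shape (dates, phone and fax numbers, email addresses, SSNs, IP addresses, URLs, ages over 89, and a medical record number format); the "MRN 1234567" format and the two sample statements are constructed for illustration and the people, numbers and dates in them are invented.

```python
import re
from typing import Dict, List

# Regular expressions for the identifier types that have a recognizable
# shape. Names, geographic areas, photographs, biometrics and free-text
# descriptions have no regular form, so this screen is a first pass that
# narrows what a human reviewer has to read, not a substitute for review.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Month-and-day dates, with or without a year: 03/24/2020, 3-24-20, March 24, 2020.
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|(?:January|February|March|April|May|June|July|August"
        r"|September|October|November|December)\s+\d{1,2}(?:,?\s+\d{4})?)\b",
        re.IGNORECASE,
    ),
    # Medical record numbers in the format this hypothetical facility uses
    # ("MRN 1234567"); adjust to your own numbering scheme.
    "mrn": re.compile(r"\bMRN[\s#:-]*\d{5,}\b", re.IGNORECASE),
    # Ages over 89 are identifiers and must be aggregated into "90 or older".
    "age_over_89": re.compile(r"\b(?:9\d|1\d{2})[- ]year[- ]old\b", re.IGNORECASE),
}


def find_phi_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every match in the draft, grouped by identifier type."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    return found


def is_safe_to_release(text: str) -> bool:
    """True only when the pattern screen finds nothing. A True result still
    needs a human read for names, places and other free-text identifiers."""
    return not find_phi_identifiers(text)


# Constructed sample drafts; the patient, numbers and dates are invented.
DRAFT_STATEMENT = """\
A 91-year-old patient was admitted on 03/24/2020 with a confirmed
COVID-19 diagnosis (MRN 4471902). Family may call (314) 555-0199 or
email jdoe@example.org. The patient is resting comfortably.
"""

REVISED_STATEMENT = """\
A patient was admitted this week with a confirmed COVID-19 diagnosis
and is resting comfortably. Media inquiries should be directed to the
county health department.
"""

if __name__ == "__main__":
    for label, text in (("draft", DRAFT_STATEMENT), ("revised", REVISED_STATEMENT)):
        hits = find_phi_identifiers(text)
        print(f"{label}: {'release blocked' if hits else 'no identifiers found'}")
        for kind, values in hits.items():
            print(f"  {kind}: {values}")
```

The draft trips five of the checks (age, date, MRN, phone, email) and is blocked; the revised statement passes the screen, but someone still has to confirm that "a patient" plus "this week" does not identify anyone in a small community, which is exactly the judgment the Minimum Necessary standard asks for.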

Healthcare providers and public health agencies also have a responsibility to protect the public against COVID-19. Protection will include informing persons that have had contact with a COVID-19 infected patient. These communications should include instructions to adhere to recommendations of healthcare providers and/or government agencies to avoid a serious or imminent threat to public health.

Disclosures beyond public health reporting, such as notifying a person who may have been exposed, are more sensitive and in some instances require the patient's authorization. Take care not to disclose information that could identify the patient. When unsure whether a disclosure requires an authorization, healthcare providers should either contact a healthcare attorney or err on the side of caution and obtain the patient's authorization. In February, the Office for Civil Rights (OCR) released a bulletin to help healthcare providers navigate the COVID-19 pandemic and HIPAA.

Relying on your local or state public health agency to announce new cases of COVID-19 reduces the healthcare provider's risk of an impermissible disclosure. This process protects patient privacy, keeps reporting in the proper format, and helps contain public panic.

Consider Local Laws

In addition to HIPAA considerations, healthcare providers and public health agencies need to consider local and state laws when disclosing patient information. This includes awareness of any changes that are implemented during a declared public health emergency. Work with your healthcare attorney to create notifications to patient family members, care givers, and the media. Your attorney will be your best resource to help you ensure your notifications meet your local and state laws as well as ensure HIPAA privacy. If you need a referral to a healthcare attorney, please contact us and we can help put you in touch with a healthcare attorney in your area.

The coronavirus is not a case of public health versus patient privacy. As public health agencies and healthcare providers must work together to identify, treat, contain and prevent the further spread of COVID-19, they must also remember to work together to protect patient privacy.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 

SIGN UP for MPA and HIPAAtrek's webinar:

Surviving HIPAA During COVID-19

March 25, 1:00 p.m. CST

CLICK HERE TO SIGN UP


Topics: HIPAA, security, COVID-19, privacy

HIPAA & COVID-19: Working from home

Posted by Margaret Scavotto, JD, CHC on 3/23/20 1:00 PM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

The coronavirus pandemic is an unprecedented challenge for healthcare providers. Hospitals are facing increased workloads and fear supply shortages. Nursing homes have shut their doors to most visitors while they try to keep their residents and employees safe. Providers across the country are embracing telehealth, figuring out public health disclosures, and have to think fast about how to respond to an increase in inquiries from patients, families, and the media.

For the next five days, HIPAAtrek and MPA will shed the light on five key HIPAA issues that are relevant during COVID-19. Our goal is to help you stay compliant during these challenging times.

  • Monday: Working from home
  • Tuesday: Disclosing to public health and the authorities
  • Wednesday: Watch out for cyber scams
  • Thursday: What’s waived?
  • Friday: Using telehealth safely

Working from Home During the Coronavirus Pandemic

As the nation continues to respond to the COVID-19 pandemic, it is important that we work together to contain and prevent the spread of the virus. An integral part of this effort is having staff work remotely when possible, and that includes compliance professionals. MPA and HIPAAtrek are both working remotely in the hope of helping to flatten the curve of the COVID-19 pandemic.

Here are some steps you can take to stay HIPAA compliant while sending your workforce home.

One of your first considerations is to ensure that all employees understand the same privacy and security standards apply when working from home – and, potentially, a few more. This presents a unique and unprecedented situation for compliance teams across the country. Issues requiring immediate attention include:

Bring Your Own Device (BYOD)

It is highly probable that many of your employees have never worked remotely before. It is also likely that the facility does not have enough workstations to equip everyone for working from home. Allowing employees to use their own devices is acceptable; however, it is imperative that you create and follow a BYOD policy. If you need a policy, please contact HIPAAtrek. We can send you a template to help you get started.

Use VPN

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert on March 13 encouraging employers to use virtual private networks (VPNs) for teleworking employees. A VPN adds a layer of protection when employees access your network from home. CISA also recommends keeping VPN software patched and updated, and enabling multi-factor authentication on all VPN connections, because attackers are actively looking for weaknesses in hastily expanded remote access. CISA’s complete recommendations can be found in the Alert.

Train employees on patient privacy requirements while working remotely

Special training should be provided to ensure the employee understands the unique challenges to patient privacy while working from home. This should include:

  • Protecting patient privacy from family members, roommates, or other people in the home or remote working location. Employees will need to set up their work environment so that members of their household or visitors cannot see or access any patient information.
  • Connecting safely. This means not using public Wi-Fi, and not leaving a workstation connected and logged in when it is not in use. If possible, and as CISA recommends, use a VPN.

Minimum Necessary Rule

Remind remote employees to follow the minimum necessary rule.

The OCR has made it easier for healthcare facilities to manage their HIPAA compliance programs during this time by announcing a limited waiver of Privacy Rule sanctions and penalties for hospitals and by exercising enforcement discretion so that providers can use non-public-facing remote communication tools for telehealth visits even where those tools are not fully HIPAA compliant. Even with these waivers of penalties, it is important that patient privacy be upheld whenever possible, and the minimum necessary rule still applies! Make sure employees understand these waivers and that they have a point of contact within your organization to ask compliance questions.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 

SIGN UP for MPA and HIPAAtrek's webinar:

Surviving HIPAA During COVID-19

March 25, 1:00 p.m. CST

CLICK HERE TO SIGN UP


Topics: HIPAA, security, COVID-19, privacy

Compliance when nobody is watching

Posted by Margaret Scavotto, JD, CHC on 3/17/20 9:30 AM

From the archives... 

Everyone knows an effective compliance program needs policies, training, leaders, audits, reporting, investigations, corrective action and discipline. You probably already have these elements in place.

You have policies and training to help your employees do the right thing.

You have audits to verify that your employees are following compliance policies (and doing the right thing).

You have a compliance hotline or other reporting mechanism to find out when employees aren't doing the right thing. And when that happens, you use your investigations, discipline and corrective action policies.

Many of us put these crucial compliance elements in place, cross our fingers, and hope our employees are doing the right thing.

But how do we motivate employees to do the right thing when nobody is watching? After all, most of the time, nobody is watching. And isn't the purpose of compliance to help employees do the right thing - whether somebody is watching or not?

Policies, annual training, audits and a reporting mechanism are a good start. They are essential. But they are not enough to motivate staff to do the right thing all the time. Your challenge as a Compliance Officer is to make compliance part of daily life for your team. How can we help employees understand compliance every day?

Meet employees where they are. Incorporate helpful compliance reminders into their workflow. Would a shift-change chat work? Flyers in the bathroom stalls? (There's nothing else to read in there....) Does the Compliance Officer walk the halls and take a couple of minutes to go over basic compliance concepts with staff? What about displaying short compliance messages on a digital photo frame, or compliance videos on an iPad? Training does not have to be an in-service to be effective.

In the era of social media, infotainment and information overload, compliance has to make some noise. Think outside the box for ways to keep compliance top-of-mind, and help staff do the right thing when nobody is watching.

Compliance Training Handbooks are here!


Topics: Culture of Compliance

The perils of “Good” compliance results

Posted by Margaret Scavotto, JD, CHC on 3/12/20 9:15 AM

From the archives... this week we revisit one of MPA's top blogs:

The set of NBC’s hit TV series The Office includes an office suite (where many hijinks ensue) and an attached warehouse. In Season 2, Episode 5, office manager Michael Scott visits the warehouse and causes colossal destruction with a forklift.

Then, much to warehouse foreman Darryl Philbin’s chagrin, a warehouse employee erases the “936” on a sign that reads: “THIS DEPARTMENT HAS WORKED 936 DAYS WITHOUT A LOST TIME ACCIDENT” and replaces it with a big fat Zero.

This scene raises a nuanced compliance issue. The sign touting 936 days since an accident is an example of identifying – and celebrating – a compliance success. Presumably, accidents were avoided because employees adhered to safety protocols.

But does this sign also encourage employees not to report accidents? Darryl will be pretty unhappy the next time someone has to put a “zero” on the accident sign, and everyone knows it. Nobody wants to be known as the person who broke the winning streak. This is an unintended consequence of the Zero Accidents sign.

The same is true for compliance: healthcare organizations that have months with zero compliance reports could have a problem.

We of course want to celebrate good metrics and results – but how do we do that while still encouraging people to report problems?

A goal of zero hotline calls deters people from finding and reporting problems. The unintended message is: Don’t report. This means that if your compliance dashboard repeatedly shows zero compliance reports – you should raise an eyebrow, not a glass.

Instead, we need to discuss compliance goals in a way that encourages reporting and discovering non-compliance. Perhaps our goal should be to encourage reporting instead of having Zero reporting. You can support this goal by promoting reporting options (and your anonymity, confidentiality and non-retaliation policies). And, you will still find things to celebrate:

  • Thank those who report
  • Add compliance reporting to performance reviews
  • Recognize efforts to promptly investigate and respond to reports 
  • Celebrate improvement


Topics: Hotline, Culture of Compliance

There's no HIPAA for cats, by the way.

Posted by Margaret Scavotto, JD, CHC on 3/3/20 10:36 AM

From the archives... this week, I bring you an oldie but a goodie - one of our top blogs from 2019.

Recently, my husband and our five year old daughter took our dog to the vet for a check-up. When they came home, my five year old was very excited to tell me that she got to talk to Dr. Julie about Abby's tooth cleaning and Jack's nail trimming.

Abby and Jack are my mother's cats, who, in case it isn't obvious, also see Dr. Julie.

I was astounded! Until my husband reminded me: "There's no HIPAA for cats, Margaret."

That's right. Of course!

But this got me thinking. If Abby and Jack were people, we would have a pretty big problem on our hands. My mother lives four minutes away. So do my nephews. So do my aunt and uncle. There's some overlap in doctors and dentists in our family (in addition to veterinarians). We bump into each other all over town.

And yet, thanks to HIPAA, we all expect and trust that our medical information will be kept private. Can you imagine it any other way? Can you imagine the chaos that would ensue if everyone discussed everyone else's tooth cleanings and nail trimmings all over town, as if we were cats?

Aristotle said what separates humans from the animals is rationality. I think it's HIPAA, too.


Topics: HIPAA

Phase III: Do SNFs need a Compliance Officer?

Posted by Margaret Scavotto, JD, CHC on 2/25/20 8:15 AM

Absolutely.

In July 2019, CMS published a proposed rule that would modify the Compliance and Ethics program aspects of the Phase III Long-Term Care Facilities Requirements for Participation (the “Proposed Rule”).

Some of these proposed modifications removed requirements to assign compliance roles to nursing home personnel. For example, CMS proposes eliminating the following requirements:

  • All nursing homes must designate “an appropriate compliance and ethics program contact to which individuals may report suspected violations.”
  • Chains of five or more nursing homes must designate a compliance officer for whom the compliance program “is a major responsibility.”
  • Chains of five or more nursing homes must designate compliance liaisons at each facility.

If finalized, these changes would take effect one year after the final rule’s effective date.

CMS’ proposed removal of the compliance officer, compliance liaison, and compliance reports contact requirements might have some nursing homes jumping for joy. After all, fewer regulatory requirements likely means fewer F-tags on your state survey. While we can likely all agree that fewer F-tags are a good thing, nursing homes would be wise to designate someone as compliance officer.

Keep in mind that the Proposed Rule has not yet been made final, and, as of November 28, 2019, SNFs are expected to comply with the original Phase 3 compliance requirements at 42 CFR 483.85. But, what if the Proposed Rule becomes final?


Topics: compliance, compliance officer, Phase 3

Have you measured your compliance culture?

Posted by Margaret Scavotto, JD, CHC on 2/19/20 11:00 AM

Many healthcare providers are accustomed to assessing their compliance programs on a regular basis. The OIG recommends this practice annually - and, as of November 28, 2019, nursing homes are required to conduct an annual review. It is common for providers to evaluate compliance policies, training, auditing programs, and other aspects of the seven elements of an effective compliance program. It is less common - and yet crucial - for organizations to evaluate their compliance culture.


Topics: Culture of Compliance, annual review, compliance, Phase 3, surveys
