Breaking Compliance News Blog

Margaret Scavotto, JD, CHC

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—
      (A) Implement the implementation specification if reasonable and appropriate; or
      (B) If implementing the implementation specification is not reasonable and appropriate— (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk. 

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule – there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.”

Topics: HIPAA

Swiss Cheese Compliance

Posted by Margaret Scavotto, JD, CHC on 11/8/18 7:40 AM

Fire to fire. Blind spots. Whack-a-mole. Don't know what I don't know.

These are common phrases used by compliance officers to describe their compliance efforts - particularly new ones. The truth is, every compliance program has holes.

The successful ones know where their gaps are, and have a plan to fix them.

How do you find your compliance gaps?

You will find some gaps by performing routine audits of your compliance risk areas, like HIPAA walk-throughs and medical necessity documentation reviews.

By diligently monitoring your compliance hotline and seeking feedback from your staff, you will identify even more gaps.

To discover the rest, you will need to conduct a gap analysis - also known as a compliance risk assessment, baseline assessment, or annual review.

Assessing your program

Divide your review into three pieces:

  1. Review the seven compliance program elements (policies, auditing, training, communication, compliance officer & committee, disciplinary action, and investigations/corrective action)
  2. Evaluate each compliance risk area (like HIPAA, billing, kickbacks, records, employee screening, etc.)
  3. Analyze any data you have. Your data could include your PEPPER report, hotline call statistics, employee survey results, percentage of employees who completed compliance training, etc.

Keep the following goals in mind:

  1. Verify that compliance tasks are completed. Example: Verify that your Compliance Committee met at least four times this year.
  2. PROVE that the task was completed. Example: Locate Compliance Committee meeting minutes, agendas and attendance sheets.
  3. Make sure you can provide this proof immediately if the OIG shows up and is waiting patiently in the next room.
  4. For every compliance task, goal or requirement you evaluate, identify strengths and weaknesses - and establish a game plan for the future.

If you need help finding your gaps

The HCCA/OIG Compliance Effectiveness Roundtable document is an excellent resource for compliance program review, and is available here. This document lists examples of questions to ask when evaluating your compliance program. 

Or, let MPA assess your program and give you an action plan to fill your compliance gaps and maximize compliance.

Know your gaps? Close them with MPA's compliance and HIPAA tools.

Topics: Auditing and Monitoring

MPA's Compliance Store is Open!

Posted by Margaret Scavotto, JD, CHC on 11/5/18 1:26 PM

MPA spent 7 years developing compliance tools so you don't have to.

We are not selling a 3-ring binder filled with descriptions of what other people do, or articles explaining how to build a compliance program. Ours are practical tools (policy forms, checklists, flyers and audit tools) that will enable you to make compliance happen in your organization.

MPA's compliance tools combine legal, clinical and management perspectives to bring you a diverse compliance program designed to merge with your operations - and last.

Advance compliance in your organization with MPA's affordable digital downloads:

  • Foundation compliance policies
  • Compliance risk area policies
  • Compliance audit tools
  • HIPAA tool kits
  • Compliance training and culture tools
  • Compliance Board and committee engagement tools
  • Compliance flash cards
  • Monthly Compliance News Report

Topics: MPA's Compliance Store

HIPAA Fax Check

Posted by Margaret Scavotto, JD, CHC on 10/30/18 9:44 AM

An Ohio resident recently told local news that she has been receiving faxes from a local hospital for the past year.

The problem? The faxes, which contained medical information for another individual, were not meant for her. The faxes included another individual's weight, diagnoses and medication information.

The recipient of the faxes told the media she tried notifying the hospital of the misdirected faxes several times. She says she called the number on the faxes, as well as the hospital's main phone number - and faxed the hospital - but the faxes continued.

After ABC 6 On Your Side contacted the hospital, the hospital audited fax logs and identified that "three faxes were sent to the individual in error due to a transposed fax number in one patient's record."

The hospital notified the patient and apologized - and the woman who received the faxes in error shredded them. But, the story still appeared in local news and made its way into the HIPAA blogosphere.

Transposing a fax number is an honest mistake - one many of us can sympathize with. Still, the stakes are high in today's world of record HIPAA enforcement and high patient expectations of privacy.

This is certainly not the first time a misdirected fax landed a provider in the headlines.

In 2014, the OCR received a complaint alleging that a health center disclosed sensitive PHI, including a patient’s HIV status, treatment information, STDs, medications, sexual orientation, mental health diagnosis and physical abuse. The provider paid a $387,200 fine, and entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations.

The OCR investigation found that the health center faxed one patient's PHI to the patient's employer, and faxed another patient's PHI to an office where that patient volunteered. The OCR stated that the health center failed to reasonably safeguard the PHI from "intentional and unintentional disclosure."

What can you do?

Include faxes in your new employee training, annual HIPAA training, and ongoing HIPAA updates. Make sure staff understand that when it comes to faxes, HIPAA violations are almost always unintentional. Establish faxing protocols to minimize errors. Address faxes in your HIPAA security risk analysis, and include fax protocols in your HIPAA walk through audits. Finally, if you do have a misdirected fax, your investigation will be a lot easier if you have the capability of pulling fax logs, like the Ohio hospital in the first example did.

Topics: HIPAA

The perils of “Good” compliance results

Posted by Margaret Scavotto, JD, CHC on 10/23/18 2:54 PM

The set of NBC’s hit TV series The Office includes an office suite (where many hijinks ensue) and an attached warehouse. In Season 2, Episode 5, office manager Michael Scott visits the warehouse and causes colossal destruction with a forklift.

Then, much to warehouse foreman Darryl Philbin’s chagrin, a warehouse employee erases the “936” on a sign that reads: “THIS DEPARTMENT HAS WORKED 936 DAYS WITHOUT A LOST TIME ACCIDENT” and replaces it with a big fat Zero.

This scene raises a nuanced compliance issue. The sign touting 936 days since an accident is an example of identifying – and celebrating – a compliance success. Presumably, accidents were avoided because employees adhered to safety protocols.

But, does this sign also encourage employees not to report accidents? Darryl will be pretty unhappy the next time someone has to put a “zero” on the accident sign – and everyone knows it. Nobody wants to be known as the person who broke the winning streak. This is an unintended consequence of the Zero Accidents sign.

The same is true for compliance: healthcare organizations that have months with zero compliance reports could have a problem.

We of course want to celebrate good metrics and results – but how do we do that while still encouraging people to report problems?

A goal of zero hotline calls deters people from finding and reporting problems. The unintended message is: Don’t report. This means that if your compliance dashboard repeatedly shows zero compliance reports – you should raise an eyebrow, not a glass.

Instead, we need to discuss compliance goals in a way that encourages reporting and discovering non-compliance. Perhaps our goal should be to encourage reporting instead of having Zero reporting. You can support this goal by promoting reporting options (and your anonymity, confidentiality and non-retaliation policies). And, you will still find things to celebrate:

  • Thank those who report
  • Add compliance reporting to performance reviews
  • Recognize efforts to promptly investigate and respond to reports 
  • Celebrate improvement

Topics: Culture of Compliance, Hotline

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly – and know when they aren't – than to cover our eyes and wait to hear it from the patients (or the media).

Topics: Social Media, HIPAA

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rules. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review HIPAA Security administrative, technical and security safeguards to make sure you have implemented measures to mitigate risks that could subject your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach started when potentially a single employee clicked on a spear phishing email. You could have the most sophisticated HIPAA security defense available – but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.

Topics: security, data breach, HIPAA

Compliance when nobody is watching

Posted by Margaret Scavotto, JD, CHC on 10/11/18 7:42 AM

Everyone knows an effective compliance program needs policies, training, leaders, audits, reporting, investigations, corrective action and discipline. You probably already have these elements in place.

You have policies and training to help your employees do the right thing.

You have audits to verify that your employees are following compliance policies (and doing the right thing).

You have a compliance hotline or other reporting mechanism to find out when employees aren't doing the right thing. And when that happens, you use your investigations, discipline and corrective action policies.

Many of us put these crucial compliance elements in place, cross our fingers, and hope our employees are doing the right thing.

But how do we motivate employees to do the right thing when nobody is watching? After all, most of the time, nobody is watching. And isn't the purpose of compliance to help employees do the right thing - whether somebody is watching or not?

Policies, annual training, audits and a reporting mechanism are a good start. They are essential. But they are not enough to motivate staff to do the right thing all the time. Your challenge as a Compliance Officer is to make compliance part of daily life for your team. How can we help employees understand compliance every day?

Meet employees where they are. Incorporate helpful compliance reminders into their workflow. Would a shift-change chat work? Flyers in the bathroom stalls? (There's nothing else to read in there....) Does the Compliance Officer walk the halls and take a couple of minutes to go over basic compliance concepts with staff? What about displaying short compliance messages on a digital photo frame, or compliance videos on an iPad? Training does not have to be an in-service to be effective.

In the era of social media, infotainment and information overload, compliance has to make some noise. Think outside the box for ways to keep compliance top-of-mind, and help staff do the right thing when nobody is watching.

Topics: Culture of Compliance

Attend Compliance and HIPAA Workshops in Springfield, Illinois

Posted by Margaret Scavotto, JD, CHC on 10/4/18 10:32 AM

MPA is excited to partner with LeadingAge Illinois to bring you a two-day compliance and HIPAA workshop in Springfield Illinois on October 24 and 25!

Come for a day of compliance, a day of HIPAA, or both!  You will get some MPA freebies, including our new Compliance Flash Cards.

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

Topics: Compliance Basics, Training and Education, HIPAA