Breaking Compliance News Blog

Margaret Scavotto, JD, CHC

Find me on:

Recent Posts

Stay informed with MPA's Monthly Compliance Newsletter Subscription

Posted by Margaret Scavotto, JD, CHC on 7/10/20 9:45 AM

MPA scours OIG, DOJ, FBI, and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.

Coming to this month's issue: 

  • Man charged for promoting unproven COVID-19 tests
  • Home health company breached Corporate Integrity Agreement when it failed to return overpayments
  • OCR enters Early Case Resolutions (ECR) with a state whose COVID-19 hospital visitation policy allegedly amounted to disability discrimination
  • OCR enters Early Case Resolution (ECR) with an organization that allegedly failed to provider interpreting services
  • Employee downloaded patient records and gave them to an attorney
  • 971-person breach due to employees using passwords for multiple accounts
  • Nursing home sued for response to COVID-19
  • Telehealth app breach allows patients to view videos of other patient telehealth visits

Not yet a subscriber? click here to sign up.  

You can read a sample report here

Read More

Topics: Compliance Basics

HIPAA News: Who Leaked Ezekiel Elliott’s COVID-19 Results?

Posted by Margaret Scavotto, JD, CHC on 7/2/20 9:30 AM

It’s not often that I cite a Sports Illustrated article in a HIPAA blog – but last week, the compliance and sports worlds collided when Dallas Cowboys Running Back Ezekiel Elliott’s COVID-19 results went viral

Elliot issued his official, one-word response to the news on twitter: “HIPAA ??” Elliot went on to deny reports that his own agent leaked the news about his COVID-19 status, tweeting that his agent confirmed the information AFTER it was leaked to the media.

We do not know how this happened, but healthcare providers should think through the possibilities and look inward.

  • Did an employee of a healthcare provider treating (or testing) Elliott leak the information? Could this happen within your organization?
  • Are your employees trained about the consequences of breaching patient information in this way? What would your employees find more compelling – your HIPAA policies, or a bribe from a reporter? (To be clear, we have no knowledge that this is what happened here – but it is a possibility).
  • Are your employees trained to understand that COVID-19 status is sensitive PHI – with higher stakes for the patient?
  • Does your organization segregate patient records access to minimize the likelihood of a breach?
  • When your organization treats high-profile patients, are extra precautions taken to protect their PHI (for example, admitting/treating them under an alias)?
  • Do you conduct regular information system activity review audits, to both prevent and detect unauthorized records access?

We don’t know how Zeke Elliott’s records were leaked – but we know it’s wrong, and healthcare providers should take all steps to avoid a similar problem. Keep in mind that breaches of high-profile individuals will continue to be a challenge after COVID-19. As the 4th of July approaches, you might remember Jason Pierre-Paul, the NY Giants player who sued ESPN after a reporter tweeted a picture of his medical record when he was treated for a fireworks injury to his hand.

MPA can help with HIPAA training. We offer interactive, customized Zoom training sessions with current real-world examples and pre- and post-testing.



Read More

Topics: HIPAA, COVID-19

Sign up for MPA's Upcoming Free Compliance Webinars

Posted by Margaret Scavotto, JD, CHC on 6/30/20 5:45 AM

Sign up for the next two webinars in MPA's Free Compliance Webinar Series:


July 21 at 10 a.m CST: Compliance Lessons from NBC's The Office:

While this webinar is based on a TV comedy, I assure you we will cover lots of serious compliance lessons! There is much to learn about compliance culture - good and bad - from Michael Scott.

Sign up here.

August 11 at 11 a.m. CST: HIPAA & PR Pitfalls

OCR has entered multiple HIPAA settlements with healthcare providers who violated HIPAA with public relations campaigns and media communications. Learn what happened and how to stay on the good side of the news.

Sign up here.

Read More

Topics: HIPAA, Culture of Compliance, compliance

Reopening your compliance program in a pandemic

Posted by Margaret Scavotto, JD, CHC on 6/23/20 10:15 AM

Here in Missouri, much of the state reopened on June 15: pools, restaurants, and gyms included. But life looks a lot different. Visitors are still restricted at nursing homes, people are wearing masks, hand sanitizer lurks around every corner, and many people are still choosing to stay home and use curbside services. It’s a different world.

Throughout the pandemic, I have asked healthcare providers: How has COVID-19 affected your compliance and HIPAA programs?

  • Some people say: “It’s business as usual.”
  • Others say: “I’m still working on compliance but at a much slower pace.” This is understandable, given the number of COVID-related tasks and guidance added to compliance officers’ plates.
  • A few people have told me they actually have MORE time to work on compliance now, because other projects have been put on hold.
  • And a handful have told me that compliance has been put on hold completely during the pandemic. I understand why this happens and I empathize with it. These are unprecedented times and healthcare providers are in the middle of a centennial challenge.

If you have had to curtail or limit your compliance efforts due to COVID-19: Document your decisions. Document what activities have been delayed, and why (e.g., resources were redirected to infection control).

As we enter month four of the national public health emergency, my hope for compliance officers who have slowed (or stopped) compliance efforts that they find a way to keep their compliance programs going and, to the extent possible, get back to business as usual.

Where should we start?

How you resume compliance will depend on your risks and resources. Here are some ideas to consider:

  • Schedule a quarterly compliance committee meeting (especially if you are overdue). Use this time to recap your organization’s risks – COVID and non-COVID – and prioritize.
  • Create an action plan to address these risks in order of priority. Decide how you will tackle each risk. Map out your plan over 12 months – and follow up monthly or quarterly to check on progress.
  • Update your board. It’s possible that board meetings have been filled with urgent COVID-19 issues. If compliance has been bumped from the agenda, it’s time to get back on. Compliance, after all, has a key role in addressing and mitigating COVID-19 risks, like HIPAA, infection control, and EMTALA.
  • Find out how you can support your staff. Healthcare employees are likely exhausted, overwhelmed, and stressed out. Compliance can help. An unprecedented amount of guidance has been published since February. What information could your employees be struggling with? Do they need help understanding new HIPAA guidance during the pandemic? When is the last time your employees were reminded of how to report compliance issues? When is the last time the Compliance Officer walked the floors to talk with staff, encouraging them to raise questions?
  • Nursing homes should work on Phase 3 Compliance and Ethics programs. This means making sure updated policies are in place, policies are disseminated, and an annual review is conducted. It can take several months to conduct an annual review – start now and move the process forward. When surveys resume, you will be better off if you aren’t scrambling to implement compliance.

Yes, the pandemic continues. But compliance should also continue. When COVID-19 passes, or at least subsides to a better “new normal,” your organization will need compliance. Compliance provides education that helps people do their jobs; risk management and strategy to make your organization better; and process improvement to provide the best care possible. By taking little steps now to keep compliance going, you can avoid starting over after the pandemic.

Read More

Topics: Compliance Basics, COVID-19

HIPAA News: Contacting COVID-19 Patients about Blood & Plasma Donation

Posted by Margaret Scavotto, JD, CHC on 6/18/20 10:41 AM

On June 12, the OCR published the following guidance: OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities.

This guidance explains when PHI can be used to identify and contact patients who had COVID-19 about donating blood and plasma to help treat other COVID-19 patients:

  • Covered entities (or their business associates) CAN, under HIPAA, use PHI to identify and contact patients who have recovered from COVID-19 to provide information about donating blood and plasma that could help other COVID-19 patients. The COVID-19 antibodies found in blood and plasma of recovered patients could help treat other COVID-19 patients.
  • This use of PHI is considered health care operations, because it involves “population-based activities related to improving health, and case management and care coordination activities that do not meet the definition of treatment….”
  • Covered entities should limit the use or disclosure of PHI to the minimum necessary.
  • Providers must be careful here – the way they reach out to patients must not constitute marketing. (With some exceptions, uses or disclosures of PHI for marketing require a signed HIPAA authorization).
    • Covered entities should NOT receive any direct or indirect payment from or on behalf of a blood and plasma donation center.
    • Covered entities should refrain from encouraging patients to use a particular blood and plasma center.
    • Covered entities cannot disclose PHI about recovered COVID-19 patients to a blood and plasma donation center for the purpose of soliciting blood and plasma donations – without a signed patient authorization.

MPA has updated its HIPAA & COVID-19 Tool Kit to address this guidance. The following documents have been updated:

  • HIPAA & COVID-19 Update
  • Permitted Uses and Disclosures Policy

Providers who previously purchased the HIPAA & COVID-19 Tool Kit have received these updated downloads by email. To purchase the HIPAA & COVID-19 Tool Kit, click here.

Read More

Topics: HIPAA, COVID-19

MPA, Blue M&Ms, and Toy Story: Great Things Turning 25 in 2020

Posted by Margaret Scavotto, JD, CHC on 6/16/20 12:08 PM

MPA turns 25 in June 2020, and we're in good company.

MPA is officially as old as Craigslist and MPA started helping healthcare providers in 1995 – the same year Kramer began sculpting with pasta on Seinfeld.

We are proud that we have been helping healthcare providers for a quarter century, and we appreciate that we have earned your trust. We wish we could invite each and every one of you to a party to celebrate, but the pandemic has other ideas. Instead, we are saying thank you for 25 years of business with a giveaway.

This June, we are giving away a 12-month license to a Compliance Toolkit, ($1,750). We are also giving away our HIPAA Tools ($995).

Click here to enter. We’ll announce the winner by email at the end of June.


Read More

Topics: Compliance Basics, HIPAA

Free Webinar: HIPAA & COVID-19 Update, June 23 @ 12 CST

Posted by Margaret Scavotto, JD, CHC on 6/12/20 9:01 AM

Stay compliant during COVID with MPA's free resources:

Read More

Topics: compliance, COVID-19

Enter MPA’s 25th Birthday Compliance Giveaway!

Posted by Margaret Scavotto, JD, CHC on 6/2/20 10:00 AM


MPA turns 25 in June 2020!

That’s right, we are as old as eBay, and Kendall Jenner. In 1995, the first Honda CR-V was made, and so was MPA. Braveheart began its legacy in 1995 and so did we.  

We are proud that we have been helping healthcare providers for a quarter century, and we appreciate that we have earned your trust. We wish we could invite each and every one of you to a party to celebrate, but the pandemic has other ideas. Instead, we are saying thank you for 25 years of business with a giveaway.

This June, we are giving away a 12-month license to a Compliance Toolkit, ($1,750). We are also giving away our HIPAA Tools ($995).

Click here to enter. We’ll announce the winner by email at the end of June.

Read More

Topics: Compliance Basics, HIPAA

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA privacy and security rule remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”  45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, how to report them internally, and who to report them to.
  • All workforce member should be trained on appropriate social media use (this is especially important during a national emergency).

Read More

Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

Using Social Media Safely During a Pandemic

Posted by Margaret Scavotto, JD, CHC on 5/14/20 9:20 AM

During a national public health emergency, healthcare providers will have many reasons to use social media. The community will likely turn to social media to learn what your organization is doing in response to COVID-19. Social media can be used to keep the public informed, ward off panic, advise patients and loved ones of new procedures or protocols, and show the public a strong response during the disaster. Social media is also being used to recruit staff, volunteers, and supplies.

Read More

Topics: Social Media, security, business associates, compliance, COVID-19, privacy

    Privacy Policy           Terms of Use