Breaking Compliance News Blog

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.


Topics: HIPAA, Social Media, data breach, security

MPA's gift to you: Free compliance video on perks and presents

Posted by Margaret Scavotto, JD, CHC on 12/11/18 7:29 AM

I like presents.

Giving them, getting them, even writing thank you notes for them.

But in healthcare, presents are tricky.

That is why, this holiday season, MPA is sharing a compliance video with you. You are welcome to share this video with your staff to help them navigate patient and vendor gifts, freebies and perks this holiday season.

Perks and Presents



Want to do more to cultivate a culture of compliance?

MPA's Compliance Flash Cards are here...

... choose card-stock or digital download:


Topics: Culture of Compliance

Compliance Officer Interview: Connie Rhoads and Pet Posters!

Posted by Margaret Scavotto, JD, CHC on 12/5/18 7:45 AM

Today I am going to tell you about the best compliance culture idea I have ever heard: Pet Posters.

That's right: Using employee pet photos to create posters promoting compliance.

This idea is clever, charming, motivating, effective - and the brainchild of Connie Rhoads, Vice President of Corporate Compliance at Christian Horizons, a senior living provider in the Midwest.


I interviewed Connie to learn more about how she came up with Pet Posters and how it has been a success at Christian Horizons. (Side note: Connie and I agree that the Ghostbusters poster is our favorite - but it's hard to pick just one).

Margaret: How did you come up with Pet Posters?


I attended a webinar that shared examples from companies who achieved significant impact from small changes to their compliance programs. One of the companies shared their updated compliance hotline poster. They had simply changed the picture on their poster from a rotary phone to a picture of a puppy with its head tilted, as if it was unsure of something. Simply changing the picture was enough to capture their associates' attention. The Compliance Department started receiving appropriate concerns when previously a hotline call was a rarity. 

That was my inspiration! I thought to myself, everyone loves pets, especially their own, so I came up with the ‘Is Your Pet Destined for Stardom?’ Compliance Poster Contest.  Our marketing team created a flyer for the contest and poster templates. I also created a page of suggested slogans. Associates simply had to insert their pet photo into the template, add the slogan, save it and send it in.  We included credits to the ‘Celebrity’ and their owner on each poster. 

Margaret: How long have you been using the Pet Poster program?


Our inaugural promotion was for Compliance and Ethics Week 2016; 2018 is our third year.

Margaret: Have you had any participation obstacles – and how have you overcome them?


Yes - a few. 


Topics: Culture of Compliance

Compliance Flash Cards are now available in card-stock!

Posted by Margaret Scavotto, JD, CHC on 11/28/18 8:33 AM

Grow employee knowledge and build a culture of compliance with MPA's Compliance Flash Cards! 


The Compliance Flash Cards have been so popular, we have decided to offer them in print! Order now and a set of Compliance Flash Cards will be mailed to you.

  • Incorporate Compliance Flash Cards into new employee orientation and annual compliance training
  • Walk the halls and use the Compliance Flash Cards to have small conversations with staff - increasing compliance awareness and Compliance Officer visibility

MPA's Compliance Flash Cards include:

  • 3 Flash Cards address reporting non-compliance

  • 2 Flash Cards address abuse (1 specifically for SNFs)

  • 4 Flash Cards address Resident Rights in SNFs

  • 5 Flash Cards address documentation, including 2 specifically for SNFs

  • 10 Flash Cards address HIPAA

  • 10 Flash Cards address HIPAA & Social Media (including 4 specifically for hospitals and 4 specifically for SNFs)

  • 1 Flash Card addresses Quality Care

  • 1 Flash Card addresses False Claims

  • 2 Flash Cards address Kickbacks

For digital flash cards, click here.


Topics: Culture of Compliance

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—

            (A) Implement the implementation specification if reasonable and appropriate; or

            (B) If implementing the implementation specification is not reasonable and appropriate— (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk. 

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule - there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.” 


Topics: HIPAA

Swiss Cheese Compliance

Posted by Margaret Scavotto, JD, CHC on 11/8/18 7:40 AM

Fire to fire. Blind spots. Whack-a-mole. Don't know what I don't know.

These are common phrases used by compliance officers to describe their compliance efforts - particularly new ones. The truth is, every compliance program has holes.

The successful ones know where their gaps are, and have a plan to fix them.

How do you find your compliance gaps?

You will find some gaps by performing routine audits of your compliance risk areas, like HIPAA walk-throughs and medical necessity documentation reviews.

By diligently monitoring your compliance hotline and seeking feedback from your staff, you will identify even more gaps.

To discover the rest, you will need to conduct a gap analysis - also known as a compliance risk assessment, baseline assessment, or annual review.

Assessing your program

Divide your review into three pieces:

  1. Review the seven compliance program elements (policies, auditing, training, communication, compliance officer & committee, disciplinary action, and investigations/corrective action)
  2. Evaluate each compliance risk area (like HIPAA, billing, kickbacks, records, employee screening, etc.)
  3. Analyze any data you have. Your data could include your PEPPER report, hotline call statistics, employee survey results, percentage of employees who completed compliance training, etc.

Keep the following goals in mind:

  1. Verify that compliance tasks are completed. Example: Verify that your Compliance Committee met at least four times this year.
  2. PROVE that the task was completed. Example: Locate Compliance Committee meeting minutes, agendas and attendance sheets.
  3. Make sure you can provide this proof immediately if the OIG shows up and is waiting patiently in the next room.
  4. For every compliance task, goal or requirement you evaluate, identify strengths and weaknesses - and establish a game plan for the future.

If you need help finding your gaps

The HCCA/OIG Compliance Effectiveness Roundtable document is an excellent resource for compliance program review, and is available here. This document lists examples of questions to ask when evaluating your compliance program. 

Or, let MPA assess your program and give you an action plan to fill your compliance gaps and maximize compliance.

Know your gaps? Close them with MPA's compliance and HIPAA tools.


Topics: Auditing and Monitoring

MPA's Compliance Store is Open!

Posted by Margaret Scavotto, JD, CHC on 11/5/18 1:26 PM

MPA spent 7 years developing compliance tools so you don't have to.

We are not selling a 3-ring binder filled with descriptions of what other people do, or articles explaining how to build a compliance program. Ours are practical tools (policy forms, checklists, flyers and audit tools) that will enable you to make compliance happen in your organization.

MPA's compliance tools combine legal, clinical and management perspectives to bring you a diverse compliance program designed to merge with your operations - and last.

Advance compliance in your organization with MPA's affordable digital downloads:

  • Foundation compliance policies
  • Compliance risk area policies
  • Compliance audit tools
  • HIPAA tool kits
  • Compliance training and culture tools
  • Compliance Board and committee engagement tools
  • Compliance flash cards
  • Monthly Compliance News Report


Topics: MPA's Compliance Store

HIPAA Fax Check

Posted by Margaret Scavotto, JD, CHC on 10/30/18 9:44 AM

An Ohio resident recently told local news that she has been receiving faxes from a local hospital for the past year.

The problem? The faxes, which contained medical information for another individual, were not meant for her. The faxes included another individual's weight, diagnoses and medication information.

The recipient of the faxes told the media she tried notifying the hospital of the misdirected faxes several times. She says she called the number on the faxes, as well as the hospital's main phone number - and faxed the hospital - but the faxes continued.

After ABC 6 On Your Side contacted the hospital, the hospital audited fax logs and identified that "three faxes were sent to the individual in error due to a transposed fax number in one patient's record."

The hospital notified the patient and apologized - and the woman who received the faxes in error shredded them. But, the story still appeared in local news and made its way into the HIPAA blogosphere.

Transposing a fax number is an honest mistake - one many of us can sympathize with. Still, the stakes are high in today's world of record HIPAA enforcement and high patient expectations of privacy.

This is certainly not the first time a misdirected fax landed a provider in the headlines.

In 2014, the OCR received a complaint alleging that a health center disclosed sensitive PHI, including a patient’s HIV status, treatment information, STDs, medications, sexual orientation, mental health diagnosis and physical abuse. The provider paid a $387,200 fine, and entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations.

The OCR investigation found that the health center faxed one patient's PHI to the patient's employer, and faxed another patient's PHI to an office where that patient volunteered. The OCR stated that the health center failed to reasonably safeguard the PHI from "intentional and unintentional disclosure."

What can you do?

Include faxes in your new employee training, annual HIPAA training, and ongoing HIPAA updates. Make sure staff understand that when it comes to faxes, HIPAA violations are almost always unintentional. Establish faxing protocols to minimize errors. Address faxes in your HIPAA security risk analysis, and include fax protocols in your HIPAA walk-through audits. Finally, if you do have a misdirected fax, your investigation will be a lot easier if you have the capability of pulling fax logs, like the Ohio hospital in the first example did.


Topics: HIPAA

New North Korean Cyberattack– A Sophisticated Attack? Or Not?

Posted by ScottGima on 10/25/18 8:56 AM

A recent technical alert issued jointly by the Department of Homeland Security, the Department of the Treasury and the Federal Bureau of Investigation states a “high confidence” that North Korea is responsible for multiple attacks that have stolen millions of dollars from banking ATM systems across the world.

This attack, known as “FASTCash,” was a very sophisticated attack. The government’s technical alert about the attack includes a diagram. This diagram – and the inner workings of the attack – are hard for a non-technical person like myself to discern.

Phishing Attack

But one surprising detail of the attack is very easy to understand: The hackers began their attack with simple spear-phishing emails:

“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees.”

Despite the high level of sophistication of this attack, the entry into the banks’ network was not technically sophisticated. It was a simple phishing attack directed at bank employees.

What is Spear Phishing?

Spear phishing uses a fraudulent email designed to appear to originate from a known or trusted source. It is a targeted attack on the email recipient and/or the recipient’s organization, with the goal of obtaining the employee’s credentials (ID and password) and/or getting the employee to download malware. The fraudulent email could mimic an email coming from Twitter, Facebook, LinkedIn or another social media account. It may also be formatted to look like it originates from a senior executive within the organization. When an employee clicks on the email, they either download malware and/or are taken to a website where they input their credentials (which are then sent to the hackers).

Is your organization vulnerable to spear phishing?

Possibly. According to Verizon’s 2018 Data Breach Investigations Report, 12% of people click on phishing emails. Using this statistic, if you have 200 employees, you should expect 24 successful phishing attacks this year.

Take this Phishing IQ Test from SonicWall. Do you think you, or the employees in your organization, can successfully identify every phishing email in this test?


Topics: HIPAA, security

The perils of “Good” compliance results

Posted by Margaret Scavotto, JD, CHC on 10/23/18 2:54 PM

The set of NBC’s hit TV series The Office includes an office suite (where many hijinks ensue) and an attached warehouse. In Season 2, Episode 5, office manager Michael Scott visits the warehouse and causes colossal destruction with a forklift.

Then, much to warehouse foreman Darryl Philbin’s chagrin, a warehouse employee erases the “936” on a sign that reads: “THIS DEPARTMENT HAS WORKED 936 DAYS WITHOUT A LOST TIME ACCIDENT” and replaces it with a big fat Zero.

This scene raises a nuanced compliance issue. The sign touting 936 days since an accident is an example of identifying – and celebrating – a compliance success. Presumably, accidents were avoided because employees adhered to safety protocols.

But, does this sign also encourage employees not to report accidents? Darryl will be pretty unhappy the next time someone has to put a “zero” on the accident sign – and everyone knows it. Nobody wants to be known as the person who broke the winning streak. This is an unintended consequence of the Zero Accidents sign.

The same is true for compliance: healthcare organizations that have months with zero compliance reports could have a problem.

We of course want to celebrate good metrics and results – but how do we do that while still encouraging people to report problems?

A goal of zero hotline calls deters people from finding and reporting problems. The unintended message is: Don’t report. This means that if your compliance dashboard repeatedly shows zero compliance reports – you should raise an eyebrow, not a glass.

Instead, we need to discuss compliance goals in a way that encourages reporting and discovering non-compliance. Perhaps our goal should be to encourage reporting instead of having Zero reporting. You can support this goal by promoting reporting options (and your anonymity, confidentiality and non-retaliation policies). And, you will still find things to celebrate:

  • Thank those who report
  • Add compliance reporting to performance reviews
  • Recognize efforts to promptly investigate and respond to reports 
  • Celebrate improvement


Topics: Hotline, Culture of Compliance
