Breaking Compliance News Blog

Sign up for MPA's Upcoming Free Compliance Webinars

Posted by Margaret Scavotto, JD, CHC on 6/30/20 5:45 AM

Sign up for the next two webinars in MPA's Free Compliance Webinar Series:


July 21 at 10 a.m. CST: Compliance Lessons from NBC's The Office

While this webinar is based on a TV comedy, I assure you we will cover lots of serious compliance lessons! There is much to learn about compliance culture - good and bad - from Michael Scott.

Sign up here.

August 11 at 11 a.m. CST: HIPAA & PR Pitfalls

OCR has entered multiple HIPAA settlements with healthcare providers who violated HIPAA with public relations campaigns and media communications. Learn what happened and how to stay on the good side of the news.

Sign up here.


Topics: HIPAA, Culture of Compliance, compliance

Free Webinar: HIPAA & COVID-19 Update, June 23 @ 12 CST

Posted by Margaret Scavotto, JD, CHC on 6/12/20 9:01 AM

Stay compliant during COVID with MPA's free resources:


Topics: compliance, COVID-19

Using Social Media Safely During a Pandemic

Posted by Margaret Scavotto, JD, CHC on 5/14/20 9:20 AM

During a national public health emergency, healthcare providers will have many reasons to use social media. The community will likely turn to social media to learn what your organization is doing in response to COVID-19. Social media can be used to keep the public informed, ward off panic, advise patients and loved ones of new procedures or protocols, and show the public a strong response during the disaster. Social media is also being used to recruit staff, volunteers, and supplies.


Topics: Social Media, security, business associates, compliance, COVID-19, privacy

OCR issues guidance on media access to patients

Posted by Margaret Scavotto, JD, CHC on 5/6/20 2:35 PM

On May 5, the OCR issued guidance addressing media access to PHI during the pandemic: OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities. The OCR’s purpose in issuing this guidance is: “reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.” 

During COVID-19, providers are still required to obtain HIPAA authorizations from patients BEFORE the media is given access to patient PHI. This includes film crew access, and access to parts of the facility where patient PHI is accessible to the media in written, electronic, oral, or other visual/audio form. The OCR makes clear that every patient who will be in an area accessed by the media must sign a HIPAA authorization BEFORE the media has access.

Providers CANNOT require a patient to sign a HIPAA authorization as a condition of receiving treatment.

Masking or blurring patient faces or voices (which occurs AFTER the media has access to patients) is NOT enough to comply with HIPAA, unless a HIPAA authorization is obtained BEFORE the media has patient access.

If HIPAA authorizations are obtained in advance, and the media is given access to your facility, the OCR recommends safeguards to protect PHI:

  • Use computer monitor privacy screens
  • Install opaque barriers to block film crew access to PHI of patients who did not sign an authorization

This new guidance elaborates on prior OCR guidance about communicating with the media, including film crews.

Prior to the pandemic, the OCR entered two settlements with providers who allowed film crews access to patients without a proper HIPAA authorization:

  • In 2016, New York Presbyterian Hospital entered a $2.2 million settlement for what the OCR called an “egregious disclosure.” The hospital allowed the ABC TV show NY Med to film two of its patients in the emergency room, without obtaining their authorization. One of the filmed patients was dying; the other was in distress. Filming continued after a medical professional objected. One of the patients filmed was Mark Chanko, a gentleman who was taken to the hospital after he was hit by a garbage truck. When NY Med aired, Mr. Chanko’s voice was muffled and his face was blurred – but he was still recognized by his widow.
  • In 2018, the OCR entered a $999,000 settlement with three Boston hospitals who allowed film crews from ABC to film on the premises without obtaining HIPAA authorizations. 

HIPAA media breaches are not limited to film crews:

  • In 2017, a Texas health system entered a $2.4 million settlement with the OCR. A patient presented a fake ID at the system’s OB/GYN clinic. The clinic called the police, which complied with the Privacy Rule’s provisions for reporting a crime on the premises. But, then the health system issued a press release about the arrest – and the press release title included the patient’s name. 
  • In 2013, a medical center entered a $275,000 settlement with the OCR after senior leaders of the medical center “met with media to discuss medical services provided to a patient” and “impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.”

MPA’s HIPAA & COVID-19 Tool Kit has been updated to include a HIPAA & the Media Policy in response to this guidance.

Read more HIPAA & COVID-19 updates on the blog.



Topics: HIPAA, compliance, COVID-19, privacy

Sign up for MPA's May Compliance & COVID-19 Webinars

Posted by Margaret Scavotto, JD, CHC on 5/4/20 10:12 AM

I hope you can join me for MPA's upcoming complimentary webinars:

For all providers:

Keeping Compliant During COVID-19

May 19, 2020, 12 CST



For nursing homes:

Phase 3 Compliance Webinar: Social Media Compliance During a Pandemic

May 27, 2020, 12 CST

Register now


Zoom will email you a link to access the webinar - and I will also send this link around the day before the webinar.

Have a great day!

COVID-19 Discounts:

  • All digital download HIPAA Tool Kits are 50% off until June.
  • Compliance program annual reviews are 25% off until June (call or email me for info)
  • Our HIPAA & COVID-19 Toolkit is available at the discounted price of $95.
  • MPA will continue putting out HIPAA announcements, news, and tips on the blog
  • MPA has free compliance and HIPAA resources on its Free Resources page.  


Topics: compliance, Phase 3, COVID-19

Phase III: Do SNFs need a Compliance Officer?

Posted by Margaret Scavotto, JD, CHC on 2/25/20 8:15 AM



In July 2019, CMS published a proposed rule that would modify the Compliance and Ethics program aspects of the Phase III Long-Term Care Facilities Requirements for Participation (the “Proposed Rule”).

Some of these proposed modifications removed requirements to assign compliance roles to nursing home personnel. For example, CMS proposes eliminating the following requirements:

  • All nursing homes must designate “an appropriate compliance and ethics program contact to which individuals may report suspected violations.”
  • Chains of five or more nursing homes must designate a compliance officer for whom the compliance program “is a major responsibility.”
  • Chains of five or more nursing homes must designate compliance liaisons at each facility.


If made final, the changes will go into effect one year after the rule goes into effect.

CMS’ proposed removal of the compliance officer, compliance liaison, and compliance reports contact requirements might have some nursing homes jumping for joy. After all, fewer regulatory requirements likely means fewer F-tags on your state survey. While we can likely all agree that fewer F-tags are a good thing, nursing homes would be wise to designate someone as compliance officer.

Keep in mind that the Proposed Rule has not yet been made final, and, as of November 28, 2019, SNFs are expected to comply with the original Phase 3 compliance requirements at 42 CFR 483.85. But, what if the Proposed Rule becomes final?


Topics: compliance, compliance officer, Phase 3

Have you measured your compliance culture?

Posted by Margaret Scavotto, JD, CHC on 2/19/20 11:00 AM


Many healthcare providers are accustomed to assessing their compliance programs on a regular basis. The OIG recommends this practice annually - and, as of November 28, 2019, nursing homes are required to conduct an annual review. It is common for providers to evaluate compliance policies, training, auditing programs, and other aspects of the seven elements of an effective compliance program. It is less common - and yet crucial - for organizations to evaluate their compliance culture.


Topics: Culture of Compliance, annual review, compliance, Phase 3, surveys

Download MPA's Guide to Compliance Program Review/Annual Review

Posted by Margaret Scavotto, JD, CHC on 2/12/20 9:15 AM

Compliance program review is essential to maintaining an effective program.


Topics: annual review, compliance, Phase 3

Top 5 reasons you need a compliance program review

Posted by Margaret Scavotto, JD, CHC on 2/11/20 10:15 AM


1. Without a review, you don’t know what you don’t know.

Were policies distributed? Were staff, board members, contractors, and volunteers properly trained? Were all risk areas audited? Were audit findings mitigated? Were compliance reports properly investigated and met with discipline and corrective action? Without conducting a review, you don’t know. Who would you rather identify your compliance flaws: your own organization, via a compliance review – or the government, via an audit or investigation?


Topics: Compliance Basics, annual review, compliance, vendor screening, Phase 3

Phase III: Do SNFs need to conduct a compliance program annual review?

Posted by Margaret Scavotto, JD, CHC on 1/21/20 8:00 AM

In a word: yes.

In July 2019, CMS published a proposed rule that would modify the Compliance and Ethics program aspects of the Phase III Long-Term Care Facilities Requirements for Participation.

One of the proposed modifications brought a sigh of relief from the nursing home industry: CMS wants to drop the requirement that nursing homes conduct an annual review of their compliance programs.

Instead, CMS proposes the following: “The operating organization for each facility must periodically review and revise its compliance program to identify necessary changes within the organization and its facilities.”

While CMS did not define “periodically” in the proposed rule, CMS refers to a “biennial” review in the proposed rule comments. Hopefully this will be clarified in the final rule.

Keep in mind that the Proposed Rule has not yet been made final, and, as of November 28, 2019, SNFs are expected to comply with the original Phase 3 compliance requirements at 42 CFR 483.85. But, what if the Proposed Rule becomes final?


Topics: annual review, compliance, Phase 3
