Breaking Compliance News Blog

HIPAA Hazard: Forgetting the Boss

Posted by Margaret Scavotto, JD, CHC on 3/9/16 7:30 AM

The Hazard.

Most providers routinely train employees on HIPAA—but many forget the boss. Individuals in a leadership position are even more likely to be asked about patients by the media. And yet many providers skip training at the executive level because they don’t want to be a bother. It is in everyone’s best interests, including the boss’s, to make HIPAA training a bother. 

The Example.

A medical center entered a $275,000 HIPAA settlement after two senior level executives discussed a patient’s medical care with the media, without the patient’s authorization. In addition, senior management shared information about the patient’s condition, diagnosis and treatment with the entire workforce by email. 

What You Can Do.

  • Ask yourself: Who attends HIPAA training? What about the CEO? The Board? Doctors? Who is most likely to speak with the media?
  • It can be tempting to leave execs out of training because we know they’re busy, but be careful when it comes to compliance, including HIPAA. They might not come to your 7 am in-service, but find a way to get them the info they need.
  • Include all employees, including management, leaders and executives, in HIPAA training. These individuals help set the tone of your organization, and can lead employees to HIPAA compliance—if they know what to do.
  • Keep in mind that HIPAA education for leadership might need to be done a little differently than HIPAA education for patient care staff. Tailor education content, including hypotheticals wherever possible, to the specific HIPAA situations your audience might encounter.


Topics: Penalties and Enforcement, HIPAA

2015’s Compliance Game Changers: Be prepared for 2016

Posted by Margaret Scavotto, JD, CHC on 12/29/15 7:00 AM

DOJ announcements, hefty settlements, and increased scrutiny of contracted therapy made 2015 a monumental year for health care compliance. Here are MPA's top 5 game changers:


Topics: Penalties and Enforcement

HIPAA Hazard: Putting Gadgets Before Security

Posted by Margaret Scavotto, JD, CHC on 12/3/15 7:30 AM

New technology can bring value and efficiency to an organization, but it can also bring new security vulnerabilities.

The Hazard.

Failing to comply with HIPAA has high stakes. Unfortunately, HIPAA compliance is not always the top priority when a company is looking to invest in technology. Who is in charge of new technology at your company? Who is in charge of security? Privacy? Do these people talk? Or do they operate in silos?

The Example.

A managed care company entered a $1.7 Million settlement after an unsecured database left the PHI of 621,402 patients accessible to unauthorized parties. The company failed to perform a HIPAA security risk assessment in response to a software upgrade.

This is a common problem in the healthcare industry. Let's say your company decides to purchase 900 tablets for its health care professionals. These tablets will improve efficiency, patient care and quality of documentation. Let's also say your compliance officer isn't involved in the purchasing process, and learns of the tablets after the fact. The compliance officer brings up the need to equip the tablets with encryption technology, anti-virus software, and other security measures. It could be too late to budget for security after the tablets have been purchased.

What You Can Do.

  • Assess and re-assess. Conduct a HIPAA Security risk assessment at least annually. Also conduct assessments when the Security rule is updated or if security guidance is issued. Most importantly, re-assess whenever you introduce new technology or otherwise update your IT environment.
  • Remove silos. Structure your technology purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, recognize that individuals making changes to technology need to communicate changes to your Security Officer, so risk can be assessed.


Topics: Penalties and Enforcement, HIPAA

DOJ's new compliance enforcement plan: We're coming for individuals

Posted by Margaret Scavotto, JD, CHC on 10/8/15 12:26 PM

Sally Q. Yates, Deputy Attorney General at the U.S. Department of Justice, recently issued a memo that has corporate executives talking. The memo, Individual Accountability for Corporate Wrongdoing, is effective immediately, and makes one thing very clear: the DOJ is coming for individuals.


Topics: Penalties and Enforcement

HIPAA Hazard: "We're Working On It"

Posted by Margaret Scavotto, JD, CHC on 8/25/15 7:30 AM

Growing HIPAA enforcement suggests that the government thinks providers who are “working on” HIPAA policies and procedures should know better.

The Hazard.

Many organizations seek comfort in the fact that they are “working on” HIPAA Privacy and/or Security policies and procedures, and are hopeful that if they are audited or have a complaint, the government “will go easy on them.” The truth is that the government has high expectations for HIPAA compliance and little patience for providers’ slow or incomplete efforts to implement HIPAA security measures, and it has recently come down hard on providers whose HIPAA compliance efforts were in progress.

The Example.

A health services company was investigated after an unencrypted laptop was stolen. The OCR found that the company had conducted security risk assessments and identified that lack of encryption was a risk. The company had started to encrypt, but had not yet finished. The OCR imposed a $1,725,220 penalty.

Likewise, a health plan was investigated after an unencrypted laptop was stolen. The company encrypted their devices after the breach—but it was too late. The OCR found a pattern of HIPAA noncompliance going back to 2005.

In other words, “we’re working on it” or even “we just did that” are not effective defenses.

What You Can Do.

Make HIPAA risk assessments, policies, procedures, and training an immediate priority. Everyone working in health care is busy—but the government does not see that as an excuse. Consider sharing penalty examples with leadership, in order to motivate your organization to stick to a quick timeline for addressing HIPAA.


Topics: Penalties and Enforcement, HIPAA

HIPAA Hazard: Going Paperless

Posted by Margaret Scavotto, JD, CHC on 4/13/15 4:35 PM

HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements, and breaks down the top HIPAA hazards—and how you can stay out of hot water.

The Hazard.

By now it should be clear that failing to comply with HIPAA has high stakes. So does failing to document that you comply with HIPAA.

The Example.

A surgical practice entered a $100,000 HIPAA settlement after it posted patient appointments on a publicly accessible Internet calendar. The OCR investigated, and found multiple HIPAA violations, such as lack of policies and procedures, lack of documentation of employee training, lack of a security risk assessment, and lack of business associate agreements.

What You Can Do.

Give yourself credit for compliance. Do you have informal policies? Write them down. Do you train employees on HIPAA? Have them sign in, and keep the curriculum. Did you conduct a risk assessment? Make sure it is documented, along with any updates. Do your business associates agree to safeguard your PHI? Make sure you have updated, signed business associate agreements in place. Did you conduct audits of HIPAA compliance? Audit findings and corrective actions are part of your paper trail, too.


Topics: Penalties and Enforcement, HIPAA

The OIG is budgeting for compliance...are you?

Posted by Margaret Scavotto, JD, CHC on 2/17/15 7:00 AM

The OIG recently released its Congressional Budget Justification for Fiscal Year 2016, which outlines the OIG's budget requests for next year, and explains why this money will be put to good use. Let's take a look at the numbers.


Topics: Penalties and Enforcement

HIPAA Hazard: Working From Home

Posted by Margaret Scavotto, JD, CHC on 1/26/15 7:30 AM

HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements, and breaks down the top HIPAA hazards—and how you can stay out of hot water.

The Hazard.

Well-meaning employees take work home to meet deadlines, or exceed performance expectations. When this involves PHI, employees with good intentions can create a very bad problem. How do you protect the privacy and security of PHI when it leaves your facility?

The Example.

A hospital entered a $1,000,000 HIPAA settlement after an employee left documents containing PHI on the subway, including PHI for patients with HIV/AIDS. The documents were never recovered, which means no one knows if they were improperly used.

What You Can Do.

Decide if you want to allow employees to bring work home. If so, clearly define how this can be done. It is a good idea for paper PHI to stay in your facility. Also evaluate protections for ePHI. Do you have remote access policies and procedures? If employees are allowed to work from home, can they access ePHI? If so, how do you know their access is secure? How do you know your provider’s ePHI is safe from the view of others in the employee’s home?


Topics: Penalties and Enforcement, HIPAA

December Compliance Penalty Report

Posted by Margaret Scavotto, JD, CHC on 12/11/14 7:00 AM

Highlights of recent compliance-related enforcement are summarized below. Recent enforcement focuses on home health, criminal theft of patient information, and Medicaid personal assistants.

Hospital employee who stole patient information pleads guilty

A former employee of a Dallas hospital pleaded guilty to federal offenses involving his theft of hospital patient information. The employee’s job was to enter patient information into the hospital computer system. The employee obtained patient names, phone numbers, DOB, Medicare status, and claim numbers with the intention of contacting these patients to market his home health care business. He faces up to 5 years in federal prison and a $250,000 penalty. Do your HIPAA policies include controls to prevent employees from committing unauthorized access of patient information?

MO and IL personal assistants head to jail

  • A Missouri woman was sentenced to 15 months in federal prison on health care fraud charges. The woman was working as a Medicaid personal assistant under the Illinois Home Services Program. She was accused of billing Medicaid for hours of care when she did not in fact provide the care--including occasions when the patient was in the hospital.
  • An Illinois man faces 10 years in prison and up to $250,000 in fines after pleading guilty to fraudulently billing the Illinois Home Services Program for personal assistant services. The individual allegedly falsified time sheets, enabling his girlfriend/personal assistant to receive Medicaid payments while she was in jail.

Home health settlements, guilty pleas and convictions

  • A Tennessee-based home health company entered a $25 million False Claims Act settlement. The company allegedly "overstated the severity of patients' conditions to increase billings and billed for services that were not medically necessary and rendered to patients who were not homebound." This case was brought by a whistleblower, who will receive more than $3.9 million as his reward for assisting with the lawsuit.
  • A home health company owner is headed to prison for her role in a $74 million Medicare fraud scheme. She pleaded guilty to conspiracy to commit health care fraud, received an 80 month prison sentence, and must repay $45 million to the government. She admitted to:
    • Billing Medicare for PT and home health services that were medically unnecessary or never provided.
    • Paying kickbacks to recruiters who sent her patients, prescriptions, plans of care and certifications, which were used to fraudulently bill Medicare.
  • A jury convicted two home health company owners, and an adult day care operator, for their roles in a $29 million Medicare fraud plan. All parties were convicted of conspiracy to commit health care fraud, plus other charges. The evidence showed that:
    • The adult day care center billed Medicare for mental health services provided by unlicensed staff.
    • The home health companies billed Medicare for services that were unnecessary or never provided, and fabricated medical records to cover it up--and later burned the false records.
    • A home health company owner gave the adult day care operator kickbacks in exchange for patient information that home health used to bill Medicare for fictional home health services.


Topics: Penalties and Enforcement

September Compliance Penalty Report

Posted by Margaret Scavotto, JD, CHC on 9/30/14 2:30 PM

This month brought a wave of compliance-related enforcement, involving unnecessary therapy, kickbacks, and even fraudulent use of a nursing license number. Settlements for skilled nursing and home health are summarized below:


Topics: Penalties and Enforcement
