HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Alec Bohm, a third overall pick in the 2018 draft, is playing his third season with the Phillies. On April 11, against the Mets, Bohm was playing third base and committed three throwing errors early in the game. In the second inning, the Philadelphia fans mockingly cheered Bohm after a clean fielding play for an out. While walking back to third base, the TV broadcast captures Bohm telling shortstop Didi Gregorius, “I ****ing hate this place.”

Wow. Was he talking about the fans, the city, the situation right then and there? This is one of those “fork in the road” events that could turn a young player with a promising career into an exiled player. Just give social media the chance. The Phillies came back from a 4-run deficit to win the game with five runs in the 8^th, which ironically started off with a walk to Bohm. But the comeback was clearly not the story of the game. In the clubhouse after the game, the reporters gathered around Bohm to hear what he had to say. Keep in mind that the video of what Alec Bohm said to his shortstop was not 100% clear. This is what he had to say:

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.

The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.

The dentist’s response to the patient’s review stated:

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations

when he only came to my practice on two occasions since October 2013. He never

came for his scheduled appointments as his treatment plans submitted to his insurance

company were approved. He last came to my office on March 2014 as an emergency

patient due to excruciating pain he was experiencing from the lower left quadrant. He

was given a second referral for a root canal treatment to be performed by my

endodontist colleague. Is that a bad experience? Only from someone hallucinating.

When people want to express their ignorance, you don't have to do anything, just let

them talk. He never came back for his scheduled appointment Does he deserve any

rating as a patient? Not even one star. I never performed any procedure on this

disgruntled patient other than oral examinations. From the foregoing, it's obvious that

[Complainant’s full name] level of intelligence is in question and he should continue

with his manual work and not expose himself to ridicule. Making derogatory

statements will not enhance your reputation in this era [Complainant’s full name].

Get a life.

Lessons to be Learned

The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.

Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers big and small can be investigated. In this instance, this was not a large provider.

Lastly, if you are unsure of what needs to be in place to comply with HIPAA to protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations." These obligations can be used as a checklist to be used to evaluate your current privacy rule practices. Here are some (but not all) key requirements:

• Policies and procedures that comply with the Privacy Rule.
• The policies should cover the following:
• Permissible and impermissible uses and disclosures of PHI
• Administrative, technical and physical safeguards to protect the privacy of PHI
• Privacy authorization form
• A Notice of Privacy Practices – that lists the way PHI is used on social media
• Provider contact to address Privacy issues – usually the designation of a Privacy Officer
• Internal reporting mechanisms of possible violations
• Policies that address corrective action of privacy policy violations
• Privacy practice employee training

HIPAA has been around for years -

but that does not mean complying with HIPAA is easy.

The rules are long, and require a lot of policies. The Security Rule requires a HIPAA Security Risk Analysis - a task that is interdisciplinary, comprehensive, and detailed. Plus, HIPAA guidance and risks are continually changing - and so should your HIPAA training.

MPA's goal is to make HIPAA easier.

We hope this HIPAA Resource Guide provides some practical, step-by-step tools to help you evaluate, implement, or upgrade to a robust HIPAA compliance plan.

Contents:

• HIPAA In a Nutshell
• HIPAA Checklist
• The Top 5 Social Media Posts Your Privacy Officer Fears Most
• Tackling Social Media
• How to Conduct a HIPAA Security Risk Analysis
• Physical Safeguards
• Technical Safeguards
• Administrative Safeguards
• Breach Notification
• MPA Can Help
• About Margaret
• About Scott

Download now!

MPA scours OIG, DOJ, FBI, OSHA, & OCR updates so you don't have to.

We summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.

Read MPA’s News Report to stay current with compliance news and developments. Then, forward the News Report (or excerpts) to your Board, Compliance Committee, and management team, to keep them informed with little effort. MPA’s clients use the News Report to find ideas for compliance and HIPAA training, and identify areas where policies or audits are needed.

This month’s issue includes:

• A summary of the 33 OIG health care fraud enforcement cases announced last month
• Examples of False Claims, Kickback, opioid, and state enforcement from last month
• Items added to the OIG Work Plan  
• The latest OIG Advisory Opinion
• OSHA update
• Four new HIPAA enforcements, including a dentist who told a patient to "Get a life" in response to an online review
• The end of multiple COVID-19 PHE waivers for SNFs
• The DOJ's first settlement under its Civil Cyber-Fraud Initiative
• Biden's Cyber Incident Reporting Act, which will require health care providers to notify CISA of cyber incidents within 72 hours
• Telehealth for 151 more days
• ... and more!
• You can read a sample report here. 

Price: $25/month

Cancel any time.

Subscribe today

This blog was originally posted on the Compliance and Ethics blog, published by the Health Care Compliance Association and the Society of Corporate Compliance and Ethics.

This blog was originally posted on the Compliance and Ethics blog, published by the Health Care Compliance Association and the Society of Corporate Compliance and Ethics.

There’s a rumor going around about Elon Musk.

A rumor that Elon Musk is very generous.

The story goes that Mr. Musk was visiting the Tesla Headquarters in Texas, when he encountered an individual waiting in the lobby. This man told Elon he needed to get paid. Elon asked the man how much he gets paid a month, and the man said: “$2,000.” So, Elon wrote the man a check for $2,000 and told him to have a nice day. The man leaves with his check. Another Tesla employee turns to Elon and says: “You just tipped the pizza guy two grand.”

I don’t know how this story started, or if it’s true. My bet? Not true. I couldn’t tell you if Elon Musk tips the pizza delivery guy (or gal) $2,000. But I bet he uses payroll to compensate his employees, rather than writing a personal check.

There’s two sides to every story. And things aren’t always what they seem.

This is true for (mythical) hasty check writing, and for compliance investigations. Here’s an example – and this time, it really did happen.

A nursing home Compliance Officer called to tell me someone slid an anonymous note under her door. The note said: “A nurse aide hugged a resident at lunch and I think it was inappropriate.”

The Compliance Officer’s first reaction was: If this report is accurate, it is concerning. But we need to know more. The next day, the Compliance Officer found a way to help out in the dining room – and she watched. And she saw the hug! A nurse aide did indeed hug a resident: her great aunt. After the nurse aide left, the Compliance Officer spoke with the resident, who confirmed that the hugs are very welcome.

There are two sides to every story.

Now the Compliance Officer knew both sides to this story – but the anonymous note writer did not. To address this, we put together a compliance educational flyer to post throughout the building: “When is it OK to hug a resident?” It didn’t provide the entire story, but hopefully it showed the reporter that she was heard – and Compliance responds.

How do you find all sides to a complaint?

• Don’t make assumptions. Don’t jump to conclusions. Your mind should be blank. Maintain objectivity.
• Ask questions. Look for FACTS.
• Can you interview an independent eyewitness (or eyewitnesses)?
• Conclude what you can from facts. This requires you to put aside what “could have” happened.

I’ll never know if the Elon Musk story is true. But if it is, I’m glad that pizza deliverer got a huge tip.

You don’t need to know all sides of a story to be generous. Especially if you’re Elon Musk. But you do need to llook for both sides to get to the bottom of compliance business.

Your Board is responsible for compliance failures. And, board members can be held personally liable for financial losses caused by those compliance failures.

In other words, your Board is ultimately responsible for your compliance program.

Does your Board know this?

Board Responsibility

The OIG has said: “every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws.” 

And, the OIG Compliance Program Guidance for Nursing Facilities, Footnote 4, explains that corporate directors can be personally liable for compliance failures: “Recent case law suggests that the failure of a corporate director to attempt in good faith to institute a compliance program in certain situations may be a breach of a director’s fiduciary obligation. See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Ct. Chanc. Del. 1996).”

The Caremark lawsuit established that the Board has:

A duty to attempt in good faith to assure that a corporate information and reporting system,

• which the Board concludes is adequate, exists,
• and that failure to do so under some circumstances, may...render a director liable for losses caused by non-compliance with applicable legal standards

Keeping Your Board Informed

The Board has a big job with respect to compliance. This means that on-going board training and education should be on every Compliance Officer’s task list as a standing item. Annual training is not enough and can be accomplished with MPA put together an outline of what this might look like:

Need Help? MPA Can:

• Train your board by Zoom
• Provide written education for your board
• Do you need training topics? Purchase a subscription to MPA’s Compliance Newsletter. Once a month, MPA provides a summary of OIG, DOG, FBI and OCR enforcement updates as well as recent compliance and HIPAA news stories. You can read a sample report here.