Breaking Compliance News Blog

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Compliance Lessons from the Phillies: Own Your Mistakes and We’ve Got Your Back

Posted by Scott Gima on 5/17/22 8:45 AM

Alec Bohm, the third overall pick in the 2018 draft, is playing his third season with the Phillies. On April 11, against the Mets, Bohm was playing third base and committed three throwing errors early in the game. In the second inning, the Philadelphia fans mockingly cheered Bohm after a clean fielding play for an out. While he walked back to third base, the TV broadcast captured Bohm telling shortstop Didi Gregorius, “I ****ing hate this place.”

Wow. Was he talking about the fans, the city, the situation right then and there? This is one of those “fork in the road” events that could turn a young player with a promising career into an exiled player. Just give social media the chance. The Phillies came back from a 4-run deficit to win the game with five runs in the 8th, which ironically started off with a walk to Bohm. But the comeback was clearly not the story of the game. In the clubhouse after the game, the reporters gathered around Bohm to hear what he had to say. Keep in mind that the video of what Alec Bohm said to his shortstop was not 100% clear. This is what he had to say:

Topics: compliance

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins were discussing possible Christmas gifts, so I jumped on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows taskbar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I started asking questions, and this is what I learned.

Topics: HIPAA, security

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/4/22 8:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

HIPAA Nightmare: Dentist tells patient to Get a Life

Posted by Margaret Scavotto, JD, CHC on 4/28/22 9:00 AM

Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.

The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.

The dentist’s response to the patient’s review stated:

“It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don't have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it's obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”


Lessons to be Learned

The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.

Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers, big and small, can be investigated. In this instance, the provider was not a large one.

Lastly, if you are unsure of what needs to be in place to comply with HIPAA and protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations.” These obligations can be used as a checklist to evaluate your current Privacy Rule practices. Here are some (but not all) key requirements:

  • Policies and procedures that comply with the Privacy Rule.
  • The policies should cover the following:
    • Permissible and impermissible uses and disclosures of PHI
    • Administrative, technical and physical safeguards to protect the privacy of PHI
  • Privacy authorization form
  • A Notice of Privacy Practices – that lists the way PHI is used on social media
  • Provider contact to address Privacy issues – usually the designation of a Privacy Officer
  • Internal reporting mechanisms of possible violations
  • Policies that address corrective action of privacy policy violations
  • Privacy practice employee training

Topics: Penalties and Enforcement, HIPAA, Social Media

Download MPA's Free HIPAA Resource Guide!

Posted by Margaret Scavotto, JD, CHC on 4/26/22 9:00 AM

HIPAA has been around for years - but that does not mean complying with HIPAA is easy.

The rules are long, and require a lot of policies. The Security Rule requires a HIPAA Security Risk Analysis - a task that is interdisciplinary, comprehensive, and detailed. Plus, HIPAA guidance and risks are continually changing - and so should your HIPAA training.

MPA's goal is to make HIPAA easier.

We hope this HIPAA Resource Guide provides some practical, step-by-step tools to help you evaluate, implement, or upgrade to a robust HIPAA compliance plan.


  • HIPAA In a Nutshell
  • HIPAA Checklist
  • The Top 5 Social Media Posts Your Privacy Officer Fears Most
  • Tackling Social Media
  • How to Conduct a HIPAA Security Risk Analysis
  • Physical Safeguards
  • Technical Safeguards
  • Administrative Safeguards
  • Breach Notification
  • MPA Can Help
  • About Margaret
  • About Scott

Download now!

Topics: Training and Education, HIPAA

Subscribe to MPA’s Compliance Newsletter and Stay on Top of Compliance

Posted by Margaret Scavotto, JD, CHC on 4/20/22 8:45 AM

MPA scours OIG, DOJ, FBI, OSHA, & OCR updates so you don't have to.

We summarize enforcement trends and deliver the latest compliance and HIPAA developments to your inbox with our Monthly Compliance News Report.

Read MPA’s News Report to stay current with compliance news and developments. Then, forward the News Report (or excerpts) to your Board, Compliance Committee, and management team, to keep them informed with little effort. MPA’s clients use the News Report to find ideas for compliance and HIPAA training, and identify areas where policies or audits are needed.

This month’s issue includes:

  • A summary of the 33 OIG health care fraud enforcement cases announced last month
  • Examples of False Claims, Kickback, opioid, and state enforcement from last month
  • Items added to the OIG Work Plan  
  • The latest OIG Advisory Opinion
  • OSHA update
  • Four new HIPAA enforcements, including a dentist who told a patient to "Get a life" in response to an online review
  • The end of multiple COVID-19 PHE waivers for SNFs
  • The DOJ's first settlement under its Civil Cyber-Fraud Initiative
  • Biden's Cyber Incident Reporting Act, which will require health care providers to notify CISA of cyber incidents within 72 hours
  • Telehealth for 151 more days
  • ... and more!
  • You can read a sample report here

Price: $25/month

Cancel any time.

Subscribe today


Topics: Training and Education, compliance

Compliance Lessons from Circus Camp

Posted by Margaret Scavotto, JD, CHC on 4/19/22 8:45 AM

This blog was originally posted on the Compliance and Ethics blog, published by the Health Care Compliance Association and the Society of Corporate Compliance and Ethics.


Last week was Spring Break in my house. We didn’t have travel plans, so my kids went to Circus Camp and Ice Cream Camp at the local performing arts center. Almost as good as the beach.

Every evening after camp, my kids exuberantly regaled us with stories of walking on the tightwire, using stilts, juggling, doing “super cool” trampoline jumps, and balancing peacock feathers on their foreheads. They also brought home ice cream, which was a big win for Mom.

On the last day of camp, we were invited to a 15-minute circus show, where we could see what the kids learned. During the show, my daughter waited patiently on the rainbow gym mat while her fellow plate spinners, stilt walkers, and jugglers performed – until it was her turn to walk the tightwire. The time I was most proud of her was not actually when she walked across the tightwire (although that was pretty neat). I was the proudest of her when she was sitting quietly on the sidelines while her friends performed, waiting her turn.

She’s six. That’s a big deal.

She’s a pint-sized ball of energy overflowing with excitement for her new skills – and she still understood that the circus isn’t a solo act. It only works if everyone waits their turn – allowing each individual their turn to shine.

Compliance isn’t a solo act either.

If you are thinking that linking “circus” and “compliance” is one analogy too far, hear me out.

Let’s say you are the Corporate Compliance Officer for a hospital. You have your CHC certification, you have years of experience, you are good at your job, and you are extremely dedicated to it. The hospital is lucky to have you.

You put together a list of the top 10 risks you want to audit this year, rank them by priority, and map out a 12-month plan to complete these audits. The list will keep your auditing department busy, and you feel comfortable that the organization is looking at the top concerns.


Do other leaders agree with your top 10? Do other decision makers think your top 10 align with their top 10? If not, and you spend resources auditing them and find a problem, you might struggle to get support for the corrective action if there is not consensus that it’s a priority.

Let’s say you put together a training plan for the next 12 months. It naturally includes compliance and HIPAA training for new employee orientation, plus annual training on those subjects. You also put together a monthly education campaign with a schedule of topics that will get promoted with tips, flashcards, and flyers. Think of how compliance awareness will grow!


Do managers agree with your 12 months of topics? Maybe you picked social media as a quarterly topic – do managers also see social media as a top concern? Have managers had a chance to weigh in on the areas where employees make mistakes or ask questions? Do these topics vary by department, building, or shift?

Compliance isn’t a solo act.

Compliance depends on committed compliance officers who tirelessly plan, strategize, and come up with new ideas. But our work cannot stop there. We also need to communicate, build relationships and gain trust – reach out, listen, obtain feedback, and secure buy-in. When we take that extra step, the goals and plans we painstakingly make for our organization’s compliance program are far more likely to succeed.

If the plate spinners had come out while a kindergartner was walking across the tightwire, chaos would have ensued, and nobody would sign up for Circus Camp next year. Buy-in would have been lost. Likewise, compliance officers who take their turn, and give others a chance to be heard, will steal the show.

Topics: Compliance Officer & Committee, compliance

Elon Musk and the Pizza: There’s Two Sides to Every Story

Posted by Margaret Scavotto, JD, CHC on 4/12/22 8:15 AM

This blog was originally posted on the Compliance and Ethics blog, published by the Health Care Compliance Association and the Society of Corporate Compliance and Ethics.

There’s a rumor going around about Elon Musk.

A rumor that Elon Musk is very generous.

The story goes that Mr. Musk was visiting the Tesla Headquarters in Texas when he encountered an individual waiting in the lobby. This man told Elon he needed to get paid. Elon asked the man how much he gets paid a month, and the man said: “$2,000.” So, Elon wrote the man a check for $2,000 and told him to have a nice day. The man left with his check. Another Tesla employee turned to Elon and said: “You just tipped the pizza guy two grand.”

I don’t know how this story started, or if it’s true. My bet? Not true. I couldn’t tell you if Elon Musk tips the pizza delivery guy (or gal) $2,000. But I bet he uses payroll to compensate his employees, rather than writing a personal check.

There’s two sides to every story. And things aren’t always what they seem.

This is true for (mythical) hasty check writing, and for compliance investigations. Here’s an example – and this time, it really did happen.

A nursing home Compliance Officer called to tell me someone slid an anonymous note under her door. The note said: “A nurse aide hugged a resident at lunch and I think it was inappropriate.”

The Compliance Officer’s first reaction was: If this report is accurate, it is concerning. But we need to know more. The next day, the Compliance Officer found a way to help out in the dining room – and she watched. And she saw the hug! A nurse aide did indeed hug a resident: her great aunt. After the nurse aide left, the Compliance Officer spoke with the resident, who confirmed that the hugs are very welcome.

There are two sides to every story.

Now the Compliance Officer knew both sides to this story – but the anonymous note writer did not. To address this, we put together a compliance educational flyer to post throughout the building: “When is it OK to hug a resident?” It didn’t provide the entire story, but hopefully it showed the reporter that she was heard – and Compliance responds.

How do you find all sides to a complaint?

  • Don’t make assumptions. Don’t jump to conclusions. Your mind should be blank. Maintain objectivity.
  • Ask questions. Look for FACTS.
  • Can you interview an independent eyewitness (or eyewitnesses)?
  • Conclude what you can from facts. This requires you to put aside what “could have” happened.

I’ll never know if the Elon Musk story is true. But if it is, I’m glad that pizza deliverer got a huge tip.

You don’t need to know all sides of a story to be generous. Especially if you’re Elon Musk. But you do need to look for both sides to get to the bottom of compliance business.


Topics: compliance, investigations

Have You Trained Your Board On Compliance This Year?

Posted by Margaret Scavotto, JD, CHC on 4/6/22 8:30 AM


Your Board is responsible for compliance failures. And, board members can be held personally liable for financial losses caused by those compliance failures.

In other words, your Board is ultimately responsible for your compliance program.

Does your Board know this?

Board Responsibility

The OIG has said: “every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws.” 

And, the OIG Compliance Program Guidance for Nursing Facilities, Footnote 4, explains that corporate directors can be personally liable for compliance failures: “Recent case law suggests that the failure of a corporate director to attempt in good faith to institute a compliance program in certain situations may be a breach of a director’s fiduciary obligation. See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Ct. Chanc. Del. 1996).”

The Caremark lawsuit established that the Board has “a duty to attempt in good faith to assure that a corporate information and reporting system, which the Board concludes is adequate, exists, and that failure to do so under some circumstances may...render a director liable for losses caused by non-compliance with applicable legal standards.”

Keeping Your Board Informed

The Board has a big job with respect to compliance. This means that on-going board training and education should be on every Compliance Officer’s task list as a standing item. Annual training is not enough. MPA put together an outline of what this might look like:

Need Help? MPA Can:

  • Train your board by Zoom
  • Provide written education for your board
  • Do you need training topics? Purchase a subscription to MPA’s Compliance Newsletter. Once a month, MPA provides a summary of OIG, DOJ, FBI and OCR enforcement updates as well as recent compliance and HIPAA news stories. You can read a sample report here

Topics: Board Involvement, Training and Education, compliance
