Breaking Compliance News Blog

Ransomware impacts surrounding hospitals

Posted by Margaret Scavotto, JD, CHC on 7/10/23 12:00 PM

Several physicians conducted a study that was recently published in JAMA Network Open: Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US.
Read More

Topics: HIPAA, security, compliance

New DOJ Compliance Guidance: How do you measure up?

Posted by Margaret Scavotto, JD, CHC on 4/19/23 3:47 PM

The U.S. Department of Justice, Criminal Division, publishes a guidance document: Evaluation of Corporate Compliance Programs (ECCP). The DOJ has updated the guidance multiple times, most recently in March 2023.

This guidance is used in two ways:

  • Federal prosecutors conducting criminal fraud or misconduct investigations (including healthcare fraud) use it to evaluate the effectiveness of a corporation’s compliance program. An effective program has the potential to reduce financial penalties imposed.
  • Corporations, including healthcare providers, use the ECCP as a resource when implementing or evaluating the effectiveness of their compliance programs.

The DOJ guidance focuses on three questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? (Is the program adequately resourced and empowered to function effectively?)
  3. Does the corporation’s compliance program work in practice?

June 2020 ECCP Updates

In June 2020, the DOJ updated the ECCP; a summary of updates follows.

Read More

Topics: Penalties and Enforcement, Culture of Compliance, guidance, compliance

Earn CEUs with MPA's FREE Compliance Webinar!

Posted by Margaret Scavotto, JD, CHC on 4/5/23 10:08 AM

Sign up for MPA's FREE Compliance webinar:

All webinars start at 11:00 a.m. CST and are presented by Margaret Scavotto and Scott Gima


SNF Compliance Update

April 19, 2023

90 minutes

1.8 CCB CEUs

1.5 NAB CEUs

It’s been a long road since the Affordable Care Act mandated compliance and ethics programs for nursing homes in 2010. Since then, we have had rules issued; enforcement delayed; a pandemic; and, as of October 24, 2022, enforcement via CMS survey. Compliance is never easy in the highly regulated world of long-term care – but it has only gotten harder since this mandate was announced.
Read More

Topics: Training and Education, HIPAA, compliance

Thank goodness we didn't get struck by lightning

Posted by Margaret Scavotto, JD, CHC on 3/7/23 7:15 AM

When it rains, we don’t walk around saying “Oh, no! I’m so worried I might get struck by lightning. I better stay inside all day and change my whole day around.”

Nobody says that. When it rains, I DO hear people saying “It’s raining – this is so good for my garden.” Or the grass or the flowers. Or the basil plants.

Why? Because the odds of getting struck by lightning are LOW. The odds of the rain nurturing plants, however, are HIGH. It’s pretty much guaranteed.

Why, then, when we talk about compliance with leadership and the board room, do we tend to focus so much on penalties?

Yes, penalties are a very important reality and leadership does need to know about them. This is especially important for board members, who have a fiduciary duty to ensure an organization’s compliance program is functioning properly, so as to avoid penalties from the DOJ and the OIG.

But the truth remains that the likelihood of receiving a penalty is relatively low (this of course assumes that your organization is diligently operating a compliance program and trying to do the right thing. I think it’s safe to say that if you are reading this blog, you likely fall into that category). So perhaps the focus of our compliance messaging should be less on lightning, and more on helping the flowers grow?

How has your compliance program helped your organization this year?

Odds are, your compliance program bears good news.

Did your hotline encourage employees to report potential false claims internally, so they could be self-reported? Did this hotline call possibly avoid a whistleblower situation?

Did routine compliance audits find a documentation issue – so you could correct it before it became a widespread problem?

Maybe the compliance department collaborated with the HIPAA Security Officer to run a ransomware and phishing campaign, educating employees about potentially hazardous emails and links. As a result, the Compliance Officer and Security Officer received dozens of calls from employees reporting suspicious emails and links that potentially contained ransomware or malware. Can you put a price tag on potentially avoiding a costly ransomware attack?

Did your quality assurance program reduce adverse events? Reduce the number of pressure ulcers? Improve patient care? Did that lead to an increase in census? Higher patient satisfaction? Positive perception in the community?

Perhaps your annual employee compliance survey shows a more supportive workplace due to a recent compliance education effort, and that employee turnover has also decreased.

What else did compliance do? Did compliance boost the bottom line? Make it easier for employees to do their jobs? What processes did compliance improve? How did the compliance department contribute to your organization’s culture? Make your company a better place to work? A better place to receive care?

Once you have taken a moment to tally up everything your compliance program has done for your organization this year, ask a second question:

Who did you tell?

Did you tell your managers, so they can see how the compliance department is working for them?

Did you share the good news with your staff?

I repeatedly hear from compliance officers who have trouble getting money in the budget for compliance. So I ask them: What has compliance done for you lately? A lot, I bet. Who have you told? Did you share the good news with your senior leadership and board? (Or the president, or CEO, or whomever else is at the helm of your organization?) They are in charge of the budget. Do they know that investments in compliance have yielded greater advances in quality care, patient satisfaction, employee satisfaction, billing accuracy, occupancy, and more?

Because if you don’t tell anyone, no one will know how powerful your compliance effort really is. Spend more time on the good news, and less time talking about lightning.

Read More

Topics: compliance

Earn CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 3/6/23 10:34 AM

4.5 NAB CEUs!

4 AHIMA CEUs!

April 26th, 9:00 a.m. to 2:00 p.m. CST
Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Lessons from a Federal Government Email Phishing Scam

Posted by Scott Gima on 2/28/23 9:00 AM

Everyone knows email phishing scams are common. A CISA advisory provides details of a newer email phishing scam that uses remote management software to steal money.

According to a recent Cybersecurity and Infrastructure Security Agency (CISA) joint advisory, the attacks were directed at federal civilian employees. It is noteworthy because the same strategies can be used to target anyone, including healthcare providers.

On January 25, 2023, CISA released a National Cyber Awareness System Alert, “Protecting Against Malicious Use of Remote Monitoring and Management Software,” jointly with the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Why the Alert?

  • Attackers recently used phishing emails to get victims to download legitimate remote monitoring and management (RMM) software onto their computers, then used that remote access in financial schemes.
  • The same tactics can be used for other purposes, such as installing a network backdoor for cyber espionage or staging further attacks.
  • The attackers used the portable-executable versions of legitimate RMM tools, which run without an installer or administrator rights, so controls that only block unauthorized software installation do not stop them.

What is portable executable RMM software?

  • RMM software is commonly used by IT departments and managed service providers to provide remote technical support and troubleshooting.
  • Nearly every managed service provider and IT department uses RMM software.
  • A portable executable is a self-contained copy of the RMM client that runs directly from wherever it was downloaded (for example, a user’s Downloads folder) without being installed, so a user without administrator rights can launch it.

Background of Attacks

  • In mid-June 2022, a federal civilian employee received a phishing email containing a phone number.
  • The employee called the number, which led them to visit the malicious domain myhelpcare[.]online. CISA found additional similar attacks on multiple federal civilian department networks.
  • Other attacks used emails with a malicious link that downloaded the RMM software directly.
  • The CISA alert mentioned that the legitimate RMM products AnyDesk and ScreenConnect were identified in these attacks. CISA indicated that any legitimate RMM software can be used in these types of attacks.
The CISA alert provided a copy of an actual phishing email. It includes urgency (response needed within 24 hours), a common theme of phishing emails:
Read More

Topics: HIPAA, data breach, security

Earn CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 2/22/23 8:30 AM

4.5 NAB CEUs!

4 AHIMA CEUs!

April 26th, 9:00 a.m. to 2:00 p.m. CST
Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Fake Nursing Degree Scam Involving Three Florida Nursing Schools

Posted by Scott Gima on 2/21/23 9:15 AM

The scheme

  • 25 people were charged with wire fraud – administrators and employees of three Florida nursing schools as well as recruiters.
  • The recruiters sought out individuals who were willing to pay $10,000 to $15,000 for fake nursing school documents that allowed them to sit for the national nursing licensure examinations.
  • A total of 7,600 fake nursing diplomas and transcripts (showing completion of required courses and clinicals) were provided to individuals from all over the US. The buyers wanted to take licensing exams to become registered nurses, licensed practical nurses, or licensed vocational nurses.
  • The three now closed nursing schools that issued the fake documents were Siena College, Sacred Heart International Institute, and Palm Beach School of Nursing.
  • None of the individuals that bought the fake documents have been charged (yet).

Why is this Important?

  • In a NY Times article, the special agent in charge for the Miami region of the Office of Inspector General said approximately 2,800 buyers passed the licensure exam.
  • A large percentage of the 2,800 that passed are working.
  • The NY Times article stated that providers that hired these nurses “included Veterans Affairs hospitals in Maryland and New York, a hospital in Georgia, a skilled nursing facility in Ohio, a rehabilitation center in New York and an assisted-living facility in New Jersey.”

What to do?

Read More

Topics: HIPAA, data breach, security

OCR Announces Settlement for Banner Health’s 2016 Data Breach

Posted by Scott Gima on 2/15/23 10:52 AM

The OCR notes serious concerns with Banner Health’s pervasive noncompliance with the HIPAA Security Rule

Banner Health

  • OCR’s investigation of Banner’s data breach in 2016 found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.
  • Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states.

Findings

  • No analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization
  • Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack
  • Failure to implement an authentication process to safeguard its ePHI
  • Failure to have security measures in place to protect ePHI from unauthorized access when transmitted electronically

The Attack

  • Banner Health discovered unauthorized access to systems that process payment card data at some Banner Health food and beverage locations during a two-week period in June and July 2016.
  • The attackers targeted payment card data, including cardholder name, card number, expiration date, and internal verification code, as the data was being routed through the affected payment processing systems.
  • Banner Health then learned that the attackers had also accessed patient information, health plan member and beneficiary information, and physician and other healthcare provider information.
  • The attack affected 27 locations and the information of 3.7 million individuals.

Why is this Important?

  • OCR indicated that hacking is the largest threat to ePHI, with 74% of the breaches reported in 2021 involving hacking/IT incidents.
  • This settlement and corrective action plan remind us that healthcare providers must take action to protect the privacy and security of PHI. It is just as important to document all measures taken to secure ePHI.
  • The corrective action plan states that Banner must do the following to address the findings of the OCR’s investigation:
    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
    • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
    • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically.

What you should do

(Hint: Turn Banner’s Corrective Action Plan into a checklist)

Read More

Topics: HIPAA, data breach, security

Earn CEUs with MPA's FREE Compliance & HIPAA Webinars!

Posted by Margaret Scavotto, JD, CHC on 2/14/23 9:15 AM

Sign up for MPA's FREE Compliance & HIPAA webinars:

All webinars start at 11:00 a.m. CST and are presented by Margaret Scavotto and Scott Gima


Plan a Successful Compliance Week in 2023

February 22, 2023

90 minutes

1.8 CCB CEUs
1.5 NAB CEUs

Your compliance program is only as strong as the culture behind it - and the knowledge and buy-in of your team. It takes year-round activities and awareness to support that culture. In this webinar, we will discuss approaches to plan a fun and engaging Compliance Week for your staff. Whether it's been a year since you held Compliance Week - or whether compliance has been back-burnered during the pandemic and your culture needs a boost - it's time to schedule a Compliance Week!

Learn how to plan a Compliance Week that includes employee feedback, and reinforces compliance as a positive force in your organization.

SIGN UP

This program has been approved for Continuing Education for 1.5 total participant hours by NAB/NCERS—Approval #20240221-1.50-A90033-DL.


SNF Compliance Update

April 19, 2023

90 minutes

1.8 CCB CEUs

1.5 NAB CEUs

It’s been a long road since the Affordable Care Act mandated compliance and ethics programs for nursing homes in 2010. Since then, we have had rules issued; enforcement delayed; a pandemic; and, as of October 24, 2022, enforcement via CMS survey. Compliance is never easy in the highly regulated world of long-term care – but it has only gotten harder since this mandate was announced.

In this webinar, we will discuss the status of compliance and ethics programs for nursing homes; review other reasons to comply (DOJ, OIG, OCR, etc.); walk through a step-by-step process to implement or review your program; and identify best practices for a compliance program that lasts.

This program has been approved for Continuing Education for 1.5 total participant hours by NAB/NCERS—Approval #20240418-1.50-A90034-DL

The Compliance Certification Board (CCB)® has approved these events for up to 1.8 live CCB CEUs based on a 50-minute hour, each. Continuing Education Units are awarded based on individual attendance records. Granting of prior approval in no way constitutes endorsement by CCB of this event content or of the event sponsor.

Read More

Topics: Training and Education, HIPAA, compliance
