*Free Issue* MPA’s Compliance and HIPAA News Reports
Posted by Margaret Scavotto, JD, CHC on 1/26/23 12:03 PM
Topics: Training and Education, compliance
Earn CEUs with MPA's FREE Compliance & HIPAA Webinars!
Posted by Margaret Scavotto, JD, CHC on 1/18/23 8:15 AM
Sign up for MPA's FREE Compliance & HIPAA webinars:
All webinars start at 11:00 a.m. CST and are presented by Margaret Scavotto and Scott Gima
- HIPAA Security Update: January 25, 2023 (90 minutes; 1.8 CCB CEUs)
- Plan a Successful Compliance Week in 2023: February 22, 2023 (90 minutes; 1.8 CCB CEUs; 1.5 NAB CEUs). This program has been approved for Continuing Education for 1.5 total participant hours by NAB/NCERS—Approval #20240221-1.50-A90033-DL.
- SNF Compliance Update: April 19, 2023 (90 minutes; 1.8 CCB CEUs; 1.5 NAB CEUs). This program has been approved for Continuing Education for 1.5 total participant hours by NAB/NCERS—Approval #20240418-1.50-A90034-DL.
The Compliance Certification Board (CCB)® has approved each of these events for up to 1.8 live CCB CEUs, based on a 50-minute hour. Continuing Education Units are awarded based on individual attendance records. Granting of prior approval in no way constitutes endorsement by CCB of this event content or of the event sponsor.
Topics: Training and Education, HIPAA, compliance
Earn CEUs with MPA's FREE Compliance & HIPAA Webinars!
Posted by Margaret Scavotto, JD, CHC on 1/11/23 10:40 AM
Topics: Training and Education, HIPAA, compliance
My kids sometimes ask me why they have to brush their teeth every day. Or put away their dirty laundry EVERY DAY. We did that yesterday, Mom. Isn’t that enough? Come on.
This always prompts a conversation about habits, and what happens when we skip them.
If we skip brushing our teeth once, we are likely to skip brushing our teeth again. And again. And again. Until not brushing our teeth becomes the habit.
Until… it’s time to go to the dentist. If we’ve skimped on brushing, we might not get that sticker. No Dora the Explorer toothbrush. Nope, you’ve got cavities. That means TWO trips to the dentist. For grown-ups, who always have the most fun, it could mean a root canal or an impacted tooth – maybe even THREE trips to the dentist.
You know where I’m going with these oral hygiene horror stories.
How are your compliance habits?
Compliance is a routine. It’s not a one-and-done job. There are annual, quarterly, monthly, weekly, and daily tasks.
What happens if we forget to log a compliance complaint? Just one. Or two? What does that do to the integrity of our documentation? How will we defend questions or concerns about this complaint at a later date? How will it impact the data we have available to identify complaint trends? How can we prove we handled this complaint?
What happens if we forget to do our HIPAA walk-through audit this quarter? And maybe next quarter, because things are still really busy? How long have employee passwords been left up on post-it notes for visitors to see? How long have the water cooler patient conversations gone unchecked? What are we missing that we haven’t even thought about?
What happens if we skip our weekly compliance rounding, when we walk the halls and interact with employees? How many interactions do we miss? How many employees stop recognizing us – and think a little less about compliance?
The biggest habit of all is, of course, a semi-annual visit to the dentist. In the compliance world, this is your annual compliance program review. If we have been keeping up compliance habits, that annual review will find more successes to celebrate (Dora the Explorer toothbrushes for everyone!) If, however, we have let those habits fall by the wayside, we might need to fill some cavities in the next year. Or worse – conduct a root canal.
At the dentist’s office and in the compliance department, habits matter. Skipping them can have a big impact. Focus on the habits that keep your compliance program effective and commit to them. And do not, under any circumstances, make a habit of skipping the annual compliance program review.
So I ask you: Are you regularly brushing your teeth?
Topics: compliance
What is Rackspace?
Rackspace Technologies is a tech company that provides cloud-based servers, data storage and data backup services.
What Happened?
On December 2, 2022, at 2:49 a.m. EST, Rackspace posted a message stating that customers that used their hosted exchange email servers did not have email access. The Hosted Exchange services include mailboxes (up to 100GB), Microsoft Outlook, Outlook Web Access, mobile device synchronization, anti-spam and anti-virus protection.
On 12/6, Rackspace indicated that they suffered a ransomware attack.
Rackspace has not yet indicated when email service will be restored to their clients. In the meantime, email accounts and domains are being migrated to Microsoft 365. This temporary solution only provides access to new emails. Clients currently have no access to existing emails.
Rackspace has not reported the number of impacted customers. It has been speculated that the number of small and medium sized customers may be in the thousands.
Why is this Important?
In the old days, Microsoft Outlook and Office programs were installed on your company’s server. Email Exchange Servers were also physically located within your company. All emails, email attachments, documents, and spreadsheets were also stored on the server or on your desktop. Today, companies like Rackspace and Microsoft provide these applications with data storage in the cloud.
The Rackspace incident provides a sobering example that cloud applications and cloud-stored data are not as safe as you think. Rackspace customers lost the ability to receive and send emails. According to news reports, many customers now have email again after Rackspace moved them over to Microsoft 365. But there is an ongoing concern about loss of archived email data even once email service is restored. Think about the impact on your organization and your job tasks if you lost the ability to send and receive emails, plus access to all of your old emails, both sent and received. My guess is that you will come to the same conclusion as me – the impact would be significant if not catastrophic.
Impact?
Loss of email typically means lost revenue. What is your organization’s tolerance to downtime? In other words, how long can you go without email? These are questions that need to be posed to each department. The loss of access to the EHR is the #1 issue, but that can be handled by going old school with paper documentation. The impact on other departments must be reviewed in detail.
Let’s start with the business office. Is there enough cash if billing Medicare, Medicare Advantage, Medicaid and private pay stops or takes longer than normal? What about follow-up of unpaid claims? Referrals? Communication with referring hospitals is typically handled by email. How do you review payor eligibility? How will you recruit staff for open positions without receiving email notifications from recruiting websites? Background checks and review of exclusion lists? The list goes on and on.
All of us are heavily dependent on emails to do our daily tasks. The temporary loss of being able to send or receive emails for a week or two is tolerable, but the tipping point may well be the possible loss of old emails and attachments.
What to do?
I reached out to Scott Wolff, President and Director of IT Operations at LanServ, Inc., a managed service provider (MSP) in St. Louis, and asked him: What do companies need to do to limit their email downtime and prevent the loss of archived (old) emails and attachments? Here is a list of recommendations from Scott W:
Topics: HIPAA, security, compliance
Compliance Lessons from Mistletoe, the Elf on our shelf
Posted by Margaret Scavotto, JD, CHC on 12/19/22 10:40 AM
Topics: compliance
Compliance Lessons from the #BettyWhiteChallenge
Posted by Margaret Scavotto, JD, CHC on 12/14/22 8:45 AM
Topics: compliance
Ask a kid what they want to be when they grow up, and you’ll hear a lot of “I want to sing like Taylor Swift!” and “I want to play football like Tom Brady!” or “I want to go to outer space like Elon Musk!”
It’s good to have a goal, and I want these kids to reach for the stars – as long as they remember what they bring to the table.
Taylor Swift, for example, is an alto. Tom Brady is a quarterback. And Elon Musk has lots of billions of dollars.
If the child is a soprano, she will never sing like Taylor Swift. Only one human in the world can be Taylor Swift. Anyone who tries to sing like Taylor Swift will inevitably fail.
The same is true for the aspiring quarterback who is also an excellent sprinter and would, in fact, make a great running back. And while you don't need billions of dollars to succeed as an entrepreneur and travel to outer space just for fun, the path might look different.
Lest you think I’m the anti-hero, keep this in mind: A child who wants to be a famous singer should use their own unique, beautiful voice. A child who wants to be a professional football player should play lots of football and figure out which position suits their natural talents. And an aspiring entrepreneur should spend their formative years learning which of their unique talents are most likely to translate into a successful business venture.
Cover bands don’t get record deals.
It’s good to have role models and to look elsewhere for inspiration. But what we bring to the table comes from within, and that uniqueness should not be underestimated.
A new Compliance Officer inheriting a decades-old compliance program from an experienced predecessor should soak up the lessons that are handed down. But the new professional should not stop there. He or she should also look inward and ask: What do I bring to this job? What ideas and strengths do I have that will make this program into something new?
New eyes often provide a fresh perspective. What can you change for the better?
Topics: Compliance Officer & Committee, compliance
Workforce statistics: An (ISC)2 workforce survey of 11,779 cybersecurity practitioners and decision makers reported strong increases in cybersecurity workers:
- The US cybersecurity workforce increased by 5.5% between 2021 and 2022.
- Globally, the increase was 11.1%, or 464,000 new workers.
- 70% of organizations don’t have enough cybersecurity staff to be effective.
- More than half believe their organization is at a “moderate” or “extreme” risk of cyberattack.
- Oversights in certain procedures have been made.
These vulnerabilities worsened in 2022:
- Not enough time for proper risk assessment and management
- Oversights in process and procedure
- Slow to patch critical systems
- Not enough time to adequately train each cybersecurity team member and not enough training resources
- Misconfigured systems
The top four reported reasons for the shortage:
- 43% - my organization can’t find enough qualified talent.
- 33% - My organization is struggling to keep up with turnover and attrition.
- 31% - My organization doesn’t pay a competitive wage.
- 28% - My organization doesn’t have the budget.
Topics: HIPAA, security, compliance
Implementation of Recognized Security Practices (RSPs) for at least 12 months provides covered entities and business associates with the opportunity to reduce fines and penalties for violations of the HIPAA Security Rule.
On January 5, 2021, Congress passed an amendment to the HITECH Act that requires the OCR to take into account the Recognized Security Practices of covered entities and business associates when they are able to show that RSPs have been in use for the 12 months prior to a HIPAA breach incident.
If RSPs are in place, the OCR may mitigate fines and remedies and allow an early and favorable termination of an audit.
Over the past months, the amendment has generated questions related to the uncertainty about what constitutes RSPs, and how to demonstrate their implementation. In response, on October 31, 2022, HHS-OCR released a video that addresses some of these concerns about RSPs.
What Are Recognized Security Practices?
Topics: HIPAA, security, compliance