Breaking Compliance News Blog

Margaret Scavotto & Scott Gima

Recent Posts

Is your HIPAA Security Risk Analysis outdated?

Posted by Margaret Scavotto & Scott Gima on 8/16/22 9:00 AM


The HIPAA Security Rule requires covered entities and business associates to complete a HIPAA Security Risk Analysis, and to periodically update it. Per industry standards, the Security Risk Analysis should be updated annually at the very minimum.

When investigating a breach, the OCR also reviews the organization’s compliance with the HIPAA Security Rule. One of the OCR’s top findings is the failure to conduct and/or update a comprehensive risk analysis.

In a recent interview, Lisa Pino, HHS OCR Director, stated: “We are a law enforcement agency and we have to instill that sense of accountability when obligations of the law are not in compliance.” She added that “hacking and IT incidents are still a growing threat.” She goes on to state that “this is really a time for organizations to bolster their security profile. This is an opportunity for them to reset and really establish, if not already, an enterprise-wide risk analysis instead of a reactive stance… an ongoing risk management is a must from a business perspective.”

Most entities failed OCR audit of risk analysis

Pino also referenced the OCR’s 2016-2017 HIPAA Audit Industry Report released in December 2020. She points out that the report provides valuable information that is still relevant today. In that report, the OCR found that only 14% of covered entities “are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”

For the 86% of covered entities who failed to meet risk analysis requirements, there were some common issues:

  • “Some entities provided irrelevant documentation, such as a document that describes a patient’s insurance prescription coverage and rights; a document that discusses pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page.”
  • “Providers commonly submitted documentation of some security activities of a third-party security vendor, but no documentation of any risk analysis that served as the basis of the activities.”
  • “Entities offered third party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.”

If you have not conducted a HIPAA Security Risk Analysis, or if it has been more than one year since you have updated yours, that’s a big risk.

Perhaps as risky as driving a vehicle without insurance. Or eating the marshmallow casserole someone plopped down on the picnic table on a hot, sunny day four hours ago.

It’s not worth the risk.

Without a current HIPAA Security Risk Analysis, organizations do not know where their security risks are – which means they are likely unmitigated. Think of it as a data breach waiting to happen.

Every day, security risks in healthcare increase:

  • According to IBM’s Cost of a Data Breach 2022, the healthcare industry has had the highest average data breach cost for 12 years in a row – and the average cost of a data breach in the healthcare industry is $10.10 million.

  • According to the 2022 SonicWall Cyber Threat Report, ransomware attacks decreased 23% globally in the first half of 2022. But, in the healthcare industry, ransomware attacks increased by 328% during this timeframe.


What’s your HIPAA breach risk tolerance?

Do you update your HIPAA Security Risk Analysis at least annually, and mitigate risks you identify in a timely manner? If so, you have reason to sleep well at night. Keep up the good work.

Or, are you more of the dangerous-casserole-taster type, operating with an outdated HIPAA Security Risk Analysis – or, worse, none at all? If so, has your organization calculated the likelihood of experiencing a breach (very high), and the expected costs of a breach (also very high)?

MPA can handle your HIPAA Security Risk Analysis

The HIPAA Security Risk Analysis is a lot to tackle. We all know it’s even more challenging to accomplish during COVID times. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more information.


Topics: HIPAA, security, risk analysis


Posted by Margaret Scavotto & Scott Gima on 6/29/22 8:09 PM

Today, CMS issued new and revised guidance for long-term care surveyors. This guidance includes the following updates:

  • Clarifications and technical corrections of Phase 2 guidance issued in 2017
  • New guidance for Phase 3 requirements that went into effect November 28, 2019
  • Arbitration requirements and guidance which went into effect September 16, 2019
  • Changes to the Psychosocial Severity Guide

The new guidance for Phase 3 requirements includes the long-awaited F-Tag F895: Compliance and Ethics Programs.

In addition to the surveyor guidance, CMS has posted training on the new compliance guidance for surveyors, and the updated State Operations Manual provisions related to F895 (Appendix PP). Here’s what you need to know:

CMS will begin reviewing nursing home Compliance and Ethics programs via survey on October 24, 2022.

The State Operations Manual uses the original Compliance and Ethics Programs rule that was issued as part of Phase 3 – not the proposed rule. Nursing homes should make sure their compliance programs are built to the original rule (plus OIG guidance). MPA has summarized the requirements for you below.

All nursing homes must have the following:
  • Written compliance and ethics policies and procedures that:
    • Reduce the risk of criminal, civil and administrative violations
    • Promote quality of care
    • Designate a compliance contact to receive reports
    • Include an anonymous way to report non-compliance without retribution
    • Include disciplinary standards
    • Apply to contractors and volunteers
  • Policies and procedures communicated to all staff, contractors, and volunteers
  • Assigned high-level personnel oversight for the compliance program, and sufficient resources and authority for such high-level personnel
  • Due care not to delegate substantial discretionary authority to individuals the SNF knew or should have known had a propensity to commit a crime
  • Auditing and monitoring
  • A reporting system
  • Consistent enforcement via discipline
  • Annual review.
Organizations with five or more facilities must also have:
  • A mandatory annual compliance training program, and
  • A compliance officer who reports directly to the governing body, with designated compliance liaisons at each site
(For a comprehensive list of requirements, please see 42 CFR 483.85).

The CMS guidance also addresses other Phase 2 and Phase 3 provisions of the long-term care regulations. You can read the other changes here.

MPA is ready to help you meet these compliance and ethics requirements. MPA has nursing home compliance programs available for download on our store. And, we can review your existing compliance program, or do your annual review. Reply to this email for more information.


Topics: Penalties and Enforcement, Affordable Care Act, compliance, surveys

Cold hard HIPAA stats

Posted by Margaret Scavotto & Scott Gima on 1/25/22 8:15 AM

As we enter a new year, it’s a good time to review the status of data breaches, HIPAA hazards, and the state of security risk with some statistics:

  • The average cost of a data breach in the United States is $9.05 million. The average cost is higher in organizations with greater compliance failures.

  • Only 25% of employees are “very confident” they can identify a social engineering attack.

  • 76% of healthcare employees have received security awareness training. That means 24% have not.

  • 24% of employees believe “clicking on a suspicious link or attachment in an email represents little or no risk.”

  • Only 31% of employees think “allowing family members or friends to use work devices for personal activities outside of work” is risky.

  • In the past 12 months, 94% of organizations have had an insider data breach. The most common cause is human error.

  • As many as 90% of data breaches are phishing attacks.

It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.

What you can do


Topics: HIPAA, data breach, security

When HIPAA security is a public health issue

Posted by Margaret Scavotto & Scott Gima on 1/18/22 9:00 AM


Topics: HIPAA, data breach, security, compliance, webinar

CMS & OSHA Vaccine Rules Are Here!

Posted by Margaret Scavotto & Scott Gima on 11/11/21 11:07 AM


Topics: guidance, compliance, COVID-19

Free Webinar: HIPAA Security - Board of Governance Responsibility

Posted by Margaret Scavotto & Scott Gima on 9/3/20 10:32 AM

Join HIPAAtrek and MPA's Executive VP Scott Gima for a complimentary webinar:


Topics: HIPAA, security, webinar

Download MPA's HIPAA, COVID-19 & Social Media Roadmap

Posted by Margaret Scavotto & Scott Gima on 7/8/20 8:38 AM

The rise of social media has revolutionized the way people connect. In the health care workplace, social media also brings countless opportunities for employees to violate HIPAA. Balancing this new landscape of increased sharing through technology and unchanged patient privacy rights is a minefield for healthcare providers.

Without education and policies from their employers, health care employees can easily get into trouble, quickly putting their employers at risk for HIPAA penalties, lawsuits, and devastating PR consequences. The pandemic has only exacerbated the privacy challenges associated with social media. MPA’s HIPAA, Social Media & COVID-19 Roadmap tells you what you need to know about this challenge, and what you can do about it.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly, and know when they aren't, than to do nothing and wait to hear it from the patients (or the media).

Click here to download.


Topics: HIPAA, COVID-19

Know your risk: HIPAA breach stats

Posted by Margaret Scavotto & Scott Gima on 2/6/20 8:15 AM


Topics: HIPAA, security, breach notification

CMS Changes SNF Compliance Program Requirements – Again

Posted by Margaret Scavotto & Scott Gima on 9/10/19 7:13 AM

Ladies and gentlemen, long-anticipated compliance program requirements are changing, one more time. Let’s take a look at what has changed – and what hasn’t.

The proposed rule

On July 16, 2019, CMS published a proposed rule that would modify multiple aspects of Phase III of the Long-Term Care Facilities Requirements for Participation (the “Proposed Rule”). The goal of the Proposed Rule is to reduce regulatory burdens and costs, allowing nursing homes to focus resources on providing quality resident care. Some of the most discussed proposed amendments are those to the Compliance and Ethics Program requirements (42 CFR 483.85), which, if finalized, will become effective one year later. With comments from the public due September 16, 2019, our best guess is that enforcement will begin October or November 2020.

Good news: fewer compliance-related F-tags ahead

Nursing homes: LeadingAge (and other associations) successfully lobbied on your behalf.


Topics: Affordable Care Act, OIG compliance resources, skilled nursing, compliance

Why Compliance Should Care About the War on Opioids

Posted by Margaret Scavotto & Scott Gima on 6/18/19 8:51 AM

We have an opioid problem

In the United States, 134 opioid-related deaths occur daily. In 2016, more than 60,000 Americans died from drug overdoses, and two-thirds of those deaths were opioid related. Fentanyl is now responsible for more overdose deaths (28.8%) than heroin. And, three out of four new heroin users first misuse prescription opioids.

In 2017, almost one-third of Medicare Part D beneficiaries received opioids. About 460,000 beneficiaries received high amounts of opioids; 71,000 beneficiaries were at serious risk of misuse or overdose; and almost 300 prescribers had questionable prescribing. Everyone agrees our country has an opioid problem.


Topics: Quality Assurance, Excluded Providers, Opioids, compliance
