Monthly Archive: April 2014

Risk Analysis: Prepare Now or Pay Later

Managing risk to confidential patient health information (PHI) is not only a critical component of healthcare today; it is also a mandate of the HIPAA Omnibus Rule (HIPAA).

HIPAA mandates that organizations conduct a regular risk analysis to identify and mitigate risks to patient records and the PHI they manage in their electronic health records systems (EHRs). Failure to secure PHI and mitigate the threats and vulnerabilities identified in a risk analysis can result in investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies. These agencies have authority to impose millions of dollars in penalties and fines as well as extended regulatory oversight, and can do so simultaneously for the same offense.

The Situation

According to the HIPAA Omnibus Rule [1], failing to protect patient records and prevent disclosure of PHI can damage patients’ financial status, job prospects, and reputation, far exceeding the impact of their medical conditions.

The HIPAA Omnibus Rule requires Covered Entities and Business Associates to conduct regular risk analyses [2] to identify and address threats and vulnerabilities to the confidentiality, integrity and availability of patient records and the PHI they manage and maintain in electronic health information systems.

Millions of dollars in penalties and fines as well as extended regulatory oversight can result from these failures, levied after investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies.

Nearly 30 million patient records have been reported to HHS as compromised in breaches since 2009, according to surveys conducted by healthcare IT security consultants as recently as February 2014[3]. The report states that “(i)n 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.” These statistics do not include breaches that have not been reported to HHS.

Furthermore, HIPAA requires notification of HHS and the patients whose PHI has been breached. Such notification can negatively impact both patients’ confidence in the service provider and the provider’s reputation. The flip side is that patients build trust in and strengthen their loyalty to their healthcare providers when their PHI is securely managed. A reputation for private and secure management of health information can also serve as a marketing tool for the provider.

In the early roll-out of HIPAA, HHS’ history of lax oversight and few consequences for non-compliance resulted in minimal implementation of the privacy and security standards. Covered Entities lacked comprehensive compliance planning, allocating responsibility over multiple departments to provide workforce training and accountability programs and taking the position that electronic health records systems (EHRs) successfully producing electronic records and bills was sufficient to demonstrate HIPAA and HITECH compliance.

Meanwhile, reports of patient complaints and breaches poured into HHS by the millions. Eighty-three per cent of all large HIPAA privacy and security breaches are the result of theft, according to surveys from HHS sources reported by Healthcare IT News. More specifically, the surveys report that approximately 22% of breaches since 2009 were due to unauthorized access to PHI, 35% were attributed to theft or loss of unencrypted devices containing PHI, and 6% were due to hacking[1].

The results of HITECH’s pilot audit program demonstrated that covered entities lacked understanding of the actual privacy and security standards as well as grounding in the specific implementation requirements the standards impose on internal systems, operations and resources necessary to meet HIPAA compliance requirements.

The HIPAA Omnibus Rule amendments confirm that anything short of a comprehensive, documented and implemented risk management process will not meet HIPAA compliance requirements today. They also require that the risk management program incorporate the results of a comprehensive complaint and breach investigation procedure focused on identifying and addressing workforce errors and patient complaints within the organization. Finally, the HIPAA Omnibus Rule extends these compliance requirements to Business Associates performing services or functions for or on behalf of covered entities.

The Solution

Risk management begins with an organization-wide risk analysis, i.e., an accurate and thorough assessment and mapping out of the actual use and disclosure procedures in place for PHI in all formats throughout the whole organization. This includes satellite and multi-state offices, subsidiaries, patient portals, remote access to its PHI/ePHI, and PHI/ePHI disclosed to its Business Associates.

A key component of the assessment involves identifying and planning for mitigation of reasonably anticipated human, natural and environmental threats and vulnerabilities to the organization’s internal and external processes and systems. To be most effective, a risk analysis should be conducted regularly and at key intervals when changes, upgrades and/or mergers take place. The findings from the risk analysis should be incorporated into a documented, comprehensive and regularly updated risk management strategy for the organization. This documentation is what the OCR will likely request during investigations or audits to evaluate the organization’s compliance efforts.

The next round of OCR audits is scheduled to begin in October 2014. Covered Entities’ and Business Associates’ compliance with the HIPAA security standard’s risk analysis and risk management standard is in the OCR’s cross hairs. Failure to take affirmative steps towards compliance before the OCR comes a’knocking can add additional sanctions for willful neglect to corrective action plans and/or settlement agreements.

Whether the OCR is knocking on your door or not, the private and secure management of the Covered Entity’s or Business Associate’s health information is a critical aspect of quality healthcare services today. Leaders in the industry have this as a critical core value for their organizations, making compliance with the HIPAA Omnibus Rule just par for the course. The availability of secure and reliable healthcare information and data to support quality treatment and services requires the practice of good IT governance and due diligence[2].



[1] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defined privacy and security standards for management of protected health information (PHI) in all formats, including oral, paper and electronic (ePHI). HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) which incorporated provisions of the Genetic Information Non-discrimination Act of 2008 (GINA). HITECH, among other provisions, addressed gaps in HIPAA, expanded categories of Business Associates and pulled Business Associates into the regulatory authority of the Department of Health and Human Services (HHS) and other federal and state agencies, and increased sanctions for non-compliance with HIPAA introducing a new punitive sanction for willful neglect. HITECH focuses on ePHI only and provides incentive payments for meaningful use of electronic health records systems (EHRs). HITECH’s ultimate goal is to develop a national network of health information and data which will drive efficiencies and improve the administration of healthcare in the US. The final HIPAA Omnibus Rule of 2013 (HIPAA Omnibus Rule) is HHS’ final rulemaking focused on strengthening the privacy and security provisions for PHI originally defined by HIPAA.

[2] See 45 CFR subsections 164.530 (c) [Privacy Standard] and 164.308(a)(1)(ii)(A) [Security Standard]

[3] See Redspin Report on the “State of Healthcare IT Security” (February 5, 2014) at www.redspin.com/redspin-reports-state-healthcare-security-130000284.html.

[4] See HIPAA Data Breaches Climb 138% at Healthcare IT News (February 6, 2014) www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent

[5] See In Defense of HIPAA: How Compliance Drives Innovation at algonquinstudios (April 1, 2014) http://blog.algonquinstudios.com/2014/04/01/in-defense-of-hipaa-how-compliance-drives-innovation/


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.

Permanent link to this article: http://meritcd.com/blogs/risk-analysis-prepare-now-or-pay-later/

Overcome Training Obstacles in the Virtual Workplace

In today’s age of electronic interaction, new technologies can be mechanisms for better leadership and training—or they can create serious obstacles.

The Digital Age has given rise to numerous information technologies that have had both positive and negative effects on leadership. Because of this, there has been a fundamental change in the relationship between business leaders and their followers – both employees and clients.

The original dynamic of the leader-follower connection has been forever altered by the advent of communication technologies, according to John Juzbasich, CEO of Merit Career Development. As a result, leaders face different challenges when conducting training in the virtual workplace…mainly fluid communication.

The Challenge of Communication

In today’s age of electronic interaction, new technologies are mechanisms for leadership and management. Social platforms such as Facebook and LinkedIn can reduce the remoteness of followers and allow for more instantaneous communication, but they can lead to breakdowns in communications as well. Although oratory interaction can convey a clearer message, between 60 and 80 percent of communications are non-verbal, Juzbasich explained.

When the voice is taken out of the equation, all that is left are words on a screen. At this point, messages can become misinterpreted, which is one of the biggest challenges in leading in the Digital Age. Because of this, leaders have to be more cognizant of how they speak and present themselves.

In order to avoid being misunderstood, Juzbasich suggests utilizing video technology to both communicate on a daily basis, and to create effective training. Video not only leverages digital technology in a popular way that people relate to, but it regains the visual and audio components of conversation.

Leading in the Digital Age

Juzbasich recently represented Merit at Penn State Great Valley on a panel called “Leading in the Digital Age: Are You Connected For Success?” that discussed e-leadership with other leading industry experts. The event featured insight into cutting-edge research and best practices for leveraging rising technologies to be an effective leader in today’s business environment. Topics ranged from using avatars and emotion-reading technologies to advanced uses of social media. “We have come a long way over the past decade in understanding what works and what does not in a virtual teaching/learning environment. It is critical to redesign training to take advantage of today’s technologies and educational research on Best Practices,” Juzbasich added.

Merit Career Development offers a wide array of learning methodologies that enhance professional education in today’s virtual workplace, including Virtual Instructor-Led Training, online self-paced courses, webinars and web-based assessment tools. To learn more about what Merit can do to enhance your leadership and employee training, please contact us.



Permanent link to this article: http://meritcd.com/blogs/overcome-training-obstacles-in-the-virtual-workplace/

$6.8 Million Dollar Fine Levied for HIPAA Violation

The HITECH law puts a cap on fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.

Health insurer Triple-S Management Corporation (Triple S) of San Juan was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements to sell insurance in Puerto Rico required Triple S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.

The breach resulted from a September 20, 2013 incident where Triple S mailed out pamphlets to its beneficiaries with their Medicare numbers visible from the outside. Medicare numbers are unique client identifiers deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple-S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.

Cooperation is key

In this case, the fine was assessed at $500 for each of Triple S’ 13,336 affected beneficiaries in accordance with the contract Triple S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident, providing misleading information, and, in response to some requests, not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).

The fines levied against Triple-S put Covered Entities and Business Associates on notice about their absolute obligation of full compliance with HIPAA and implementing proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations. The FTC can exercise regulatory oversight through corrective action plans for up to 20 years for HIPAA violations. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business—but most important, for your patients and clients.




Permanent link to this article: http://meritcd.com/blogs/6-8-million-dollar-fine-levied-for-hipaa-violation/

Improve Your Decision-Making, Improve Your Leadership

Did you know that we make about 35,000 decisions a day? Learn about the many factors, conscious and sub-conscious, that affect our choices, and how we can control the ones that will help us make the best decisions.

The brain is a powerful machine constantly working behind the scenes, absorbing and dissecting information at an unimaginable rate. Without even realizing it, most people make thousands of decisions every day, from choosing a snack to making swift decisions while driving. Of course, there are the tougher decisions that we really contemplate, too.

Making the best decision is critical to success in most fields and disciplines. Our lack of understanding of how our minds work has profound consequences. Modern psychologists are studying the processes in our complex and sophisticated brain and have identified common errors in thinking, shortcuts used in the decision-making process, and cognitive biases that influence our decisions without our knowledge.

We know that good decision-making is critical to business success and will impact the bottom line. Daniel Kahneman, PhD, a Nobel-prize winning psychologist and author, explains how the brain functions in making decisions. In his book, “Thinking, Fast and Slow,” he breaks down the decision-making process into two systems: System 1 and System 2.

System 1 works quickly and deals with automatic, unconscious thinking, such as finishing thoughts and sentences. It’s deeply rooted in our intuition and emotional mechanism. System 2 works more slowly, focusing on logic and problem solving. It is associated with deliberative thinking and complex computations, while System 1 is more reactive and creates impressions and feelings. Leveraging these two aspects of decision-making can be enormously beneficial.

One of the most significant of the biases that affect our decisions is what Kahneman calls “pervasive optimistic bias,” which gives us the feeling of having control. This is also referred to as the “illusion of control,” the tendency for people to overestimate their ability to control events in their lives. Other biases that need to be understood and considered include “framing,” where familiar numbers form the context for our decisions, although there may not be any reason for them to be relevant or accurate, and “loss aversion,” a tendency to fear losses more than value gains.

Professional assistance and career development

At Merit Career Development, we stay on top of the latest proven research and integrate these findings into our unique and engaging programs. As a result, participants can learn about many different features that are integral to the decision-making process. We help our clients understand how the two primary systems generate actions for quick thinking and more thought-requiring decisions.

Participants in our “Better Decision Making” program will learn about traps like biases and blind spots that can unconsciously and negatively affect best decision-making practices. Merit teaches the tools to develop effective listening techniques and how to adapt and apply this knowledge to different types of situations.

Like most Merit programs, this highly engaging and interactive workshop is ideal for optimizing learning retention of valuable information. Numerous rational tools and practical techniques ensure that the lessons taught will be carried over into real-life workplace scenarios.

Interested leaders can review the course outline for Merit’s “Decision Making and Problem Solving” to discover why it is the one-stop for dynamic workforce training.



Permanent link to this article: http://meritcd.com/blogs/improve-your-decision-making-improve-your-leadership-2/

Merit’s May 2014 Book Giveaway

At Merit, we read a lot, from current thought leaders to the latest research on critical management skills and adult learning theory. The concepts in these books inform our professional education programs. This month we will give away another of our favorites.

In the international bestseller, Thinking, Fast and Slow, Daniel Kahneman, the renowned psychologist and winner of the Nobel Prize in Economics, takes us on a groundbreaking tour of the mind and explains the two systems that drive the way we think. System 1 is fast, intuitive, and emotional; System 2 is slower, more deliberative, and more logical. The impact of overconfidence on corporate strategies, the difficulties of predicting what will make us happy in the future, the profound effect of cognitive biases on everything from playing the stock market to planning our next vacation-each of these can be understood only by knowing how the two systems shape our judgments and decisions. Engaging the reader in a lively conversation about how we think, Kahneman reveals where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking. He offers practical and enlightening insights into how choices are made in both our business and our personal lives-and how we can use different techniques to guard against the mental glitches that often get us into trouble. (Amazon.com)


The deadline for entries is May 15, 2014.

 


Permanent link to this article: http://meritcd.com/blogs/merits-may-2014-book-giveaway/

Optimize Your Training by Engaging Your Employees More Effectively

Senior executives can commit vast resources in time and money to manage their employees, but if the staff does not feel valued or engaged in the business, it’s likely that the desired results may not be achieved.

Improve employee engagement with training and professional education.

According to a study from Gallup Inc., titled “The State of the American Workplace: Employee Engagement Insights for U.S. Business Leaders,” effectively engaging and retaining employees is one of the biggest challenges that leaders can face. Over a three-year period, from 2010 to 2012, the research firm surveyed more than 350,000 respondents, Forbes magazine reports.

The findings indicated that 70 percent of American workers are “not engaged” and are disconnected from the workplace, which in turn can make them less productive. This lack of engagement can be significantly detrimental to business profits. Gallup estimated that disengaged employees can cost companies between $450 and $550 billion per year in lost productivity. These employees can also negatively influence their fellow employees, drive clients away and miss workdays completely.

With only 30 percent of employees working at their optimal potential, leaders need to begin improving their engagement strategies to retain staff and bolster their productivity as a business.

Trickle-down engagement

Rather than focus strictly on lower levels of the organization, Gallup suggests that management leaders center their efforts at the top and have it disseminate throughout the company. As mid-level managers and employees feel empowered, they can begin to identify barriers to effective engagement and help develop methods for organizational improvement. Staff members can be the most knowledgeable when it comes to the company’s processes and clients, which might result in better performance when given the right tools for the job.

The training process can be an area where leaders engage their employees effectively for the betterment of the company, according to Training magazine. Merit Career Development offers a range of teaching techniques that engage employees and increase learning retention. To learn more contact us by phone, 610-225-0193 or send us an email.



Permanent link to this article: http://meritcd.com/blogs/optimize-your-training-by-engaging-your-employees-more-effectively/