Category Archive: HIPAA/HITECH

Why Success is More Likely with Active Listening

Listening includes a lot more than just hearing words. Frequently, we need to interpret or infer a deeper or underlying message beyond the spoken word. We deploy many of our senses to detect non-verbal cues and assimilate our life experiences with the verbal message when we actively listen.

Usually, the objective of a conversation is to expand the listener's knowledge, perspective or sensitivity to a topic that affects behavior or beliefs. In the workplace, projects can implode because of poor communication. The results can include a missed critical deadline, budget overruns, decreased sales, and in some cases costly lawsuits.

The most effective communication takes place when both parties are actively listening. So what is “active listening” and how do we do this?

Your active listening is apparent to the other party through audible or visible signals. These can be as subtle as raising your eyebrows, leaning toward the speaker, or using gestures (a thumbs up, a high five, etc.). Tilting your head when you listen, at the same angle as the speaker, generally reflects subconscious agreement. Uttering sounds like "uh huh" or "hmm" also tells the speaker that you are paying attention. In America, making eye contact is considered a must in showing that you are listening, although this varies in some cultures.

Of course, asking good questions is one of the best ways to demonstrate that you are listening. If you don't have any questions (perhaps because the message is crystal clear to you), then paraphrase the speaker's message. You can preface your restated summary by saying something like: "Ok, now, if I understand what you're telling me, you'd like to … (paraphrased summary of speaker's objective)."

It is important to be authentic, too! In your effort to make it evident that you genuinely hear the speaker's message, do not diminish your own persona or credibility. Phrase the introduction to your restated summary in a style that is consistent with the way you normally speak.

Why not find out if you’re as good a listener as you think you are? If you haven’t taken this insightful (and free) listening assessment yet, you can right now – or later when you have about 45 minutes and no distractions. When you’re ready, take the Active Listening Assessment here. Upon completion, you will receive an explanatory report along with tips and techniques that you can use to become a better active listener and communicator.

If you or your staff would benefit from mastering effective communications, improving active listening and learning “meaning-centered communication”, we can help. Please contact Jim Wynne at jwynne@meritcd.com or call him at 610-225-0449.

NOTE: PMPs: This assessment qualifies for one PDU and you will receive a certificate.

Permanent link to this article: http://meritcd.com/blogs/why-success-is-more-likely-with-active-listening/

The Pre-Mortem Technique

During my research on how to make better decisions I came across the pre-mortem in the writings of Nobel Prize winner Daniel Kahneman. He notes in his book, Thinking, Fast and Slow (2011), that the pre-mortem technique is valuable in decision-making because it has two main advantages. First, it overcomes the "groupthink" that affects many teams once a decision appears to be made. When groupthink is in effect, doubts about the wisdom of a plan or decision are gradually suppressed and eventually come to be treated as evidence of disloyalty. The collective suppression of doubt contributes to the group's overconfidence, which is often a tragic flaw.

Second, it unleashes the imagination of knowledgeable individuals in a much needed direction—the opposite direction of the decision. The principal advantage of the pre-mortem technique is that it legitimizes doubts and encourages everyone, even supporters of the decision, to search for possible threats not considered in the decision-making process. I immediately recognized it as an excellent technique for decision-making, risk management and general leadership.

Because this has proven to be of great value, I would like to share this excellent technique with you. The pre-mortem is easy to implement once the team reaches a decision or finalizes a course of action. Here’s what you need to do:

Step back and say the following: "Imagine that we are one year into the future. We implemented (the decision and plan) exactly as decided here today. The outcome was a complete disaster. Take 5 to 10 minutes to write a brief history of that disaster." If someone asks, "What do you mean by a total disaster?", reply: "In any and every way imaginable, it was a total failure."

Then explore all the possible reasons the decision or plan failed. By approaching the brainstorm from the opposite direction, your team will likely realize that more points need to be thought through before the plan is implemented.

Merit Career Development incorporates this technique into our leadership, strategic decision-making, risk management and project management classes, and it is very well received. In one recent class the participants clutched the flip charts from the group discussion. I saw this and asked what they were going to do with them. I was told that they were going to present the findings to upper management; they had never participated in such a rewarding experience.

Merit can help guide your team through tools and techniques such as the pre-mortem and many others to optimize your team's knowledge, skills and abilities. Please contact Jim Wynne at jwynne@meritcd.com or call him at 610-225-0449 to schedule training in this and other valuable decision-making techniques.

Permanent link to this article: http://meritcd.com/blogs/the-pre-mortem-technique/

What your peers are planning for 2016

The results are in!

On behalf of all of us at Merit Career Development, we’d like to thank everyone who participated in our 2nd annual 3-Question Training Planning Survey last month. As promised, we are reporting on the results – which have, interestingly, shifted even from a year ago.


Hot Topics

Although project management professionals represented more than 60% of our invitation mailing, the topics in greatest demand for 2016 are Leadership, Team-Building, Communications, and Critical Thinking and Decision-Making. These ranged from 29% to 38%, while the overall category of Project Management (PM) dropped to 13% this year (from 45% last year). Within the PM arena, in both years "Identifying and Managing Project Risks" ranked in the top third, at 29%. See the Q1 chart above for details.


Delivery Methods

The preferred delivery methods have changed, as well. For the past few years, there was a growing interest in web-based learning and self-paced, DIY courses. This year, on-site, full-day courses have regained their popularity, with 54.4% of respondents choosing this as their preferred delivery method. In 2014, on-site, full-day courses were requested by only 34.2% of respondents. For more details, see the Q2 chart:


Choosing Course and Provider

The basis for choosing a course and provider was measured differently last year, but in both instances the primary driver is the course topic and/or the area that most needs development, followed by convenience of timing and location. Program cost was lower in priority. See the Q3 chart on the left for details.


If you are seeking to reduce your organization’s gaps in skills, improve cooperation and productivity through better communications and decision-making knowledge, or provide some morale-improving, team-building workshops, let’s talk. With a wide variety of courses, delivery techniques and a highly skilled training team, we will help you achieve your training goals for 2016 and beyond.

Contact Jim Wynne at 610-225-0449 or at jwynne@meritcd.com.

Permanent link to this article: http://meritcd.com/blogs/what-your-peers-are-planning-for-2016/

Crossfit Training; Your Body and Your Mind

The start of a new year brings with it many changes, professionally as well as personally. Many of us choose to start the New Year by making goals and resolutions, whether resolving to stick to a budget, or picking up a new hobby. Mine? I’m in the majority of the population: lose weight. To help me achieve my resolution I’ve started an exercise program called CrossFit training.

What is CrossFit training? The CrossFit training program, as explained by its founder Greg Glassman, is a system of performing functional movements that are constantly varied at high intensity. CrossFit is a strength and conditioning program that optimizes physical competence in each of ten recognized fitness domains: Cardiovascular and Respiratory Endurance, Stamina, Strength, Flexibility, Power, Speed, Coordination, Agility, Balance, and Accuracy.

The CrossFit program was developed to enhance an individual's competency at all physical tasks. Athletes are trained to perform multiple, diverse, and randomized physical challenges. This type of fitness is demanded of military and police personnel, firefighters, and many sports requiring overall physical prowess.

CrossFit training benefits the body by training your individual muscles over time to work together to provide an overall greater level of personal fitness than can be achieved by only conditioning one set of muscles at a time. This got me thinking: are there other areas in my life where I can use this approach? How can I “crossfit” my skills to become better at my job? How can I crossfit new learning opportunities to become a more valuable employee?

How can CrossFit training for the body carry over to crossfit training for your mind? If we consider the skills, hobbies, and responsibilities in our careers as muscles, then those skills need exercise. Some muscles are used more than others; some are barely used at all. All too often in our jobs there is a set way of doing things that is like performing the same repetitive workout. The brain, like a muscle, must be exercised to be kept in peak condition.

Modern cognitive psychology has demonstrated that the brain is not a static entity. Rather, the brain is continually and constantly developing and pruning pathways across skillsets, linking new knowledge to existing knowledge, or destroying old pathways which aren’t utilized to make room for new synaptic links. You can take advantage of this process by crossfit training your brain with a new skill or area of knowledge, which is seemingly unrelated to your existing career or job responsibilities.

How can crossfit training your mind benefit you in the workplace? Cross-functional training has many benefits for organizations as well as employees. At an organizational level, cross-training skillsets helps safeguard the organization against widening skills gaps. Organizations that cross-train employees across a range of functions put themselves in a good position to prevent sudden shortfalls and to manage surges in specific areas when demand spikes. On an individual level, cross-training enables employees to explore and assess alternative interests and abilities. It also enables managers to identify and nurture employees who show exceptional talent in a particular function. Cross-training yourself to learn new skills can increase your employability and help you stay relevant.

A few examples: learning the components of Strategic Leadership as a Project Manager (PM) can help reduce the probability of failure by sharpening leadership skills that enable the PM to better understand, motivate and build consensus with other members of a project team. Learning to identify the role that emotions and subconscious biases play in the decision-making process can enable an individual to make more effective decisions. Learning Risk Management skills can enable a Human Resources manager to better anticipate potential problems and create effective solutions before a problem arises.

In 2016, give consideration to learning things outside the scope of your role or responsibilities. Even if learning new skills may not seem directly related to your current work position, you will be increasing your value. Soon, you’ll wonder how you ever got along without these new skills.

If you are seeking to reduce your organization’s gaps in skills, improve cooperation and productivity through better communications and decision-making knowledge, or provide some morale-improving, team-building workshops, let’s talk. With a wide variety of courses, delivery techniques and a highly skilled training team, we will help you achieve your training goals for 2016 and beyond.

Contact Jim Wynne at 610-225-0449 or at jwynne@meritcd.com.


Permanent link to this article: http://meritcd.com/blogs/crossfit-training-your-body-and-your-mind/

A New Medicare Patient Identifier: An Impossible Dream?

Despite nearly a decade of studies and warnings, Medicare cards continue to display participants' SSNs prominently on the face of the card as their Health Insurance Claim Number (HICN), or patient identification number. This number is also displayed on all claim forms mailed to participants' homes.

As the studies and warnings clearly point out, this practice leaves participants vulnerable to identity theft when Medicare cards are stolen or claim forms are mailed to the wrong address, which is a common occurrence. It also leaves the Medicare program itself more vulnerable to fraud when identity thieves use stolen Medicare cards to obtain medical care and/or to submit fraudulent claims. Using SSNs as a patient identifier is simply a bad idea, particularly since other state and federal laws specifically prohibit the use of SSNs in this way.

Both the Centers for Medicare & Medicaid Services (CMS) and the U.S. Government Accountability Office (GAO) have studied this issue in some depth. Yet, despite across-the-board agreement that the practice needs to change, neither any relevant government agency nor Congress has taken the necessary action to require the change.

A key reason for this inaction, beyond the studies, is the cost. A 2012 GAO Report examined two options to address the issue:

  1. Continue to use SSNs, but hide the first five digits.
  2. Replace SSNs with a new Medicare Beneficiary Identifier (MBI).

However, CMS concluded that implementing either option would involve between 40 and 48 government IT systems and would take approximately four years to complete. Early CMS estimates indicated that replacing SSNs with the new MBIs would cost up to $845 million. More recent GAO estimates bring that number down considerably, to between $255 million and $317 million. Note that these estimates do not include the costs hospitals and providers would incur to accommodate the new MBIs.

So things stand pretty much where they have stood since this issue first became a key point of study and discussion years ago. The most recent GAO Report (September 2013) on the matter concluded that despite the many warnings resulting from the studies and the increasing level of Medicare card theft, CMS still had not given the green light to any project that would remove SSNs as the Medicare card patient identifier. CMS has also failed to follow the lead of other existing state and federal laws prohibiting the use of SSNs as patient identifiers.

But hope springs eternal. Maybe CMS will seize the opportunity to make the change during the current modernization of CMS's overall IT systems. As proposed in the September 2013 GAO Report, ". . . one of CMS's high-level modernization goals is to establish an architecture to support 'shared services'—IT functions that can be used by multiple organizations and facilitate data-sharing. . ." This effort includes a crosswalk function that could translate existing SSNs on claims to the new MBIs and vice versa. The transition would be far more efficient if the modernized system received information keyed on the new MBI from the start, rather than ingesting SSN-keyed information and converting it afterward.
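To make the two GAO options and the crosswalk concrete, here is an added illustration written for this page (it is not CMS, GAO or Merit code). The identifier format (11 characters, digits plus upper-case letters with easily confused letters dropped) and the in-memory dictionary standing in for the crosswalk table are assumptions. The security point it demonstrates: the new identifier is drawn at random rather than derived from the SSN, because an SSN has fewer than a billion possible values and any hash of it could be reversed by enumeration, and only the crosswalk itself holds both values, so cards, claim forms and downstream systems can carry the new identifier alone.

```python
"""Illustrative SSN-to-beneficiary-identifier crosswalk (example only, not CMS code)."""
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Assumed identifier format: 11 characters from this alphabet. The letters
# S, L, O, I, B, Z are omitted so an ID read off a card is not confused with
# the digits 5, 1, 0, 1, 8, 2. This is a hypothetical format, not the real MBI spec.
ALPHABET = "0123456789ACDEFGHJKMNPQRTUVWXY"
ID_LEN = 11


def mask_ssn(ssn: str) -> str:
    """Option 1 from the GAO report: hide the first five digits, show the last four.

    Note that masking only changes what is printed; the SSN is still the key
    inside every system that handles the record.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    return "***-**-" + ssn[-4:]


class Crosswalk:
    """Option 2: issue a random identifier per SSN and keep the mapping in one place.

    The identifier is random, not a hash of the SSN: with under 10**9 possible
    SSNs, any deterministic derivation could be reversed by enumerating them.
    The crosswalk is the only component that holds both values.
    """

    def __init__(self) -> None:
        self._ssn_to_id: dict[str, str] = {}
        self._id_to_ssn: dict[str, str] = {}

    def _new_id(self) -> str:
        # Loop guards against the (astronomically unlikely) collision.
        while True:
            candidate = "".join(secrets.choice(ALPHABET) for _ in range(ID_LEN))
            if candidate not in self._id_to_ssn:
                return candidate

    def to_id(self, ssn: str) -> str:
        """Return the beneficiary identifier for an SSN, issuing one on first use."""
        if not SSN_RE.match(ssn):
            raise ValueError("expected NNN-NN-NNNN")
        if ssn not in self._ssn_to_id:
            new_id = self._new_id()
            self._ssn_to_id[ssn] = new_id
            self._id_to_ssn[new_id] = ssn
        return self._ssn_to_id[ssn]

    def to_ssn(self, beneficiary_id: str) -> str:
        """Reverse lookup ("vice versa" in the GAO text) for legacy SSN-keyed systems."""
        return self._id_to_ssn[beneficiary_id]

    def translate_claim(self, claim: dict) -> dict:
        """Rewrite an incoming claim so it carries the identifier instead of the SSN."""
        out = dict(claim)
        out["beneficiary_id"] = self.to_id(out.pop("ssn"))
        return out


def demo() -> dict:
    """Run both options on a constructed (fake) SSN and claim; return the results."""
    crosswalk = Crosswalk()
    ssn = "987-65-4321"  # constructed sample, not a real number
    claim_in = {"ssn": ssn, "service": "office visit", "amount": 110.00}  # constructed
    claim_out = crosswalk.translate_claim(claim_in)
    return {
        "masked": mask_ssn(ssn),
        "beneficiary_id": claim_out["beneficiary_id"],
        "round_trip_ok": crosswalk.to_ssn(claim_out["beneficiary_id"]) == ssn,
        "ssn_left_in_claim": "ssn" in claim_out,
        "stable": crosswalk.to_id(ssn) == claim_out["beneficiary_id"],
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the two dictionaries would be a single access-controlled table with its own audit log, and the reverse lookup would be exposed only to the legacy systems that still need the SSN during the four-year transition the GAO describes.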

Is it an impossible dream that the common sense state and federal regulations already prohibiting SSNs from being used as patient identifiers will also apply to Medicare? It remains to be seen.


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.

Permanent link to this article: http://meritcd.com/blogs/a-new-medicare-patient-identifier-an-impossible-dream/

Sloppy Records Disposal Triggers $800K Fine and Corrective Action Plan

With all the talk about HIPAA over the past decade, most people in the U.S. now expect their confidential health care information and records (collectively, "PHI") to be just that: confidential. We expect our providers to assure its privacy and security. But this is not always the case. Consider this incident.

In September 2008, Parkview Health System, which serves northeast Indiana and northwest Ohio, took custody of approximately 5,000 to 8,000 patient records pertaining to a retiring physician's medical practice. Parkview was considering purchasing some of the physician's practice and was assisting her in transitioning her patients to new providers. By taking custody of the records, Parkview assumed responsibility for the private and secure handling of that PHI. However, on June 4, 2009, despite having custody of the records and knowing that the retiring physician was not at home at the time, Parkview employees left 71 cardboard boxes of medical records in the driveway of the physician's home, within 20 feet of the public road and a short distance from a heavily trafficked public shopping venue. This exposed the PHI to unauthorized access and constituted a HIPAA breach.[i]

The retiring physician reported the breach to the Department of Health and Human Services (HHS), resulting in an investigation by its Office for Civil Rights (OCR). Parkview cooperated with the investigation. The outcome was an $800,000 settlement payment and a corrective action plan requiring revision of Parkview's policies and procedures, staff training, and regular reports to OCR on compliance with the plan. The extended regulatory oversight and the related costs for auditors can be a greater sanction, and a greater intrusion into daily operations, than any check that has to be written.

HIPAA and HITECH make healthcare providers and other regulated healthcare entities responsible for the privacy and security of PHI from the time it is created until it is securely destroyed. This includes implementing and monitoring PHI policies and procedures, as well as training staff and monitoring their compliance. Failure to do so can subject providers and entities to sanctions and to regulatory oversight through corrective action plans. HIPAA regulations have been in effect since 2003. HITECH, enacted in 2009, heightened the sanctions for failing to protect PHI, including penalties of up to $1.5M per year for willful neglect, levied against covered entities that cannot demonstrate any reasonable effort toward HIPAA/HITECH compliance.

It is hard to believe that breaches such as this are still taking place. But OCR confirms that it is quite busy with similar investigations. It is restarting its random audit program in October 2014 to get the message across that HIPAA/HITECH compliance is mandatory. The message from HHS is that sanctions will increase when non-compliance is identified, as in the case cited above and those posted on its breach portal (the "Wall of Shame") at www.hhs.gov.


[i] See "$800,000 HIPAA Fine: Blatant Violations Continue to Occur," www.Medlaw.com, posted June 25, 2014.


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.


Permanent link to this article: http://meritcd.com/blogs/sloppy-records-disposal-triggers-800k-fine-and-corrective-action-plan/

Cyber Criminals’ Target of Choice: Healthcare

Data thieves are feasting at the healthcare information buffet. The healthcare industry needs to act quickly to manage this problem.

Last year, the healthcare industry experienced more data breaches than any other industry: 269 reported incidents with more than 8.8 million healthcare records compromised, or 43.8% of the breaches reported across the industries tracked, according to the Identity Theft Resource Center (ITRC). So far in 2014, ITRC finds healthcare trending even higher, at 45.8% of breaches industrywide. And these statistics cover only the breaches that have been reported.

The vulnerability of healthcare information is increasing. The FBI has warned healthcare providers that their data security lags behind other sectors; the warning asserts that healthcare is less resilient to cyber intrusions than the financial and retail sectors, so more intrusions are likely.

The results of risk analyses performed across the healthcare industry, including the results of the initial Office for Civil Rights (OCR) audit program, point to a lack of investment by healthcare in privacy and data security, a lack of attention to these issues at the executive level, and a tendency to spend only minimal resources implementing HIPAA/HITECH compliance plans. As the statistics above confirm, healthcare remains not only vulnerable but a preferred target for cyber criminals.

Why are cyber criminals focused on healthcare? Quite simply, that’s where the money is. The value of medical data is proving to be far more lucrative than other types of personal data. For example, a single person’s medical identity information can fetch hundreds of dollars compared to just a dollar or two or even less for a Social Security or credit card number, according to experts. Such medical identity information can provide access to prescriptions for drugs that can be re-sold, and can cover expensive medical treatment for the wrong party.

Healthcare data breaches are not only the work of shadowy hackers in foreign countries. In many cases they are the work of providers' own employees. Carelessness such as the loss of laptops and other devices holding unencrypted data, and unauthorized snooping into or copying of patient records, is costing providers millions of dollars in sanctions and corrective action settlement agreements, because they failed to invest in and implement verifiable privacy and security programs with meaningful, appropriate workforce training. Breach reports and complaints are patient- and consumer-driven and can be made directly to the Department of Health and Human Services (HHS) by any aggrieved individual. Breaches can also result from outright criminality, an employee acting alone to steal healthcare data for personal gain.

Also, as electronic health record systems (EHRs) become more prevalent and sophisticated, the risk of medical identity theft continues to grow. Providers are accountable for keeping their security efforts current with today's threats, identifying emerging problem areas and staying ahead of the many new ones. Further, HITECH has pulled Business Associates and their subcontractors into the HIPAA/HITECH regulatory realm.

Healthcare, as an industry, has a long way to go to match the financial and banking sectors, which have invested heavily in data privacy and security; those industries accounted for only 3.7% of data breaches and less than 1% of compromised records. Excuses are no longer tolerated by HHS: willful neglect (failure to demonstrate any effort at HIPAA/HITECH compliance) is being sanctioned at up to $1.5M per year on top of corrective action settlements, and random OCR audits begin again in October 2014. Now is the time to act.

For assistance with your HIPAA/HITECH compliance efforts, contact Patricia Wynne, Esq., CIPP at pwynne@meritcd.com or by phone at 610-225-0193.


© 2014 Merit Career Development. All rights reserved.

Permanent link to this article: http://meritcd.com/blogs/cyber-criminals-target-of-choice-healthcare/

$4.8 Million, Highest Fines Issued by HHS to Date

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients.[i] This is HHS's highest financial sanction issued to date as part of breach settlement agreements, confirming its commitment to enforcing HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI), including patient status, vital signs, medications, and laboratory results, of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require that such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint breach report to HHS dated September 27, 2010, resulting in an investigation by HHS's Office for Civil Rights (OCR).

OCR's investigation found that NYP and CU have a joint healthcare services arrangement in which CU faculty members work as attending physicians at NYP. To support these services, NYP and CU operate a shared data network, including firewalls administered by employees of both entities, with links to NYP patient information systems.

OCR determined that the breach occurred when a CU physician who developed applications for both entities attempted to deactivate a networked server containing NYP patient ePHI. Because of a lack of technical safeguards on the network, the deactivation attempt left NYP ePHI accessible to Internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or had software protections in place prior to the breach. OCR also found a lack of administrative safeguards: neither entity had conducted a risk analysis to identify all systems with access to NYP's ePHI, nor had a risk management plan in place to address potential hazards or threats to the security of that ePHI.

Finally, OCR found that NYP had failed to implement its own technical safeguards, including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and monitoring of compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, rather than merely completing rote training programs, and recognizes the impact that non-compliance by even one employee can have on the organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from the organization's own workforce. The safeguards must be regularly re-evaluated through risk analysis as part of a comprehensive risk management program.

Click here to learn how to mitigate these risks with an organization-wide risk analysis.


[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.

Permanent link to this article: http://meritcd.com/blogs/4-8-million-highest-fines-issued-by-hhs-to-date/

HIPAA Privacy and Security, Perfect Together

In this era of HIPAA enforcement, it is important to understand the fundamental role of the privacy regulations. Privacy outlines the big picture for compliance. Failing to understand and implement privacy's administrative, technical and physical safeguards can be a costly miscalculation.

Privacy regulations have been in effect since 2003 and are updated regularly on the Department of Health and Human Services’ (HHS) website.

These regulations set compliance requirements for protected health information (PHI) in all formats (oral, paper or electronic). The security regulations apply only to PHI in electronic format (ePHI), a subset of what privacy covers. Privacy encompasses the big picture for compliant access, use, and disclosure of all PHI, including ePHI. Investing the staff, resources and time necessary to meaningfully implement the privacy regulations is the entrée to compliance and a prudent business decision.

Prior to 2009, regulated organizations were primarily self-monitoring. Lacking outside accountability, they directed most of the staff and resources allocated to HIPAA compliance toward building and supporting electronic health record systems. Fewer resources went to the less concrete, yet more comprehensive, role of privacy. Responsibility for patients' and clients' rights, uses and disclosures of PHI, role-based access, business associates, and other privacy issues was dispersed across many departments. The result was insufficient compliance, lax oversight and a high occurrence of violations.

HITECH’s enactment in 2009 refocused HIPAA enforcement on the privacy regulations.

HITECH mandates the implementation of complaint and breach report procedures, requires accountability for the management of PHI, establishes higher sanctions for violations (including a new category for willful neglect), and initiated a random audit program, run by HHS's Office for Civil Rights (OCR), covering an expanded list of regulated organizations.

More federal and state regulatory agencies, including the FTC and state attorneys general, now coordinate with HHS's enforcement actions. Their websites regularly post the results of enforcement actions as notice and guidance for regulated organizations. Most violations settle with corrective action plans (CAPs); some include fines running into millions of dollars.

Many CAPs require hiring auditors to monitor and report to HHS on CAP compliance over a period of years, particularly on revised policies and procedures and workforce training programs (basic privacy administrative safeguards). As the following three cases from HHS's website confirm, HHS is serious about privacy compliance.

Cignet Health failed to respond to requests from 41 patients for access to their medical records, a right guaranteed by the privacy regulations. These patients filed complaints directly with HHS. OCR investigated and demanded release of the records. Cignet failed to cooperate or engage in any reasonable resolution. OCR then subpoenaed the records; Cignet did not comply, and the subpoena had to be enforced by the District Court. OCR's Final Determination mandated release of the records, levied a $1.3M penalty for the violation of patients' privacy rights and an additional $3M penalty for willful neglect of the privacy regulations and failure to cooperate with OCR. It took a $4.3M fine for Cignet to implement the privacy regulations.

CVS Caremark (CVS) incurred a $2.25M fine for disposing of PHI on labels of medication vials and old prescriptions with its regular trash. Privacy regulations confirm that CVS is responsible for its PHI from creation until its secure destruction. Unsecured trash containers are an all too common source of confidential information for identity thieves today. This issue was the focus of a local news investigation which reported on CVS’s trash disposal practices. The FTC coordinated with OCR’s investigation to address consumer protection issues. CVS agreed to a CAP which included a $2.25M fine and required it to implement policies and procedures for secure disposal of PHI as well as accountability procedures for staff violations, and workforce retraining programs throughout the corporation. CVS was also required to retain an independent auditor to report back to HHS on its CAP compliance for a three-year period. Further, CVS was subject to FTC monitoring for 20 years.

Affinity Health Plan paid a $1.2M fine for failing to erase PHI from photocopier hard drives before returning the photocopiers to its leasing agents. CBS News uncovered the breach as part of an investigative report in which it purchased a photocopier previously leased by Affinity and analyzed its hard drive. It contained the PHI of over 300,000 of Affinity’s patients, the type of PHI protected directly by the privacy regulations. Affinity self-reported the breach to HHS, notified its clients, and agreed to a CAP requiring revision of policies and procedures and workforce training programs, completing regular internal risk analyses to identify threats and vulnerabilities to its PHI, and implementing a plan including technical safeguards to purge and dispose of PHI in all formats in a private and secure manner. The CAP also required Affinity to use its best efforts to retrieve all hard drives returned previously to leasing agents.

These are costly consequences of regulated organizations’ failure to build privacy regulations into their compliance plans. Patients and the public are aware and looking for violations. OCR audits are scheduled to start up again in October 2014, but violations can generate an OCR contact at any time. Privacy regulations, at a minimum, require organizations to remain on top of the flow of all PHI, including ePHI, under their control from the time of its creation, throughout its lifespan, to its secure destruction. Don’t miss the big compliance picture through a myopic focus on ePHI.


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.

Permanent link to this article: http://meritcd.com/blogs/hipaa-privacy-and-security-perfect-together/

Risk Analysis: Prepare Now or Pay Later

Managing risk to confidential patient health information (PHI) is not only a critical component of healthcare today; it is also a mandate of the HIPAA Omnibus Rule (HIPAA).

HIPAA mandates that organizations conduct a regular risk analysis to identify and mitigate risks to patient records and the PHI they manage in their electronic health records systems (EHRs). Failure to secure PHI and mitigate the threats and vulnerabilities identified in a risk analysis can result in investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies. These agencies have authority to impose millions of dollars in penalties and fines as well as extended regulatory oversight, and can do so simultaneously for the same offense.

The Situation

According to the HIPAA Omnibus Rule [1], failing to protect patient records and prevent disclosure of PHI can damage patients’ financial status, job prospects, and reputation, far exceeding the impact of their medical conditions.

The HIPAA Omnibus Rule requires Covered Entities and Business Associates to conduct regular risk analyses [2] to identify and address threats and vulnerabilities to the confidentiality, integrity and availability of patient records and the PHI they manage and maintain in electronic health information systems.

Millions of dollars in penalties and fines as well as extended regulatory oversight can result from these failures, levied after investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies.

Nearly 30 million patient records have been reported to HHS as compromised in breaches since 2009, according to surveys conducted by healthcare IT security consultants as recently as February 2014 [3]. The report states that “(i)n 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.” These statistics do not include breaches that have not been reported to HHS.

Furthermore, HIPAA requires notification of HHS and the patients whose PHI has been breached. Such notification can negatively impact patients’ confidence in as well as the reputation of the service provider. The flip side is that patients build trust in and strengthen their loyalty for their healthcare providers when their PHI is securely managed. A reputation for private and secure management of health information can also serve as a marketing tool for the provider.

In the early roll-out of HIPAA, HHS’ history of lax oversight and few consequences for non-compliance resulted in minimal implementation of the privacy and security standards. Covered Entities lacked comprehensive compliance planning, spreading responsibility for workforce training and accountability programs over multiple departments and taking the position that electronic health records systems (EHRs) successfully producing electronic records and bills was sufficient to demonstrate HIPAA and HITECH compliance.

Meanwhile, reports of patient complaints and breaches poured into HHS by the millions. Eighty-three percent of all large HIPAA privacy and security breaches are the result of theft, according to surveys from HHS sources reported by Healthcare IT News. More specifically, the surveys report that approximately 22% of breaches since 2009 were due to unauthorized access to PHI, 35% were attributed to theft or loss of unencrypted devices containing PHI, and 6% were due to hacking [4].

The results of HITECH’s pilot audit program demonstrated that covered entities lacked an understanding of the actual privacy and security standards, as well as grounding in the specific implementation requirements those standards impose on the internal systems, operations and resources necessary to meet HIPAA compliance requirements.

The HIPAA Omnibus Rule amendments confirm that anything short of a comprehensive, documented and implemented risk management process will not meet HIPAA compliance requirements today. It also requires that the risk management program incorporate the results of a comprehensive complaint and breach investigation procedure focused on identifying and addressing workforce errors and patient complaints within the organization. Finally, the HIPAA Omnibus Rule extends these compliance requirements to Business Associates performing services or functions for or on behalf of covered entities.

The Solution

Risk management begins with an organization-wide risk analysis, i.e., an accurate and thorough assessment and mapping of the actual use and disclosure procedures in place for PHI in all formats throughout the whole organization. This includes satellite and multi-state offices, subsidiaries, patient portals, remote access to its PHI/ePHI, and PHI/ePHI disclosed to its Business Associates.

A key component of the assessment involves identifying and planning for mitigation of reasonably anticipated human, natural and environmental threats and vulnerabilities to the organization’s internal and external processes and systems. To be most effective, a risk analysis should be conducted regularly and at key intervals when changes, upgrades and/or mergers take place. The findings from the risk analysis should be incorporated into a documented, comprehensive and regularly updated risk management strategy for the organization. This documentation is what the OCR will likely request during investigations or audits to evaluate the organization’s compliance efforts.

The next round of OCR audits is scheduled to begin in October 2014. Covered Entities’ and Business Associates’ compliance with the HIPAA security standard’s risk analysis and risk management requirements is in the OCR’s crosshairs. Failure to take affirmative steps towards compliance before the OCR comes a’knocking can add sanctions for willful neglect to corrective action plans and/or settlement agreements.

Whether the OCR is knocking on your door or not, the private and secure management of the Covered Entity’s or Business Associate’s health information is a critical aspect of quality healthcare services today. Leaders in the industry hold this as a core value for their organizations, making compliance with the HIPAA Omnibus Rule just par for the course. The availability of secure and reliable healthcare information and data to support quality treatment and services requires the practice of good IT governance and due diligence [5].



[1] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defined privacy and security standards for management of protected health information (PHI) in all formats, including oral, paper and electronic (ePHI). HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which incorporated provisions of the Genetic Information Non-discrimination Act of 2008 (GINA). HITECH, among other provisions, addressed gaps in HIPAA, expanded the categories of Business Associates and pulled Business Associates into the regulatory authority of the Department of Health and Human Services (HHS) and other federal and state agencies, and increased sanctions for non-compliance with HIPAA, introducing a new punitive sanction for willful neglect. HITECH focuses on ePHI only and provides incentive payments for meaningful use of electronic health records systems (EHRs). HITECH’s ultimate goal is to develop a national network of health information and data which will drive efficiencies and improve the administration of healthcare in the US. The final HIPAA Omnibus Rule of 2013 (HIPAA Omnibus Rule) is HHS’ final rulemaking focused on strengthening the privacy and security provisions for PHI originally defined by HIPAA.

[2] See 45 CFR subsections 164.530(c) [Privacy Standard] and 164.308(a)(1)(ii)(A) [Security Standard].

[3] See Redspin Report on the “State of Healthcare IT Security” (February 5, 2014) at www.redspin.com/redspin-reports-state-healthcare-security-130000284.html.

[4] See “HIPAA Data Breaches Climb 138%” at Healthcare IT News (February 6, 2014), www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent

[5] See “In Defense of HIPAA: How Compliance Drives Innovation” at algonquinstudios (April 1, 2014), http://blog.algonquinstudios.com/2014/04/01/in-defense-of-hipaa-how-compliance-drives-innovation/



Permanent link to this article: http://meritcd.com/blogs/risk-analysis-prepare-now-or-pay-later/
