Friday, November 17, 2017

Preventing Harassment Depends On Your Organizational Culture


Individual behaviors do not present as much of a risk factor for harassment as does the organization's culture

Sarah was surprised when Mike came into her office to file a harassment complaint. Everyone within the organization had completed Harassment Training just the previous week, yet here was Mike sitting in Sarah's office, complaining that he was being bullied by multiple staff members. Sarah knew that this conduct is covered in the organization's Harassment Training, so why was it happening? This situation has the potential of getting messy and dragging on for quite some time.

Harassment is a decision made by an individual when his or her work environment allows for it.

Yes, the above statement is a hard fact to face. When an individual decides to act in an inappropriate manner, that decision is shaped by various factors:
  • What is the character of the individual in question?
  • Does he or she have a history of inappropriate actions or words without having been held accountable for them?
  • Did the individual's supervisor report any suspicious activity, words, or mannerisms?
  • Is there motivation behind the individual's actions or words?
None of the above questions points solely to the individual; they point to the organization and the culture that lives within it. Harassment thrives in organizations that lack respect, a healthy culture, and accountability.

Victoria Lipnic of the Equal Employment Opportunity Commission (EEOC) stated the following:
"Too much of the effort and training to prevent workplace harassment over the last 30 years has been ineffective and focused on simply avoiding legal liability. In simplest terms, training must change. That does not mean we are suggesting that training be thrown out - far from it - but training needs to be part of a holistic, committed effort to combat harassment, focused on the specific culture and needs of a particular workplace. Above all, employees must have faith in the system." (1)

Simply having a reactive system in place that responds to harassment claims is not enough. Out of fear of retribution, employees may not report harassment when it occurs. It is becoming vital for organizations to reduce the opportunity for harassment so significantly that it is nearly non-existent within the organization. This type of harassment-free environment is created by the culture that exists within the organization. Here are some suggestions to help create a harassment-free culture:
  • Hire not just for skills and knowledge. The character of the individual must be a top priority when considering who to bring into the organization.
  • When an individual does act inappropriately, they must be held accountable. A slap on the wrist or a simple "tongue lashing" will not deter the individual or others from inappropriate actions in the future.
  • Effective supervisor training is a critical component. Supervisors must receive training that enables them to recognize unusual behaviors, words, or mannerisms. When something odd occurs, it should be documented and monitored.
  • Create an environment of positive thinking, mutual respect, and support for fellow co-workers.
  • Ensure that your harassment policies are equal for everyone within your organization. One classification of worker should not have an advantage over another or receive special treatment.
  • Be sure everyone within the organization (at all levels) receives harassment training and this training is acknowledged through documentation. As part of your harassment training, ensure that all members of the organization understand what is considered harassment.
  • False harassment accusations should not be tolerated. A growing number of employees have been falsely accusing their co-worker of harassment in order to gain a competitive advantage over that co-worker.
Creating a "harassment free" culture within your organization will never completely eliminate harassment from occurring. However, it will greatly reduce the opportunity for it to occur.

Don't put your organization at risk by having a reactive approach to harassment. Take measures to be more proactive in your approach. Your employees will be grateful for the safer work environment that will be created and it will reduce the liability risk to the organization.

Individuals will be who they are. Try to ensure that you have the best people within your organization who, through their character, actions, and words, are representatives of an organizational culture that you can be proud of!




Tuesday, October 31, 2017

Importance of Written Time Off Policies

Managing time off requests effectively will help reduce your liability

There are certain times of the year, summer and the holidays, when a significant number of employees request time off from work. While it would be nice to accommodate every request, work still needs to get done. Beyond reduced productivity, there is another factor in time off requests that increases liability, reduces morale, and sours the great culture that has been building within the organization: unfair time off practices.

Reduce Liability
All time off requests should be handled by following a written policy and procedure. Time off policies should be the same for every employee of the same type (part-time or full-time). Be sure that the written time off policies do not discriminate on the basis of gender, race, religion, or any other factor.

Keep Morale High
If the written policies and procedures are followed without deviation, there should be no appearance of favoritism. It is the appearance or perception of favoritism that has a destructive influence on the morale of other employees.

Culture is Still Great
Any type of special allowance of time off can have a souring effect on the culture of an organization. Remember, everyone would like to have a special day off and get paid for it. If it is not written in the policies and procedures, don't do it. If someone really needs a day off and it falls outside the written policies, the day off can be granted, but as an unpaid day off. An unpaid day off does not have the same souring effect on the culture that a paid day off would have.

Reduce liability, keep the morale high, and maintain a great culture by having fair and written time off policies and procedures that are strictly followed.




Wednesday, October 18, 2017

OSHA's New Fact Sheet on Preventing Zika Virus Exposure in Healthcare Workers

OSHA has released a new fact sheet on preventing Zika virus exposure in biomedical laboratory and other healthcare workers.
The Zika virus was found in the Americas and the Caribbean in 2015. Symptoms include fever, rash and joint pain. The virus, which can spread from a pregnant woman to her fetus, has been linked to a serious birth defect of the brain known as microcephaly.

Zika virus is primarily spread through the bites of infected mosquitoes. There is no vaccine to prevent Zika virus infection, and there is no specific treatment for people who become infected. Although Zika virus is primarily spread by infected mosquitoes, exposure to an infected person’s blood or other body fluids may also result in transmission. 
Outdoor workers may be at the greatest risk of exposure to Zika virus. Some workers, including those applying insecticides for mosquito control in areas of active Zika transmission and healthcare workers who may be exposed to contaminated blood or other potentially infectious materials (OPIM) from people infected with Zika virus, may require additional protection.
Although, to date, there are no confirmed reports of transmission of Zika virus from infected patients to health care personnel or other patients in the United States, minimizing exposure to body fluids is important to reduce the possibility of such transmission. The CDC has previously recommended Standard Precautions in all health care settings to protect both health care personnel and patients from infection with Zika virus as well as from blood-borne pathogens (e.g., human immunodeficiency virus [HIV] and hepatitis C virus [HCV]).


The new OSHA fact sheet on the Zika virus details how laboratory exposures occur, often through body fluids, and how to prevent them. Labs should undergo risk assessments, OSHA advises, and the fact sheet details the standards, recommendations, and biosafety practices to follow.
OSHA also looks at the worker training required under its Bloodborne Pathogens (BBP) Standard (1910.1030), and at what employers should do in the case of an exposure or if a worker shows signs or symptoms of the virus.
Guidance to Healthcare and Laboratory Workers
  • Employers and workers in healthcare settings and laboratories should follow standard infection control and biosafety practices (including universal precautions) as appropriate, to prevent or minimize the risk of Zika virus transmission.
  • Standard precautions include, but are not limited to, hand hygiene and the use of Personal Protective Equipment (PPE) to avoid direct contact with blood and other potentially infectious materials, including laboratory specimens/samples. PPE may include gloves, gowns, masks, and eye protection.
  • Hand hygiene consists of washing with soap and water or using alcohol-based hand rubs containing at least 60 percent alcohol. Soap and water are best for hands that are visibly soiled. Perform hand hygiene before and after any contact with a patient, after any contact with potentially infectious material, and before putting on and upon removing PPE, including gloves.
  • Laboratories should ensure that their facilities and practices meet the appropriate Biosafety Level (BSL) for the type of work being conducted (including the specific biologic agents, in this case Zika virus) in the laboratory.
  • Employers should ensure that workers follow workplace standard operating procedures (e.g., workplace exposure control plans) and use the engineering controls and work practices available in the workplace to prevent exposure to blood or other potentially infectious materials.
  • Employers should ensure workers do NOT bend, recap, or remove contaminated needles or other contaminated sharps. These items must be properly disposed of in closable, puncture-resistant, leak-proof, and labeled or color-coded containers. Workers should use sharps with engineered sharps injury protection (SESIP) to avoid sharps-related injuries.
The fact sheet notes that the Zika virus is “a nationally notifiable condition” and labs should consult the Centers for Disease Control and Prevention for reporting guidelines.
If an employee becomes infected, the CDC recommends that infected individuals rest, drink fluids, and take acetaminophen for fever and pain reduction. Infected persons should avoid further mosquito bites by covering skin and using an insect repellent containing DEET.

Employers should ensure that workers receive prompt and appropriate medical care for suspected Zika infection. If the exposure falls under OSHA's BBP standard, employers must comply with OSHA medical evaluation and follow-up requirements. Employers should also consider options for granting sick leave during the active period of infection.

Sources: www.hcsiinc.com, www.osha.gov, www.cdc.gov, www.safetyandhealthmagazine.com
Healthcare Compliance Solutions Inc.


Friday, September 29, 2017

Time To Remind Staff About Holiday Decoration Safety Rules

Workplace Holiday Season Safety
Halloween, Thanksgiving, Christmas, Hanukkah, Kwanzaa, New Year's and other holidays inspire staff members to set up decorations. These initiatives are usually well intentioned, meant to bring a touch of cheer or team festivity to a sometimes sterile healthcare office environment, but you will bear the blame if any decorations result in fire or occupational safety hazards.

Decorating the workplace can create dangerous tripping hazards and lead to falls. Avoid placing trees, gifts, Halloween decor (particularly flammable items such as cobwebs, streamers, and banners) or other freestanding decorations in busy areas where people might run into them or trip over them. Always use a proper step stool or ladder to reach high places safely, never chairs or other unstable furniture. Before using a ladder, read and follow the manufacturer's instructions and do not exceed recommended usage limits. Trips over cords or decorations, slips, and falls are workers' compensation claims waiting to happen.

It's also essential to make sure that your holiday decor does not block exits, cover exit signage, or block access to fire safety equipment. Do not place any type of decorative item in exit corridors, and do not hang decorations from or over fire sprinklers.

General Holiday Safety Tips

Holiday Decorations
Holiday decorations should create higher morale at the workplace, not hazards and potential for accidents and injuries, so take proper precautions. Choose artificial greenery made of fire retardant materials for office decorating. All decorations (including trees, wreaths, curtains/drapes, hangings, etc.) should be either noncombustible (not all artificial trees are), inherently flame retardant (the label will say so), or have been treated with a flame retardant solution.

Trees

  • Consider an artificial tree, which poses less risk than a live one.
  • Make sure a live tree has water at all times so it does not dry out and become a fire hazard.
  • Live trees can be safer when sprayed with flame retardant.
  • Live trees should be in a location that does not interfere with foot traffic. Do not allow blockage of your escape route--doorways, exits, or pathways.
  • Live trees do not belong near heat sources (vents, flames, space heaters, etc.) where they can dry out.
  • Keep in mind trees can be top heavy, so use a sturdy stand. Consider safely using support from thin guy wires attached to walls or ceilings, to keep them from falling over and injuring someone.

Electric Lights

  • Before plugging in electrical decorations, carefully check each set of lights, new or old, for broken or cracked sockets, frayed, loose or bare wires, or loose connections. Damaged sets may cause a serious electric shock or start a fire; if damaged, discard - do not attempt to repair. Always unplug a light string or electrical decoration before replacing light bulbs or fuses.
  • Don't overload extension cords, which could overheat and start a fire. Extension cords have different ratings so be sure to check before plugging in multiple light string sets.
  • Never tack or staple an extension cord to the wall or woodwork--it could damage the cord and create a fire hazard. Make sure cords do not dangle from counters and table tops where they can be pulled or tripped over.
  • If an extension cord is used in a busy area or crosses a walkway, secure with duct tape or cover with mats or carpet.
  • Consider using miniature lights with cool-burning bulbs. Use only lights that have been tested for safety, identified by a label from an independent testing laboratory, such as Underwriters Laboratory (UL). Use indoor lights only indoors and outside lights outdoors.
  • Fasten outdoor lights securely to trees, building, walls or other firm support to protect from wind damage. Don't mount or support light strings in any way that might damage the cord's wire insulation.
  • Never use electric lights on a metallic tree. The tree can become charged with electricity from faulty lights, and any person touching a branch could be electrocuted. To avoid this danger, use colored spotlights above or beside a tree, never fastened onto it.
  • Turn off all lights on trees and other decorations when you leave the workplace. Lights could short and start a fire.

Trimmings/Other Decorations

  • Use only non-combustible or flame-resistant materials. Choose tinsel, artificial icicles, plastic or non-leaded metals.
  • Wear gloves while decorating with spun glass "angel hair," which can irritate eyes and skin. A common substitute is non-flammable cotton. Both angel hair and cotton snow are flame retardant when used alone. However, if artificial snow is sprayed onto them, the dried combination will burn rapidly.
  • When spraying artificial snow on windows or other surfaces, be sure to follow directions carefully. These sprays can irritate your lungs if you inhale them.
  • Never place trimmings near open flames or electrical connections.

Candles

  • Candles contribute to 10,000 fires per year. They are generally not safe to use in the workplace.
  • Never use candles to decorate trees; keep away from flammable materials, such as boughs or wreaths, other decorations or wrapping paper, and curtains/drapes.
  • Never leave lit candles unattended, and extinguish before leaving the workplace.

Parties

  • Preparation for holiday parties: Decorate only with flame-retardant or noncombustible materials. If guests will be smoking, provide them with ashtrays and check them frequently. After the party, check around furniture and in trashcans for cigarette butts that may be smoldering.
  • Holiday food preparation: Thoroughly cook and serve foods at proper temperatures. Refrigerate cooked leftovers within 2 hours at 40 degrees Fahrenheit (F) or below. More information can be found at http://www.foodsafety.gov/.
To summarize, following the list below should help keep you on the plus side of OSHA and your local fire authority, and provide your staff a safe work environment during the holidays.

  • NO decorative electrical lights of any kind in the patient vicinity (i.e., any room where a patient receives care).
  • NO decorations that create a trip hazard (e.g., electrical cords or extension cords across halls or walkways).
  • NO natural cut or once-live evergreen trees or garlands.
  • NO artificial Christmas trees unless labeled or otherwise identified or certified as "flame retardant" or "flame resistant."
  • NO decorations that obstruct exits.
  • NO combustible decorations. All decorations must be flame retardant and labeled as such. These decorations should always be kept away from ignition sources (e.g., light fixtures, electrical receptacles, etc.).
  • NO decorations that are explosive or highly flammable (e.g., decorative crepe paper or pyroxylin plastic decorations).
  • NO decorations that impair the visibility of an exit sign or portable fire extinguisher.
  • NO decorations that impair the proper operation of the fire sprinkler system. Do not attach anything to sprinkler heads.
  • NO decorations attached to painted surfaces with tape or staples. Hanging decorations from a ceiling grid is preferable.
  • NO wall decorations in excess of 10% of the wall surface area.
Also consider declaring a date on which all holiday decorations must be taken down, which can help to eliminate any lingering compliance problems. Many facilities set the date of January 3 to conclude all holiday decorating activities.


Be safe and enjoy the holiday season from HCSI!

Source(s): www.hcsiinc.com, http://www.foodsafety.gov, http://www.statefundca.com, http://www.nsc.org



Tuesday, September 12, 2017

Discussing Pay at the Office

Many employers restrict their employees from conversations about pay at the office, but is this legal?

It is a common practice in many companies for the employee policy manual to contain some verbiage about not discussing compensation and pay with other employees. Employees readily agree to this policy, and so the company achieves its goal of keeping the oftentimes illegal practice of pay secrecy in place.

Is Pay Secrecy Illegal?

In 1935, Congress passed a law entitled the National Labor Relations Act, or the "Wagner Act". Under this act, private-sector employees have the right to engage in "concerted activities for the purpose of collective bargaining or other mutual aid or protection." For this reason, restricting private-sector employees from discussing their compensation with one another is illegal. There is a limit, however, as to who can discuss pay with other employees. Supervisors, for example, are not considered "employees" under the act and therefore can be prohibited from discussing pay. In addition, employees who have access to a company's payroll can also be prohibited from sharing other employees' private salary information.

Why is the Wagner Act in Place?

The purpose of the Wagner Act was to protect employees against unfair pay practices. Giving employees the freedom to discuss their compensation does a lot to help avoid unfair pay practices and puts pressure on a company to ensure that pay-for-value (pay based on experience, education, skills, and the assigned responsibilities of the job) is in place. If an organization has a pay-for-value system in place, it need not fear employees discussing their compensation with each other. It is when a company has something to hide in its pay practices that problems arise when pay is discussed.

Employers Who Violate This Law

Employers who violate this law could face repercussions ranging from a wrongful termination lawsuit to the possible loss of federal contracts.

If an employee has been wrongfully fired for discussing pay, he or she may contact the National Labor Relations Board (NLRB) and file a complaint. The NLRB may then begin an investigation into the former employer.

In most cases, pay secrecy is against the law. Employers should have a pay-for-value system in place and avoid any possible penalties for violating the Wagner Act.


Friday, September 8, 2017

Navigating The Storm: HIPAA Compliance and Preparing For Natural Disasters

NAVIGATING THE STORM: HIPAA COMPLIANCE AND PREPARING FOR IRMA
As Hurricane Irma approaches, hospitals, medical professionals and emergency medical personnel in the path of the storm are actively preparing for its arrival. Making sure that health information is available before, during and after the storm is a critical part of that preparation. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) wants to make sure medical professionals and emergency personnel understand when the HIPAA regulations apply to them and, when those regulations apply, how they can share individually identifiable (protected) health information (PHI) during emergency situations. The Privacy Rule is carefully designed to protect the privacy of health information while allowing important health care communications to occur. The HIPAA Security Rule's requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.
Planning
OCR makes available on its website an interactive decision tool designed to assist emergency preparedness and recovery planners in determining how to gain access to and use PHI consistent with the HIPAA Privacy Rule. The tool guides the user through a series of questions to find out how the Privacy Rule would apply in specific situations. By helping users focus on key Privacy Rule issues, the tool helps them appropriately obtain health information for their public safety activities. The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels. It is available on the OCR website as the Disclosures for Emergency Preparedness Decision Tool.
Covered entities and business associates should also look to the recent guidance issued during Hurricane Harvey for more information on how the HIPAA Privacy Rule permits sharing of PHI in circumstances that arise during natural disasters: https://www.hhs.gov/sites/default/files/hurricane-harvey-hipaa-bulletin.pdf
Security
The HIPAA Security Rule is not suspended during natural disasters or emergencies. It specifically requires covered entities and business associates to implement strategies to protect ePHI during an emergency and to assure that ePHI can be accessed during and after an emergency: https://www.hhs.gov/hipaa/for-professionals/faq/2005/is-the-security-rule-under-hipaa-suspended-during-a-public-health-emergency/index.html

In particular, covered entities and business associates must have contingency plans that include or address the following elements:

1) Data backup plan (required);
2) Disaster recovery plan (required);
3) Emergency mode operation plan (required);
4) Testing and revision procedures (addressable); and
5) Application and data criticality analysis (addressable).

For further information, please see:

Please also view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.

Tuesday, August 29, 2017

Where Is Your PHI Data Traveling Today?

Understanding "The Cloud" and its regulatory relationship with HIPAA and PHI.

With most vendors offering and pushing cloud computing solutions and offsite data backup, or guaranteeing offsite backup of data they process for you, many HIPAA covered entities (CEs) and business associates (BAs) are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). 

"Cloud" computing means that instead of all the computer hardware and software you're using sitting on your desktop, or somewhere inside your company's network, it is provided for you as a service by another company and accessed over the Internet, usually in a completely seamless way. Exactly where the hardware and software are located and how it all works doesn't matter to you, the user; it's just somewhere up in the nebulous "cloud" that the Internet represents.

The business decision to "move to the cloud" is often financially motivated. Companies used to have to buy their own hardware equipment, the value of which depreciated over time. But now with the cloud, companies only have to pay for what they use. This model makes it easy to quickly scale use up or down and to have data backed up for you as part of that provided service.

The rise of offshore IT services, including distributed storage, among cloud data providers creates issues that most healthcare providers have not yet realized. Even where the issues are recognized, many covered entities and their business associates do not know where their data is currently being processed, stored, or backed up. In fact, storage or processing of protected health information (PHI) overseas may not be permitted, or may at least require additional resources, such as additional or more detailed risk assessments.

There are currently no federal regulations or statutes that prevent storing or processing PHI offshore or overseas; however, the Centers for Medicare and Medicaid Services (CMS), the U.S. Department of Health and Human Services (HHS), and the U.S. Office of Civil Rights (OCR) within the HHS, have all issued regulations or provided guidance that restrict storing or processing PHI offshore. In addition, there are four states that ban any Medicaid data from being stored or processed overseas (Arizona, Alaska, Ohio and Wisconsin), two more that only allow offshore contracts under extremely limited circumstances, and nine more that have specific requirements that must be met before any offshore processing or storage of Medicaid data is allowed. 

Even if a healthcare provider is not located in one of the above states, if the provider has treated a patient of those states, state regulators may argue that the healthcare provider must comply with their laws, regulations, and guidance, as applied to the resident of their state. Even more concerning is that even though Delaware does not have any laws or statutes banning offshore processing or data storage, Delaware recently started adding provisions to all of their contracts (similar to Wisconsin) that the State (Delaware) will not permit project work to be done offshore. There may be additional states adding these prohibitions to their contracts in the future.
If the extra regulatory burden and potential state law bans were not enough by themselves, any PHI stored offshore will likely be subject to the local law of the country in which it is stored. These local laws may allow for actions, or even access to the data, that directly conflict with the requirements placed on healthcare providers under HIPAA/HITECH, even if the vendor signed a Business Associate Agreement (BAA). Because of the difficulty of enforcing HIPAA and HITECH, or even a BAA, against an overseas vendor, HHS has essentially stated that it is the duty of the healthcare provider or vendor to decide how to vet data services vendors and to meet the additional requirements expected when conducting a risk assessment on overseas providers.
At this point, most healthcare providers question whether any offshore or offsite data storage or processing is worth the potential cost savings, and whether OCR has any further guidance. In the fall of 2016, OCR issued guidance explaining how federal health information privacy and data security rules apply to cloud services. In summary, this guidance helped data service companies at the expense of covered entities, by placing the burden primarily on the covered entities, specifically hospitals, insurers, doctors, and other healthcare providers.

In looking at data service vendors, OCR decided that data service subcontractors of the covered entities' business associates are themselves business associates of those business associates. According to OCR, covered entities must assess the cloud services providers' or offshore providers' data security efforts, but HIPAA does not require cloud services providers to allow covered entities to audit them. As such, covered entities are required to determine how well a cloud services provider handles system reliability, data security, and data backup and recovery, without the ability to perform an audit. While this is problematic when dealing with domestic cloud service providers, it creates additional issues when dealing with overseas cloud service providers.
While OCR allows the use of overseas providers, as of right now the rules of HIPAA and HITECH fail to address any international aspects, leaving no requirements but also no protections for covered entities. If you select a domestic provider, the laws and regulations regarding PHI apply to both parties, but if an overseas provider is selected, HIPAA and HITECH will not apply to that provider unless it has contractually agreed to comply with those laws and regulations. If there is a breach and the overseas provider refuses to defend against or pay any fines or fees levied in relation to the breach, the covered entity may be liable for paying them. It is also important to note that while an international provider may agree to sign a BAA, many international providers do not understand the requirements of HIPAA and HITECH, whereas most domestic providers have a greater understanding.
Even if you know where the company with whom you are contracting is located, do you know where they send the backup data? Do they send data for processing or backup to other agents, subcontractors, vendors, or other data providers overseas? You may not realize your data is regularly taking international trips, and may be better traveled than you are. In addition, if a relationship is terminated with an international provider, how will you ensure that the data is wiped from the system? Healthcare providers generally must require a certificate of destruction when terminating data services, and will you be able to comply with this provision with an offshore provider?
In contracting with cloud service providers, including backup providers, e-mail providers, and other processing entities, covered entities and their business associates must determine where their data is located, and if it is offshore, they must analyze if any of the information is prohibited from being exported by any state or local regulations. If not, next it must be determined if there is an extra compliance burden associated with the data being offshore, and if that extra compliance burden and the associated risk of being offshore are worth any cost savings by using the offshore provider. If an entity knows that some of its data may be banned from being exported overseas, or would raise too much risk or compliance burden, then language banning such exports should be placed in the agreements, including any BAAs. 
 HCSI

Used with permission from: Craig A. Phillips council member of Dickinson Wright

Friday, August 25, 2017

Preparing Your Practice For Emergencies and Disasters: The Risk Assessment

A crucial step in preparing your practice for an emergency or disaster is a Risk Assessment.
A risk assessment is the process of identifying potential hazards and analyzing what could happen if a hazard occurs. A business impact analysis (BIA) is the process of determining the potential impacts of an interruption to time-sensitive or critical business processes.

As an employer, make sure your workplace has a building evacuation plan that is practiced regularly. The preparedness program as a whole is built on a foundation of management leadership, commitment, and financial support. Without management commitment and funding, it will be difficult to build the program, maintain its resources, and keep it up to date.
Implementation
Write a preparedness plan addressing:
  • Resource management
  • Emergency response
  • Crisis communications
  • Business continuity
  • Information technology
  • Records management
  • Employee assistance
  • Incident management
  • Training
Find more information on Implementation here.
Testing And Exercises
  • Test and evaluate your plan
  • Define different types of exercises
  • Learn how to conduct exercises
  • Use exercise results to evaluate the effectiveness of the plan
Find more information on Testing and Exercises here.
Program Improvement
  • Identify when the preparedness program needs to be reviewed
  • Discover methods to evaluate the preparedness program
  • Utilize the review to make necessary changes and plan improvements
Find more information on Program Improvement here.
Visit the Department of Homeland Security's Ready Business site (ready.gov) for more information.
  • Take a critical look at your heating, ventilation and air conditioning system to determine if it is secure or if it could feasibly be upgraded to better filter potential contaminants, and be sure you know how to turn it off if you need to.
  • Think about what to do if your employees can't go home.
  • Make sure you have appropriate supplies on hand.
  • Read more at Build a Kit and Staying Put.
There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on the timing, magnitude, and location of the event. Consider hurricanes as an example: a hurricane forecast to make landfall near your practice could change direction and go out to sea, or it could intensify into a major hurricane and make landfall.

There are many “assets” at risk from hazards. First and foremost, injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place. Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and patient records. The potential for environmental impact should also be considered. Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause patients to lose confidence in your organization and its services or protection of vital records.
As you conduct the risk assessment, look for vulnerabilities—weaknesses—that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
The impacts from hazards can be reduced by investing in mitigation. If there is a potential for significant impacts, then creating a mitigation strategy should be a high priority.
[Figure: Risk Assessment process diagram]
Use the FEMA Risk Assessment Tool to complete your risk assessment. Instructions are provided on the form.

Please also request the supplementary HCSI HIPAA Security Risk Analysis health checkup checklist to accompany your office risk assessment, either by clicking here (HCSI Support - Risk Analysis) or by entering your email address at the top right of the blog.
 HCSI
Source(s): http://www.hcsiinc.com, https://www.ready.gov/, http://www.fema.gov/
