Thursday, October 29, 2015

Healthcare Pornography?

What is Healthcare Pornography?
We are all human, and as such, are naturally curious. Much like the Porn industry, there is a growing problem caused by the unbridled curiosities of workers within the Healthcare Industry.
Workers are being fired, reputations are being tarnished, and medical practices throughout the United States are being fined. All because curiosity got the best of one or two people.
Fortunately, there are ways to safeguard against this cancerous disease that is plaguing healthcare professionals everywhere. The first step is to understand what record snooping is.

What is Record Snooping?
Record snooping is unauthorized access to a patient’s information. This type of privacy invasion happens when an employee accesses a patient’s health information without cause, simply to satisfy their own or somebody else’s desire to know that patient's protected health information (PHI).
As you know, protecting the privacy of patient records is a top priority for a health care provider, and that means both internally and externally.

Who is Affected by Record Snooping?
Record snooping is an intrusive act that has been done by healthcare workers for a long time. However, with the HIPAA Privacy rules, there are now serious repercussions for the healthcare worker and the office they work for.
The results of record snooping include the employee losing their job, public humiliation for the office involved, heavy monetary fines, and potential legal action. This intrusive act is a big problem for the employee involved and for their employer.
To fully understand the varying degrees of record snooping, and how to prevent and develop safeguards against one of the leading causes of fines in 2015, set aside 30 minutes to learn from others who have been affected:

5 Record Snooping Stories Medical Practices That Cannot Be Ignored


About the Author: Lance King works with the team at Healthcare Compliance Solutions, supporting medical practices in adequately preparing for HIPAA, OSHA, Medicare, and HR compliance audits. He is a husband, father, consultant, church and community leader, and athlete.
Upon receiving his Masters in Business Administration, he continued maturing his consultative skills in healthcare because boundary systems are constantly expanding with new developments in technology. His mission is to help practice management do more with less with technology and innovation.
Lance regularly publishes compliance, leadership, and management articles for healthcare practice administration. Find these on LinkedIn.

Truth about Employee Referrals

Employee referral programs can be effective, but they must allow for personal accountability.

Tina has been working in her current position for about three years. About six months ago, Tina’s friend Amy was hired into the organization. This hire was based largely on Tina’s referral. Amy was happy to have a job and Tina enjoyed the $100 bonus she received due to the organizational employee referral program. However, things have changed. Amy’s performance is not very impressive and the organization is talking about terminating her employment by the end of the week. In conjunction with Amy’s poor performance, the organization has begun looking at Tina in a different light. Tina’s supervisors have started being more critical of her performance and she is feeling the pressure. Nothing in Tina’s performance has changed for the negative since Amy’s hire, but the perception of Tina has been affected.

Employee referral is an internal recruitment method employed by organizations to identify potential candidates from their existing employees’ social networks. An employee referral program encourages a company's existing employees to select and recruit suitable candidates from their social networks. Typically, when a new hire is brought into the organization and an employee referral was the source of that hire, the referring employee receives some sort of “reward” (monetary, gift card, event tickets, etc.) for that referral. This type of program usually works well because social connections already exist, as does a certain level of trust.

There is, however, another side of employee referrals that has become an issue in recent years. When a company hires somebody whom another employee has referred, far too often the fates of both employees become intertwined. If the new employee does well, then the organization will look favorably upon the original employee. However, if the newly hired employee’s performance falters, then the organization begins to think differently and more critically about the original employee. This is a big reason why people, in general, hesitate to refer anybody to their organization. If somebody who works in an organization knows of a job opening within that organization, they are most likely going to stay quiet about it. Staying quiet is a lot safer for them and their job status. Rather than risk “rocking the boat,” the employee will look away as unemployed and talented people around them look for a job.

If you want to have a successful employee referral program, then these are the attributes that must be a part of it:

  • Documentation – An employee referral program needs to be detailed and in writing.
  • Expectations – It is important that each employee understand the type of person and the character of a person the organization is looking for.
  • Personal Accountability – When somebody is referred and hired into an organization, that organization must hold the newly hired employee and the original employee accountable for their own performance. If the newly hired employee does not perform well, then that cannot be a representation of the original employee. This accountability should begin with the first interview. The referral got the person in the door, but from then on, it is up to the individual to get the job and, if hired, perform well.

If your organization has an effective employee referral program, then it will be a valuable tool for you to use when filling open positions. Happy and energetic employees will refer people they know, and this could bring in new employees who have wonderful talents and will contribute greatly to the success of your organization.


Wednesday, October 28, 2015

OSHA Penalties

Types of OSHA Citations and Fines
OSHA issues different types of citations, depending on the nature and severity of the violation. Penalties are proposed based on the type of violation.
If you’re cited for OSHA violations following an inspection, penalties may vary depending on the type of citation. Note, however, that in settling a penalty, OSHA says it has a policy of reducing penalties for small employers and those acting in good faith.
● Willful
A willful violation exists under the OSH Act where an employer has demonstrated either an intentional disregard for the requirements of the Act or a plain indifference to employee safety and health. Penalties range from $5,000 to $70,000 per willful violation. If an employer is convicted of a willful violation of a standard that has resulted in the death of an employee, the offense is punishable by a court-imposed fine or by imprisonment for up to 6 months, or both. A fine of up to $250,000 for an individual, or $500,000 for a corporation, may be imposed for a criminal conviction.

● Serious
Section 17(k) of the OSH Act provides that “a serious violation shall be deemed to exist in a place of employment if there is a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations, or processes which have been adopted or are in use, in such place of employment unless the employer did not, and could not with the exercise of reasonable diligence, know of the presence of the violation.” OSHA may propose a penalty of up to $7,000 for each violation.

● Other-Than-Serious
This type of violation is cited in situations where the accident/incident or illness that would be most likely to result from a hazardous condition would probably not cause death or serious physical harm, but would have a direct and immediate relationship to the safety and health of employees. OSHA may impose a penalty of up to $7,000 for each violation.

● De Minimis
De minimis conditions are those where an employer has implemented a measure different from one specified in a standard, that has no direct or immediate relationship to safety or health. These conditions do not result in citations or penalties.

● Failure to Abate
A failure to abate violation exists when a previously cited hazardous condition, practice or non-complying equipment has not been brought into compliance since the prior inspection (i.e., the violation remains continuously uncorrected) and is discovered at a later inspection. If, however, the violation was corrected, but later reoccurs, the subsequent occurrence is a repeated violation. OSHA may impose a penalty of up to $7,000 per day for each violation.

● Repeated
An employer may be cited for a repeated violation if that employer has been cited previously, within the last five years, for the same or a substantially similar condition or hazard and the citation has become a final order of the Occupational Safety and Health Review Commission (OSHRC). A citation may become a final order by operation of law when an employer does not contest the citation, or pursuant to court decision or settlement. Repeated violations can bring a civil penalty of up to $70,000 for each violation.

Additional violations for which citations and proposed penalties may be issued upon conviction:
•  Falsifying records, reports or applications can bring a fine of $10,000 or up to 6 months in jail, or both.
•  Violations of posting requirements can bring a civil penalty of up to $7,000.
•  Assaulting a compliance officer, or otherwise resisting, opposing, intimidating, or interfering with compliance officers while they are engaged in the performance of their duties is a criminal offense, subject to a fine of not more than $5,000 and imprisonment for not more than 3 years.

Don’t Take the Risk!
Why risk citations and penalties when you can ensure OSHA compliance with an affordable and effective compliance training program? For more information on this and other topics related to HIPAA, OSHA, Medicare and HR compliance please email or visit our website at 

Tuesday, October 27, 2015

Proper Sharps Disposal and Containers

Handling Sharps and Needles

Sharps Containers (also referred to as Sharps Disposal Containers, Medical Waste Disposal Containers, Biomedical Waste Disposal Containers, etc.) are specially made containers used to contain hazardous "piercing" instruments and reduce the chance of spreading infection. It is standard practice in developed and even underdeveloped countries for used needles to be placed immediately into a sharps container after a single use, with only a few exceptions to the general rule. Needles are dropped into the container without touching the outside of the container. Needles should never be pushed or forced into the container, as damage to the container and/or needlestick injuries may result. Proper use of a sharps container includes pick up by or delivery to an approved "red bag" or medical waste treatment site. In addition to this pre-existing safety measure, all U.S. medical and educational staff are federally required to be tested on their knowledge of bloodborne pathogens.

A sharps container is a term for a specially-made container that is predominantly used for medical needles and any other sharp medical instruments, such as an IV catheter. They are available in one of two types:

Single-use sharps containers - which are disposed of with the waste inside.

Reusable sharps containers - which are robotically emptied and sterilized before being returned for re-use.

Sharps is the term used to describe any item that is capable of puncturing the skin such as syringes, needles, lancets, broken glass with blood on it, scalpels, etc. Because these 'sharps' potentially have disease-carrying blood or other potentially infectious materials on them, they are capable of 'injecting' that blood or fluid into anyone who comes in contact with them. Examples of sharps include:
  • Needles, syringes, lancets, broken glass with blood on it
  • Suture needles, scalpel blades, butterflies (both traditional and safety)
  • Vacutainer tubes (both plastic and glass)
  • Phlebotomy needles with vacutainer tube holder attached
  • Capillary tubes (both plastic and glass)
  • IV catheters
  • Dental anesthetic carpules with blood
  • Dental wires and endodontic files
  • Other sharp objects contaminated with blood such as box cutters and broken glass
For regulated businesses, such as healthcare facilities, in addition to sharps, regulated medical waste is defined by OSHA as:
  • Pathology and microbiological waste
  • Liquid or semi-liquid blood or other potentially infectious materials (OPIM*)
  • Items caked with dried blood or OPIM
  • Items that could release blood or OPIM
*OPIM: semen, vaginal secretions; fluids from around the spine, brain, joints, lungs, heart, and abdomen; saliva in a dental procedure; any body fluid with visible blood; any unidentifiable body fluid; and unfixed tissue.
Examples of non-sharps regulated medical waste include tubing with blood in it and blood-soaked gauze. Regulated medical waste does not include urine, feces, sputum, sweat, tears, or saliva, or any items containing or once containing these fluids, such as urine cups, incontinence pads, or diapers.

Preventing Injuries
Before you use a sharp object, such as a needle or scalpel, make sure you have all the items you need close by. This includes items like alcohol swabs, gauze, and bandages.

Also, know where the sharps disposal container is. Check to make sure there is enough room in the container for your object to fit. It should not be more than 2/3 full.

Some needles have a protective device, such as a needle shield, sheath, or blunting, that you activate after you remove the needle from the patient. This allows you to handle the needle safely, without the risk of exposing yourself to blood or body fluids. If you are using this kind of needle, make sure you know how it works before you use it.

Follow these guidelines when you work with sharps.
  • Do not uncover or unwrap the sharp object until it is time to use it.
  • Keep the object pointed away from you and other persons at all times.
  • Never recap or bend a sharp object.
  • Keep your fingers away from the tip of the object.
  • If the object is reusable, put it in a secure, closed container after you use it.
  • Never hand a sharp object to someone else or put it on a tray for another person to pick up.
  • Tell the people you are working with when you plan to set the object down or pick it up.

Sharps Disposal
Make sure the disposal container is made for disposing of sharp objects. Replace containers when they are 2/3 full.
Other important tips include:
  • Never put your fingers into the sharps container.
  • If the needle has tubing attached to it, hold the needle and the tubing when you put it in the sharps container.
  • Sharps containers should be at eye level and within your reach.
  • If a needle is sticking out of the container, do not push it in with your hands. Call to have the container removed. Or, a trained person may use tongs to push the needle back into the container.
  • If you find an uncovered sharp object outside of a disposal container, it is safe to pick it up only if you can grasp the non-sharp end. If you cannot, use tongs to pick it up and dispose of it. 
According to OSHA, healthcare employees must have access to sharps containers that are easily accessible to the immediate area where sharps are used (29 CFR 1910.1030(d)(4)(iii)(A)(2)(i)).
The FDA recommends that used needles and other sharps be immediately placed in FDA-cleared sharps disposal containers. The FDA has evaluated the safety and effectiveness of these containers and has cleared them for use by health care professionals and the public to help reduce the risk of injury and infections from sharps.
FDA-cleared sharps disposal containers are made from rigid plastic and come marked with a line that indicates when the container should be considered full, which means it’s time to dispose of the container.

How do the Bloodborne Pathogens standard and the Needlestick Safety and Prevention Act apply to you?
OSHA's Bloodborne Pathogens standard (29 CFR 1910.1030), including its 2001 revisions, applies to all employers who have an employee(s) with occupational exposure (i.e., reasonably anticipated skin, eye, mucous membrane, or parenteral contact with blood or other potentially infectious materials (OPIM) that may result from the performance of the employee's duties). These employers must implement the requirements set forth in the standard. Some of the new and clarified provisions in the standard apply only to healthcare settings, but other provisions, particularly the requirements to update the Exposure Control Plan and to keep a sharps injury log, apply to non-healthcare as well as healthcare settings. Make sure your staff are properly trained in OSHA compliance standards and have the required tools to perform their job safely.

Sources: www.fda.gov, U.S. National Library of Medicine


HIPAA Definitions

Here are some of the basic definitions of HIPAA compliance

Business Associate: A person or company that acts on behalf of a covered entity performing functions that involve the use or disclosure of Protected Health Information (PHI) for claims processing, billing, quality assurance, etc. Members of a covered entity’s work force are not business associates.

Covered Entity: All health plans, all health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with a covered electronic transaction.

Designated Record Set (DRS): A record that contains information utilized and maintained for the purpose of making decisions about an individual’s health care.

Electronic Protected Health Information (ePHI): Individually identifiable health information that is transmitted, maintained or stored in electronic form.

Privacy: Scalable set of standards governing the patient’s rights over the use and disclosure of their own protected health information (PHI).

Protected Health Information (PHI): Individually identifiable health information maintained or stored in electronic or any other form or medium. It includes medical, demographic, and financial information about the patient.

Security: Specific measures a health care entity must take to protect ePHI from unauthorized breaches of privacy, or loss of integrity. It is scalable, flexible, and generally addressable.

Transactions: Electronic transmission of information between two parties to carry out financial or administrative activities related to health care.

Understanding these basic HIPAA terms is vital to your office being successfully compliant with the HIPAA regulations.


Monday, October 26, 2015

Do You Truly Understand the ADA?

Understanding the ADA and how it applies to your office will help you and your organization.

The Americans with Disabilities Act (ADA) is intended to enhance and protect the rights of individuals with disabilities in all life activities and to provide clear, consistent, enforceable standards for addressing discrimination against individuals with disabilities.

A disability under the ADA is defined as a known physical or mental impairment which substantially limits one or more of an individual’s major life activities. Individuals are also entitled to protection under the law if they have a record of such an impairment, are regarded as having such an impairment but are not disabled, or have an association with an individual with a disability.

The Act is comprised of five separate titles which prohibit discrimination in employment, transportation, public accommodations, and telecommunications, as well as several other miscellaneous areas. Title I, employment, and Title II, public accommodations, have the greatest impact on employees and job applicants.

The employment title ensures that qualified individuals with disabilities, including both applicants and current employees, have available to them the same employment opportunities as people without disabilities. It includes, but is not limited to, the following areas:

  • Hiring (application procedures, recruitment, etc.)
  • Promotion and transfers
  • Discharge (layoffs, terminations, rehires, etc.)
  • All forms of compensation
  • Job training
  • Fringe benefits
  • Job descriptions/classification
  • All leaves of absence
  • Other aspects of employment

When working with a qualified individual with a disability, employers are required to determine whether there are any reasonable accommodations that could be made which would allow the individual to compete on the same level as those without disabilities.

Having an understanding of the ADA requirements will enable you to properly implement those requirements into your organization.


Friday, October 23, 2015

HIPAA Breach Notification Rule

HIPAA covered entities and their business associates must provide notification following a breach of unsecured protected health information.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Breach Notification Requirements

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

  • Individual Notice
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.  
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.  Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
  • Media Notice
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

  • Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

  • Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.

When a breach occurs in your office, it is required that you report it!


Thursday, October 22, 2015

3 Warning Signs Your Employees Are Burning Out

Today’s stress-driven lifestyle may spell out “success” to many, but it’s doing a lot of harm.

Employees everywhere are on the brink of burnout, and it’s damaging to their health and your business. Stressed out employees cost organizations $300 billion annually and drive 46 percent higher healthcare costs. What’s more, 64 percent of employees with high stress levels say they feel extremely fatigued and out of control, and it’s costing 35 percent of people at least an hour of productivity each day.
Without overhauling society, what can you do? The key is to recognize the telltale symptoms of burnout before it’s too late. But that’s often easier said than done. Because ongoing, low-grade stress can feel exhilarating (similar to working against a deadline), it is common for even employees to miss the signals.
Here are three warning signs to watch for:
1. A slump in productivity or quality.
When top-notch employees start becoming unreliable, something’s up. Keep your eyes peeled for someone who’s regularly missing deadlines, racking up frequent complaints from patients, or whose performance has declined over the past couple of months.
2. A detached, disengaged employee.
Notice an A-plus employee suddenly seems to disconnect or lose their spark? Intervene ASAP. These feelings could manifest in the form of poor communication with co-workers, an overall lack of enthusiasm, or an unwillingness to collaborate with the group.
3. An unusually pessimistic person.
If a former department cheerleader’s attitude suddenly becomes negative, it is reason enough to raise the alarm. Be on the lookout for ongoing negativity, endless complaints, and a previous high performer whom you can no longer encourage.
Now that you know what burnout looks like early on, make it your goal to help employees stop the stress from progressing further.
Create a culture that discourages employees from burning the candle at both ends, and help managers and supervisors form caring team environments. When employees know they’re supported, they’ll feel more comfortable speaking up when they feel like they’re starting to fizzle.
Offering tools and resources that support all areas of well-being is just as critical as company culture. Programs like these communicate you care, while helping your people manage everything they’ve got going on and protecting your workforce against the damaging effects of burnout.


Wednesday, October 21, 2015

Email Risk and HIPAA

Incident at Sutter Health Emphasizes Email Risks

Sutter Health’s revelation that a former employee inappropriately sent patient information to a personal email account in violation of the organization’s policy is yet another reminder of the privacy risks posed by email communication.
In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of services and billing codes. For one patient, compromised information also included a driver’s license number. For another, a driver’s license number and Social Security number were included.

The organization says it discovered the email-related incident during a review of the former employee’s email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible “improper conduct” by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health’s physician medical foundations.
Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others. But it’s offering affected patients free credit monitoring services for one year.
“Sending any confidential information to a personal email account is strictly prohibited,” Sutter Health says in a statement. “Sutter Health now has sophisticated software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to securely send the information. Employees are also required to annually acknowledge and sign Sutter Health’s confidentiality agreement, which states that the employees agree to abide by and protect Sutter Health’s confidential data.”
A Sutter Health spokeswoman says that the former employee emailed copies of the information without authorization before more technology safeguards were installed and that Sutter Health now uses encrypted email. “Sutter works hard at protecting patient information, including implementing new technologies to enhance protection. I cannot provide specific details of those technologies - that’s among our safety efforts,” she says.
Unfortunately, privacy breaches involving unsecured email, as well as text messages, are a common problem in the healthcare arena, security experts say.
“My experience is that doctors and medical practice employees send PHI through unsecure e-mail all the time,” says security and privacy expert Mike Semel, founder of Semel Consulting. “During our assessments, we often hear that doctors and nurses text each other all day with no concern that the information is PHI,” he says. “When we explain that PHI is any communication that includes a patient identifier and information about their treatment, diagnosis or payment for healthcare, and not just the information in the chart, we are often met with surprise.”
Besides implementing encrypted email communication, such as by using the “Direct Exchange” protocol, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention programs that scan emails and documents containing sensitive data, such as Social Security numbers, before they’re transmitted, security experts say. Depending on the technology, the sensitive data can either be blocked from transmission or automatically encrypted.
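The kind of outbound check a data loss prevention program performs, as an added Python example that is not from the article or from any vendor's product: it scans a message's subject, body and text attachments for Social Security numbers and returns allow, encrypt or block. The domain lists and the policy (block personal webmail, force encryption for other external recipients) are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed values for this example; neither list comes from the article.
INTERNAL_DOMAINS = {"clinic.example"}
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample message (not data from the Sutter Health incident).
SAMPLE = ("From: biller@clinic.example\nTo: someone@gmail.com\nSubject: billing export\n\n"
          "Patient A, DOB 1970-01-01, SSN 123-45-6789, code 99213\n")

def find_ssns(text):
    """Return SSN-shaped strings that pass the SSA structural rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Never-issued ranges are skipped to cut false positives.
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

def text_parts(msg):
    """Yield the decoded text of the body and of every text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def dlp_decision(raw_message):
    """Return 'allow', 'encrypt' or 'block' for one outbound message."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    domains = {a.rsplit("@", 1)[-1].lower() for _, a in getaddresses(fields) if "@" in a}
    hits = find_ssns(msg.get("Subject", ""))
    for text in text_parts(msg):
        hits += find_ssns(text)
    if not hits or domains <= INTERNAL_DOMAINS:
        return "allow"      # nothing sensitive, or it never leaves the organization
    if domains & WEBMAIL_DOMAINS:
        return "block"      # sensitive data headed to a personal mailbox
    return "encrypt"        # other external recipient: send only encrypted
```

A pattern match like this only covers one identifier type; names, dates of birth and insurance numbers need their own detectors or dictionary matching.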
Organizations also need to be wary of employees who work around measures that have been put in place to prevent breaches involving email, Semel stresses.
“When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are,” he says. “Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else, like a specialist, [using webmail] is not secure.”
Employees and clinicians need to be educated on the secure methods for sending communication involving PHI, Semel says.
Independent HIPAA attorney Susan Miller says many breaches involving unsecured communication likely aren’t being reported to the Department of Health and Human Services’ Office for Civil Rights, which tracks healthcare data breaches.
“I think they are as under-reported as sending a fax the wrong way,” she says. Tips on the do’s and don’ts related to email encryption are “not part of any training that most staff get,” she says. “I have been talking to my clients about just use WinZip for some protection,” she notes, referring to the zip utility web application, which encrypts email.


Tuesday, October 20, 2015

Safety First... It's an old slogan but make it a daily event.

Safety First!... 

I want to talk a little bit about a safety saying that we use in the industry all the time. As a matter of fact, I hear it everywhere. I hear it at workplaces, I hear it outside of workplaces, I hear it at seminars as well as conferences. I see signs everywhere that contain the saying. This saying has become so overused that I believe that it has lost any meaning. It has become a cliché. I even hear it used sarcastically at times.

The saying is...wait for it... safety first. Now you may think it’s weird that a safety professional is kind of dissing a safety slogan that has been around forever, but unless something has real meaning, it does nothing to enhance the safety or the welfare of our coworkers.

I have recently asked groups of employees during training sessions if they think safety first is a good idea. Knowing that I’m a safety guy, the response has been without a doubt: YES IT IS. The tricky part is when I ask them to explain what safety first means. Some in the classes looked at me like I was an alien. I saw some chin rubbing and head scratching. Eventually some brave soul would blurt out, “It means safety first," or "Don't ever do anything that could put you at risk of getting hurt."

So let’s step back and try to understand what that answer means. I think it means that safety first is really an undefined, feel-good saying that is parroted to employees so many times that they have no clear meaning of the definition, so they just parrot it back.

The Cambridge Dictionaries Online definition: Said to mean that it is best to avoid any unnecessary risks and to act so that you stay safe. Not bad, but when an actual dictionary definition begins with "Said to mean," I tend to be a bit skeptical that there is a proper and accepted definition. Take for example this same dictionary's definition of safety glasses: Special pieces of strong glass or plastic in a frame that fits tightly to a person's face to protect their eyes from dangerous chemicals or machines. Nope, not one "said to mean" in that definition!

Taken to its extreme, safety first could mean elimination of all risk. Safety above all else. Wouldn’t it be awesome if safety first could eliminate all risk! I would love it; I care about employees and their welfare; but as we all know, you cannot do anything without risk. Did you drive today? Driving is a huge risk. Better sell the car. Remember--safety first!

I’ve found that I have totally quit using the term safety first, because I believe it has completely lost its meaning. It’s been so overused it has become such a cliché or platitude, that I just choose not to use it anymore.

I do believe you can reduce and even eliminate the risk of injury and illness in the workplace, but it’s going to come from well-trained and well-informed employees, as well as supervisors and managers who are on board with auditing and enforcing safety policies and procedures. Not some tired old safety slogan hung on a big sign in the work area.

So if in a crazy world I were able to rewrite the definition for safety first at work so that I would start using it again, that definition would be something like this: As I approach my job for the day, say I was a machine operator, or an office worker, or any other of a million types of jobs there are in the world, I would first stop and make sure my work area is safe. Is my truck ready for the day? Is my machine guarding in place? Is my computer workstation set up correctly? Another set of questions would be: Am I aware of chemical and other hazards present? Do I have appropriate personal protective equipment and is it in good working order? Have I been trained, and are there procedures for safely doing my job?

Once this assessment was finished, I would have the ability to be a safe, productive, and quality-oriented employee.
Safety, productivity, and quality really are the three legs that support a company’s profits. It is my firm belief that you must keep focus on all three legs for the good of all.

So my vote is that safety first is something that I think we, as safety professionals, should stop using as freely as we do. I mean it seems like everywhere you look you see safety first, and you hear safety first everywhere. And as I said, unless something has meaning, what use is it?

If I ever choose to use safety first in the workplace again, I will define it clearly. If I were to use it, the definition I would use would go something like this:

Safety First: Before starting a job or task, survey it for anything that may cause you or others harm, and mitigate the risks following process and procedures as you were trained.

Did you notice there was no "said to mean" in my definition?
Written by Daniel Rebarcak - Published: 12 October 2015 -
