Tuesday, December 29, 2015

The Importance Of Yearly HR/Compliance Training

HR Training Can Save Your Practice in the New Year

As we prepare for 2016, I remind our clients to think about annual HR and compliance training for all practice employees.  Not surprisingly, clients often complain that it’s unnecessary because “nothing has changed” or employees still remember their training from last year. In my experience, employees forget most of their training (almost immediately) and those who do remember are complacent about applying their knowledge or are unable to practically apply training to real-life situations.  For example, last year, just weeks after training a client’s practice, the following occurred:
A nurse in the practice (“Sue”) complained she had been sexually harassed by a male supervisor nurse (“Tim”). Sue and Tim are immediately put on different schedules so they can no longer interact, and statements are taken from both parties (which tell opposite stories). There is no video evidence and no direct witness to the events, although statements are taken from other staff members.

Sue appears at work the next day apparently distressed and under the influence.  Another nurse “friend” (let’s call her "Jane") provides prescription medication to calm Sue and drives her to the hospital.  Later, Jane is “so concerned” about Sue’s condition that she accesses the hospital’s EHR system (to which the practice is connected) to check on Sue’s status.

Sue calls the practice manager the next morning to inform him that she considers herself on family and medical leave (FMLA) and further insists the practice should have to pay for her leave (due to her complaints) since she has no accrued paid time off (PTO) left. The practice’s policy does not call for any paid FMLA leave (if Sue were to qualify).

This may seem like a crazy scenario, but it’s really not that surprising at all! What is unfortunate is that every one of the employees in the above scenario had been completely trained numerous times on the practice’s policies and yet various violations still occurred. 

First, with regard to the alleged sexual harassment, no conclusions could be made once the investigation was complete. The results of the investigation were still distressing: numerous witnesses, in addition to Sue and Tim, admitted there was a pattern of lewd, vulgar and inappropriate discussions going on throughout the workday, and numerous employees complained (during the investigation) that they had asked Sue, who seemed to be the main source, to cease such behavior. It appeared that various staff and physicians were aware of and participated in such sexual discussions, which clearly violated the practice’s sexual harassment policy. Specific scenarios during training had covered the exact violations that occurred, and yet no employee recognized there was a violation of the policy. To address the matter, the practice issued warnings to all involved and hired an expert to bring in more training, which will now be repeated twice annually. Every employee will acknowledge and sign a new policy as well.
Another issue in the scenario that occurred was Jane’s violation of HIPAA by accessing another employee’s EHR at the hospital. She also went against practice policy by prescribing medications to an employee of the practice (who already appeared impaired).  This was not Jane’s first HIPAA violation and per practice policy, she was terminated.  Action is still being considered on the prescription issue and Sue’s appearance at work under the influence.

Finally, like other practices, this client has a policy for FMLA and paid time off. Our advice is that the practice should always try to follow its policies consistently and without exception. When a practice opts to reach a unique arrangement with an employee (such as letting them dip into future PTO), this should be documented.  Certainly, a practice should never pay an employee who has made threats against the practice without talking to counsel, as such payment could be deemed an admission of wrongdoing.

No matter how much training a practice provides, there are always going to be violations of a practice’s policies. The expense and hassle of dealing with the repercussions of such an event are far greater than scheduling and/or paying for annual training. If you think your staff remembers everything they have been trained on in the past — try asking a few random questions and see whether you are surprised by the results!

By  from http://www.physicianspractice.com

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com
visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

Wednesday, December 23, 2015

OSHA Slams Northridge Hospital for Health and Safety Violations

State workplace safety regulators fined the operator of Northridge Hospital Medical Center about $44,125 for violations that potentially exposed the hospital’s 1,700 employees to health hazards stemming from the non-compliance.

Dignity Health was cited after Cal/OSHA determined that the hospital failed to record information in over a dozen cases where hospital workers were stuck with needles, and failed to provide closeable containers in emergency rooms that would keep biohazard waste from spilling, according to the state agency.

Northridge Hospital said in a statement that it is working “diligently” to address the agency’s findings.

“We have a longstanding relationship with Cal/OSHA and appreciate the regulatory body working with us to ensure the safety of our employees,” according to the hospital.

Cal/OSHA’s Van Nuys office opened an investigation in June after receiving a complaint, resulting in 13 health code violations, regulators said.

“California’s health and safety requirements are some of the strongest in the nation, and they’re meant to prevent hospital workers from becoming hospital patients,” Cal/OSHA Chief Juliann Sum said.

The findings included violations of bloodborne pathogens precautions, which require employers to protect workers from coming into contact with blood or other disease-carrying body fluids, according to Cal/OSHA.

Cal/OSHA also issued eight general and regulatory violations because Dignity Health kept broken gurneys in the working area, skipped essential elements of training employees in safe patient handling, and failed to take corrective action after accidents occurred, regulators said.

In summary, there were four serious violations of the bloodborne pathogens standard, which requires employers to protect workers from coming into contact with blood or other disease-carrying body fluids. A serious violation is cited when there is a realistic possibility that death or serious harm could result from the actual hazardous condition. In this case, the serious violations included:

• Failure to gather information required by the Sharps injury log, such as type and brand of needles involved in the 18 injury cases. The employer had no procedure in place to review the log, or to solicit required input from employees about factors contributing to contaminated needle injuries. Well-kept injury logs, and their regular review, help to identify the causes of injuries and prevent future occurrences.

• Failure to provide containers that would prevent spillage or protrusion of contaminated needles in emergency treatment and trauma rooms. Additionally, the employer did not provide readily accessible hand washing facilities for emergency room employees.

• Failure to provide appropriate sizes of gloves for employees using the medication cart in the trauma room and the after-hours intake area.

Sources: Northridge-Chatsworth stateofreform.com


Friday, December 18, 2015

Protect Your Livelihood By Creating A Culture of Compliance

Part of being an effective leader is developing and nurturing a culture within your office that leads to success.

Sarah is a nurse at a hospital, and she has just sat down at a table in the cafeteria to eat her lunch. It has been a stressful day so far, and one patient in particular is weighing heavily on her mind. Three of Sarah's co-workers, who are also nurses, come to sit with Sarah and eat their lunch as well. While they eat, the conversation turns to their day. The four nurses do what many healthcare workers do: they talk about work. Nursing is a very challenging job, and sometimes it helps to talk about patients when they are weighing heavily on your mind. Sarah begins to tell her co-workers about the patient who is not doing too well and how the doctors are baffled about the case and quite concerned. Unknown to Sarah, some family members of the patient she is referring to are sitting nearby and are able to hear the conversation. Sarah's use of identifiable information during the conversation enables the family members to know that it is their loved one she is talking about, and the things she is saying are all new to them.

Merriam-Webster defines culture as:
A way of thinking, behaving, or working that exists in a place or organization

It is the culture of an organization that helps define the organization itself. An article from about.com written by Susan M. Heathfield best describes organizational culture: "Culture is the environment that surrounds you at work all the time. Culture is a powerful element that shapes your work enjoyment, your work relationships, and your work processes. But, culture is something that you cannot actually see, except through its physical manifestations in your work place."

Where Does Culture Develop?
Culture is developed and created by the leadership within an organization. They are the ones who plant the seeds of the organization's culture through their policies, procedures, actions, example they set, and the language they use. It is the workforce members who are the ones that refine and grow the culture within the organization. It is the leadership that plants the seed and the employees make it grow into the living organism that it will become.

Culture = Behavior and Attitude
Culture is something that is learned and developed through interactions. When an organization puts a policy in place, it is the responsibility of the leaders to ensure the policy is understood and that the procedure is followed. This begins with the leader's behavior and attitude toward that policy. If a leader demonstrates through their actions and example that the policy is important, then that behavior and attitude become part of the organization's culture.

Culture of Compliance
When employees see that the treatment and well-being of a patient are important to their leaders (doctors, administrators, etc.), then the treatment and well-being of a patient become important to them as well. This focus on the care of the patient then becomes part of the culture within that organization. When employees see that protecting the health information of the patient is not a high priority for their leaders (doctors, administrators, etc.), then protecting the patients' privacy and health information will not be a priority for them either. This type of behavior and attitude will then become part of the organization's culture.

Protect Your Livelihood
How is it possible for the leadership of an organization not to make compliance a priority, yet expect their employees to make protecting their patients' health information an important part of their job? The answer is, you cannot. It is not possible to have one without the other. If the leadership of a health care office wants its employees to protect their patients' health information, then the leadership needs to ensure that being in compliance is an important aspect of the organizational culture. If the employees do not believe that being in compliance is important, then they will not strive to protect the patients' health information. This in turn will put the organization at serious risk of either an audit or a situation that could destroy the reputation of the organization itself.

By creating a culture of compliance within your organization, you are saying that protecting your patients' health information is important to you and your employees. If Sarah worked in an organization that had a culture of compliance, maybe she would have been more aware of what she was saying in a public area. It is important to understand that a culture of compliance does not only apply to HIPAA. It also applies to OSHA, Human Resources, and Medicare. Having a culture of compliance within your organization will help protect your organization and build a positive reputation within your community.

If you have any questions on this or other topics, please feel free to email us at support@hcsiinc.com

Friday, December 11, 2015

5 Steps to an Effective Performance Management Program

Annual appraisals are only one aspect of effective performance management

Jackie walked apprehensively into her supervisor's office. They were meeting to discuss her annual appraisal. She was nervous about what her supervisor would discuss with her. During their meeting, Jackie and her supervisor discussed things that had occurred during the past year that had affected Jackie's overall performance. Often, Jackie would try to recall the various instances, but so much time had passed that she could not remember the exact details the same way her supervisor did. As the meeting went on, Jackie began to feel defensive and irritated. Finally, the meeting was drawing to a close and Jackie had already checked out mentally. She was done with this meeting and just wanted to get back to work. Her supervisor handed her a list of areas Jackie was to work on improving in her assigned position at the company. Jackie took the list, shook her supervisor's hand, and walked back to her desk feeling a bit flustered by the whole experience. She put the list of areas to improve in her drawer and never looked at it again. She went back to work, relieved that she would not have to go through that again for another year.

What is performance management?
Performance management is about establishing a shared understanding, between the employee and employer, about what is to be achieved at an organizational level. It is about aligning the organization's objectives and expectations with the employee's skills, competency requirements, and resources in order to achieve a desired result. With performance management, the emphasis is on improvement, learning, development, and reaching set goals in order to create a highly productive workforce.

Annual appraisals
It is important to understand that annual appraisals are only a part of an overall performance management strategy. Far too often, however, organizations treat these annual meetings as their entire performance management process. Annual appraisals are often perceived by both participants as a painful process that results in no real change or improvement in employee performance. Having only annual appraisals leads to unintended outcomes:

  • Too painful, emotionally charged
  • Poor understanding of expectations
  • Misdirected bonuses (favorable review, but organizational goals not met)
  • Poorly timed
  • Subjective supervisor opinion
  • Missed development opportunities
Effective performance management
Performance management, when done correctly, effectively links the organization's plans and goals with the employee's individual performance. When an employee's individual performance helps an organization achieve its goals, that employee is rewarded with favorable reviews and possible bonuses that are in line with the employee's performance and contribution. Here is a basic outline of a performance management program:
  1. Initial Meeting - Face-to-face planning meeting between the supervisor and the employee. During this meeting, the supervisor and the employee will work together to establish objectives, development plan, and a competency review for the next 365 days.
  2. Continuous focus - During the next six months, both the supervisor and the employee should be taking notes independently documenting performance milestones, progression, and set-backs.
  3. Interim review - An abbreviated meeting should be held between the supervisor and the employee to measure progression toward the objectives as discussed in the initial meeting. This is also an opportunity to discuss any updates or changes to the objectives based on any change of the overall organizational goal. In addition, this is the time to discuss any additional resources or training the employee might need in order to reach the objective within the next six months.
  4. Continuous focus - During the next six months, both the supervisor and the employee should be taking notes independently documenting performance milestones, progression, and set-backs.
  5. Final review - At the end of the 365 day period, the supervisor and the employee will meet to determine if the objectives set during the initial meeting were met. If the objectives were met, then the supervisor should have some form of recognition for the employee upon meeting their objective. If the objectives were not met, then the supervisor and the employee discuss the nature of the objective and whether it was attainable. In addition, a discussion about available resources and training also takes place at this time. This is not a meeting where only the supervisor does the talking. Whether the objective was met should be discussed and decided upon by both the supervisor and the employee. If the supervisor does not feel that the objective was met, but the employee does, then there was a communication gap during the initial meeting and the interim review.
Outcomes of an effective performance management program

There are clear signs of an effective performance management program within an organization:
  • Communication improves
  • Everyone knows the objectives and expectations
  • Improved documentation
  • Reduction of stress
  • Final review (appraisal) becomes relevant and effective
  • Learning and development becomes part of the organizational culture
The difference between a standalone annual appraisal and a performance management program is striking. Improving employee morale, reduced turnover, promoting the right people into the right positions, earned job performance recognition, and growing employee skill sets are but a few of the results that will occur when an organization has an effective performance management program in place.

For more information, please feel free to email support@hcsiinc.com


Tuesday, December 8, 2015

Protecting Employees from Workplace Violence

Being Aware and Having an Emergency Action Plan

The December 2nd, 2015 shooting in San Bernardino, California, where 14 people were shot to death and 21 were injured at an office gathering, is a sobering reminder that violence in the workplace is an issue of concern for all of us. For employers, it is critical to ensure that all employees know the company's safety and violence prevention policies and procedures. In addition, companies can offer additional protections:

• Verify information on all new hires through reference checking.
• Screen applicants by conducting background checks. Condition offers of employment upon the completion of background checks, drug tests or medical exams.
• Review workers’ compensation records and illness claims to identify patterns of assault or other workplace violence. Understand industry trends and specific job exposures.
• Have a clear, written policy protecting employees from harassment, threats and intimidation. Policies should note that any complaints of harassment or threats will be investigated fully and appropriate steps taken, including discipline and discharge.
• Establish a complaint/grievance procedure.
• Establish and communicate how to access employee assistance program (EAP) services.
• Offer outplacement counseling to employees being laid off or terminated.
• Consider implementing the following security measures: monitoring systems, limited-access key cards, employee identification cards, emergency warning systems, security guards, visitor sign-in policies, and security escorts in case of emergencies.

Crisis Plan

Develop a crisis plan that outlines how to report incidents of workplace violence, instructions on who to notify, and:

• How to assess the situation, get help, warn other employees and secure the workplace.
• When and how to involve the police and gather information to assist an investigation.
• Follow-up activities like debriefing employees, resuming operations and long-term planning.

All employers should, and probably do, maintain an evacuation plan, but few employees ever drill on the plan. Moreover, responding to a tornado, hurricane or other natural disaster is far different from responding to a fire, explosion, shooting, or collapse of the electrical grid.

• Have you as an employer even thought about how you should respond to such events and protect your employees?
• Do you maintain an Emergency Action Plan (EAP) under OSHA regulations?
• Do you even know what triggers the obligation to have an EAP?

There is much talk about workplace violence, but have you assessed your operation to determine where risks are presented? Do you have employees making deliveries or going to customers’ homes unaccompanied? Have you professionally assessed security for entrances and exits? Do management and HR know when they should be concerned about potentially dangerous employee behavior and what to do next?

If your answer is to simply point to the binder on a shelf or to be self-assured that you have “competent people to take care of such matters,” then perhaps it is time to roll up your sleeves and check.

OSHA Focus on Workplace Violence

If you want additional motivation, OSHA is dead serious about inspecting employers for workplace violence exposures and issuing citations under its general duty powers.

Special Focus on Workplace Violence in Healthcare

OSHA is also quite serious about conducting health care and hospital inspections which focus on workplace violence and ergonomic concerns.

Image credit: Chris Kuhlman


Friday, December 4, 2015

Dr. Jones is a News Star and His Patients Will Never Forget

The most misunderstood, unknown, or ignored of the HIPAA compliance rules is Breach Notification.

Dr. Jones had a lot of work to do over the weekend. He took his laptop from his office and put it in his car to take home. On the way home, Dr. Jones made a quick stop at the store. Upon returning to his car, Dr. Jones noticed that his car had been broken into. The laptop from his office was one of the items that had been stolen. Having the laptop stolen did not, by itself, constitute a breach. However, the patient information on that laptop did not have proper security protections, so this situation is now a breach. With more than 650 patients and their protected health information in the hands of unauthorized individuals, according to the HIPAA Breach Notification Rule, Dr. Jones must report this incident to each individual patient, the local media outlets, and the Secretary of Health and Human Services. In all likelihood, Dr. Jones' reputation and that of his practice will suffer greatly. He will lose the trust of his patients, and the financial effects will be felt for a long time.

What is the Breach Notification Rule?
Simply put, the Breach Notification Rule requires all covered entities and business associates to provide notification if there is a breach of unsecured protected health information (PHI).

What is considered unsecured PHI?
PHI is considered unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the means specified in HIPAA guidance. Covered entities and business associates that secure their patients' PHI, using documented policies and procedures, are not required to provide notifications following a breach of such information.

What is considered a breach?
Health and Human Services (HHS) states that a breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

Are there exceptions to the Breach Notification Rule?
Yes, there are three exceptions to the Breach Notification Rule as defined by HHS:

1. "Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority."
2. "Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the privacy rule."
3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

When a Breach Occurs
Following the discovery of a breach, the covered entity must notify each individual whose PHI was, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed. If the business associate discovers the breach, it must notify the covered entity and identify the affected individuals.

Notification must be made without unreasonable delay and no later than 60 days after discovery of the breach.

Required Notifications
• Individuals - Written notice must be mailed by first-class mail to the individual's last known address, or sent via email if the individual has specified a preference for email communication.
• Media - If the unsecured PHI of 500 or more residents of a state or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during a breach, notice must be provided to prominent media outlets serving the state or jurisdiction.
• Secretary of HHS - All breaches must be reported by March 1st of each year. If the breach involved 500 or more individuals, notice must be provided immediately. Otherwise, the covered entity may keep a log of breaches and submit the information annually. You can find a list of covered entities experiencing breaches of 500 or more individuals here: http://1.usa.gov/1Q58Jgb

It is important for your office to be compliant with the Breach Notification Rule. Not understanding the requirements will not help your office during a HIPAA audit. The Privacy Rule, Security Rule, and Breach Notification Rule are all areas that will be scrutinized during an audit of your HIPAA Compliance Program. Being out of compliance with the Breach Notification Rule will put your office at risk and could destroy the reputation that you have worked so hard to build.

For more information on the Breach Notification Rule, visit:

If you have any questions, feel free to email support@hcsiinc.com


Tuesday, December 1, 2015

The Company Holiday Party - Tips to Help Avoid Liability

Allowing Everyone To Fit

The holiday party season is in full swing, and employers and employees alike are in the spirit to celebrate and unwind. Unfortunately, what makes for a fun holiday party doesn’t always jibe with company standards for professionalism in the workplace. An employer is just as legally accountable for what happens at the holiday party as it is for what happens around the water cooler. It shouldn’t come as a surprise, then, that holiday parties have been known to produce a lawsuit or two. Here are some tips to help avoid beginning your new year with litigation.

1. Train/Warn Employees Beforehand. Your company’s policies and expectations for employee conduct are fully effective at the holiday party, and your employees need to know and understand this. Shortly before the party, an employer should consider sending out a memo to its employees reminding them of the company’s policies on harassment and discrimination, as well as any workplace code of conduct or expectations. Also explain to employees that the company’s policies apply to company-sponsored social events in the office and outside of the office. Clearly state that any before-party or after-party is not sponsored by the company.

2. Alcohol. Clearly, not serving alcohol at the holiday party is the best way to go. Advising your employees that they are not permitted to bring their own alcohol is also smart. If you do allow alcohol at your holiday party, make sure you’ve hired an outside service provider to handle the bartending and related duties. Prohibit your management staff from serving alcohol to employees. Ensure there are a wide variety of non-alcoholic drink options available, including “mocktails.” Explicitly instruct service personnel not to serve anyone who appears intoxicated. Ask the bartenders to mix “weak” drinks. If the company is paying for the drinks, provide each employee with one or two drink tickets, and require employees to pay for any additional drinks. Cut off the alcohol service at least one or two hours before the end of the party. Provide alternative transportation home such as a shuttle service. At the very least, organize a carpool with volunteer sober drivers. Drivers should be instructed to drop off employees at their homes and nowhere else.

3. Keep it Secular. Unless your company has a legal religious exemption from employment laws, avoid company references to specific religions or religious practices. Title VII of the Civil Rights Act of 1964 prohibits religious discrimination and requires employers to accommodate employees’ religious beliefs. Beyond this legal requirement, taking religion out of the equation ensures that all employees will feel included, regardless of their beliefs.

Make your “Christmas Party” a “Holiday Party.” When decorating, opt for seasonal as opposed to religious imagery. For example, choose pine trees, snowflakes, and poinsettias over nativity scenes and menorahs. Think of the party as a yearly celebration of the company and a "thank you" to employees. While the timing happens to coincide with many religious happenings, keep the company party strictly secular. This includes all music, gifts, decorations, and topics of conversation!

4. No Racy Gifts, Games, or Gab. Holiday parties can become increasingly racy or controversial as the night wears on and employees’ inhibitions are lowered (and alcohol greases those wheels!). Gifts and games are not uncommon, and they often veer toward the inappropriate, as do topics of conversation. While there’s only so much a company can do about this, train your management-level employees to be on the lookout for such happenings and politely shut them down before they get out of hand. Just like in the workplace, managers with knowledge of inappropriate conduct are lawfully required to take appropriate measures to stop it and address the problem. Failure to do so because the conduct occurred at the holiday party will not fly in the courtroom.

5. Make it Absolutely Voluntary. Do not require your employees to attend. Do not pressure your employees to attend. Do not insinuate, even in the slightest way, that failure to attend will adversely impact or reflect poorly on an employee.

Workers’ Compensation
Several states have statutes that specifically address employee injuries from recreational or social activities. Some states limit the employee’s recovery to those activities for which the employee is paid to participate. Other states allow employees to recover compensation if the employee’s participation was specifically directed by the employer. Much of the analysis turns on the laws of the applicable jurisdiction and cannot be addressed without specific knowledge of the facts involved.

But workers’ compensation laws often contain exceptions. For example, if the employee was ordered to participate or was paid wages or expenses while participating, then the employee may recover. Additionally, employees may recover if the injury occurred on the employer’s premises, the premises contained a known unsafe condition, the employer knew employees were participating in the activity, and the employer failed to stop the activity or cure the unsafe condition.

    Personal Injury
    Depending on the particular circumstances and state law, employers may face liability for negligent acts of the employee at a social event. For example, an employee hosts an annual holiday party to show its appreciation for its clients. After drinking too much at the client party, an employee causes an automobile accident. In some states, the employer may be liable for injuries caused by its employee.

    Finally, employers may face liability for employees attending outside events. For example, an employer who requires employees to attend a party sponsored by a customer may be liable if the employee commits an actionable intentional or negligent act while at the event. Courts have found that the employer is liable because it stands to benefit from the customer’s goodwill generated by the employees’ attendance.

    6. Respond Promptly to Post-Party Concerns. It’s not unusual for a company to learn of a potential problem a week or two after the holiday party. Have management appropriately trained and ready to respond to any concerns that are raised by employees or their party guests. How a company responds to an employee’s concerns about inappropriate workplace behavior can significantly impact whether that employee ultimately seeks out an attorney and pursues litigation. Furthermore, if an employee does sue the company, a prompt and appropriate company response to the employee’s complaint can provide a solid defense to a discrimination or harassment claim.

    Potential Claims
    No matter how well intentioned, office holiday parties tend to encourage employees to behave in ways that they normally would not when at work. Despite your best efforts to train supervisors and instruct your employees, someone is bound to forget about the employer’s anti-discrimination and anti-harassment policies as well as its more general code of conduct, all of which apply and must be enforced at any company-sponsored holiday party. In summary, employers should consider the following steps to reduce the risks of an employee violating these policies at the holiday party:
    • Confirm that your insurance policies cover your holiday party.
    • Remind employees of the company’s code of conduct as well as its anti-discrimination and anti-harassment policies the week before the holiday party.
    • Remind employees that these policies apply to company-sponsored social events both inside and outside of the office.
    • Remind employees that they will be subject to discipline if they violate these policies during the holiday party.
    • Remind employees that any “after party” is not sponsored by the company.
    • Remind supervisors of these policies and what to do if they learn of or witness any potential violation of these policies during the holiday party.
    • Consider inviting spouses and partners of employees to the party to potentially assist in reducing flirting and other possible harassment issues.
    • Consider implementing a dress code that maintains a professional environment.
    • If there will be gift exchanges, "legal" raffles or drawings for prizes, white elephant gifts, etc., make sure that all staff, even those who chose not to attend the party, have an equal opportunity to share and participate if they wish. Send an invitation to all and request an RSVP.
    • Exclude no one, even if they do not choose to reply or participate. They are all valuable members of your team!
    No amount of precautionary steps will entirely eliminate the risk of employee lawsuits associated with the holiday party but be sure to take the appropriate steps to minimize liability. The same is true for the workplace in general. Your holiday party can be a great success and an opportunity to boost employee morale and regroup for the new year. Have a happy and safe holiday season!

    Sources: http://www.dickinsonlaw.com, http://www.shrm.org/, http://www.constangy.com/, HCSI

    For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com, visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6


    Tuesday, November 24, 2015

    Why HIPAA Compliance is Lacking in Smaller Practices and Where to Begin

    Why Compliance and Security Are Still Lacking

    A number of healthcare data breaches have made the news of late, particularly involving large insurance companies and data clearinghouses. As the media portrays the situation, our private health information is leaking to the outside world at an alarming rate. Based on Bitsight's recently released Third Annual Industry Benchmark Report, we should not be surprised. According to the Bitsight report, the healthcare industry is near worst in overall security, with only education below it.

    The data available prompts one big question – why is the security of our most personal data so poor? By comparison, security in the financial industry (best in the Bitsight report) is well addressed, with significant guidance and oversight being provided by PCI, GLBA and other bodies of regulations. The healthcare world has HIPAA, which admittedly, as security standards go, is fairly weak. That being said, it does not appear that it is being followed well. 

    In her article Why are healthcare data breaches so common?, author Stephanie Tayengco suggests 5 reasons why 91 percent of healthcare organizations reported at least one breach over the last year: 
    1. Systems are old and complex
    2. Health IT is 95 percent manual work
    3. Disjointed monitoring
    4. “We’re already HIPAA compliant”
    5. Health data is valuable 
    I tend to work with smaller healthcare organizations, the front lines of the healthcare cyberwar. They have less data than the big guys, but are usually much easier to hack. While Tayengco's list is quite appropriate for the industry as a whole, I see a somewhat different story in the niche I work with:

    Transition to EMR without considering security 
    Many smaller practices are adopting electronic medical record (EMR) systems. This is prompted partly by financial incentives available under the HITECH Act, and partly because an EMR system is seen as a pathway to HIPAA compliance. In most cases, practices are selecting “HIPAA compliant software,” thinking that the selection constitutes their compliance and as a result resolves their security issues. Sadly, this is a myth often spread by software companies as a sales tool. Compliance impacts the totality of a practice, not just the software used. 
    Buy something that says “HIPAA,” and you are covered 
    HIPAA is a complex standard, and it is not documented in a way that lets folks in medical practices easily comprehend the requirements. As such, I have observed that a practice will buy something that claims HIPAA compliance, be it a secure email system, an encrypted storage system, etc., and assume that the purchase makes them compliant, and therefore secure. Again, HIPAA applies to the totality of a practice. It cannot be met by the purchase of a single product, no matter what the salesperson said.

    No monitoring 
    Tayengco is exactly correct in her point about disjointed monitoring, but again, that applies to the larger organizations. What I see in smaller practices is the complete lack of monitoring. These folks generally have no idea how to even open a log file, let alone review it. They often assume that their IT provider is handling it for them, which is usually not the case. Their network may be under attack, and they don’t even know it. 

    Ignoring paper records 
    While adoption of EMR by smaller practices has been strong, paper records almost always remain. This may result from the decision not to add archival paper records to the EMR system, or because they serve as a bit of a security blanket. Whatever the reason, they often sit in unlocked file cabinets with no controls in place, leaving them open to insider threats.

    Lack of basic network protection 
    In my experience, smaller practices are not much different from small businesses in general in their adoption of basic security controls like firewalls, strong wireless systems and data encryption. I rarely see these controls properly adopted in any small business, medical or otherwise.

    No training or policies 
    Have you ever tried to put together a bike for one of your kids at Christmas without the instructions? Unless you happen to be an engineer, attempting this will result in a string of expletives, and a disappointed kid. In the HIPAA world, we seem to expect staff members to fill their roles in the compliance effort without understanding what they are, or having the necessary basic training or skills to pull it off. We would not think of putting a medical office employee with a patient without the necessary technical training, so why is compliance different? 

    I am just too small for anyone to mess with 
    This may be the most common excuse I hear in small practices, and small businesses in general. Those in smaller groups consider themselves invisible as compared to Anthem, Blue Cross, or a large hospital. They miss the fact that they are usually easy to breach, and readily found on the Internet. If they use Comcast as their internet provider, for example, their business information is likely on the Comcast website as a public hot spot.
    Unfortunately, while data breaches involving the big players usually become known reasonably quickly, patient data may be leaking from the smaller practices without anyone ever knowing. Once patient data hits the black market, we may never know its source. This makes the lack of security at smaller practices very dangerous.

    Addressing compliance and security
    If you are reading this as a member of such a practice, here are the steps you should begin to take immediately to address compliance and security: 
    • Understand HIPAA requirements, and formulate a compliance plan
    • Implement essential security practices on your network
    • Train your employees, and give them policies and procedures to follow
    • Monitor your systems and logs for evidence of issues 
    If the above seems a bit overwhelming, there are many organizations available to help. If you are reluctant to spend the money for such help, keep in mind that you would never consider fixing your X-ray machine yourself. If you don't have the time or expertise for HIPAA/security, hire someone who does.

    Bottom line – as a small practice, you are not invisible. Rather, you are the front line of the battle. Recognize that you are at war with those who would steal patient data, and begin fighting back.
