Tuesday, December 6, 2016

Overwhelmed, Underpaid, Stretched Too Thin: The Case of Multi-Office Compliance Administrators

Managing compliance with multiple offices at different locations can be challenging, but it is possible if done right.

Rita just finished talking with the Tampa office, as they have been struggling with some compliance issues. She begins drafting her report when the phone rings again. This time it is another issue with a misinterpretation of a compliance issue, but this one is at their office in Atlanta. Rita clarifies the issue and makes notes for her next report that will be done after she has completed the one from the Tampa office. "That's two offices in the last few minutes," Rita says aloud. "As long as I don't hear from the other seven offices I should be alright." At that moment, Rita's phone rings again.

Being responsible for the compliance regulations (HIPAA, OSHA, Human Resources, and Medicare) at one office is a demanding and time-consuming job. Being responsible for all of the compliance regulations at multiple offices is, in all likelihood, overwhelming and ineffective. There are three specific areas that we are going to review where having a "multi-office Compliance Administrator" is a challenge.

So Many Duties, So Little Time

In many offices, the person who is assigned to be responsible for the compliance duties within that office is also responsible for many other duties. These conflicts often lead to one or more of the person's assigned duties being neglected. Far too often, the duties that are left neglected within an office turn out to be those duties that the person wants to do the least . . . compliance. Neglecting compliance, even if unintentional, will lead to an increase in liability for the organization as a whole. An adequate amount of time needs to be accounted for in order for the assigned person to be able to protect the organization by being effective in their compliance duties.

Compliance Representation

Even in a multi-office structure, it is essential to have compliance representation for each individual office. Examples of compliance representation include:

  • Office specific compliance policies and procedures
  • Compliance forms identified for each individual office
  • Subject matter expert (SME) at each location as the go-to person for compliance questions or patient concerns

Compliance and Employee Awareness

Being aware of what is happening within each individual office is a big challenge for multi-office Compliance Administrators. However, this is the most important factor in determining the success or failure of a compliance program.

  • Needs and Circumstances - Each office has its own uniqueness in terms of compliance needs, focus, and circumstances. For example, restricted access areas within the office might be a huge issue at one office, whereas verbal protected health information (PHI) exposure could be a concern at a different location. One office could have a ramp safety issue and another office could be facing IT security issues. Each office is unique and should be treated as such.
  • Employees - Do you know what your employees are doing and saying when it comes to compliance? This is the biggest liability challenge for any organization. Having the ability to identify and quickly correct any possible compliance issue brought on by your employees' lack of understanding or poor attitude is a big difference maker for any compliance program. This goes a long way toward creating the all too important culture of compliance within any healthcare office. Lacking employee awareness will leave your organization open to compliance issues and liability. It is also the quickest way for the multi-office Compliance Administrator to have an involuntary job change.

Can one person be the multi-office Compliance Administrator? The answer is yes. If one person wants to be responsible for the compliance of the entire organization, they can do that, but they need to ensure that they have the following at each location:

  • Written and customized policies and procedures
  • Customized compliance material (forms, Business Associate Agreements, etc.)
  • Compliance Representative/SME

Having an effective compliance program and developing a culture of compliance within each healthcare office can be achieved. However, having one person trying to run the entire compliance program themselves for multiple healthcare offices is not the sign of a hard worker. It is a risky course to take that is laden with pitfalls and unnecessary liability.

Take a moment to review your current compliance situation. Ask yourself, "Is my current compliance program protecting the organization or putting it at risk?" Could your current compliance program be better based on the needs of your organization and its individual offices? We can all do better at improving our compliance efforts and meeting the needs of the organization. Rita has begun reviewing her compliance situation; maybe it's time to review yours as well.


Tuesday, November 22, 2016

Healthcare’s Uncertain Future

Discussing Healthcare's Variable and Evolving Paths
From contributing author Mendel Zilberberg, attorney and founder of Mendel Zilberberg & Assoc P.C., specializing in legal and allied legal services to healthcare related entities.

The recent election has had a reeling effect on most Americans. There is a prevailing sense of uncertainty about many important matters that are vital to this country’s future. However, healthcare, which currently represents approximately 17% of GDP, looms large in the uncertainty column.

Irrespective of anyone’s particular view as to the advantages or disadvantages of Obamacare, or whether the plan initiated by President Obama adequately, substantially, or even substantively addresses the underlying healthcare issues, it is most certain that healthcare cannot be steered like a sports car, but maybe and hopefully it can be navigated like a cruise ship. Even if change can be effected, it is reasonable to assume that even if there were quick fixes, they most certainly would have to be phased in over time to allow the economy, marketplace and government to efficiently implement and absorb the changes. What I’m trying to say is that any hope or promise of somehow pulling a rabbit out of a hat is unrealistic, irrespective of the ultimate plan and corresponding changes, particularly given the time needed to adjust for and to the unintended consequences of the seismic changes that have been promised. Simply stated, to those who believe that healthcare can be transformed overnight – please be ready to readjust your sights.


One challenge that I see in the future is that it is easy to promise lower cost and higher quality healthcare; however, in a sense the quality and cost of healthcare pull in opposite directions unless there is a new paradigm – a paradigm that has not yet been articulated. If you add quality, it raises the cost, and if you lower the cost of insurance you have less money to pay for whatever benefits you are offering. To further complicate matters, President-elect Trump said that he intends to leave coverage for pre-existing conditions. Aside from the actual cost of covering those situations, the potential for adverse selection looms large. Essentially, adverse selection means that the people who are most likely to buy the insurance are the people who need it the most. Let’s face it, insurance, by its very nature, is a redistribution of risk. If you cannot distribute the risk between those who are less likely to need medical care and those who are more likely to need medical care, the general principles of insurance become inapplicable.

Another issue is the apparent failure to distinguish between the cost of healthcare and the cost of healthcare insurance. I think it is best understood by way of an example in which someone goes to lease a car. The marketplace can, in an effort to lower the cost of an auto lease, focus on lowering monthly lease rates by squeezing markups charged by the dealer, negotiating lower interest rates, or having subsidized interest rates promoted by the automaker, but ultimately one gets to the point where if you don’t lower the actual underlying cost of the car you can’t lower the monthly or overall cost of the lease. Similarly, with healthcare, you can squeeze the doctors in terms of their reimbursement, you can squeeze the hospital in terms of their margins, but you reach a certain point (a point that we may have already reached) at which you cannot achieve any material efficiencies unless you lower the underlying cost of healthcare. There seems to be some mental block in understanding that increased insurance premiums reflect the increased cost of providing medicine and the increased cost of the underlying medical care.


Of course, when we get to this point in the conversation the big target is Pharma. The general argument is a call to arms to get those high-priced drugs out of the stream of commerce. However, the insurance companies seemingly have already negotiated down the cost of these drugs, and many of these drugs actually save lives. Even if Medicare started negotiating prices, it would be a small step in the right direction, which carries its own potential consequences. But do we really want to suppress innovation in healthcare? A very small percentage of potential drugs make it to or through clinical trials, and then a very small percentage make it through the lengthy and torturous FDA approval process. If the few winners do not earn enough money to pay for the other laggards (those drugs that either don’t make it to the finish line or will only treat a few people), big Pharma may cut R&D budgets, which ultimately will impede our progress. The bottom line is that ultimately it will lead to debilitated health or loss of life. This is a decision that we will have to make as a society. The issue of the propriety or ability of the government to dictate pricing to private industry is beyond the scope of this article.

Lower cost higher quality healthcare is a great tagline. However, I think it is easier said than done.

As a final note, it pains me to see American healthcare in a state of suspended animation. As just one example, I recently saw a flyer for a very large convention from the American Bar Association for its Health Law practitioners which is scheduled for the beginning of December. I am sure that in the months leading up to this convention there were numerous and highly detailed discussions relating to prevailing regulations, future trends, emerging strategies and various other very important topics. I can only wonder what they will be discussing as they look at their notes and PowerPoint slides for the scheduled presentations, all the while twiddling their thumbs and trying to figure out whether (or how) to keep on saying that we will have to see how much of the presentation will be around in six months, whether the stroke of a pen will make the presentation wholly irrelevant, or that thanks to the new administration they won’t have to wait a year for another health law convention.

What do you think?

---
DISCLAIMER - This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes only. In addition, in some jurisdictions this post may be considered to be attorney advertising.

About Mendel Zilberberg: An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.

MZ blog : www.stateofthought.com


Friday, November 4, 2016

Chiropractors and MDs in Integrated Practice – A Good Idea?

This article was submitted by contributing author Jordan Saint John.

I. What is a Multi-Discipline Practice?

Healthcare in America is becoming increasingly integrated. For instance, the American Medical Association (“AMA”) notes rapid changes in healthcare delivery and an expanding environment of integrated modes of practice.[1] A strong impetus for this change was the enactment of the Affordable Care Act, which created a broad regulatory framework for such initiatives as clinical integration, care coordination, quality and other performance metrics, and cost containment. However, the AMA understandably focuses on physician-led practices that integrate several medical specialties.
By contrast, this article discusses multi-discipline practices, which deliver non-medical modalities alongside more conventional medical services. These non-medical modalities, such as chiropractic, naturopathy and acupuncture, are often designated by the term “complementary and alternative medicine” (“CAM”) and are widely accepted by the general populace.[2] Confusingly, such multi-discipline practices are also sometimes known as integrated medicine.
More particularly, this article focuses on multi-discipline practices that integrate medical services with a chiropractor-operated entity, which we will refer to as DC/MD integrated practices. These practices are almost invariably set up by the chiropractor, who arranges with a physician to either oversee medical services provided by a mid-level medical practitioner, or to enter a contractual relationship whereby the chiropractor provides administrative services through a management service organization (“MSO”) to a medical practice, and also offers chiropractic services to this pool of patients.
Increasing numbers of chiropractors are utilizing or considering this model, for good reason. For one, it allows the chiropractor to offer more healthcare services to his/her patients. A typical example is the alleviation of chronic pain through injections that a chiropractor otherwise could not provide. Alternatively, chiropractors seek the financial benefit of a business relationship with a medical doctor’s practice. Meanwhile, the medical doctor benefits either through an additional income stream for his/her oversight role, or through handing off the administrative side of the practice, allowing him/her to concentrate on the practice of medicine.
Despite the attractiveness of these arrangements to both parties and the fact that if properly structured they are not per se illegal, pitfalls abound, especially when the practice serves federal healthcare program ("FHP") beneficiaries. Along with a discussion of a typical model of a DC/MD collaboration, this article presents some of the possible pitfalls of these arrangements, and is meant to be a cautionary tale.

II. Potential Pitfalls of a DC/MD Integrated Practice

The possible pitfalls of a DC/MD integrated practice that is either poorly structured or operated are many and potentially ruinous. As every practitioner surely knows, active fraud in the healthcare arena can result in criminal liability at both the federal and state level. However, even well-intentioned practitioners can find themselves facing criminal charges, civil penalties, licensing board sanctions and financial collapse. The following discussion presents the greatest areas of concern.

A. Legal Structure – the Corporate Practice of Medicine

Most states have some form of prohibition against the corporate practice of medicine (“CPOM”).[3] This doctrine generally prohibits a business corporation from practicing medicine or employing a medical doctor to provide professional medical services. Even where a distinct law may not exist, this doctrine is often embodied in the prohibitions against practicing medicine without a license and against fee-splitting between someone with a medical license and someone without. It is this doctrine that generally disallows a chiropractor from co-owning an entity with, or employing – even as an independent contractor – a medical doctor.
The basic public policy reason behind the prohibition against CPOM is the conflict between the interests of a corporation and the needs of a patient. However, most states make some exceptions to their CPOM doctrine, such as for hospitals, health maintenance organizations, and professional corporations. Thus, the first step in setting up a DC/MD integrated practice is to understand the CPOM doctrine of the state where the entity will be formed and operate, and to structure the entity or entities accordingly.
An additional source of rules and regulations concerning the CPOM is state medical licensing boards. For example, California’s Medical Board finds problematic a number of scenarios that are foreseeable in a DC/MD integrated practice.[4] In California, the following health care decisions would constitute the unlicensed practice of medicine if performed by an unlicensed person:
  • Determining what diagnostic tests are appropriate for a particular condition.
  • Determining the need for referrals to, or consultation with, another physician/specialist.
  • Responsibility for the ultimate overall care of the patient, including treatment options available to the patient.
  • Determining how many patients a physician must see in a given period of time or how many hours s/he must work.
Also, the following business or management decisions and activities, resulting in control over the doctor's practice of medicine, may not be made by an unlicensed person or entity:
  • Selection, hiring/firing (as it relates to clinical competency or proficiency) of medical doctors, medical assistants, and allied health staff.
  • Decisions regarding coding and billing procedures for patient care services.
  • Approving the selection of medical equipment and medical supplies for the medical practice.
The Board states that these “business” or “management” decisions and activities cannot be delegated to an unlicensed person, “including management service organizations,” and that while the medical doctor may consult with unlicensed persons in making these types of decisions, the medical doctor retains ultimate responsibility.
Additionally, the Board prohibits the following types of medical practice ownership and operating structures, deeming them the unlicensed practice of medicine:
  • Non-physicians owning or operating a business that offers patient evaluation, diagnosis, care and/or treatment . . .
  • Management service organizations arranging for, advertising, or providing medical services rather than only providing administrative staff and services for a physician’s medical practice . . .
  • A physician acting as ‘medical director’ for a business providing medical procedures.
Nevertheless, even in states which are widely considered to have robust CPOM laws, such as California, it is possible to set up a DC/MD integrated practice that will not run afoul of state law.

B. Additional Legal and Regulatory Requirements

Laws and regulations governing the healthcare arena can apply to any healthcare entity or be specific to certain programs such as Medicare. For example, the Health Insurance Portability and Accountability Act (“HIPAA”) established national standards for electronic health care transactions which apply to nearly every healthcare practice. On the other hand, the federal Physician Self-Referral law applies specifically to Medicare and Medicaid. However, some states have their own versions of such laws, which may be even broader than the federal version, such as applying to all healthcare payers, not just FHPs. The regulatory schemes where a DC/MD integrated practice would most likely run afoul are briefly discussed below.

1. Anti-Kickback and Fee-Splitting Statutes

A medical practice operating in collaboration with a non-medical practice implicates both anti-kickback and fee-splitting prohibitions. Anti-kickback laws prohibit any kind of remuneration for referrals. A “safe harbor” in the federal anti-kickback statute ("AKS") is that of referring a patient to a practitioner of another specialty in return for an agreement to refer that patient back, as long as there is no remuneration or splitting of a global fee for the referral other than the compensation each practitioner receives for his/her services.[5] Presumably, this would protect the passing back and forth of a patient between a medical doctor and a chiropractor in a DC/MD integrated practice. However, states can have their own anti-kickback laws which could be broader than the AKS and not include such a safe harbor.
Meanwhile, fee-splitting is the sharing of fees across professions for services provided to a single healthcare consumer. Fee-splitting is generally prohibited because it raises issues similar to those of CPOM laws, in that financial considerations may run counter to professional judgment. It also raises issues similar to those addressed by anti-kickback laws, in that healthcare referrals may be made for financial reasons rather than in the patient’s best interests.
Fee-splitting prohibitions derive from state statutes and professional licensing boards; therefore, while prohibiting similar behavior, these laws are state specific. In Florida, for example, it is a criminal offense for a healthcare provider or facility to split fees, a practice known there as “patient brokering.”[6] The prohibition does not apply to a group practice, but a chiropractor and medical doctor could not form a group practice in Florida because by statutory definition, each member of the group must provide “substantially the full range of services which the health care provider routinely provides, including medical care, consultation, diagnosis, or treatment.”[7] However, in Florida as elsewhere, DC/MD business arrangements can operate legally and compliantly.

2. False Claims Act

The federal False Claims Act (“FCA”) prohibits the knowing presentation of false claims to the government.[8] While every healthcare practice must avoid submitting claims known to be false to any FHP, the DC/MD integrated practice can create particular opportunities to run afoul of this law, especially where a chiropractor-owned MSO submits claims on behalf of the medical doctor’s practice.
The FCA allows private persons to file a false claims suit in their own name and in the government’s stead. This is known as a qui tam action, and is designed to bring to light wrong-doing that only an insider would know about. The government may decide to intervene, taking over the action as its own after examining the complaint and supporting evidence. While a qui tam action is a powerful tool for genuine whistleblowers, this law is sometimes invoked in retaliation, often by a disgruntled ex-employee terminated for good cause. Even where meritless, such actions can create big headaches for the healthcare practice.

3. Physician Self-Referral (“Stark”)

Self-referral is the practice of referring patients to healthcare entities in which the referring provider has a financial interest. Because of the inherent conflict this creates between the provider’s financial considerations and his/her medical judgment regarding the patient, such referrals are prohibited by most states and under federal law. The federal physician self-referral law is known as the “Stark” law, after the bill’s initial sponsor, California congressman Pete Stark.[9] It specifically prohibits self-referral by physicians regarding eleven “designated” healthcare services that are reimbursable by Medicare or Medicaid. However, state self-referral laws may be even broader, perhaps applying to all healthcare providers, covering even more healthcare services, or involving any healthcare payer.
A DC/MD integrated practice, unless properly structured, could implicate federal and/or state self-referral laws. Assuming that the collaboration is structured as two entities, if the chiropractor or medical doctor owns an interest in both entities, there could be a self-referral problem. Each scenario would have to be evaluated on a case by case basis, in accordance with applicable law.

4. Scope of Practice, Collaboration Agreements and Supervision

Finally, states have laws governing the scope of practice and supervision of mid-level medical practitioners. Scope of practice refers to the services a licensed practitioner is authorized to provide. A chiropractor looking to expand the services offered to his/her patients might choose to develop, for example, a pain management practice. The diagnosis and treatment of chronic pain due to causes beyond spinal subluxations would involve medical diagnosis and treatment, which could often be provided by a mid-level provider such as a nurse practitioner (“NP”). Depending on applicable state law, an NP may function largely autonomously, giving injections and even prescribing medications, but must usually have a collaboration and supervision agreement in place with a local medical doctor. The doctor would also regularly review patient charts.
Such an arrangement usually means that the doctor is off-site but immediately accessible by phone or email to help with questions or concerns. Thus, this can become a secondary income stream for the doctor, and will usually pass regulatory muster if the doctor’s compensation for this arrangement is fixed and reasonable. Compensation that is based on percentages of patients seen, or beyond fair market value for the services rendered by the doctor, can be construed as either fee-splitting or a kickback.
However, such services must be billed under the practice, with the rendering practitioner duly noted. Where Medicare, for instance, is billed under the doctor’s NPI for services rendered by a mid-level, this is known as “incident to” billing, resulting in reimbursement at the doctor’s rather than the mid-level’s rate. Proper “incident to” billing involves exacting rules, which, if not followed, can lead to an unpleasant audit experience and the repayment of a portion of Medicare payments received.

III. The MSO and other DC/MD Integrated Models

Despite the regulatory risks involved in operating a DC/MD integrated practice, many undertake this collaboration for the reasons mentioned earlier. Some ways a chiropractor and medical doctor collaborate include:
  • the chiropractor is employed by a medical practice;
  • the chiropractor leases space to the medical practice;
  • the chiropractor provides administrative services to the medical practice (MSO);
  • the doctor becomes the "medical director" for any medical procedures to be offered at the clinic.
Sometimes the collaboration involves a number of these options, often the last three, so they will be discussed as a single, MSO-hybrid model. (The first will not be discussed, as it is self-explanatory.) For brevity, the MSO-hybrid model will be referred to simply as an MSO.
While the collaboration entails advantages for both parties, as discussed earlier, it is typically the chiropractor who seeks the collaboration. The chiropractor contacts a medical doctor to discuss a proposed arrangement. The chiropractor offers to provide billing, accounting, marketing, and other management services to the medical practice (MSO model). Usually, the chiropractor also asks the medical doctor to oversee a staff of mid-level practitioners who will provide a range of medical procedures the chiropractor would like to offer his/her patient base, such as pain management injections ("medical director" model). The arrangement will often also include the leasing of space by the chiropractor-owned business to the medical practice.
To avoid the unlicensed practice of medicine, fee-splitting or CPOM concerns, two entities either already exist or will be created: the chiropractor-owned administrative entity and the physician-owned clinical entity. The chiropractor/MSO, in its administrative role, often sets up the clinical entity for the doctor, usually employing an attorney to do so. However, this attorney typically specializes in business law and does not necessarily understand the nuances of health law. Despite the fact that in many states, as in California, it would be the unlicensed practice of medicine for a person other than a medical doctor to hire and fire medical staff based upon competency, the MSO nonetheless usually sees to the hiring of the mid-levels as just another administrative function, and the medical doctor provides oversight only through regular review of an established number of medical records in return for the agreed compensation.
To expand its revenue, the practice may decide to accept, for example, Medicare beneficiaries. The MSO either directly provides staff to handle the Medicare billing or contracts with a third party biller. By becoming a Medicare provider, the practice has accepted the imposition of a vast set of regulatory requirements, and by billing Medicare, the practice has invited the scrutiny of the Medicare contractors overseeing its jurisdiction. For several years, the practice may submit Medicare bills and be promptly paid. This appears to be a validation of everything that the practice is doing.
However, Medicare scrutiny includes data analysis of coding and billing patterns which raise red flags if they fall outside the norm for the geographical area. If so, the practice is notified, sometimes only for educational purposes. But if medical records are requested, an audit has begun, and the practice may soon learn, to its utter dismay, about two extremely powerful aspects of CMS's authority to protect the Medicare trust fund: the four-year look back period and the extrapolation of a medical review of a statistical sample of claims into the practice's history of paid claims.[10]
To put it simply, based upon a small but "statistically valid" sample of claims, the denial rate, based on a medical review by the Medicare contractor, will be projected into the four-year history of similar paid claims and a resulting overpayment assessed. Supposing a denial rate of 80% based on a review of 100 claims comprising perhaps 20 different procedure codes, 80% of the money the practice was paid for those codes for up to a four year period will be demanded back. The practice is faced with either a long and arduous appeal process or the specter of immediate recoupment of the funds. Depending on the practice's viability and the amount of the assessed overpayment, the practice may or may not survive.
Obviously, this fate could happen to any Medicare provider, but it appears to be a special vulnerability of the DC/MD integrated practice because, in the typical arrangement, the MSO bills Medicare on the practice's behalf. The MSO may indeed have experience in Medicare billing, but it may not actually have or retain credentialed Medicare billing expertise. Worse, the clinical protocols and procedures, usually furnished by mid-level medical practitioners such as NPs who are often hired by the MSO rather than the medical doctor, can sometimes be subtly influenced by the ambition or judgment of the chiropractor, who tends to view the whole enterprise as his/her own. The medical doctor sees the occasional patient, reviews the mid-levels' work, is often busy with other medical offices and collaborations, and, having paid for competent management, tends to view little else about the practice as his/her responsibility. There may be too much of a disconnect between the medical judgment and supporting records, on the one hand, and the coding/billing function, on the other, for the medical procedures to be reimbursed under Medicare's rules. Both the chiropractor and medical doctor can find themselves under increasing government scrutiny, facing financial pressure and even legal sanctions. Often, the medical doctor's license is at risk. This is the DC/MD collaboration gone bad, especially in the context of an FHP, and the practice will be lucky to get through intact, with merely hundreds of thousands of dollars to repay.

IV. Conclusion

This article is meant to be a cautionary tale. No doubt DC/MD integrated practices operate legally and successfully in nearly every state, and it may be that the majority, even those serving FHP beneficiaries, never face significant problems. But for those that do, the challenges can be daunting and sometimes insurmountable. Any chiropractor or medical doctor contemplating such a collaboration is well advised to consult a knowledgeable health law attorney before proceeding.

V. Takeaways

· Healthcare is becoming increasingly integrated, and the American healthcare consumer expects convenience and a wide array of options in making healthcare choices.
· Chiropractor/doctor (DC/MD) integrated practices are attractive to both parties because of the potential financial benefits; however, it is the chiropractor who tends to initiate the collaboration.
· DC/MD integrated practices are not illegal in most states, but care must be exercised to structure them in compliance with state law and professional licensing boards.
· The potential pitfalls of such arrangements multiply if the practice will also serve federal healthcare program beneficiaries.
· The MSO model, or some hybrid which includes it, appears to be the most common form of collaboration, but it comes with the risk that the MSO may not have or retain the actual expertise in Medicare billing required to shield the practice from serious financial and legal liability.




Wednesday, October 19, 2016

Ten HIPAA Security Tips Saving Small Practices' Time, Money and Reputation


This article was submitted by contributing author, Vic Berger.

My business practice focuses on helping organizations understand their risks related to security. Cyber security is one risk every organization struggles with. Small businesses face the same types of risks as bigger companies but lack the staffing and resources to respond as a large organization can. I am frequently asked by small business owners, "What cost effective recommendations would you make for my business to make it more secure?" Here are my top ten recommendations for small businesses when dealing with information security.

1. Have A Written Security Policy
Every business needs a good written information security policy. This is the basis for your security plan, as well as your legal safety net when something happens. There is no single action a company can take that is more important. Yet this is often the first issue I find in audits of companies of every size, and in every sector. The plan needs to be well written; read and understood by every employee in the company; and consistently maintained. There are numerous templates and examples of security policies on the internet. Many consulting companies will tailor a stock plan to suit your organization.

2. Encrypt Everything
The first rule of I.T. security is "no solution is perfect 100% of the time". You cannot always trust prevention methods to keep your data safe. The only way to consistently assure the protection of your data is to encrypt it so it cannot be read. This is especially important with cloud or internet based storage accounts. Dropbox, Google Drive, OneDrive, Box, and Egnyte are all great tools, but no cloud provider will guarantee the security of your data, and all have recently been breached. My basic rule of thumb is: if it is on the internet, consider it public access unless you have encrypted it. You can encrypt your cloud storage using a simple-to-use (and free for personal use) encryption program from nCryptedcloud that supports Dropbox, Box, Google Drive, OneDrive, and Egnyte, available at https://www.encryptedcloud.com/. You can also use a portable USB-format hardware encryption and key management device from BlackSquare called Enigma, at www.blacksquaretechnologies.com, for personal and small business encryption on portable devices, computers, and cloud accounts.

3. Protect Your Website
Current information security statistics indicate that 85% of all websites have one or more significant security vulnerabilities. I apply patches to my websites almost daily to keep up with newly discovered vulnerabilities. There are three basic types of websites, with three different recommendations based on what you use:
A. A static web page with basic company information that doesn't change. Your biggest risk is disruption or defacing of this type of website. Your hosting provider or ISP will take care of the service disruption. For defacing, keep a good site backup and do a complete CLEAN restore as soon as possible (hackers leave behind gotchas).
B. An interactive or dynamic web site with user content and/or e-commerce. Often these are created using a standard Content Management Software (CMS) package like WordPress, Joomla, or Drupal. These are best left to a professional company to update and manage if possible. If you must do it yourself, get a good book on securing your type of CMS. Subscribe to the vulnerability notification feed for your CMS type (all of the common solutions have this). Check your website against new vulnerabilities often.
C. A site dedicated to internet e-commerce or a highly interactive site where users log in to access content. Hire this one out! Do not try to do this yourself unless information security is your core business, or you have an I.T. staff with specialized training and certifications in internet security.

4. Data Backups
I see irreplaceable data lost almost every day. I have seen it in government agencies, Fortune 500 companies, and in every industry vertical. It can be from a data breach, a hardware failure, a natural disaster, or from human error. Whatever the reason, there is no excuse for not having good backups. You should have at least one full data backup per week, more if your data changes frequently. Store the backups offsite, and somewhere safe. I suggest the granite vault at Perpetual Storage, www.perpetualstorage.com; it is the safest storage site in the country. You should also buy a GoBox and store everything you would need to rebuild your business after a major disaster.

5. Avoid Consumer Grade
If you can buy an I.T. product at a local box store, electronics retailer, or office supply store, it is probably consumer grade, and not designed for business. This includes firewalls, routers, wireless access points, servers, storage, networking devices, tape drives, or anything that protects, moves, or manages your data. Yes, commercial grade is more expensive, for a reason: It Is Commercial Grade! Consumer grade security equipment was designed to protect a few ports and protocols commonly used by consumers. Business applications use different ports and protocols. They either do not run behind consumer grade equipment or you have to poke holes in your security to make them work. Consumer grade security is also easy to breach. Commercial grade uses much better security methods, and is consistently tested. Call your local I.T. reseller and ask them what they recommend.

6. Know Your Risks
Knowing what you have that would be of value to someone else helps you determine what to focus on protecting. Do you have sensitive or privileged data? Is your data unique or valuable? Are there government regulations like HIPAA or Sarbanes-Oxley that affect your industry? Are customers or consumers ever given access to your data? How many employees do you have, and what risk areas do they create? Beyond what is already addressed elsewhere in this whitepaper, as a minimum you need: antivirus (web search free antivirus), anti-spyware (web search free anti-spyware), and a good security shell for your organization (try Arellia, www.arellia.com). If you have customers that are EVER near your work computers, you need an anti-keystroke-logging solution (StrikeForce, www.strikeforcetech.com). Your mail and web should have mandatory content filters (either through your ISP or your firewall).

7. Plan For BYOD
BYOD stands for bring your own device. This is a huge shift in the government and corporate sector, but probably business as usual in small businesses. Small businesses often use what they have, even if it is a personal device. This is increasingly creating security issues. What your employees, knowingly or unknowingly, have on their devices, and what they do with them in their own time is now brought into your environment. This can open up security holes as well as create liability issues. Make sure that BYOD is clearly defined and covered in your security policy. There is technology that can restrict the security vulnerabilities of personal devices, so ask your local I.T. reseller for assistance. Finally, make sure your employees clearly understand your expectations and limits where BYOD is concerned.
 
8. Who Is Guarding The Sheep
This applies whether you are a Fortune 500 company or a small business. I.T. administrators have great power. They can view privileged information, and have an extremely high level of system access and control, more than even the owners and senior executives of the company. This is a great responsibility, but also a huge temptation. It is very common to discover that I.T. administrators have been inside payroll files, HR files, or other personal or sensitive material. A good security shell like Arellia (see #6) creates log files to review, but that means that someone has to faithfully do this. Again, start with policy and clearly define responsibilities and expectations. Two-person integrity is always prudent where money and manpower permit. And as always, rule #2 applies: Encrypt everything!
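As an added example (not part of Vic Berger's article, and not how Arellia or any particular product works), here is the review step from this tip as a script: it parses constructed audit lines in an assumed key=value format, flags every admin-role access to HR or payroll paths, and clears only those covered by a constructed two-person approval record, so the reviewer sees just the accesses nobody signed off on.

```python
import re
from datetime import datetime

# Constructed audit lines in an assumed key=value format (not real product output).
AUDIT_LOG = """\
2016-10-19T08:14:02 user=jsmith role=admin action=read path=/shares/hr/payroll/2016-q3.xlsx
2016-10-19T08:20:45 user=jsmith role=admin action=read path=/shares/it/patch-notes.txt
2016-10-19T09:02:11 user=mlee role=hr action=read path=/shares/hr/payroll/2016-q3.xlsx
2016-10-19T13:45:30 user=rkhan role=admin action=read path=/shares/hr/reviews/rkhan.docx
2016-10-19T14:05:00 user=jsmith role=admin action=write path=/shares/hr/benefits/plan.pdf
"""
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/payroll/")
# Constructed two-person approvals: a second person grants an admin a bounded window.
APPROVALS = [{"user": "jsmith", "approver": "owner", "path_prefix": "/shares/hr/benefits/",
              "start": "2016-10-19T13:00:00", "end": "2016-10-19T15:00:00"}]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"action=(?P<action>\S+) path=(?P<path>\S+)$")

def parse_audit(text):
    """Parse the key=value audit format into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def is_approved(event, approvals):
    """True if a non-self approval covers this user, path prefix and timestamp."""
    ts = datetime.fromisoformat(event["ts"])
    return any(a["user"] == event["user"] and a["approver"] != event["user"]
               and event["path"].startswith(a["path_prefix"])
               and datetime.fromisoformat(a["start"]) <= ts <= datetime.fromisoformat(a["end"])
               for a in approvals)

def flag_admin_access(text, approvals=APPROVALS, prefixes=SENSITIVE_PREFIXES):
    """Return admin-role events on sensitive paths that no approval covers."""
    return [e for e in parse_audit(text)
            if e["role"] == "admin" and e["path"].startswith(prefixes)
            and not is_approved(e, approvals)]

if __name__ == "__main__":
    for e in flag_admin_access(AUDIT_LOG):
        print(f"REVIEW: {e['ts']} {e['user']} {e['action']} {e['path']}")
```

On the constructed sample, the payroll read and the admin reading his own HR review file are flagged, while the benefits write inside its approved window is not.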

9. Physical Security Is Information Security
Theft is about opportunities, and criminals use them very effectively. Data from a stolen laptop is easier to obtain than by hacking. Why brute force passwords when you can easily install a keystroke logger? A screwdriver to the back door is as good as a key if there is no other security. You must have good physical security policies and practices to have good information security. Cameras are effective and have become reasonably cheap. Programs that wipe stolen devices are commonly available. Keeping sensitive information and records locked away after hours deters opportunistic thieves. Think like a criminal, and then protect yourself from what you would exploit.

10. Know When To Call For Help
I am a passable plumber, marginal carpenter, and just plain dislike auto mechanics. I can do all three if required but usually end up spending more time, effort, and money than what I had intended. I can tackle small jobs but I leave the major projects to the professionals. I.T. security is a highly specialized field with significant training and experience necessary to operate at a professional level. Your whiz kid nephew, who is good with computers, does not have that level of training or the required experience. This is especially important when there is an incident. Fewer than 3% of all I.T. professionals have the security experience and certification necessary to handle a data breach. I leave significant plumbing, carpentry, and auto mechanics jobs to the professionals; leave your major I.T. security issues to the professionals as well.

This article was submitted by a contributing author:
Vic Berger
CEO, Opsis Technologies
855-99OPSIS


For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.




Tuesday, October 18, 2016

2016 Ongoing HIPAA Training: Saving You 3 Months When You Breach PHI




Time for a HIPAA Check Up From the Neck Up!

This training will Save You 3 Months After You Breach PHI! 

Recovering from the Breach:
1) Steals Your TIME!
2) Destroys Your REPUTATION!
3) Ruins Your CAREER!

Creating a Culture of HIPAA Privacy and Security is one of the biggest challenges facing Healthcare Providers and Business Associates today! Why? You Don't Have ANY SPARE TIME!

In this training HCSI will guide you through the process of how to develop a Culture of Compliance so that when the Auditor comes knocking at your door you are spending minutes with him instead of MONTHS!

What to Expect in the Training:
1. How to develop an effective Risk Analysis.
2. How to develop policies and procedures.
3. How to develop a Compliance Plan in case of an audit.

