Healthcare Compliance Solutions, Inc.: February 2016

Friday, February 26, 2016

5 Keys To A Successful Budget

Having a successful budget will give financial peace to any organization.

One of the biggest challenges of any organization is ensuring that the amount of capital available enables that organization to accomplish the goals it has set. Having a budget in place will enable an organization to understand if that capital is available or if additional funds are required.

Below are five keys to having a successful budget:

Work Together - In order to establish and maintain a successful budget, it is important for all areas of an organization to work together in its creation. The budget should be established based on the goals of the organizations for the upcoming fiscal year. This should be done during an annual budget meeting.
Understand the True Income - True income is all income that a business earns. This income could include cash, credit, investments, etc. It is necessary to understand the true income of the organization in order to create a successful budget.
Review on a Monthly Basis - It is important to review and prioritize the budget on a monthly basis. If any changes have occurred to the income or expenditures of the organization, then the budget should be adjusted. It may also be necessary to adjust the budget based on a sudden shift within the organization or change in its goal. Any changes to the budget should be approved by all involved areas of the organization.
Write Your Budget Down - Having a written budget helps clarify the budget for all involved. In addition, it helps speed-up the approval process by enabling all involved to discuss and adjust the budget during the budget meeting.
Emergency Funds - Unpredictable occurrences happen during the fiscal year. It is fiscally responsible for any organization to have emergency funds worked into the budget. These funds should only be accessed in an emergency situation and if all areas of the organization who are involved in the budget agree.

When an organization understands the amount of capital it has to work with, then it is more likely to better utilize that capital in order to achieve its intended goal.

Thursday, February 25, 2016

Your Compliance Officer Needs A Seat At The Table

Put Your Compliance Officer On Speed Dial

At most healthcare facilities, the compliance officer is very busy, as are the administrator, privacy officer, security officer, and the person in charge of purchasing and contracting. These people wear many hats, and don't have time to collaborate - or the organization doesn't have processes in place to facilitate collaboration.

Does this sound familiar? This scenario is common, perhaps even the norm. It's also very risky from a compliance standpoint. Here are some examples of what can go wrong when the compliance officer is left out of business decisions at a nursing home.

A director of nursing wants to buy laptops for nurses, in order to improve the accuracy of documentation. The administrator approves the cost, and IT makes the purchase. After the laptops arrive, the compliance officer finds out. She advises the organization to buy encryption and anti-virus software for HIPAA security purposes - and is told it's not in the budget.

In another example, the CEO or a board member comes across an opportunity to enter an arrangement with a nearby hospital. The hospital will pay a fee to reserve a number of SNF beds in case the hospital needs them for its patients. The CEO or board member works out the details without contacting the compliance officer. It turns out that the arrangement violates the Anti-Kickback Statute. If the officer had known, she could have involved legal counsel to structure the arrangement in a way that is appropriate.

The compliance officer needs a seat at the table for business decisions in long-term care facilities to avoid these common pitfalls. Here are some steps you can take to make this happen:

Use your compliance committee. If the committee meets quarterly, listens while the compliance officer reads the meeting agenda. If there's no discussion, you have a missed opportunity. Leverage your compliance resources - in this case, your leaders and experts - to share information about emerging risks and upcoming contracts and deals. By getting committee members in the habit of including each other in big decisions, you can avoid costly communication breakdowns.
Work on your work flow. If your managers aren't used to collaborating, it might be hard to get started. Get everyone together, and write down examples of situations where the compliance officer (or another compliance leader, such as a HIPAA officer), should be involved. For example, you might write down "IT purchase" and "contract with a referral source," to start. Encourage your team to add to this list and share it at regular compliance committee meetings.
Put the compliance officer on speed dial. This one is pretty basic, but can make a big difference. Identify who needs the compliance officer on speed dial, starting with your HIPAA officers, and anyone in a position to enter a contract. You might even add a "Call the Compliance Officer" sticker to their phone or computer as a friendly reminder. You have a compliance officer for a reason: to keep your organization compliant. Make sure everyone in your organization understands when and how to use this person, and everyone will make better decisions.

Source(s): Margaret Scavotto, http://www.mcknights.com, www.hcsiinc.cm

Thursday, February 18, 2016

Still Not Strivig Enough For That Culture Of Compliance

Mishandling of PHI Still Excessive

Covered Entities are still not always investing enough serious commitment into ensuring the safety of PHI and the crucial development of this culture of compliance among staff members. The following data breach stories have been reported on Becker's Hospital Review in just the past three weeks.

1. During a Thanksgiving Day trip to a public recycling center, a man stumbled upon hundreds of medical records belonging to patients of Springfield, Ohio-based Community Mercy Health Partners.

2. Naples, Fla.-based NCH Healthcare reported a data breach compromising employee information stemming from two servers in the CernerDataCenter in Kansas City, Mo.

3. A mailing error resulted in 700 patients of Borgess Rheumatology in Kalamazoo, Mich., being sent information that did not belong to them, the clinic reported.

4. Two overly curious Miami-based Jackson Health System employees were fired for accessing NFL player Jason Pierre-Paul's medical record after he received treatment there for a finger injury.

5. In a separate instance, another 'rogue' Jackson Health System employee is suspected of stealing the confidential information of more than 24,000 health system patients over the past five years, including sensitive information like Social Security numbers and addresses.

6. Seim Johnson, a hospital auditing company, reported that a laptop containing information from nearly 31,000 patients was stolen. One hospital affected by the breach, McCook, Neb.-based CommunityHospital, notified 4,200 of its patients that they may be affected. It is still unclear who the remaining approximately 26,800 patients are and where they may have received care.

7. Hackers accessed and dumped the personal information of more than 9,000 Department of Homeland Security employees on Monday. The hackers reportedly entered through a Department of Justice email account and hope to send a message to the U.S. government to cut its ties with Israel and rally support for Palestine.

8. Apple Health, Washington state's Medicaid program, reported that two employees of different state agencies exchanged the personal health information of more than 91,000 individuals in a manner not compliant with HIPAA.

9. PortlandHealth & ScienceUniversity reported a hard drive stolen from a student's car that contained information from a number of infants who were enrolled to participate in a research study in the hospital's neonatal intensive care unit in 2013.

10. Centene, a St. Louis-based payer who in January reported hard driving containing information from nearly 1 million individuals missing, has found the missing data. The drives had been placed in a secure receptacle to be destroyed.

11. The federal government announced it will not pursue action against University of Rochester (N.Y.) MedicalCenter over a 2015 data breach in which a nurse shared a list of patient names without permission. URMC did however fork over $15,000 in December for a HIPAA settlement.

12. The Atlanta VA Medical Center accidentally gave a veteran who requested a copy of his medical record and incomplete version of that record, along with the records of 10 other people the man had never met.

...and last but not least... Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's computer systems and would give back access only when the money was paid, the hospital's chief executive said Wednesday. The assault on Hollywood Presbyterian occurred Feb. 5, 2016 when hackers using malware infected the institution's computers, preventing hospital staff from being able to communicate from those devices, said Chief Executive Allen Stefanek.

Source(s): http://www.beckershospitalreview.com/, http://www.latimes.com/

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com,

visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

Friday, February 12, 2016

5 Characteristics of A Winning Culture

What difference does culture make in an organization?

Organizational culture is defined as: the values and behaviors that contribute to the unique social and psychological environment of an organization.

The effects of culture on an organization's success or failure cannot be over stated. Here are two examples:

In 1958, the Green Bay Packers had 1 victory, 10 losses, and 1 tie. Needless to say, the season was a complete failure. At the end of that season, Green Bay fired their coach and hired somebody who had never been a Pro Football Head Coach, Vince Lombardi. When Vince Lombardi came to Green Bay, he was determined to make the organization into a winning organization. This transformation started with and ended with changing the culture of the Green Bay Packers. Here are the things Coach Lombardi did:

He got rid of poor performing players and brought in better performing players.
He instilled in his players a winning attitude.
He encouraged the players to work hard and showed them the amazing results that come from hard work.
He helped his players have better focus in accomplishing their goals.
He found within the team natural leaders and put them in place where they could have the most influence.

Over the next 9 years, the Green Bay Packers won 5 NFL Championships and 2 Super Bowls. It is clear, that the turnaround of the Green Bay Packer culture was a complete success. The Green Bay Packer organization now had a winning culture.

In a more recent example, the Denver Broncos recently won the Super Bowl. How did this happen? Only five years earlier, the Denver Broncos had a record of 4 wins and 12 losses. They had a loosing culture within their organization. After that terrible season ended, John Elway was hired as the Vice President of Operations. During Elway's earlier days as the Bronco's Quarterback and leader, he was part of a winning culture. Elway and the Broncos went to five Super Bowls and won two of those five. He was part of a winning organization. His task now was to bring back the winning culture to the Denver Broncos. Here are the things John Elway did:

He got rid of poor performing players and brought in better performing players.
He instilled in his organization an aggressive and physical style of play and thus improving the teams attitude.
He encouraged the players to work hard and showed them the amazing results that come from hard work.
He helped his team have better focus in accomplishing their goals.
He found natural leaders and put them in place where they could have the most influence.

The similarities between Green Bay's cultural turnaround and Denver's is consistent with the methods an organization can use in instilling a winning culture within itself. Here are the five characteristics of a winning culture:

High Quality Employees - Low performing employees who are not dedicated to the success of an organization, should not be a part of it. In order to improve the quality of employees, it is important to find the ones that have the right skill set, talent, knowledge, work ethic, and attitude. This type of employee will have a positive effect on others around them.
Attitude - It is important for employees to have a winning attitude. When employees are positive and truly believe in what they are doing, it will show in their quality of work and interactions.
Work Ethic - Employers need to encourage and reward hard work through promotions and other incentives. If an organization wants its employees to work hard, then it needs to demonstrate the results of hard work and the great results that come from it.
Focus - Having employees coming to work truly focused on the goals of the organization and what they need to do in order to accomplish those goals is a wonderful and unique thing to have. Look for and promote those employees. Employees that only come to work to "punch-in and punch-out" have no place in a winning culture.
Leadership - The employees that are put into leadership positions, should embody the qualities that the organization is looking to develop within its culture. This is a critical component of developing a winning culture. It is the leaders within the organization that help drive and mold the desired culture.

Does the culture of an organization make a difference? Yes, it is the biggest determining factor between success and failure. Does the culture of your organization embody the characteristics of a winning culture? If not, start making the necessary changes to help your organization have a winning culture!

Tuesday, February 9, 2016

ONC Clarifies TPO and Health IT Interoperability Under HIPAA

Some providers are not sharing PHI due to organizational policies, procedures or protocols, even if the sharing is permitted under HIPAA.

In general, a Covered Entity (CE) may use and disclose protected health information, without authorization, for treatment, payment, and health care operation activities (TPO). Treatment includes the provision, coordination, or management of health care and related services among health care providers; consultation between providers regarding a patient; or patient referrals from one provider to another. A CE may disclose PHI for its own treatment activities and the treatment activities of any another health care provider. Payment includes all health plan activities associated with obtaining premiums, fulfilling coverage responsibilities, providing plan benefits, and obtaining reimbursement for furnished health care and provider activities related to payment and reimbursement. A CE may use PHI for its own payment activities and may disclose PHI to another covered entity or health care provider for the payment activities of the entity receiving the information.

Many providers believe that HIPAA restrictions prevent them from moving protected health information (PHI) in certain patient care situation. However, that’s a common misconception potentially hindering health IT interoperability when, in fact, HIPAA enables PHI to be accessed, used or disclosed when and where it is needed for patient care.

In a blog post published Feb. 4 on Health IT Buzz, Lucia Savage, JD, and Aja Brooks, JD, of the Office of the National Coordinator for Health IT (ONC) introduced two new government fact sheets that give examples of when electronic PHI can be exchanged without requiring written authorization from the patient as long as other protections or conditions have been met.

ONC, which oversees interoperability aspects of handling PHI, developed the materials in conjunction with the Office of Civil Rights (OCR), which administers policy and enforcement of the HIPAA privacy rules.

“Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA. Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians,” wrote Savage and Brooks.

The new fact sheets describe permitted uses and disclosures of PHI by a HIPAA covered entity (CE) without first having to obtain written authorization from the patient.

In “Permitted Uses and Disclosures: Exchange for Health Care Operations” (available here), the agencies explain that HIPAA allows a CE to disclose PHI to another CE (or that CE’s business associate) for the following operations activities of the recipient CE without needing patient consent or authorization:

Conducting quality assessment and improvement activities.
Developing clinical guidelines.
Conducting patient safety activities as defined in applicable regulations.
Conducting population-based activities relating to improving health or reducing healthcare cost.
Developing protocols.
Conducting case management and care coordination (including care planning).
Contacting healthcare providers and patients with information about treatment alternatives.
Reviewing qualifications of health care professionals.
Evaluating performance of health care providers and/or health plans.
Conducting training programs or credentialing activities.
Supporting fraud and abuse detection and compliance programs.

The aforementioned activities are, however, subject to three requirements that must also be met:

Both CEs must have or have had a relationship with the patient (can be a past or present patient).
The PHI requested must pertain to the relationship.
The discloser must disclose only the minimum information necessary for the healthcare operation at hand.

In “Permitted Uses and Disclosures: Exchange for Treatment” (available here), ONC and OCR explain permissible disclosure of PHI by CEs to another provider for treatment activities without needing patient consent or authorization.

The document explains what happens when a hospital discloses PHI in a permissible way to a receiving provider, who subsequently experiences a breach of the information. The receiving physician is “responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.” At the same time, the disclosing hospital is responsible for transmitting the PHI in a permitted and secure manner, which includes taking reasonable steps to send it to the right address. The fact sheet also includes sample scenarios in the areas of PHI exchange for care planning and downstream treatment.

ONC and OCR plan to publish three additional blogs on PHI exchange as related to: the goal of nationwide health IT interoperability; care coordination, planning and management; and population-based activities.

Source(s):https://www.healthit.gov, http://www.hhs.gov/ocr/, http://www.healthinfolaw.org/,
http://healthitinteroperability.com, Frank Irving

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com,

visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

Friday, February 5, 2016

Avoid Being On The Wall Of Shame In 2016

Lessons Learned from 2015 Health Data Breaches

Nine of the top 10 incidents in 2015 on the Department of Health and Human Services’ “wall of shame” tally of major breaches involved hacker attacks, a huge shift from previous years, when hacker attacks were relatively rare.

The biggest health data breach of 2015 - the cyber attack on health insurer Anthem Inc. - affected nearly 79 million individuals, making it, by far, the biggest healthcare breach on the list since its inception in late 2009. And the top six hacker attacks affected a combined total of 90 million individuals.

While hacker attacks account for less than 11 percent of the incidents listed on the HHS tally so far, they account for 75 percent of breach victims. Some 56 hacker breaches added to the tally in 2015, affecting a total of nearly 112 million individuals.

And a Dec. 31 snapshot of the wall of shame shows 1,425 breaches impacting a total of more than 154 million individuals. That’s more than three times the number of victims affected by health data breaches as of one year ago - a result of the massive hacker attacks.

So what are the top lessons to be learned from the epidemic of mega-hacks in 2015?

“Healthcare organizations need to become more mature in their security posture and be a lot more proactive about protecting data,” says Jay Trinckes, senior practice lead for healthcare and life sciences at the consulting firm Coalfire. “We see many small organizations basically doing the bare minimum when it comes to security, such as ‘checking the box’ type activities for HIPAA compliance. But it’s interesting to note that the top breaches are happening to the large covered entities believed to have a higher security maturity level.”

The hacker attacks point to the need for continual risk analysis, says privacy attorney Kirk Nahra. “These ‘cyber’ risks really aren’t new, but the form they take keeps evolving, and other risks change as well,” he says. “Security protection - whether as a regulatory requirement or just as smart business - cannot be stagnant; it must be reviewed, assessed and improved almost constantly.”

The cyberattacks in 2015 also point to the need to conduct more rigorous and thorough penetration testing on a regular basis, Trinckes says.

Healthcare entities, as well as their business associates, also need to comply with industry standards that go far beyond the HIPAA Security Rule, he stresses. The wall of shame indicates that business associates have been involved in about 20 percent of all breaches.

“A trend we’ve noticed is that business associates are realizing the benefits of assessing risk against many compliance standards/frameworks - including HITRUST, SOC, ISO, PCI - as a competitive differentiator to increase revenue,” Trinckes says. “They’re using this level of thoroughness as a marketing tool to demonstrate their high bar of data protection and to meet customer demands. This is also particularly evident with cloud service providers that serve the healthcare industry.”

Another important step that healthcare entities and BAs can take to bolster breach prevention and detection in 2016 is to improve their communication, Nahra says.

When it comes to BA’s alerting the organizations they serve about breaches, Nahra says, “make sure that reporting channels are clear - that people know where to go as soon as possible. Also make sure that reporting suspicions [about breaches] is incredibly important. People need to know that they should report, even if it turns out to be nothing, and that they shouldn’t try to ‘figure things out’ before reporting. The faster that these problems can be stopped, the better for everyone.”

Organizations in the healthcare sector also should consider performing social engineering tests in an attempt to prevent falling victim to phishing attacks, which are frequently at the center of major hacking incidents, Trinckes says. “Results of this testing often lead to identifying the need for more effective internal training,” he says.

Healthcare organizations are also under pressure to bolster their breach detection and incident response plans, he adds. They should consider implementing sophisticated intrusion detection and prevention solutions along with log monitoring systems, he suggests. But they must ensure they have “the resources to maintain and monitor these solutions on a continuous basis.”

Looking ahead to 2016, Nahra predicts the cyberattack epidemic will endure. “These breaches will continue on a large scale, and will continue to be in the news because they have a long tail - both in cleaning up problems and in subsequent enforcement, if any, which can occur several years later,” he says.

The increased value of protected health information and personally identifiable information in the black market underground for use in such crimes as identity theft and fraud is fueling the surge in breaches, he adds.

“We will see more healthcare organizations pursuing the purchase of cyber insurance coverage, and these insurers will require these organizations to demonstrate a high level of data security practices, along with having a comprehensive, proactive information security program,” he predicts.