Friday, March 31, 2017

Your Biggest Liability Is Standing Right Next To You

The greatest risk to any organization comes from within

Donna felt confident that she had terminated Kate's employment with just cause. Within a week of Kate's firing, Donna received notice that Kate had filed for unemployment insurance. Donna was surprised by the news. Kate was let go because she was doing something that was against company policy. She was, in the eyes of the organization, stealing and falsifying documentation. Donna thought that not doing these things was simply common sense. During Donna's conversation with the unemployment representative, he asked her a question that stunned her. He asked, "Do you have documentation that you trained Kate in these matters?" Donna's reply was very similar to how many others might have replied in her situation: "Why would I need to do training on something that is common sense?" Kate began receiving unemployment benefits.

An organization relies on its employees and their productivity. Close relationships are sometimes formed. Even the occasional lifetime friendship is created. Employees are one of the greatest resources to an organization. It is for all of the reasons listed above, and many others, that an organization's biggest liability comes from its employees.

Yes, the statement above is cold and harsh, but so are certain workplace realities. Employees present the biggest risk to an organization. Here are some examples where employees are a liability:
  • Compliance (HIPAA, Medicare, etc) - Employees are human and sometimes their curiosity gets the better of them. They also tend to say or do things that could get an organization in trouble or audited.
  • Harassment - Employees have a bad history of being mean and spiteful to each other. If an employee enters a department where they are either not liked or resented, the other employees will make the unwanted employee's work environment unbearable until they are no longer there.
  • Social Media - People love to vent their frustrations. As it turns out, people now have a way to vent their frustrations about their jobs to the entire world. Employees of any organization are no different. If an employee feels slighted at their job or does not like their job, the world will hear about it.
  • Employment Termination - There is always a level of risk when an organization has to terminate an employee's employment. Although the supervisor feels that he or she did everything right, there are times when something unexpected comes back to bite the organization right in the bank account. Here are two facts to remember: 1. some employees will lie and 2. unemployment officers and the courts tend to lean in favor of the employee (particularly if the employer has little or no documentation to back up their side of the story and it boils down to a "he said, she said" situation).
What has been said here is just a taste of reality. However, with that reality, there are things an organization can do to lessen its liability:
  • Training and Documentation - It is vital that an organization deliver training on every topic that is relevant to that organization, no matter how trivial it might appear. Do not assume that people will just know things because it's "common sense". In addition, it is critical that there is documentation of any given training. Include the names of the attendees, the date, and the topics covered.
  • Policies and Procedures - Having established, written, and communicated policies and procedures will help an organization protect itself from employees who claim that they had no idea this or that was against the organization's policies. Having written policies and procedures will also protect an organization if an audit should occur.
  • Organizational Culture - What does the culture within an organization say about it? For employees, the culture of an organization says a lot. Having an organizational culture where the employees are supportive of one another, where there is a positive attitude, and where new ideas and thoughts are free to flow, helps lessen negative attitudes and bad feelings within the organization. It helps to bring in the right type of person who would fit the culture within an organization.
  • Employment Termination - This goes back to the idea of having effective policies, procedures and documentation in place. For example, if an employee quits, do not ask him or her to come back to the office to train another employee. When an employee quits, their IT access should be cut and they should not be doing any more work for an organization. This should be a written policy and followed the same way every time. Avoid showing favoritism towards employees and be sure that managers/supervisors know to avoid getting too close and personal with their employees. Managers and supervisors should stay objective and focused on developing the employees in order to help them become more valuable within the organization.
Employees are a vital component to the success of an organization. Your employees will have diverse backgrounds, skills and personalities. However, they are still employees of an organization. Any organization that loses sight of this fact is putting itself at risk.

Organizations should treat their employees well and give them every opportunity to succeed in their position of employment. However, it is up to the organization to protect itself from the liability that comes with employees being imperfect people.


Thursday, March 16, 2017

Policies and Procedures, Compliance Training and HR

Maintaining Compliance and also Keeping HR in the Loop
In your ongoing efforts to provide an office culture of compliance, it is important to remember that HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules.  It can also be important for your Human Resource officer(s) to be involved with HIPAA compliance related issues in the business.

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has begun its Phase 2 HIPAA Audit Program.  The Program will focus on the policies and procedures adopted and employed by covered entities and their business associates to meet the requirements of the Privacy, Security, and Breach Notification Rules.  Furthermore, if a group health plan is selected for an audit, it would have a very short time to produce its policies and procedures (i.e., 10 business days).  If the group health plan does not comply (for example, because it does not have policies and procedures), the OCR will likely impose corrective measures which could include costly civil monetary penalties.

HIPAA policies and procedures have important functions, including but not limited to:
  • Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
  • Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
  • Ensuring appropriate protection of e-PHI when it is transferred, removed, or disposed of, and when electronic media is re-used; and
  • Ensuring that e-PHI is not improperly altered or destroyed.
However, it is not sufficient for a covered entity to merely adopt its HIPAA policies and procedures.  The health practice office must also:
  • Designate a privacy and security official to develop and implement policies and procedures; 
  • Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
  • Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
  • Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
There is no template for HIPAA policies and procedures.  Instead employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and risks to PHI and e-PHI.  Furthermore, as employers evolve, so should their policies and procedures.  For example, if an employer adopts a telework policy, it may wish to review whether its policies and procedures appropriately address issues involving remote access.

In summary, although this is not a new requirement, new technologies, evolving business and regulatory practices, and impending HHS audits mean that employers may want to review their HIPAA policies and procedures to make sure that they are compliant and up-to-date. Many HIPAA policies inherently overlap with Human Resources' duties: training, disciplinary actions and employee health information, for example.
The increase in audits (combined with everything from changes in technology and the addition of a health and wellness program to concerns about hacking) serves as a good reminder of why employers should revisit HIPAA training often and collaborate with HR to ensure compliance.

Many of the employers facing fines are healthcare providers, health plans or healthcare clearinghouses (organizations considered as covered entities under HIPAA). But most HR professionals also handle protected health information (PHI) to some extent, which puts them in danger of violating the HIPAA Privacy Rule.

Employers should have a written policy in place about how they handle PHI and designate PHI handlers and a HIPAA privacy officer. The policy should outline what types of information are considered PHI and how employers may and may not use it. It should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are being violated.

Employees who may handle PHI should be trained on the dos and don’ts of handling protected health information, especially as it relates to electronic information. It’s vital for the HR team to understand the implications of handling PHI in emails, storing it on the cloud, or communicating about it over other electronic formats. And when discussing matters containing PHI with an employee, it’s important to have a signed HIPAA authorization form for the release of employee health information.

Lastly, the HIPAA privacy officer should review compliance documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers vendors and subcontractors to be business associates if they handle PHI on behalf of the covered entity.

Source(s): http://www.jdsupra.com


Thursday, March 9, 2017

Ethics Training in Healthcare

Having no ethics training within the organization will put any healthcare professional at risk!

I received a call from a client who was attempting to dispute an Unemployment Claim stating that the employee was terminated for an unethical situation. I asked if the employee ever received documented ethics training, specifically in the particular situation at hand. The client's response was no. As many healthcare professionals do, this client assumed that ethical situations should be understood by all without documented training being necessary. With the requested documented training, this healthcare professional will most likely lose their Unemployment Claim dispute. This entire situation could have been avoided by having ethics training in place.

Ethics is defined as: moral principles that govern a person's behavior or the conducting of an activity.

In the past, moral principles were assumed to be standard among most people. In today's ever-changing social world, this is no longer the case. It can no longer be assumed that all employees have the same, or at least similar, moral principles and standards.

There are two major factors that are creating this new dynamic for employers:

  • New Principles/Standards For a New Generation - Baby Boomers and Generation Xers have, for the most part, brought a similar set of principles and standards to the workplace. This is not always the case with Millennials. Many of the Millennial Generation have similar principles to the previous two generations; however, there is a significant number of the Millennial Generation who do not hold to the same principles and standards as the Baby Boomers or Generation Xers. These particular Millennials have their own set of ethical principles, as they see the old ones as "dated" or "behind the times". When they act outside of the assumed principles that have been recognized by previous generations, they do not understand why what they did was wrong. Their actions follow their own set of principles and standards.
  • Dramatic Influx of Unique Cultures - With the recent influx of refugees and immigrants from places that have cultures most people are not familiar with, new challenges will arise within the workplace. Some assumed principles and standards could be unfamiliar to people of various backgrounds and cultures.
Due to the two major factors listed above, and the other factors not listed, it is strongly recommended that all healthcare professionals have established and documented ethics training within their organization. Do not assume anything is "just understood" without formal and documented training. Ethics training should be created based on the culture the organization is attempting to establish or has already established. In addition, having ethics training as part of an organization's already established compliance training will only strengthen the employees' understanding of, and desire to follow, compliance regulations.

Some employees may feel that ethics training is unnecessary and is a silly waste of time. However, by not having established and documented ethics training in place, an owner is putting him or herself at risk of monetary loss, a damaged reputation, and a decrease in employee morale.

It is the simple things that make a big difference in the success of an organization. Ethics training is one of those simple things that will make a big difference.
