A colleague shared a post on HCCA.net today simply asking others to share where they were located along the “Path of Totality” of today’s Solar Eclipse. Some responded they were in an area where they would only experience 60% – 70% totality; others were in areas that would experience totality in the 90% – 99% range, while some were in the direct path and would experience the eclipse at “totality”. Some had even traveled to areas that had been advertised as the best viewing areas to experience totality. As I read the responses, the thought occurred to me: “What lessons can we as Compliance Professionals learn from this natural phenomenon regarding how we see risk in our organizations?”
It was 20 years ago today (more or less) that the Health Care Compliance Association was born. Back then ER was the top-rated TV show, most people didn’t know what Y2K was yet, and the internet boasted a whopping 45 million users.
And back then compliance was a relatively new profession with health care compliance professionals largely operating independently, learning as they went along, with few peers to turn to, and few resources that they could rely on.
Today things have changed. A whole generation has been born since Y2K, and I doubt there are 45 million people left who haven’t used the Internet. More importantly, healthcare compliance professionals no longer need to toil alone.
At the 2016 Compliance Institute we will be celebrating the 20th anniversary of the HCCA. But what we will really be celebrating is the maturing of this noble profession. From a few stray souls laboring alone, we now count 10,000 active members. Networking used to be limited to phone calls to strangers you heard were in compliance. Now it’s online via HCCAnet, and in person at dozens of meetings a year. And a get together of a few compliance professionals back in 1996 has grown to a Compliance Institute of 3,000.
Twenty years ago it was very much just a few souls in Sgt. Pepper’s Lonely Healthcare Band. Today, though, we celebrate that band growing into a powerful symphony.
Don’t miss the celebration. Join us April 17-20 at the 2016 Compliance Institute.
By Brian Sprowl of QI Express
When patients go to their healthcare providers, they go with the expectation that the information they share will be protected. Much of that information is private and should never see the light of day outside the provider’s office.
While doctors, physicians and other providers do a lot to help those they serve, they can’t always do everything themselves or in-house. Many covered entities (healthcare providers, health plans and health care clearinghouses) engage Business Associates (BAs) to help process Protected Health Information (PHI) or Personal Health Records (PHR). Business Associates include billing and collection companies, medical laboratories, staffing agencies and legal professionals. Business Associates play an integral role for covered entities because they not only handle sensitive information, but they perform specific functions using the information they are given.
HIPAA’s Privacy, Security and Breach Notification Rules exist to protect that information, and since the 2013 Omnibus Rule those rules apply directly to Business Associates, not just to the covered entities that hire them. When a Business Associate fails to follow them, it can greatly undermine the healthcare organizations it works with. Trust and communication break down, and the person whose information has been exposed can suffer real harm.
Business Associates handle a plethora of sensitive information. If a Business Associate is careless about its responsibility to protect that information, the affected parties can be severely compromised. For instance:
Let’s say that I am your doctor, and you, the patient, share personal information with me. As a healthcare provider, I must protect that information. If I then pass it on to my Business Associate, and the Business Associate doesn’t protect it, the Business Associate has failed not only you, the patient, but also the covered entity that engaged it. So in essence, the Business Associate not only has to look out for the well-being of the partner it works for, but it must also keep in mind that it is representing another party, the patient.
If information leaks because of a Business Associate’s negligence, it is the Business Associate’s responsibility to contain the breach so it doesn’t get worse, and to notify the covered entity without unreasonable delay (the Breach Notification Rule sets an outer limit of 60 days from discovery). The covered entity, for its part, must take reasonable steps to get the problem cured, and if that fails, end the contract with the Business Associate where feasible. Quick action is a necessity to limit the damage to the person(s) whose information has been compromised. This is required by the HIPAA regulations, not merely good practice.
Business Associates must follow the rules and regulations that HIPAA has set in place. Otherwise, every party involved faces a major set of issues, and headaches that could have been avoided if the Business Associate had taken the proper steps in the first place.
At the end of the day, Business Associates are given sensitive information so they can carry out integral functions and duties for the health care providers they work with. Business Associates should protect the information shared with them as if it were their own.
We are on the eve of our 20th anniversary and I want to share a brief history of our time. About 20 years ago I was asked to be the compliance officer for the University of Wisconsin Medical Foundation by a forward thinking COO named Marc Dettmann. I was given a copy of the Sentencing Guidelines and a business card of a compliance officer named Mary Dunaway. She and I set up a one day conference for compliance officers in Minneapolis, 30 were invited… 60 showed up.
At the end of the meeting I suggested we form a group. At dinner, Brent Saunders and I wrote the name and a mission statement for HCCA on the back of a napkin. Don’t ask, it’s lost, who knew a napkin would be relevant? The next day I asked Debbie Troklus to help. (8,600+ people from 70 countries currently hold a compliance credential she created.) Modern Healthcare Magazine called and wanted to do a story on compliance officers. They put me and the statement “Growth Industry” on the cover. That helped the evolution of the Health Care Compliance Association (HCCA). After some success the Board approved a proposal to have Dan Roach and Odell Guyton start the Society of Corporate Compliance and Ethics (SCCE). At one point there were 3 members, now there are over 15,500 from about 80 countries. The problem with a short story about the evolution of an organization like SCCE/HCCA is that you have to leave out hundreds of very important people like Boehme, Murphy, Vacca, and on and on and on. Every Board member, employee and volunteer helped to get SCCE/HCCA where it is today.
Modern Healthcare seems to have made an accurate prediction, “Growth Industry.” It may seem like an easy prediction in hindsight, but I assure you it was a leap of faith at the time. Some said compliance would simply be another methodology like Total Quality Management and fade away. Some thought it would be just another activity of the legal department and follow the path of preventative law. Ethicists downplayed compliance to focus on culture. Risk thought compliance was a subset of risk. Audit thought it was their responsibility but did not commit. Some just simply didn’t want compliance. Many people intentionally or unintentionally tried to grab the wheel and head for the ditch. However, countless volunteers and staff created a framework called SCCE/HCCA that allowed thousands of compliance professionals to represent and define their profession. The profession leading the profession… as it should be.
Adam Turteltaub and I go off to see people in our profession a few times a year. They are always interesting trips with a wide spectrum of meetings and topics. The goal is to help the profession and our organization. I thought I would share what one of those weeks look like. Last week went something like this….
We traveled to the Global Ethics Summit in NYC and sat in a booth for a couple of days. We saw some SCCE members and met people considering membership or certification. I spoke at the NY Regional Office of the Centers for Medicare & Medicaid Services. They were interested in finding out more about our organization and certification. I met with Alison Taylor, Director, Energy and Extractives at BSR (Business for Social Responsibility), and discussed ways our two organizations could work together. CSR/Sustainability efforts have interesting interconnections. Adam Turteltaub and I then went to Philly and saw Joe Murphy’s office, his hometown of Haddonfield and his museum-quality collection of presidential campaign memorabilia. We then went to DC and met with Dulce A. Zahniser, Managing Director, Towpath Group International, LLC, an expert in export controls compliance who may be getting more involved in our organization and bring greater expertise to our membership. We stopped by and met with our former Board member Mike Horowitz, who is now the IG of the DOJ. In all my travels I have to say Michael is one of the most impressive professionals I have ever met. We met with longtime colleague Ronnie Kann, Senior Executive at the Corporate Executive Board (CEB), about projects we may work together on in the future. And we met with Kelly Welsh, the General Counsel at the Department of Commerce, and his team. He will be one of the general session speakers at the Compliance and Ethics Institute. I finished up speaking on Friday at a local HCCA conference. It was great to spend time with our members.
Chris Apgar – CEO at Apgar & Associates, LLC
Andy Nieto – Health IT Strategist at DataMotion
Data security has certainly been a hot topic in recent months, especially in the healthcare industry. In today’s HCCA webinar, Chris Apgar and Andy Nieto discuss the need for data encryption, and where some of the industry’s key risks lie.
The first, and sometimes most daunting, question is where to start when deciding how to protect your organization from data breaches. One of the most important steps is to assess the risk. When assessing your organization’s risk, keep in mind that encryption is an “addressable” specification under the HIPAA Security Rule, but in practice it is the safeguard regulators expect: PHI encrypted in line with HHS guidance is not “unsecured” PHI, so a lost encrypted laptop is generally not a reportable breach, while a lost unencrypted one is. In other words, you’ve got to do it! OCR has fined entities for lost, unencrypted laptops in the past, and emphasized the need for encryption in the 2014 HIPAA/CLIA Rule.
A second point brought up during the session is the importance of investigating where the organization actually stores its data. Mr. Apgar told an anecdote about conducting an assessment for a healthcare provider that insisted none of its patient data was stored on workstations. Upon investigation, around 75% of the workstations turned out to hold PHI. Verifying where patient data is stored, rather than taking the organization’s word for it, should not be overlooked when assessing risk and deciding on an encryption policy.
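The workstation anecdote above is the kind of claim that can be checked rather than taken on faith. The following is an added example, not code from the webinar or from Apgar & Associates: a small Python discovery script that walks a directory tree, flags plain-text files that match several distinct PHI indicators (SSN, date of birth, MRN, phone number, clinical vocabulary), and reports Office/PDF files it could not inspect as “unscanned” instead of silently skipping them. The file names, contents and the two-indicator threshold are constructed for the demonstration and are assumptions, not anything the page supplies.

```python
"""Heuristic PHI discovery for workstation assessments.

Constructed example. A single indicator (one phone number) is weak evidence;
a file matching several distinct indicator types is escalated for human review.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicator patterns. All are heuristics and will produce false positives;
# the point is to find candidates a reviewer should open, not to prove PHI.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}(?!\d)"),
    "clinical": re.compile(r"\b(?:diagnosis|prescri(?:bed|ption)|lab results?|patient)\b", re.I),
}

# Only plain-text formats are read. Office and PDF documents need a text
# extractor, so they are listed as unscanned rather than assumed clean.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}
OPAQUE_EXTENSIONS = {".docx", ".xlsx", ".pdf"}


@dataclass
class Finding:
    path: str
    hits: dict  # indicator name -> number of matches in the file


def classify_text(text: str) -> dict:
    """Return {indicator: match_count} for each indicator present in text."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}


def scan_tree(root: str, min_types: int = 2):
    """Walk root and return (findings, unscanned).

    A file becomes a Finding when it matches at least min_types distinct
    indicator types; opaque formats are collected in unscanned.
    """
    findings, unscanned = [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower()
            if ext in OPAQUE_EXTENSIONS:
                unscanned.append(path)
                continue
            if ext not in TEXT_EXTENSIONS:
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: a permissions finding, not a PHI one
            if len(hits) >= min_types:
                findings.append(Finding(path, hits))
    return findings, unscanned


def summarize(root: str, min_types: int = 2):
    """Convenience wrapper: (sorted flagged basenames, sorted unscanned basenames)."""
    findings, unscanned = scan_tree(root, min_types)
    return (sorted(os.path.basename(f.path) for f in findings),
            sorted(os.path.basename(p) for p in unscanned))


def build_sample_tree() -> str:
    """Create a constructed workstation profile (fictional data) under a temp dir."""
    root = tempfile.mkdtemp(prefix="phi-scan-")
    samples = {  # hypothetical files; none of this is real patient data
        "downloads/referral.txt": "Patient: Jane Doe\nDOB: 04/12/1971\nMRN: 00123456\nDiagnosis: E11.9\n",
        "desktop/billing_export.csv": "name,ssn,amount\nJohn Roe,123-45-6789,250.00\nContact 555-123-4567\n",
        "desktop/meeting_notes.txt": "Staff meeting 3pm. Bring the Q2 budget figures.\n",
        "desktop/phone_list.txt": "Front desk 555-123-4567\nPharmacy 555-987-6543\n",
        "downloads/policy.docx": "",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings, unscanned = scan_tree(root)
    for f in findings:
        print(f"REVIEW  {f.path}  indicators={f.hits}")
    for p in unscanned:
        print(f"UNSCANNED  {p}  (needs a text extractor)")
```

Run against a constructed tree, the script flags the referral note (DOB, MRN, clinical terms) and the billing export (SSN plus phone), leaves the phone list alone because a phone number on its own does not cross the two-indicator threshold, and lists the .docx as unscanned. On a real assessment the interesting output is usually the unscanned list and the user profile directories (Downloads, Desktop, mail caches) that staff did not think of as “storage.”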
A third consideration is whether vendors are inadvertently putting your organization at risk. When engaging key vendors, a best practice is to ask about their security policies and processes on a routine basis, not just at contract signing. A vendor can expose your organization no matter how well your own internal security and encryption policies are implemented.
A fourth point of emphasis is the importance of having and maintaining a “bring your own device” (BYOD) policy. The mobile nature of the world we live in opens an organization up to a whole host of data breach risks, especially when employees are using personal devices to access PHI. A study was presented that shows about 96% of physicians use a smartphone as their primary device to support clinical communications. Encryption of patient data is especially important in these situations.
As our world becomes more mobile, the policies must change to accommodate new technology and practices. When designing and updating policies, it is important not to overlook the data that is “in motion” and be sure to account for encryption and security protocols in those situations as well. Training on such policies is crucial. OCR reminds us to employ a “culture of compliance” and be sure that employees are aware of the organization’s policies, and that the policies are enforced. Having a policy that is not enforced puts the organization at risk as much as not having a policy at all.
Finally, there are budgetary considerations. A study cited in the session put the average cost of a breach at around $201 per compromised record, before any fines that may follow for HIPAA violations. Given that a data breach is costly not only to an organization’s budget but to its reputation and patient base, these factors should be weighed carefully when choosing encryption and policy implementation strategies.
The key is to find the encryption solution that works best for an organization’s culture, and of course – implement.