Walter E. Johnson Director of Compliance & Ethics Kforce Government Solutions

Transcription

1 GAMING THE SYSTEM! 2016 HCCA Compliance Institute Walter E. Johnson Cindy Hart Adam Weinstein Dawn Lambert Panelists Walter E. Johnson Director of Compliance & Ethics Kforce Government Solutions Adam K. Weinstein Vice President, Regulatory Affairs NewYork-Presbyterian/Queens Cindy Hart Audit Manager CHAN Healthcare, LLC Dawn E. Lambert Chief Privacy Officer IASIS Healthcare 1

2 Agenda Introductions Discussion Topics Monitoring Integrity Using the COSO framework Hotline Promotion & Reporting Closing Questions Case Overview Bucks County, Pennsylvania Government employees Dependents Restitution 2

3 Monitoring Integrity Employee Snooping Social Media Monitoring Integrity What do you think is the most common cause of HIPAA security breaches? 3

4 Most common cause of HIPAA security breaches is employee snooping. Veriphyr study HIPAA requires adequate physical, administrative, and technical safeguards A single unauthorized access is not reportable to OCR WHY?? 4

5 Only breaches that expose must be reported BUT It is still a HIPAA violation and could trigger an OCR investigation Organizations compliant with MU must ensure security of patients ephi 5

6 Big challenge preventing improper access to PHI What are snoopers looking at? Celebrities X-factor Ex-spouse Ex-friends Ex-colleagues 6

7 Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section Business Associate to notify Covered Entity upon discovery of breach Not required to notify if data was encrypted or destroyed 7

8 Example: Nurse in TX hospital accessed patient records on another unit Example: Walgreens pharmacy customer prescription provided to 3 rd party by snooping pharmacist 8

9 Example: Largest snooping settlement is $865,000 paid by UCLA in 2011 Kaiser Permanente Bellflower paid $250,000 What to do? 1. Training on the topic 2. No-Peeking policy 3. Limit access to minimum necessary 4. Monitor VIP records 5. Discourage log-in piggybacking 6. Focus on people issues 9

10 Guidance from the Annual Report to Congress (8/24/09): Encryption & destruction are best methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized persons Social Media (continued) Think your employees know better than to post PHI on social media? THINK AGAIN!! For example: Hospital employee posts a patient s picture and chart along with his comments on her condition, because it was only Facebook and therefore not real. The employee thought it was funny. ED personnel posted pictures to the Internet of a man s fatal knife wounds. 10

11 Social Media (continued) Sometimes employees post with the best of intentions: In California, 5 nurses used FaceBook to provide shift change updates to their coworkers. While they did not post patient names, they did post enough specific information that the incoming nurses could prepare for their shift. Social Media (continued) Social Media is clearly HERE TO STAY So, what is a company to do? Develop a social media policy (and review it as often as guidance is published) Provide focused training on Social Media Monitor social media activities (lawfully) 11

12 Social Media (continued) Social Media Policy: It should clearly state that the conduct that the employer wants to prevent (don t make them read between the lines) Social Media Monitoring: Implement a structure for electronic monitoring to reduce exposure to potential claims and protect the company. Social Media (continued) TRAIN, TRAIN, TRAIN DO: Understand what is considered a HIPAA violation on social networks DO: Train employees thoroughly DON T: Post anything you wouldn t say in public for all to hear DON T: Overlook the severity of HIPAA violation penalties 12

13 Social Media (continued) Companies may not freely snoop through social media pages to glean otherwise undisclosed information about applicants and employees. But companies cannot turn a blind eye to their employees social media activities. So what is a company to do? Look to technology and legal counsel! Social Media (continued) Last, but certainly not LEAST ---- Be consistent with disciplinary actions Document, document, document 13

14 COSO Framework A. What is COSO (Internal Controls) B. Is it important? and Why? and How? COSO Framework (continued) COSO s components make these internal controls effective and reliable for operations and financial reporting! 14

15 COSO Framework (continued) COSO Documents are available on Internal Control-Integrated Frameworks Executive Summary Internal Control-Integrated Framework & Appendices 175 Pages Illustrated tools for Assessing Effectiveness of a System of Internal Control COSO in the Cyber Age: Report Offers Guidance on Using Frameworks to Assess Cyber Risks (2015) Improving Organizational Performance and Governance: How the COSO Frameworks Can Help (2014) Enhancing Board Oversight: Avoiding Judgment Traps and Biases (2012) Hotline & Direct-Line Promotion & Analysis B.o.D. Enterprise Effectiveness REPORT In Board of Directors Meetings and/or reports share Hotline data. Share Direct-line data. PROMOTE In addition to website and bulletin boards, promote the Hotline in all presentation materials such as Town Halls, s, & announcements. ANALYZE Use data from hotline calls, direct-line calls, and compliance training to determine +/- in reporting and/or inquiries. 15

16 Hotline & Direct-Line Promotion & Analysis (continued) Quarter 1 Quarter 2 Quarter 3 Quarter 4 0 Hotline Direct line Training Communication Quarter 1: Communications on upcoming Fraud Training Quarter 2: Fraud Training Quarter 3: Follow-Up Communication on Fraud Prevention Questions 16