Kusserow on Compliance: Effective compliance document management system

All effective health care compliance programs should implement some type of compliance Document Management System (DMS), which involves the process of organizing, filing, controlling, and storing documents. The primary purpose is to ensure that all documents, including the Code of Conduct, charters of compliance functions, compliance-related policies and procedures, records of hotline and investigation activity, etc. are current with applicable laws, regulations, and requirements and are properly maintained. A well-managed compliance DMS evidences the effectiveness of the compliance program. Compliance officers need to ensure that their records management policy is being followed and is in line with any retention schedules required by law. When audited by a government entity, it would be necessary to produce evidence about the operation and management of the compliance program. A well-structured DMS will ensure the organization meets regulatory compliance mandates, provide the availability of documents evidencing compliance program effectiveness, and, in turn, mitigate exposure to liabilities.

The 2020 Eleventh Annual Healthcare Compliance Benchmark Survey conducted by SAI Global and Strategic Management Services included questions that focused on management of policy and compliance documents. Results from the latest survey found that compliance offices were split nearly in half between those that manually manage compliance-related documents and those that use automated assistance. One-third reported using some sort of document management software to assist. Only one-fifth reported using a comprehensive document management system. The trend from review of past surveys clearly indicates a movement away from manual processes to DMS. The following are tips to consider when managing compliance-related documents:

  1. Document Management System (DMS). Develop a compliance Document Management System to track, administer, and store compliance-related documents and health care compliance policies and procedures.

  2. Set Up a Records Retention Schedule. As part of the DMS, schedule how long records should be kept from an operational and legal standpoint, and ensure that outdated records are disposed of in a timely, systematic manner. When determining the retention period for records, it’s important to: (a) perform a record inventory of all physical and electronic records; (b) establish a standardized record classification system; and (c) conduct research on all federal, state, and local records retention requirements.

  3. Policies and Procedures. Develop and implement policies and procedures for the creation, distribution, retention, storage, retrieval, and destruction of compliance-related documents and health care compliance policies and procedures. Ensure that the compliance records management policy addresses protection of patients’ protected health information. Keep all revised or rescinded policy documents. Should an issue arise concerning a policy, the relevant document will be the one in effect at that time, not the current version.

  4. Accessibility and Location. The DMS must make it possible to find and access information when needed. It is advisable to index records by date, subject matter, creator, and location of the record.

  5. Ongoing Monitoring and Auditing. It is important to have ongoing monitoring of the records management system to ensure compliance with the policy and procedures. Periodic independent audits of compliance should also take place to ensure retention schedules are being followed, timely reviews are made to keep documents current, destruction of documents is in accordance with policies, etc.

  6. Records Disposal/Destruction. There are times when documents are no longer needed and should be destroyed. Keeping records longer than necessary increases exposure to possible breaches. Disposal or destruction of records must closely follow the written policy guidance, including the means for doing it. It is also important to keep a record of the record disposal.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Increase guard on cybersecurity during COVID-19 pandemic

Many health care organizations are facing attacks by cyber-criminals who are using the COVID-19 crisis to get individuals to be less vigilant about security. Hackers are taking advantage of the fears and uncertainty about the pandemic to gain access to systems through malware. These hackers impersonate health authorities such as NIH, CDC, and FDA to get individuals to open attachments that purportedly have important information on the spread of the disease, lockdowns, and quarantine. These new phishing scams have been rapidly spreading during the crisis. As organizations move to expanded teleworking, the vulnerabilities to such attacks greatly increase. As new systems are being introduced for remote working, steps need to be taken to ensure that security and privacy controls are in place. This is particularly important because employees may lower their guard when introduced to new unfamiliar communication methods. Even government agencies are subject to attack. HHS had a cyber-attack on its computer system, intended to disrupt and undermine the response to the coronavirus pandemic. The attack involved overloading the HHS servers with millions of hits over several hours in order to impair operation of the systems. Fortunately, HHS had no degradation of the functioning of its networks.

Tips and Reminders

  1. Alert employees to beware of COVID-19 communications
  2. Re-educate employees on phishing and social engineering defense tactics
  3. Remind employees not to click on email links/attachments, or respond to inquiries
  4. Review third-party vendors’ access to information systems
  5. Authenticate access, particularly as more employees work remotely
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Monitor those accessing sensitive data


Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Not all data breaches are from accidents or cyber attacks

1,182 Beaumont Health patient records compromised

Employee passed patient information to a personal injury law firm

Undetected for 3 years

Not found by hospital but from an alert by the Attorney Grievance Commission

OCR not notified because it was not a data breach

An employee of Beaumont Health, an eight-hospital health system in Michigan, was caught siphoning sensitive patient information without permission and then handing it over to a personal injury attorney. The medical records involved 1,182 individuals. The law firm was not identified, and it is not clear how the law firm used the information. The case is under investigation and all persons whose records were compromised are being notified.

The Michigan Health & Hospital Association was notified to alert other hospitals about the incident and guard against similar intrusions. The breach was discovered on December 10, 2019, and resulted in an internal investigation. The matter was not discovered by Beaumont, but as a result of an alert by the Michigan Attorney Grievance Commission, a watchdog to maintain ethical law practices in the state. How the Commission learned of the issue was not reported.

It was determined that from February 1, 2017, until October 22, 2019, the employee accessed and disclosed protected health information (PHI) without authorization. The information accessed included names, addresses, dates of birth, phone numbers, email addresses, reason for treatment, insurance information, and Social Security numbers. Notified individuals have been advised on how to further protect their information and monitor financial accounts for fraud. They also were asked to closely review health insurance claim information. Those having Social Security numbers exposed have been given information about enrolling in free credit monitoring, Beaumont said. Beaumont reported that they have not experienced or reported a data hack or unauthorized patient data loss to the Office of Civil Rights that tracks and investigates breaches of patient data.


Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Health care remains a top target for cyber-criminals

Data has value and businesses and individuals rely upon imperfect systems to store their information. Those committing fraud focus on sensitive data and targets with weak controls. For these reasons, data breaches are becoming more common in the health care sector where sensitive data can be found. Thus, organizations which have yet to protect themselves need to take proper cautionary steps to control access to that information. Among the best targets are hospitals and other health care institutions that are dependent on immediate access to their data in order to provide necessary treatment for their patients. They also have a treasure chest of data about their patients, including addresses, date of birth, Social Security numbers, family members, phone numbers, contact details, and more. Once obtained, this information can be sold on the “black market.” Gaining access to this valuable data can be extremely profitable, but locking the entity out of access to their information, as in the case of ransomware, can be a calamity for providers that must have immediate access to their patient data. A further attraction to cyber-criminals is the fact that many health care entities have weak controls. In this regard, entities’ major weakness is their employees, who through ignorance or carelessness open the door to cyber-attacks. With that in mind, health care firms should put more resources into proper training for their employees.

Cyber-Attack Prevention Tips

  1. Implement policies and procedures for taking precautions against malware
  2. Provide training on recognizing phishing and the danger of malicious links and attachments
  3. Ensure everyone creates complex passwords that are difficult to penetrate
  4. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  5. Limit employee access to systems on a need-to-know standard
  6. Review/restrict privilege by limiting the people accessing files on a single server
  7. Monitor email carefully and don’t open email attachments from unknown parties
  8. Train employees (the weak link) to recognize and prevent cybercrimes
  9. Train against clicking email links/attachments, or responding to “phishing” inquiries
  10. Ensure employees don’t leave the workplace with data and files
  11. Monitor external exchanges
  12. Continuously monitor employee and vendor networks
  13. Establish an aggressive patching schedule for all software
  14. Update software to include improved controls
  15. Establish and monitor the use of encryption of transmitted information
  16. Regularly test users to make sure they are on guard
  17. Configure email servers to block zip or other files that are likely to be malicious
  18. Focus security efforts on those files that are most critical—patient records

For more information on this subject, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com


Copyright © 2019 Strategic Management Services, LLC. Published with permission.