Kusserow on Compliance: Not all data breaches are from accidents or cyber attacks

1,182 Beaumont Health patient records compromised

Employee passed patient information to a personal injury law firm

Undetected for 3 years

Not found by hospital but from an alert by the Attorney Grievance Commission

OCR not notified because it was not a data breach

An employee of Beaumont Health, an eight-hospital health system in Michigan, was caught siphoning sensitive patient information without permission and then handing it over to a personal injury attorney. The medical records involved 1,182 individuals. The law firm was not identified, and it is not clear how the law firm used the information. The case is under investigation and all persons whose records were compromised are being notified.

The Michigan Health & Hospital Association was notified to alert other hospitals about the incident and guard against similar intrusions. The breach was discovered on December 10, 2019, and resulted in an internal investigation. The matter was not discovered by Beaumont, but came to light as a result of an alert by the Michigan Attorney Grievance Commission, a watchdog that maintains ethical law practices in the state. How the Commission learned of the issue was not reported.

It was determined that from February 1, 2017, until October 22, 2019, the employee accessed and disclosed protected health information (PHI) without authorization. The information accessed included names, addresses, dates of birth, phone numbers, email addresses, reason for treatment, insurance information, and Social Security numbers. Notified individuals have been advised on how to further protect their information and monitor financial accounts for fraud. They also were asked to closely review health insurance claim information. Those whose Social Security numbers were exposed have been given information about enrolling in free credit monitoring, Beaumont said. Beaumont reported that it has not experienced or reported a data hack or unauthorized patient data loss to the Office of Civil Rights, which tracks and investigates breaches of patient data.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for an effective compliance exit interview program

– Useful only if done correctly

Carrie Kusserow has developed and evaluated many compliance-related exit interview programs and has found that one that is properly designed and constructed may give early warning of a potential liability and permit corrective action to prevent escalation of the problem. There is the added benefit that the program may deter departing employees from becoming “whistleblowers” after they have secured new employment and are free of the fear of retribution or retaliation. Affording these employees an opportunity to provide information prior to departure gives them a legitimate path for redress of grievance and reduces the likelihood they will turn outside the company to “blow their whistle.”

She found the most cost-effective, efficient, and useful programs are those that separate the exit interview from the last-day HR exiting process of filling out forms, turning in company property, and providing COBRA and other needed information. On the last day, departing employees are often preoccupied with the process of leaving and what is required, and may be reluctant to reveal the full and true reasons for leaving. Exit interviews should be conducted as far in advance of the last day as possible. They should be a live exchange and not just a “fill out the form” process, and those conducting the interviews should be properly trained and have the skills to obtain useful information.

If done properly, exit interviews allow departing employees to describe experiences and identify issues for management that could otherwise remain unknown. Most such interviews will likely only take 15 to 30 minutes. The biggest challenge is defining those that the compliance officer should debrief. There is only a limited number that can be done. Generally, the individuals are limited to members of management and those identified as potentially having a grievance against the organization. She offered the following tips for those considering establishing or enhancing their exit interview program.

 

  1. Create a policy document as to what level of management should be debriefed by the compliance officer. It is important to carefully define covered persons to avoid individuals resisting being interviewed. It should be considered just another formality in the exiting process. It then can be presented as yet another formality that must be followed before exiting the organization.
  2. Interviews should be scheduled as soon as possible after the decision to leave the organization has been made. This permits the organization to take remedial action on any problems raised during the interview before the person leaves.
  3. Conduct the interview away from the person’s office to avoid distractions, interruptions, or a place where the conversation can be overheard.
  4. Use open-ended questions. Questions where the departing employee supplies the answer are much more effective than having answers given from a predetermined list. Departing employees are typically reluctant to say or do anything that might prejudice their opportunities for future employment. The reliability and usefulness of the results is strongly affected by the skill of the interviewer and whether the employee trusts the interviewer.
  5. Include questions about the departing employee’s experience, especially where it involves compliance matters, discrimination, harassment, etc. The debriefing should include very pointed questions about their workplace experience with regard to compliance.
  6. Questions should include whether they observed any violations of laws, regulations, Code of Conduct, policies, etc. If so, the compliance office should be alerted.
  7. Any management, regulatory, or legal issue raised should be addressed, if possible, before the employee leaves the control of the organization. Taking corrective action while the person is still an employee may forestall that person from taking the same issues to an attorney, government agency, media, etc.

 

For more information or assistance in establishing Compliance Program Exit Interview Programs, contact ckusserow@strategicm.com.

 


Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Choosing a location for investigation interviews

Regardless of whether you are conducting a debriefing of a complainant, interviewing a witness, or confronting a subject in an interrogation, determining the location and setting of the interview is important. The objective is to create privacy and eliminate any possible interruptions or distractions. It should be conducted away from any traffic or other distracting influences, or where others may observe or overhear what is occurring. Interviewing someone in their own office should be avoided in that it invites interruptions or reasons why the person may turn their attention to some other matter. It also gives the interviewee the advantage of being on their “own turf.” By interviewing someone away from their own area, the investigator receives an advantage. The following are some additional tips and considerations in deciding upon the interview location and setting:

1. Privacy. The fewer the people in the room, the better the results
2. Quiet. Don’t want external sounds or outsiders to hear
3. Room Size. Small enough to convey intimacy
4. Well Lighted. Permits closer observation of individual
5. Plain. Avoid distractions (e.g. window, pictures, wall clocks, etc.)
6. Telephone. Shut it off to avoid incoming calls/messages
7. Furniture. Avoid having furniture in between (barrier to rapport)
8. Seating. Interviewer should sit directly across from interviewee
9. Positioning. Avoid the person being able to look out a window and not at you

It is recognized that there are practical constraints that may necessitate compromise on these considerations. Also, most interviews will be of persons who are witnesses or who otherwise provide limited information. As such, many of these tips may not be necessary. However, if the person to be interviewed is the subject of the investigation, applying these principles becomes an important element of a successful outcome.

 


Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Preparing for compliance investigations

Most compliance officers are not professionally trained investigators and are unsure how to decide whether an issue warrants a formal investigation. Also, the great majority of issues presented to compliance officers can be resolved relatively easily without need of an investigation. However, when situations arise warranting an investigation, it is important to know what needs to be done and how. At every step in an investigation, there are rules that must be followed regarding how things must be done: working with other internal or external parties, determining how to manage the records of investigations, and so on. It is important for anyone who may be called upon to investigate to take time to learn some of the fundamentals of the process. The first step for any investigation is taking time to analyze all known facts upon receipt of a complaint, allegation, or information suggesting a potential wrongdoing. After this, the next step is to decide upon a course of action, such as:

  1. Closing the matter without the need of further action
  2. Having enough information to take adverse or corrective action on the issue
  3. Need to investigate to clarify issues
  4. Referring the matter to legal counsel
  5. Disclosing a violation to a duly authorized governmental authority

The following should be considered when the decision is to investigate:

  • Knowing who the deciding authority is and what they will need to make a decision
  • Development of the investigative plan
  • Establishing the scope of the investigation
  • Who is the person best qualified to conduct the investigation?
  • Whether the investigation should be under direction of legal counsel

Time is a major enemy and is a force with which to contend in any internal investigation. There is a lot involved in even a simple investigation.  It includes two key elements: documentary evidence and conducting interviews. Knowing what documents are needed is important but knowing how to properly conduct interviews requires some training and skill to produce optimum results and reduce the risks of losing valuable information and time. Writing reports of interviews and the final Investigations Report is also very important. There is both a right and wrong way to do these things.

Conducting successful compliance investigations relies on professional competence and friendly persuasion, not on the authority and power of a government agency backed by the courts. One of the most common and costly mistakes is for individuals to conduct investigations without having proper training and experience. It is advisable to engage an expert to teach basic investigation fundamentals on how to: (a) conduct interviews, (b) gather evidence, and (c) file and store documents and evidence. A few hours of training will not create a professional investigator but may provide enough guidance to ensure that proper steps are followed to avoid costly mistakes. It is also advisable to have protocols in place in advance of being confronted with an investigation to provide guidance on how to proceed.

 


Copyright © 2019 Strategic Management Services, LLC. Published with permission.