Kusserow on Compliance: Use of temporary compliance and privacy officers

By now every health care provider is aware of the need for an effective compliance program under the direction and management of a compliance officer, as well as a privacy officer to ensure HIPAA compliance. It is common these days for organizations to have compliance and privacy officer vacancies as a result of a retirement, termination, someone changing jobs, or any of a dozen other reasons. Sometimes the vacancy is triggered by an audit or investigation by the HHS Office of Inspector General (OIG), Department of Justice (DOJ), HHS Office for Civil Rights (OCR), or a CMS contractor. In other cases, a board or new executive leadership may wish to use proven experts to promote and/or elevate the programs to a higher level. Regardless of the reason, the departure of a long-time incumbent creates a vacuum that needs to be filled quickly for day-to-day management and for responding to emerging issues, in order to avoid serious problems and potential liability. The worst time to have a vacancy is when entering the holiday season and the end of the calendar year. For a variety of reasons, it is a time when many problems and issues arise that need prompt attention.

Steve Forman, CPA, is an expert on the subject with over 25 years as a healthcare compliance officer and consultant, including serving on multiple occasions as an interim compliance officer. He notes that the sudden departure of a compliance or privacy officer makes finding someone properly qualified in a timely manner a serious issue. Confronted with a rapidly evolving regulatory and enforcement environment, health care organizations cannot afford to take the chance of having a gap in these positions. When such a gap occurs, engaging an expert on a short-term engagement can hold the reins of the program together while a permanent replacement is found. Using a properly qualified outside expert presents many advantages. They bring the experience of having served in other organizations and of having dealt with many of the same issues in prior positions. It is also important that they are not invested in any prior decisions and are not aligned with any parties in the organization. Most importantly, they bring “fresh eyes” to the program. They can provide an objective assessment of the state of the compliance program, offer suggestions, and give guidance for improvements.

Suzanne Castaldo, JD, who specializes in providing interim compliance and privacy officers for healthcare clients, noted that the clients to whom she has provided interim officers usually take three to five months to find and hire a permanent replacement with the necessary experience and qualifications. When they seek temporary officers, she provides experienced professionals with previous experience as a compliance or HIPAA privacy officer. Over the last 25 years, her firm has worked with over 3,000 health care organizations in building, evaluating, and managing compliance programs, which provides a unique level of knowledge and expertise. Using the right professional with extensive experience and technical skills can make significant improvements to any compliance program in relatively short order.

Camella Boateng is another highly experienced compliance professional who has served as an interim compliance and privacy officer for several organizations. She has found that organizations have a tendency to understate the needs of the vacant position. In every case where she has been called upon to fill a vacancy, she has encountered serious problems that were hidden or not recognized by the organization. In fact, these unattended problems were often the reason for the departure of the incumbent. As such, those seeking temporary compliance or privacy officers require more than someone just to monitor and manage day-to-day work. They should look to the added benefits and services an outside expert can bring, including an independent assessment of the status of the compliance program and of the high-risk areas warranting attention. Before leaving the engagement, the interim officer can develop a “road map” for the incoming compliance officer to follow. All of this can result in comprehensive briefings for management and the board on the state of the program.

Lisa Shuman is a consultant who has served as an interim privacy officer for organizations. She observed that the workflow is different from that of a compliance officer. She has found from her experience that most engagements can be part-time, with much of the work done remotely. The first month usually involves reviewing the adequacy of existing policies, procedures, controls, and training content. After that, the work focuses primarily on privacy violation investigations as they arise; however, it is important that the interim privacy officer be available at any time to deal with issues.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

House committee takes interest in ‘NotPetya’ malware attack fallout

House Energy and Commerce Committee leaders are concerned that a malware attack from late June 2017, known as “Petya” or “NotPetya,” may have lingering effects on Merck & Co., Inc. The leaders sent letters to Merck’s CEO and HHS Secretary Price expressing this concern and requesting additional information about the attack and its effects on the company.

NotPetya

The malware infection began on June 27, 2017, and spread across the world, infecting businesses in a variety of sectors. At the time of the attack, the extent of Merck’s exposure was not precisely known, although an employee reported being told to stop working, that some computers appeared to have been wiped, and that all U.S. offices were affected by the attack. The committee letters referred to information provided in Merck’s second-quarter 2017 financial outlook, which stated that packing operations were mostly restored, formulation operations were partially restored, and active pharmaceutical ingredient operations were partially restored but bulk product was not yet being produced.

Patient risk

The committee’s interest in the matter stemmed from concern that patients may have been negatively impacted by the manufacturing disruption. Although no evidence of such risk had surfaced, the committee pointed to an announcement from the Centers for Disease Control and Prevention (CDC) that certain formulations of Merck’s Hepatitis B vaccine would not be available. The committee requested that Merck provide a formal briefing on the initial infection and on Merck’s steps to recover and resume manufacturing by October 4, 2017. The committee also requested an HHS briefing on the agency’s steps to understand and respond to the situation, as well as its plans for addressing drug shortages or other consequences stemming from cyberattacks.

Kusserow on Compliance: FBI on cybersecurity—advice and tips

The FBI recently made presentations on cyber security at the Boston Conference on Cyber Security and at the American Hospital Association annual meeting. Key points from these presentations included underscoring that the FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists. The FBI views cyber threats as a serious and growing problem, as cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Both private and public sector networks are targeted by adversaries for trade secrets, sensitive business data, and private information. Universities are targeted for their research and development. Individuals are targeted by fraudsters and identity thieves. Children are targeted by online predators. The FBI has been gearing up for the challenges from these threats by enhancing its Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks. However, it is struggling against a number of challenges, including finding talented workers in competition with the private sector, and the fact that a majority of cyber-attacks are never reported because parties want to address the problem without getting entangled in an FBI investigation. This hampers the FBI’s work. The FBI wants to encourage better reporting, emphasizing that the agency has an interest in protecting private information and data; any internal information received will not be used against a provider, as the provider will be treated as a victim. The FBI recognizes that health care organizations are major targets for cyber-criminals, because the sensitive data they collect in large volumes can be sold at a high price for use in fraud and identity theft. Medical devices are also increasingly becoming a target.

The FBI is encouraging health care companies to share some basic network information with their local FBI offices before an attack occurs, and to join an information-sharing group with other companies in their industry. The following observations and advice came from the two FBI presentations:

FBI Advice and Tips

  1. People are the “weak links” in cyber-attacks, so train them to recognize and prevent cybercrimes.
  2. Review whether everyone with high-level access to a hospital’s database actually needs that access.
  3. It is important to update and patch systems regularly to prevent intrusion.
  4. The more people with security access, the easier the systems are to breach.
  5. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access.
  6. Develop a business continuity plan to prevent downtime.
  7. Establish real-time data backups to permit work to continue.
  8. Organizations should establish closer ties with the local FBI before there is any incident.
  9. Those harmed in a cyber-attack will be treated like victims of a crime.
  10. The FBI called for building a relationship with the local FBI office.
  11. Organizations should join information-sharing groups with others in their industry.
  12. Regular systems tests can also help flag vulnerabilities before a hacker can get in.
  13. Don’t assign responsibility for cyber security to someone at a low level in the organization.
  14. Cyber security is an enterprise risk, and executive and board-level interest is needed.


AMA preparing to tackle questions surrounding physician-patient texting

Regulators are serious about privacy and about violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and crackdowns keep providers on their toes. The evolution of technology provides innovative and efficient ways to practice medicine and communicate with patients, but it brings with it new obstacles that can easily trip up a provider who is not paying close attention. At the end of a long day, a tired doctor might send a quick text to a mother who does not want to bring in her sick child if over-the-counter medicines will do the trick, trying to be as accommodating as possible and truly caring for the patient’s well-being. Both mother and doctor will be relieved that an unnecessary trip was avoided, but is this type of communication appropriate?

The American Medical Association (AMA) provides guidelines for providers on issues just like this one, and the AMA House of Delegates will consider expanding its advice on email communications to include text messaging at a June meeting. Although the AMA maintains that a face-to-face meeting is the foundation of a physician’s relationship with a patient, it recognizes that patients and physicians may prefer text message communications in various settings.

Considerations when texting

As expected, the AMA’s first basic standard of engagement to consider is HIPAA. The Board of Trustees (BOT) recommends discussing obligations under HIPAA’s Security Rule with both information technology (IT) staff and legal counsel. This rule requires that entities transmitting electronic protected health information (ePHI) ensure that these transmissions are confidential and secure. The AMA provides an educational tool to assist providers in achieving compliance with the rule, and HHS offers advice on protecting ePHI when using cell phones.

Providers should keep in mind the potential differences between communicating with patients and communicating with colleagues. While doctors and nurses in the same office may think nothing of texting one another, a patient needs to consent to the communication. Current guidance indicates that a patient’s initiation of a text conversation may serve as consent, but some providers might obtain written consent that acknowledges the risks in such transmissions. Patients should be reminded that security is not guaranteed and that privacy can be breached as easily as by someone they know using their phone and seeing a text.

Boundaries

In addition to consent and security issues, the AMA raises several points more along the lines of etiquette but that must be approached within the patient-physician relationship framework. A physician should establish boundaries with patients, such as establishing reasonable response times and appropriate times of day for texting. Additionally, extensive conversations are not recommended, and if a patient requests a lengthy explanation the physician should request that the patient come into the office.

When texting, the AMA recommends keeping a formal tone: cordial, but refraining from jokes, emoticons, or emotionally charged or sarcastic language. The recommendations even extend to ending texts with the physician’s full name and business affiliation, accompanied by a request to acknowledge receipt of the message. Although it may seem obvious, the AMA also reiterates refraining from using identifying information such as name or Social Security number, and keeping records of the texts.