
emPower eLearning: December 2011


Friday, December 30, 2011

Health organizations not prepared for HIPAA audits

A new survey's report comes as federal authorities say they would expand enforcement of patient privacy and security requirements.

In July, the Dept. of Health and Human Services' Office for Civil Rights made clear that it would start doing a better job at making sure entities covered by the Health Insurance Portability and Accountability Act were taking the necessary steps to protect patient data and comply with patient privacy and security laws.

What have health care organizations been doing since then to prepare for the tighter enforcement? Not much, according to the results of a survey of more than 400 HIPAA compliance officers and health information management directors.

In November, HCPro, a health care regulation and compliance consultancy firm in Danvers, Mass., conducted a survey to gauge how prepared health care organizations are for a HIPAA audit. In a Dec. 2 blog post on the survey's findings, HCPro said it found that only 17% of those surveyed were fully prepared, and 70% said they were only "somewhat prepared." A full report on the survey's findings is scheduled to be published in January 2012.

These findings come just four months after the HHS Office for Civil Rights, the department tasked with enforcing HIPAA compliance, awarded a $9 million contract to the McLean, Va.-based consulting firm KPMG to create an audit program. It will verify that health care organizations, payers and business associates are prepared to meet strengthened HIPAA requirements that were laid out in the 2009 Health Information Technology for Economic and Clinical Health Act. Part of KPMG's plan is to conduct random, on-site audits of 150 organizations by Dec. 31, 2012.

According to the contract, the site visits would include interviews with organization leaders such as chief information officers, privacy officers, legal counsel, health information management officers and medical records directors; an examination of the organization's physical features and operations, and its consistency in following policy; and observations of compliance with regulatory requirements.

Organization leaders told HCPro in its survey that they were not fully prepared for these audits for several reasons, including a lack of commitment to HIPAA compliance by senior management. One survey respondent, according to HCPro's blog posting, said most organizations say they don't have time to implement HIPAA regulations on a regular basis. "There needs to be an outside agency coming into the hospital and interviewing the employees on a regular basis," the respondent said.

Although the number of entities KPMG plans to audit is small compared with the number of HIPAA-covered entities in the U.S., any organization could be chosen, according to HHS. KPMG was instructed to audit a wide range of covered entities in terms of scope and size, and could include anyone from individual physicians to business associates.

Under the HIPAA Security Rules, organizations must complete a risk analysis and have policies in place detailing their approach to patient privacy and security and sanctions for those who do not comply. Experts say organizations need to prepare those documents not only for the possibility of a random audit by KPMG; the Office for Civil Rights also has the authority to conduct an audit based on complaints made by patients who feel their privacy was violated.

This article was originally posted at  http://www.ama-assn.org/amednews/2011/12/19/bisf1222.htm


Monday, December 26, 2011

Red Flags Rule Compliance: The Feds May Be The Least Of Your Concerns

After several false starts, the FTC has finally initiated enforcement of the Fair and Accurate Credit Transactions Act’s Red Flags Rule, and has placed the burden of policing identity theft activity squarely on the shoulders of both big and small businesses. However, the FTC could be the least of your problems if you happen to originate credit for an identity thief, because attorneys across the country have been eagerly awaiting this dangerous and virtually impossible regulation. Your problem? Verifying the identity of your customer. If you don’t have required and accepted procedures in place to do so, it might cost you everything you’ve ever worked for.

Your Required Red Flags Rule Policy & Program

First, your operation should develop and implement a Red Flags Rule Policy, which should include four required key elements in addition to other regulations and issues that must be addressed. To demonstrate the importance the FTC places on the Rule, your operation’s Board of Directors is required to approve your Red Flags Rule Policy and Program. For those operations without a board, a committee of senior management should approve the initial Program and monitor it on an annual basis.

But don’t be misled! Simply downloading a “template” from the internet might possibly get you off the hook with the feds, but it probably will not suffice in litigation with an identity theft victim’s lawyer. Attorneys already view this regulation as a “cash cow”, and if one of your customers points the finger at your organization because someone was using their identity unchallenged, rest assured the victim’s attorney will request your written Red Flags Rule Policy and documentation of required employee training. If you don’t have a Policy, or it is poorly written, the plaintiff will most likely allege a breach of duty to protect a consumer’s identity information, or in other words, “wilful non-compliance”, which is as bad as it sounds.

Required Employee Compliance Training

The Rule also requires your operation to provide formal Red Flags Rule compliance training for your staff… and be able to prove it! If your idea of “training” is nothing more than allowing your employees to read your Policy, that faint odor of diesel fuel you smell is from the bus about to run over you. Let’s be honest. The federal government is asking you to do the impossible to prevent identity theft. Your only defense, not if it occurs, but when it occurs, is that you have put forth a valid effort to prevent it from occurring.

In fact, virtually all compliance litigation, federal or civil, comes down to one basic question: “…did the business do everything within reason to prevent this unlawful act from occurring, and if so, where is the proof?” Any attorney worth his pinstripes will tell you that there are two keys in a compliance litigation defense: periodic training and documentation. Your operation should train newly hired employees as part of their orientation, and all employees at least every year, complete with documentation, in order to fend off the potential for huge fines, penalties and jury awards.

The Identifying Information Verification Process

The days of simply making a copy of a consumer’s driver’s license as a basis for identity verification are over. Within the Red Flags Rule, there are 26 listed potential red flag risks that designated institutions should consider when performing a covered transaction. In theory, if any of those flags exist within the identifying information presented by an individual, your business should seek outside third-party sources to confirm the identity of the person. The problem is that virtually all of those potential red flags are open to interpretation… in other words, a guess!

What one of your employees views as a red flag, another staff member might not, and therefore your well-intentioned effort to become compliant is undermined and may cost you. And if that is not enough to cause you concern, there’s the potential for allegations of bias or discrimination if you do not perform the same identity verification process on every customer opening a new covered account. It isn’t hard to imagine a plaintiff accusing your business of discrimination because you carried out an identity verification scan on them because of their ethnic heritage, and not on most Caucasians. Picture an identity theft victim’s attorney ripping through all your records in the discovery phase of litigation like a kid attacking presents on Christmas morning. For what purpose, you ask? How about the fact that you carried out identity verification procedures on 80% of your minority applicants, but only 20% of the time for Caucasians. The smart thing is to take the guesswork out of trying to interpret red flags in your customer’s identifying information by utilizing a compliant identity verification scan, and while we’re on this topic, it may not be wise to rely on the one included in your consumer’s credit report.

The Rule requires identity verification from outside data sources, or as the Rule states: “… cannot be from information contained in a consumer credit report, or information typically contained in a wallet.”

Authenticating Your Customer’s Identity Through Challenge Questions

If you have not developed an involuntary twitch by now, this will put you over the edge. There’s a difference between verifying the identifying information presented by an individual, and actually authenticating the identity of the individual presenting the information. For example, the person applying for a loan might in fact be an identity thief providing you with stolen information. The remedy is to issue “Challenge Questions” to authenticate that the individual is in fact who they represent themselves to be. The questions should be framed in such a manner that only the individual whose identity is in question can answer, and in a timely manner. And again, according to the Rule, these questions cannot be formed from information contained in a consumer credit report or information typically contained in a wallet, but from outside data sources such as the SSN Verification Service, the SSN Death Master File, and state, federal, and international databases to verify DOB, all associated addresses, telephone number assignment, etc.

All of this might take a whole day for just one consumer, or maybe it is time to consider a compliant Identity Verification Service that also offers Challenge Questions. Either way, if you issue Challenge Questions on one, you should do it on all to distance yourself from allegations of bias and discrimination.

Your Lender Relationship

The Red Flags Rule charges your lenders with the duty of ensuring your compliance with the Red Flags Rule, and under the Rule, they may do so by contract. This gives your lender the right to inspect and audit your procedures at any time, and already brokers across the country have been denied services until they’re deemed by the lender to be compliant.

Non-Compliance Fines And Penalties

The Federal Trade Commission has made it abundantly clear that compliance with the Red Flags Rule is not merely a suggestion, and has indicated they may employ “rolling enforcement” to ensure this regulation is not taken lightly. Assuming that “rolling enforcement” means unannounced investigations and audits, here is what you can look forward to if you are found to be non-compliant:

  • Federal fines for non-compliance are up to $3,500 per occurrence. In other words, if your business performs 1,000 non-compliant transactions in a year, the fine will be $3.5 million.
  • Your state attorney general may be able to file class-action suits under “unfair and deceptive acts and practices” theories, which normally permit both actual and punitive damages.
  • You might be held accountable for actual losses of a victim ($92,893 average) if you can’t produce a substantial written Red Flags Rule Policy and documented proof of required employee training.

In Summary

It’s no secret the FTC intends to come down hard on non-compliant businesses in their rounds of “rolling enforcement”, but more importantly, private attorneys eagerly await your wilful non-compliance. The same proliferation of hi-tech software that makes businesses more efficient is also available to the identity theft criminal element to phony up driver’s licenses, tax records, utility bills, credit cards, etc., for the purpose of providing you with false identity information. It’s an impossible task to prevent identity theft: you know it, I know it, and the federal government knows it. Your only defense is to put forth your best effort to become compliant, and again, be able to prove it with documentation. Don’t make the mistake of thinking this regulation is impotent or will simply fade away.

The drumbeat from consumers concerning identity theft grows louder every day, and surely more regulations will follow, along with the horror stories of those institutions found to be non-compliant. Make sure that one of those horror stories is not about you; the best chance for you to get it right is from the beginning.

NOTE: The content of this article does not provide legal advice and is intended as an initial resource guide only. Moreover, the content is not intended to answer specific questions or suggest suitability of action in a particular case or circumstance. The author recommends the reader consult legal counsel for guidance concerning this compliance issue.

This article was originally posted at  http://www.solutionfinder.org.uk/red-flags-rule-compliance-the-feds-may-be-the-least-of-your-concerns/

Tuesday, December 20, 2011

This Year’s 10 Best TED Talks To Share With Students

In honor of the recent TED Live announcement, I thought it’d be a good idea to remind you why TED rocks. Below is just a small fraction of the amazing presentations put on by the folks over at TED. Each one of the presentations embedded below is perfect for sharing with students and showing in class*. Heck, assigning the viewing of these TED talks as homework isn’t a bad idea.

Do you use TED in the classroom? I’d love to hear about it if you did and I know the rest of the Edudemic community would too! Let everyone know about it in the comments.

*There are of course many more presentations but I picked these because I thought they resonated with me and would do the same with students.

Philip Zimbardo: The Demise of Guys?
Philip Zimbardo was the leader of the notorious 1971 Stanford Prison Experiment — and an expert witness at Abu Ghraib. Psychologist Philip Zimbardo asks, “Why are boys struggling?” He shares some stats (lower graduation rates, greater worries about intimacy and relationships) and suggests a few reasons — and challenges the TED community to think about solutions.



Pavan Sukhdev: Put A Value On Nature!
A banker by training, Pavan Sukhdev runs the numbers on greening up — showing that green economies are an effective engine for creating jobs and creating wealth. Every day, we use materials from the earth without thinking, for free. But what if we had to pay for their true value: would it make us more careful about what we use and what we waste? Think of Pavan Sukhdev as nature’s banker — assessing the value of the Earth’s assets.


Annie Murphy Paul: What We Learn Before We’re Born
Pop quiz: When does learning begin? Answer: Before we are born. Science writer Annie Murphy Paul talks through new research that shows how much we learn in the womb — from the lilt of our native language to our soon-to-be-favorite foods. Annie Murphy Paul investigates how life in the womb shapes who we become.




Joe Sabia: The Technology of Storytelling
Joe Sabia investigates new ways to tell stories — meshing viral video and new display technologies with old-fashioned narrative. iPad storyteller Joe Sabia introduces us to Lothar Meggendorfer, who created a bold technology for storytelling: the pop-up book. Sabia shows how new technology has always helped us tell our own stories, from the walls of caves to his own onstage iPad.





Allan Jones: A Map of the Brain
As CEO of the Allen Institute for Brain Science, Allan Jones leads an ambitious project to build an open, online, interactive atlas of the human brain. How can we begin to understand the way the brain works? The same way we begin to understand a city: by making a map. In this visually stunning talk, Allan Jones shows how his team is mapping which genes are turned on in each tiny region, and how it all connects up.




Yves Rossy: Fly With the Jetman
With a jet-powered wing attached to his body, Yves Rossy expands the possibilities of human flight. Strapped to a jet-powered wing, Yves Rossy is the Jetman — flying free, his body as the rudder, above the Swiss Alps and the Grand Canyon. After a powerful short film shows how it works, Rossy takes the TEDGlobal stage to share the experience and thrill of flying.




Ben Kacyra: Ancient Wonders Captured in 3D
Ben Kacyra uses state-of-the-art technology to preserve cultural heritage sites and let us in on their secrets in a way never before possible. Ancient monuments give us clues to astonishing past civilizations — but they’re under threat from pollution, war, neglect. Ben Kacyra, who invented a groundbreaking 3D scanning system, is using his invention to scan and preserve the world’s heritage in archival detail. (Watch to the end for a little demo.)






Jay Bradner: Open-Source Cancer Research
In his lab, Jay Bradner, a researcher at Harvard and Dana Farber in Boston, works on a breakthrough approach for subverting cancer ... and he’s giving the secret away. How does cancer know it’s cancer? At Jay Bradner’s lab, they found a molecule that might hold the answer, JQ1 — and instead of patenting JQ1, they published their findings and mailed samples to 40 other labs to work on. An inspiring look at the open-source future of medical research.






Todd Kuiken: A Prosthetic Arm That “Feels”
A doctor and engineer, Todd Kuiken builds new prosthetics that connect with the human nervous system. Yes: bionics. Physiatrist and engineer Todd Kuiken is building a prosthetic arm that connects with the human nervous system — improving motion, control and even feeling. Onstage, patient Amanda Kitts helps demonstrate this next-gen robotic arm.






Pamela Meyer: How to Spot a Liar
Pamela Meyer thinks we’re facing a pandemic of deception, but she’s arming people with tools that can help take back the truth. On any given day we’re lied to from 10 to 200 times, and the clues to detect those lies can be subtle and counter-intuitive. Pamela Meyer, author of Liespotting, shows the manners and “hotspots” used by those trained to recognize deception — and she argues honesty is a value worth preserving.





Source: Edudemic



Monday, December 12, 2011

5 tips for 11th hour HIPAA 5010 compliance

Like sand through an hourglass, time is trickling down to the HIPAA 5010 deadline. CMS recently granted the industry a grace period for transitioning to HIPAA 5010, but those grains of sand are dwindling ever faster, and there’s no time to lose for payers and providers still working toward compliance.

Even with the “enforcement-free” period, payers and providers who miss the original January 1, 2012 deadline aren’t off the hook. CMS plans to continue holding them responsible and will require them to provide evidence of their good-faith efforts to meet the federal mandate during the 90-day window.

This isn’t our first time running up against a HIPAA deadline. During the transition to HIPAA 4010, we saw many organizations develop contingency plans to operate beyond the deadline without achieving compliance. Unfortunately, many are still operating from contingency plans more than six years later. No deadlines were enforced back then, and as we approach the HIPAA 5010 deadline, CMS is working to counter the same attitude — as well as the same problem.

The big picture here is that HIPAA is crucial to administrative simplification, and continuing to accept long-running contingency plans as the status quo defeats the whole purpose and eliminates the value. The 90-day grace period for HIPAA 5010 shouldn’t be viewed as the latest example of an “always-provide-a-contingency-plan” mindset. Rather, with this extension, CMS has signaled it is in tune with the industry (more so now than with HIPAA 4010) and understands its current state of readiness to comply. As such, all of us should understand that CMS expects full HIPAA 5010 compliance by March 2012.

All of this implies that there’s a lot to accomplish in a short period of time for many payers and providers. Given the unimpressive number of HIPAA 5010 submitters, the meager volume of transactions currently taking place, and other testing data that reflects the industry's underwhelming efforts to date, it will be an uphill climb for some organizations. Many are still waiting on software upgrades — stuck in limbo and unable to progress toward the finish line. Whatever the holdup, compliance will require full cooperation between trading partners. Both internally and externally, it’s now an all-hands-on-deck effort to accomplish this task on time.

The following tips should help your organization make the most of the time that’s left:

1. Expand Your Use of Automation
Organizations that haven’t started internal testing should consider how best to automate both internal and external testing processes. By doing so, they will ensure consistent coverage across both types of testing and complete them in a shorter time span. Keep in mind, not every scenario can be tested, even with automation. Given time constraints, it’s vitally important to triage scenarios and prioritize those that will cause the greatest pain if not done correctly in production.

2. Conduct Concurrent Internal and External Testing
In an ideal world, it would be nice to complete internal testing prior to going outside the organization, but given time constraints, it’s no longer practical. Payers and providers should work together to allow internal and external testing to happen at the same time. The key to success is ongoing communication among teams during concurrent testing. Organizations will need to understand the root cause of each failure and identify whether the point of failure was due to internal or external issues.

3. Prioritize External Testing Based on Complexity
External testing is critical, but it can also be labor-intensive if you haven’t laid the right groundwork with internal testing. If you don’t have the luxury of completing internal testing before starting testing with trading partners, it’s a good idea to start with those who have simpler edits and easier issue resolution processes. That way, you can level-load your resources. While you’re still ironing out internal kinks, you can conduct external testing without overburdening your staff. If possible, wait to begin testing more complex trading partner relationships only once the majority of internal testing is complete. As time goes on, testing should become more of a “lather, rinse, repeat” model, rather than time-consuming efforts to troubleshoot and research appropriate issue resolution.

4. Establish a Business Readiness Plan and Triage Team
Very few healthcare organizations have unlimited time and resources available for HIPAA 5010 testing. Given those constraints, it’s reasonable to assume some issues will crop up in production, and organizations need to be prepared to handle them. Payers and providers should dedicate resources to handle these issues and have resolution processes in place prior to going live with 5010. The pain of mapping out the process after a problem rears its ugly head is immense, so take the time to figure it out beforehand. Part of the plan should also include a vendor warranty and support for a set period, so production problems aren’t treated with fast fixes that won’t resolve the underlying issue. Otherwise, the problems never go away, and they always cause more ongoing work for office staff.

5. Start Testing – Even if Things Aren’t Perfect
Testing is often an iterative process. That means even getting started in one area can yield benefits. For example, if a provider is still waiting for its practice management vendor to update their software, it could work with trading partners to get test response files; e.g., 835, 276, or 271. The team can evaluate the changes manually to identify issues and address them with the trading partner ahead of time. Time is of the essence here — and there is none to lose. Any testing that can be done now, should be done now, even if scenarios are not perfect and complete.

As the clock ticks closer to the 11th hour, it’s critical that the industry make a concentrated, collective effort toward successful HIPAA 5010 testing and transition. Even with a 90-day grace period, the entire industry — CMS, providers and payers — needs to collectively acknowledge that by dragging this process out any longer, we will continue to plod along in ruts of our own making. And we’ll continue to suffer from increasingly unbearable administrative burdens, making the concept of regulatory migration worthless.

HIPAA upgrades will not end with 5010. It’s in the best interests of both payers and providers to get all hands on deck and seize what’s left of the HIPAA 5010 transition timeline. After all, the transition to 6020 is just around the corner!

http://www.govhealthit.com/news/5-tips-11th-hour-hipaa-5010-compliance


Saturday, December 3, 2011

OSHA Updates Tire Servicing Materials Charts

The revised materials address OSHA's Materials Handling and Storage standard that protects workers who service single-piece and multi-piece rim wheels.


OSHA has revised its tire servicing materials to address current hazards in the industry and help workers safely perform maintenance on large vehicle tires.

The revised materials address OSHA's Materials Handling and Storage standard that protects workers who service single-piece and multi-piece rim wheels. Following recent talks with representatives from tire, rubber, and wheel manufacturers, OSHA determined a need for new materials with updates from sources such as the Tire Industry Association.

The updated information, available in a portable manual or as three poster-sized charts, is designed to be easier to access and use. OSHA's revised "Multi-piece Rim Matching Chart" provides an updated list of current and obsolete components, and the old "Demounting and Mounting Procedures for Truck/Bus Tires" chart is now expanded into two charts that deal individually with tubeless and tube-type tires.

"These updated materials will provide readily accessible information on how to prevent worker injuries and deaths from tire-servicing incidents," said Dr. David Michaels, assistant secretary of labor for OSHA. "The new format and easy access will simplify compliance with the standard by helping employers provide their workers with vital servicing information."

The revised tire charts are available for download on OSHA's Publications page.

