First Healthcare Compliance CONNECT- January 2018

® 

CONNECT 

An Exclusive Monthly Publication for Clients 

Certificate vs 

Certification? 

January 2018 

Patient Safety 

Gaps 

Preventing 

a HIPAA 

Breach 

Introducing 

our 

Compliance 

Super Ninja!

Important Compliance Dates 

January 

1 

January 

1 

July 

1 

December 

1 

December 

February 

15 

2018 EHR Stage 2 Medicaid reporting period is a minimum of any 

continuous 90 days between January 1 and December 31, 2018. 

2018 EHR Stage 3 Medicaid (for all new and returning participants) 

reporting period is a minimum of any continuous 90 days between 

January 1 and December 31, 2018. 

Beginning July 1, 2017, practitioners in 9 states are required to 

report claims data on post-operative visits furnished during the 

global period of specified procedures using CPT code 99024. 

Virtual Group submissions due to CMS via email to 

MIPS_VirtualGroups@cms.hhs.gov by December 1, 2017. 

December 15, 2017 is the new extended deadline for electronic 

submission of OSHA 300/300A Illness and Injury forms for required 

establishments. 

In This Issue: 

Important Compliance Dates 

Compliance Super Ninja 

Patient Safety Gaps 

Preventing a HIPAA Breach: Phishing Attacks and Access 

2 

First Healthcare Compliance, LLC © 2018

Compliance Super Ninja 

Kristine Papa 

Director, Compliance 

West Dermatology 

How would you describe your experience with First Healhcare Compliance? 

I absolutely enjoy working with 1st HCC. The customer service is always excellent! 1st HCC is open to suggestions 

and allows clients to submit their own training modules. Working with 1st HCC you feel as if you are part of the 1st 

HCC family. They go above and beyond to assist client requests – even working on a holiday to do so. 

What do you enjoy most about working with West Dermatology? 

The professionalism of the staff and how everyone goes out of their way to work as a team even across state lines. Of 

course no team could function without the support of management. They do all they can to make us feel we are part of 

the West Dermatology family in ways you may not expect from such a high level company. I am especially proud of the 

West Dermatology commitment to community as evidenced by the support provided, both emotionally and financially, 

to the victims of the October 1st shooting in Las Vegas. 

Would you prefer to permanently be transported 500 years in the 

future or 500 years in the past? 

500 years in the future. It’s exciting to see where compliance and technology 

has come and I can only image where it will be 500 years in the 

future. 

Each month we highlight one exceptional compliance 

professional chosen by our client services team. If our team 

notices your compliance chops, you might be the next Ninja! 

Addressing Unauthorized Access with Ray Ribble 

Understand the Difference: Certificate vs Certification 

Naughty or Nice? The Rules of Giving and Receiving in Healthcare 

Upcoming Learning Opportunities 

Contact Toll Free: 888-54-FIRST 3

Don’t miss out on free stuff! 

Please enjoy one set of complimentary 

compliance posters available from our store at 

1sthcc.com/shop 

Use coupon code: 

TISTHESEASON 

Good through 1/31/18 

4 


Get the eBook! 

When a patient safety incident, medical error or adverse event occurs, patients are 

rarely the only victims. Join us to explore the impact on caregivers and understand 

the lasting damage to those providers. 

® 

Patient Safety Gaps 

Medical Errors and Second Victims 

Read more about: 

• Background of Patient Safety Gaps 

• Scope of the Problem 

• Medical Errors and Accountability 

By David M. Sommers MD JD LLM 

Download your copy today! 


By Jill Brooks, MD, CHCO 

Your organization’s security risk analysis and security awareness 

training are the best defense against nefarious cyber criminals. 

In reviewing breaches from 2017, cyberattacks with ransomware 

brought organizations to a standstill if they lacked a pre-emptive 

back-up plan for the data hostage situation; a few had no choice 

but to succumb to the hackers’ payment demands. When healthcare 

entities were the intended ransomware targets, breach of 

protected health information (PHI) was not their only concern— 

the delivery of patient care was significantly altered or even 

completely blocked. To mitigate your organization’s potential 

security risks for 2018, specific areas to address must include 

your staff’s awareness of phishing emails and proper termination 

procedures for employee access, if necessary. 

As part of security awareness training, your staff must understand 

the potentially disastrous effects of phishing emails. Tips 

on detection of phishing emails should include methods of reporting 

to prevent other employees from possibly falling victim to the 

same scam. One notable scheme in 2017 involved a fake survey 

sent to employees’ emails at a healthcare center. Hackers gained 

access to the accounts of those employees who submitted the 

survey and were able to re-direct the employees’ paychecks 

into the hacker’s bank account. During the investigation, it was 

also determined that the email accounts contained patients’ PHI. 

Although uncertain if the hacker actually accessed the PHI, the 

HIPAA breach notification protocol had to be followed, including 

costly identity theft monitoring for those affected. 

Knowledge of common phishing email schemes will help staff 

realize how sneaky the cybercriminals can be. Simply clicking on 

a link, attachment or just opening an email may allow the hacker 

to insert malware, ransomware or a virus. Employees should 

exercise caution if they receive an email letter from their CEO 

or another executive in the organization even when appropriate 

logos are present. An email containing multiple misspellings or 

poor word structure should always give pause. An email request 

for password information should be a glaring red flag. Staff 

should always avoid URLs beginning with http://. The S in https:// 

6 


stands for “secure”, encrypting the data exchange to prevent 

others from eavesdropping on the computer communication. 

Any URLs lacking the domain name of the specific organization 

immediately following the https:// are also suspect. 

Termination of employee access may be necessary to maintain 

the security of the organization. Access must be terminated 

immediately upon employee termination. While a breach 

may result from a current employee’s malicious intent, other 

breaches have been attributed to unauthorized access by prior 

workforce members whose access was not appropriately terminated. 

In November 2017, the Office for Civil Rights (OCR) issued 

guidance on how to terminate electronic and physical access 

when an employee quits or is terminated. A few of the key steps 

include the following: notification of the IT department or security 

official; deactivation or deletion of user accounts; retrieval of 

all remote devices; and erasure of any ePHI on personal devices. 

Procedures should also be in place for any changes to employee 

job descriptions and how the level of access should be altered 

to reflect the new job classification. 

Unfortunately, many of these cyberattacks on the healthcare 

industry were not easily prevented such as the multiple attacks 

by the infamous TheDarkOverlord (TDO). Due to the serious 

ramifications of ransomware attacks on healthcare facilities, the 

OCR issued guidance on what to do in this hostage situation. 

The following processes are recommended for security incident 

procedures: 

• detect and conduct an initial analysis of the ransomware; 

• contain the impact and propagation of the ransomware; 

• eradicate the instances of ransomware and mitigate or 

remediate vulnerabilities that permitted the ransomware 

attack and propagation; 

• recover from the ransomware attack by restoring data lost 

during the attack and returning to “business as usual” operations; 

and 

• conduct post-incident activities, which could include a 

deeper analysis of the evidence to determine if the entity 

has any regulatory, contractual or other obligations as a 

result of the incident (such as providing notification of a 

breach of PHI), and incorporating any lessons learned into 

the overall security management process of the entity to 

improve incident response effectiveness for future security 

incidents. 

Since it’s that time of year to report all breaches affecting under 

500 individuals, be sure corrective action has been implemented 

in your organization to prevent any possible recurrences. Most 

importantly, your employees must be aware of any changes to 

your security policies and procedures for 2018. 


Podcast 

Addressing Unauthorized Access with Ray Ribble 

Catherine Short, Partnership Marketing Specialist at First Healthcare Compliance, hosts Ray Ribble, 

founder of SPHER, Inc., a healthcare cybersecurity company, for an interactive discussion on 

“Addressing Unauthorized Access – Knowing who is looking at your PHI.” 

This podcast focuses on a discussion of the current landscape as it relates to unauthorized access of 

patient PHI within the healthcare community. Ray guides us to what measures can be deployed to 

protect and detect unwanted eyeballs. 

Objectives: 

1. Review status of PHI Protection 

2. How is PHI monitored today 

3. What can I do to protect my patients PHI from unauthorized access? 

Looking for the latest compliance insights? 

Subscribe to our listen and learn podcasts and don’t miss a thing! 

Listen to the First Healthcare Compliance podcast! 

8 


This past September, First Healthcare Compliance released our 

certificate program to teach the essential principles and practices 

of compliance— The Fundamentals. This one of a kind 

program gives healthcare professionals the knowledge they need 

to meet compliance challenges in the heavily regulated healthcare 

industry. 

When learners successfully complete our four-hour course, they 

earn a certificate—not certification—by taking a 100-question 

exam to display their mastery of healthcare compliance 

fundamentals. It is important to note the difference between a 

certificate and certification program, as they are not one in the 

same. 

Typically, a certificate program proves that a compliance practitioner 

attended or completed a course or series of courses that 

have a specific focus. This type of program is open to newcomers 

as well as experienced professionals, and these programs do not 

allow the learner to place designations after their name when 

completed. 

To be defined as a certification program, a program must include 

both an educational component and an experience component, 

and it must require that learners pass an exam. Completing this 

type of program allows a practitioner to put a designation after 

his or her name. Also, certification requires recertification, which 

ensures that practitioners keep their knowledge current through 

continuing education. 

Unfortunately, there are programs being offered that are mislabeled 

as certifications so healthcare professionals and those 

looking to enter this industry need to be careful in how they 

increase their knowledge and enhance their careers. 

If you’re looking for an excellent certificate program that will give 

you an abundance of practical knowledge, you’ll do well by taking 

The Fundamentals. But if you are interested in a certification, be 

sure to find a program that includes both education and experience, 

requires that you pass an exam, and includes recertification 

so you keep up with current teachings. 

If you’re considering compliance education, don’t be misled— 

take a close look at the credibility of the programs available and 

choose one that best fits your career development and current 

objectives. 


Join us on Social Media! 

10 


The most comprehensive healthcare 

compliance course yet! 

The Fundamentals is a user-friendly, four-module course designed 

to help healthcare professionals understand the 

essential principles and practices of compliance. 

Written by our “dream team” of 

healthcare providers and attorneys, 

The Fundamentals Course is packed 

with useful, easy-to-understand 

information that covers HIPAA, OSHA, 

employment law and enforcement of 

Federal healthcare laws. The course 

takes less than four hours to complete. 

The Compliance Certification Board 

(CCB)® has approved this event for up 

to 4.4 non-live CCB CEUs. 

Visit 1sthcc.com/shop to 

register today! 


Join Us for These Upcoming 

Learning Opportunities! 

Complimentary CEU Webinars 

January 23rd @ 12pm ET 

Red Flag Rule - HIPAA Compliance 

Todd Sexton 

Identillect Technologies 

Listen and Learn Podcasts 

February 6th @ 12pm ET 

Current Inspections - What to Expect 

When the Surveyor Arrives 

Bridget Smudrick, CLIA Specialist 

DoctorsManagement 

Featured January 16th 

Unauthorized Access 

Ray Ribble 

SPHER, Inc. 

Featured January 30th 

Security Management in 

Healthcare Facilities 

Steven S. Wilder, BA, CHSP, STS 

Sorensen Wilder and Associates 

Now available in our training zone! 

CEUs from the following organizations: 

AAPC 

ADCA 

AHCAE 

AHIMA 

APMBA 

ARHCP 

HBMA 

MAB 

NAMAS 

NHCLA 

PAHCOM 

PAHCS 

PHIA 

PMI 

PMRNC 

POMAA 

Contact our Client Services Team with any questions! 

888.54.FIRST or clientservices@1sthcc.com 

12

First Healthcare Compliance CONNECT- January 2018

Create successful ePaper yourself

Delete template?

Save as template?