First Healthcare Compliance CONNECT September 2019
CONNECT
An Exclusive Monthly Publication for Clients
September 2019

First Healthcare Compliance Announces Expert Presenters for HIPAA Privacy and Security Summit
Surviving an OCR Audit – Lessons Learned
Q&A: HIPAA and Health Apps
First Healthcare Compliance Welcomes Nicholas Heesters of OCR as Distinguished Speaker
Medical Cannabis – How it’s Working in Maryland & Nationally
New Training Modules
Client FAQ Corner

Got a Minute? Please Rate Us!
The health of our company depends on our best clients spreading the word about us. That’s you!

Share Your Success Story
An endorsement by you is the greatest compliment we could receive! Please take a moment of your time to rate us online so that others can benefit from your experience. It’s a simple way to help us grow and improve. We appreciate your support and look forward to hearing from you!

In This Issue:
Share Your Success Story
First Healthcare Compliance Announces Expert Presenters for HIPAA Privacy and Security Summit
Surviving an OCR Audit – Lessons Learned

First Healthcare Compliance, LLC © 2019

Compliance Super Ninja
Pamela Setufe, MHA, FACMPE, CPCS, CPCO
Chief Compliance Officer, Director of Contracting, Credentialing & Insurance Risk
Gonzaba Medical Group

How would you describe your experience with First Healthcare Compliance?
Amazing! The response from the support team, especially Desiree has been great. I can always count on the support and technical staff to help address any questions or help I need in a timely manner. The system is easy to use, and I want to add that the trainings are also up to date with the current changes in healthcare law and regulations. Thank you for a great product and service!!!

What do you enjoy most about working with Gonzaba Medical Group?
Gonzaba Medical Group is where to send your family, if you want a trusted provider to care for them in San Antonio, TX. I have been working here since January 2008 and I can’t stop talking about the miracles that happen here every day. I especially love the diversity of what I do in my role…and one thing I truly appreciate is how everybody strives to live by the purpose of GMG, which is to “Serve our Patients Como Familia – Like Family”. Most of our facilities are considered a one-stop-shop, and if not, care is coordinated to make sure our patients only see specialists that have proven outcomes that yield healthier lives for our family. I tell people, what can be better than to work at a place where everyone you work with is considered family, and all you do together all day is to take care of family members (patients) who come to pay us a visit! Simply the best!

Would you rather travel the US to see the sights in a motorhome or by plane? Why?
Motorhome of course...! – I definitely want to see and explore the sights and sounds of the US in person and up close. Even though traveling by plane would be faster, nothing beats engaging with the locals on the ground, enjoying the diverse sights, food, music and cultures along the way… definitely something to add to the bucket list!

Client FAQ Corner
1st Talk Compliance - Medical Cannabis – How it’s Working in Maryland & Nationally
Q&A: HIPAA and Health Apps
First Healthcare Compliance Welcomes Nicholas Heesters of OCR as Distinguished Speaker

Contact Toll Free: 888-54-FIRST

Surviving an OCR Audit – Lessons Learned
By Catherine Short

Raymond Ribble is the founder of SPHER Inc. and co-founder of Fusion Systems Co., Ltd. Ray leads the SPHER organization as they deliver privacy & security cybersecurity solutions in healthcare. He will lead the presentation Surviving an OCR Audit – Lessons Learned at the upcoming HIPAA Privacy and Security Summit on November 14.

SPHER represents the leading SaaS-based privacy monitoring security solution for HIPAA Compliance, Meaningful Use, and MIPS offering overall protection of patient health information.

Ray participates in a number of healthcare groups, speaks at universities, industry conferences and webinars, while actively contributing to the growing awareness of the need to identify unauthorized access to PHI and breach detection.

With over 25 years in the technology industry, Ray has been involved in delivering solutions for multiple industries from Aerospace with Northrop, to investment banking financial systems in Asia for many of the world’s top banks, to the recent creation of machine learning-based solutions for the US Healthcare markets.

Ray remains active in international businesses and technology communities including: PHI Protection Network, Medical Identity Fraud Alliance, the American Chamber of Commerce in Japan (ACCJ) as past Co-Chairman of the ICT Committee, the Japan America Society, the YMCA, as well as many charities.

Ray holds a BSc. in Aerospace Technology & Management from Western Michigan University, and completed his advanced Japanese Studies at UCLA.

Client FAQ Corner

Are healthcare providers required to provide HIPAA training to independent contractors?

If the individual is not part of the provider’s workforce and performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, the provider, then they are a business associate. Workforce is defined as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity (provider) or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

It is common to overlook a business associate who has been working in your organization for a long period of time. If the individual is an independent contractor, issued a 1099 form, and performs functions that involve PHI, he/she must sign a Business Associate Agreement. Not doing so can be costly. Every time a business associate accesses your patients’ information without the proper agreement, your organization is potentially exposed to very large fines stemming from noncompliance with the HIPAA Privacy Rule. Equally important is hiring independent contractors who are aware of their HIPAA requirements. If they have not participated in an annual HIPAA training program, then it is best to assign these individuals training from our system.

Explore the FAQs tab in your compliance solution to find answers to your compliance questions!

First Healthcare Compliance Announces Expert Presenters for HIPAA Privacy and Security Summit
By Julie Sheppard, BSN, JD, CHC

Delaware Law School and First Healthcare Compliance Announce Schedule of Expert Presenters for HIPAA Privacy and Security Summit
November 14, 2019

The HIPAA Privacy and Security Summit is a joint effort of Widener University Delaware Law School and First Healthcare Compliance to provide timely updates for professionals serving in healthcare, business and legal roles. The full-day event will be held on November 14, 2019 in Ruby R. Vale Moot Courtroom at the Delaware Law School and will include continental breakfast, lunch, CLE and CEUs, and a complimentary copy of the HIPAA Privacy and Security book by First Healthcare Compliance. Registration is open to the public.

Expert presenters will discuss regulations and real-life scenarios related to HIPAA privacy and security including Business Associates, responses to cybersecurity incidents, audits, breaches, HIPAA best practices and more. Attendees will be eligible to receive multiple learning credits. The fast-paced schedule provides ample opportunity for networking in addition to expert educational sessions.

8−8:15 a.m. Registration and Continental Breakfast
8:15−8:30 a.m. Opening Remarks and Welcome
8:30−9:30 a.m. Iliana Peters, Esq. – It’s Midnight. Do you know where your data is?
9:30−9:40 a.m. Break
9:40−10:40 a.m. Jo-Ellyn Sakowitz Klein, CIPP/US – Buying a Breach: HIPAA Best Practices in M&A
10:40−10:50 a.m. Break
10:50−11:50 a.m. Rebecca Rakoski, Esq. – HIPAA is Not the Only Game in Town: How New Domestic and International Data Privacy Regulations are Changing the Face of Healthcare
11:50 a.m.−12:20 p.m. Lunch Break and Announcements
12:20−12:50 p.m. Distinguished Speaker: Nicholas P. Heesters, Jr., MEng, JD, CIPP, Health Information Privacy Security Specialist, HIPAA Compliance & Enforcement, U.S. Dept. of Health and Human Services Office for Civil Rights
12:50−1:50 p.m. Rachel Rose, Esq. – HIPAA and the HITECH Act: Recent Case Law, Statutory Changes and Penalty Assessments
1:50−2:50 p.m. Ray Ribble, President of Spher, Inc. – Surviving an OCR Audit – Lessons Learned
2:50−3:00 p.m. Break
3:00−4:00 p.m. Jennifer Brady, Esq. – Business Associates under HIPAA: Compliance Requirements, Liability Considerations, and the Anatomy of a (Business Associate) Breach
4:00−5:00 p.m. Kathleen McNicholas MD, JD, CHC, CCEP – HIPAA and Ethics

Early Bird Tickets End October 1!

Q&A: HIPAA and Health Apps
By Catherine Short

Rachel V. Rose, JD, MBA, presented the webinar “HIPAA and Health Apps.” Rachel returned to answer many commonly asked questions on our blog.

How has HIPAA evolved to address mobile technology?

HIPAA was signed into law in August 1996. Subsequently, the Privacy Rule and Security Rule were implemented. In 2009, the HITECH Act passed and with it came an increased focus on security of protected health information (PHI) and breach notification. Finally, on January 25, 2013, the Final Omnibus Rule was published (78 Fed. Reg. 5566 (Jan. 25, 2013)). In general, the U.S. Department of Health and Human Services – Office for Civil Rights has primary jurisdiction over HIPAA enforcement for covered entities, business associates and subcontractors. Other agencies such as the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) also play a role.

In terms of mobile technology and health apps in particular, HHS recently published FAQs – a series of five questions and answers that target a covered entity’s liability when transferring a patient’s data to an app. Additionally, over the past couple of years, the FDA has released guidance on mobile medical apps – specifically those medical apps the FDA will regulate and those that it won’t, which depends on the app’s function.

What is covered under ePHI?

ePHI, which is also known as electronic protected health information, is protected health information that is produced, saved, transferred or received in an electronic form. This can include USB drives, CD-ROMS, email, apps and VoIP technology. The management of ePHI is covered under the Security Rule.

What steps can companies take to ensure compliance?

One can think of compliance as an inverted triangle – start with a broad base at the top and narrow the focus into different departments and the relevant technical, administrative and physical safeguards set forth in the Security Rule. The top should include forming an enterprise risk management team and conducting an annual, comprehensive risk analysis that every team member reads. From there, understanding the ingress and egress of protected health information, the vulnerabilities and compliance solutions identified in the risk analysis can be addressed.

Get our eBook by Andrew Wilson!
• What is Telemedicine?
• Telemedicine FAQ’s
• Elements of a Telemedicine Program
• Are You Ready For Telemedicine?
And don’t miss Andrew’s past webinar with us, “Telemedicine Compliance Primer – Using Delaware as a Model” available in podcast or on YouTube format.
Download your copy today

Are there any National Institute of Standards and Technology (NIST) publications that address privacy, security and mobile apps?

Yes. Two key NIST special publications are SP 800-124, Rev. 1, Managing the Security of Mobile Devices in the Enterprise and SP 800-53, Rev. 5, Security and Privacy Controls for Info Systems and Organizations. Both of these publications provide useful frameworks for achieving compliance to ensure that the confidentiality, integrity and availability of the data is maintained, even on an app.

Be on the lookout for Rachel on our radio program, 1st Talk Compliance in October 2019. Take a look at our brand-new book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH. And check out Rachel’s other blog Recent HHS Guidance Underscores the Importance of HIPAA Compliance. Come hear Rachel Rose speak live at the HIPAA Privacy and Security Summit, November 14, 2019 at Delaware Law School.

Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – represents clients on healthcare, cybersecurity, securities and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at rvrose@rvrose.com.

Be on the lookout for Rachel on our radio program 1st Talk Compliance in September 2019.

First Healthcare Compliance Welcomes Nicholas Heesters of OCR as Distinguished Speaker
By Catherine Short

Delaware Law School and First Healthcare Compliance announce that Nicholas Heesters of the HHS Office for Civil Rights will serve as the Distinguished Speaker at the second annual HIPAA Privacy and Security Summit on November 14, 2019.

Nicholas Heesters is a certified information privacy professional with over 25 years of experience supporting technology and information security across many diverse industries. Mr. Heesters earned his Master of Engineering in Computer and Software Engineering from Widener University and Juris Doctor from the Widener University School of Law. Currently, Mr. Heesters leads a team of security professionals supporting OCR’s HIPAA Security Rule compliance and enforcement activities for the U.S. Department of Health and Human Services Office for Civil Rights.

HIPAA is an important issue among healthcare, business, and legal professionals nationwide. This presentation will focus on trends in breaches of protected health information (PHI) reported to OCR as well as updates with respect to OCR’s HIPAA policy and enforcement activities. Attendees will have the opportunity to participate in a helpful question and answer session.

The HIPAA Privacy and Security Summit is a joint effort of Delaware Law School and First Healthcare Compliance to provide resources for professionals facing the challenges of HIPAA compliance. The full-day event will be held in Ruby R. Vale Moot Courtroom at the Delaware Law School and will include continental breakfast, lunch, and multiple opportunities for continuing education credits. Attendees are eligible to receive 7.5 CLE credits (6.5 substantive, 1 ethics) in Delaware, New Jersey, and Pennsylvania. This program has been approved for 7.5 continuing education unit(s) by Practice Management Institute® and PAHCOM. The Compliance Certification Board (CCB)® has approved this event for up to 10.2 CCB CEUs. Continuing Education Units are awarded based on individual attendance record. Granting of prior approval in no way constitutes endorsement by CCB of this event content or of the event sponsors. Registration is available to the public.

About Delaware Law School: Widener University is a metropolitan university that connects curricula to social issues through civic engagement. Dynamic teaching, active scholarship, personal attention, applied leadership, and experiential learning are key components of the Widener experience. Delaware Law School is the First State’s only law school, providing Juris Doctor, legal graduate and paralegal degree programs with an emphasis on developing legal professionals who reflect the Delaware Way and its traditions of civility, integrity and mutual respect. The school offers signature programs in corporate and business law, environmental law, family health law and policy, trial advocacy, and dignity rights.

The most comprehensive healthcare compliance course

The Fundamentals is a user-friendly, four-module online course designed to help healthcare professionals understand the essential principles and practices of compliance.

Written by our “dream team” of healthcare providers and attorneys, The Fundamentals course is packed with useful, easy-to-understand information that covers HIPAA, OSHA, employment law and enforcement of federal healthcare laws.

The course takes less than four hours to complete, and the modules can be viewed in any order. A certificate of course completion is provided following successful completion of the online course and exam.

hosted by Catherine Short

Catherine Short speaks with Gene M. Ransom, III, CEO of the largest and oldest physician organization in Maryland, MedChi, The Maryland State Medical Society. As MedChi’s chief executive, Ransom spearheads MedChi’s mission as an advocate for physicians, patients, and the public health of Maryland. Today, we will be discussing “Medical Cannabis – How it’s Working in Maryland & Nationally.” We will examine the use of medical cannabis in Maryland, review the legal framework regarding its use, and discuss the practical aspects of dispensing medical cannabis from the healthcare provider’s perspective, including the unique role of the recommender.
Listen weekdays at<br />
7:30am, 3:30pm, 11:30pm ET<br />
Check out our Show Page!<br />
Looking for the latest compliance insights?<br />
Subscribe to our feed and don’t miss a thing!<br />
WORD SEARCH<br />
J L P V R L H C N R D Z M R F Z S L Q B<br />
H K J M J C H O A H E A L T H C A R E K<br />
Y P M D M O Z H E V B A Q R T P Z V W E<br />
V O L P G O Z O F K D Q Y X M B B T M L<br />
Y A D K Q L A D N A L Y R A M V T H D A<br />
Z F L I V A O A Y G O L O N H C E T C L<br />
W D M S D R A D N A T S T K E J T B I D<br />
L K H W T D H H F H I P A A A R Q S I Y<br />
W C E C N A I L P M O C I S H G K U E U<br />
S A C T V Y V H C A N N A B I S E M J A<br />
M R I X U R Y X N M M B H Q E U Z M L B<br />
M K D R X P X C Y B E R S E C U R I T Y<br />
P R O T E C T I O N H E Y A J S D T K J<br />
F M T C M E F S C Q K A I T K J Q K A I<br />
D Y E T L W R Q W L D C D E L A W A R E<br />
G C U I U W F V F D E H H J P Q Q X O E<br />
V C B J F J H O T S X C Z X L J F O J S<br />
U O F U P E Z E A J W Q X Y C A V I R P<br />
M T B B D H G R V M Z M Q P M K D B Z R<br />
G V S S E C U R I T Y R Y Z V R F X M Z<br />
SUMMIT CYBERSECURITY COMPLIANCE<br />
DELAWARE PRIVACY SECURITY<br />
STANDARDS MOBILE HEALTHCARE<br />
CANNABIS TECHNOLOGY MARYLAND<br />
HIPAA BREACH PROTECTION<br />

New Training Modules Now Available!
Training
Eliminating Kickbacks in Recovery Act (EKRA): Summary and Status
HIPAA and Health Apps
Managing Drug Use in the Workplace
Got Diversity. Get Inclusion! and the Pending FLSA Changes
How to Navigate the Ever-Changing Anti-Harassment Regulations
Join us on Social Media!<br />
Contact our Client Services Team with your questions!<br />
888.54.FIRST or clientservices@1sthcc.com<br />