Category Archives: Corrective Action Plan

Western State Hospital (Tacoma, WA), Could Lose $65 Million in Federal Funds as CMS Finds Serious Risk for Exposed Fire System Devices that could be used by Patients to Commit Suicide by Hanging

 

 

 

 

RISKALERT  #1040 – Report Updated:  May 30, 2018

In a memo sent to top staff earlier in the week, “CMS identified a serious risk of harm to patients due to ligature risks
from the fire system in patient care areas of Building 21
,” said the memo, which was obtained by public radio. Building 21 is where civil, or non-criminal, patients are treated on five different wards. Typically a ward has 30 patients. Western State Hospital is a Psychiatric Residential Treatment Center (PRTC) with over 800 beds.

A CMS finding of serious risk of harm is also known as an “immediate jeopardy.”  The memo also said that if the issue is not resolved, funding could be lost in 23 days.

Since 2015, Western State Hospital has been under scrutiny for serious repeat violations that inspectors said put patients and staff at risk. The litany of troubles included violent assaults on patients and staff, the 2016 escape of two high-risk patients and scores of unauthorized patient “walkaways.”

The safety violations were discovered by a team of 22 federal surveyors who were re-inspecting the hospital last week as part of a turnaround plan that is approaching the two-year mark. The sprawling hospital, which serves civil and forensic patients, must meet standards on 26 federal “Conditions of Participation” in order to continue receiving federal funding.

A “root cause” report in 2016 identified ineffective management, staff reductions and turnover leading to patients who felt “neglected” and a “culture of helplessness” among staff. A review by the Department of Corrections also found numerous security gaps including 25,000 master keys unaccounted for.

LESSONS LEARNED

1.   CMS requires all residential treatment facilities to maintain a safe physical environment, and any
identified risk situations should be addressed immediately to prevent loss of CMS reimbursement funds..

  1.  Management must take the lead even in facilities related issues, instead of leaving the improved
    implementations up to lower level staff members.

    THANKS FOR READING THE RISKAlert Report
    ©For more information and a free subscription:  write to:  caroline@riskandsecurityllc.com

    We provide the best Active Shooter Training, Workplace Violence Assessments, and & CMS Facility All-
    Hazards  Risk   Assessments, Drills &  Training Programs.

www.riskandsecurityllc.com   and   www.caroline-hamilton.com

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could 
possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

 

 

 

 

HIPAA COUNTDOWN – 26 DAYS LEFT TO COMPLY WITH HIPAA OMNIBUS RULE!

The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about
what NEEDS to be done right now.   Here’s a sample of the questions,

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?” 
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is
the lead federal agency for HIPAA Enforcement, “The Number One Thing you need to do before September 23rd
is to update, or start a new 
HIPAA Risk Analysis.”  

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter!  His twitter handle is @OCRLeon.

 

 

 

Why HIPAA Compliance is Related to Federal Contracts

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for
providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they have to first sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES.  In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means, the HIPAA Buck stop with you — you need to explain this to your manager or director.  This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!

 

Photocopier Misuse Triggers $1.2 Million Dollar Fine for Affinity Health

A HIPAA fine of $1,215,780 has been assessed against Affinity Health Plan,  a not-for-profit managed care plan serving the New York metropolitan area.  The Settlement was announced on August 14, 2013 at 11 pm.

This is the first settlement involving a copier.  Affinity Health Plan had a copier that they returned to the vendor, and it was re-sold to CBS Evening News, without erasing all the files that the printer had stored for year.

CBS News found that the hard drive of the used copier contained health records of The new copier owner found the files and it was determined that over 344,579 individuals had their Protected Health Information exposed by the Breach, which was initially reported in April of 2010.

Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

The settlement included violations of both the HIPAA Privacy and HIPAA Security Rule.  Increases in audits and, subsequently, fines at other healthcare organizations are expected to increase after the new HIPAA Omnibus Rule goes into effect on September 23, 2013.

To read the entire Department of Health and Human Servies (HHS)  Resolution Agreement and Corrective Action Plan can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.