Risk and Security LLC

Risk Assessments, Training and More


Compliance

Chicago Hospital Ordered to Pay More than $10 Million Dollars to a Female Doctor and 6 Nurses who Filed a Lawsuit for Two Separate Harassment Incidents Including Being Choked by a Doctor, and Another Doctor who installed a Toilet Cam in the Women’s Locker Room

Posted on November 2, 2018 1:30 pm by Caroline Ramsey-Hamilton

RISKAlert Report #1073, Sept. 19, 2018, Chicago, Illinois

The former employees of Advocate Illinois Masonic Medical Center in Chicago won a lawsuit against the hospital after reporting that hospital doctors harassed them. The Chicago Tribune reported that the hospital received reports about violent incidents but did nothing. The women accused the hospital of failing to act when violations of the hospital's own written policies were reported and then ignored.

$7 million of the total amount was awarded to Dr. Caroline Ryan, an anesthesiologist who was choked and pushed by Dr. Stephen F. Laga in 2013. The attack was witnessed by several hospital staff members and also by patients. Dr. Ryan was asked by hospital administration to drop her report against Laga, who had a “long and documented” history of violent behavior, says the complaint. Laga was never disciplined.

The following year, a hidden camera was found on the toilet (Potty Cam?) in the women’s locker room where women changed clothes and used the restroom. The camera was planted by Dr. Robert Weiss, an eye surgeon at Illinois Masonic, who viewed and possibly shared the content. Weiss was arrested when the camera was discovered. Although aware of his arrest, the hospital delayed suspending Weiss’ medical privileges.

The women’s complaint also pointed out that the hospital had ignored previous reports of inappropriate sexual behavior from Weiss. The six women were awarded $1.75 million for violations of their privacy and an additional $2 million in punitive damages. “The jury was sending a clear message,” said the women’s attorney, Jeffrey Kulwin. He said he believes doctor misconduct has been tolerated because of the money the doctors bring in to the hospitals.

“Today’s verdict against Advocate sends a strong message to Advocate, and employers everywhere, that violence in the workplace cannot be tolerated, especially at a place as important as a hospital,”

LESSONS LEARNED:

1. Having, and enforcing, a strong policy against workplace violence and harassment is a critical component of creating a safe workplace, no matter who is being violent against others!

2. The hospital lost the lawsuit because they blatantly refused to enforce their OWN POLICIES!

THANKS FOR READING THE RISKAlert Report©

For more information write to: caroline@riskandsecurityllc.com
We provide the best Facility Risk Assessments, as well as Active Shooter Assessments, Training, Workplace Violence Assessments, CMS All Hazards Risk Assessments, Facility Drills & Training.

www.riskandsecurityllc.com   www.caroline-hamilton.com

#RiskAssessment #CMSImmediateJeopardy #HospitalViolence


MAN AT SOCIAL SECURITY OFFICE STABS HIS MOTHER AND GRANDMOTHER IN WORKPLACE VIOLENCE INCIDENT BEFORE BEING SHOT TO DEATH BY FEDERAL SECURITY OFFICER

Posted on July 10, 2018 3:28 pm by Caroline Ramsey-Hamilton

RISKAlert Report Updated: July 9, 2018, McComb, Mississippi


A 21-year-old Mississippi man, Branen Carter, went into the McComb, MS, Social Security Administration office with his mother and grandmother, and then he stabbed his mother and grandmother in the lobby before he was shot to death by a federal FPS (Federal Protective Service) security officer. 

The incident happened at 11 am, and the facility was put on lockdown after the incident.  Large numbers of law enforcement officers responded to the one-story brick building on the edge of McComb, which is about 100 miles south of Jackson.

Carter’s mother, Lee Anna Turnage, and grandmother, Ann Carter, were in stable condition at Southwest Mississippi Regional Medical Center, after what was reported as a family fight that turned violent.

Mississippi court records show Branen Carter was indicted in Marion County in December 2016, when he was 20, on two felony charges — one count of statutory rape and one count of sexual battery of a child between the ages of 14 and 16.  He pleaded guilty in May 2017 after the two felony charges were reduced to misdemeanors (WHY?), and he was given two six-month suspended sentences, which means he did not have to serve jail time. The attorney who represented him was out of the office Monday and could not immediately be reached for comment.

The Director of Communications for the Federal Protective Service, Robert Sperling, said that the FPS agency has a long history of using armed security guards at federal agencies it oversees. “It’s a cornerstone. We have officers in social security offices and most federal agencies across the country, such as the IRS,” Sperling said.

LESSONS LEARNED:

1. Workplace Violence can happen anywhere, and family disputes often spill over into public workplaces. This attack happened in the lobby of the federal agency.

2. The FPS did an excellent job of countering the threat and probably saved the lives of both women.


THANKS FOR READING THE RISKAlert Report©

For more information and a free subscription, write to: caroline@riskandsecurityllc.com
We provide the best Active Shooter and Facility Risk Assessments & Training Programs.

Find out more at www.riskandsecurityllc.com.

#Stabbing #WorkplaceViolence


Western State Hospital (Tacoma, WA), Could Lose $65 Million in Federal Funds as CMS Finds Serious Risk for Exposed Fire System Devices that could be used by Patients to Commit Suicide by Hanging

Posted on May 30, 2018 10:50 pm by Caroline Ramsey-Hamilton


RISKALERT #1040 – Report Updated: May 30, 2018

A memo sent to top staff earlier in the week, which was obtained by public radio, said that “CMS identified a serious risk of harm to patients due to ligature risks from the fire system in patient care areas of Building 21.” Building 21 is where civil, or non-criminal, patients are treated on five different wards. Typically a ward has 30 patients. Western State Hospital is a Psychiatric Residential Treatment Center (PRTC) with over 800 beds.

A CMS finding of serious risk of harm is also known as an “immediate jeopardy.”  The memo also said that if the issue is not resolved, funding could be lost in 23 days.

Since 2015, Western State Hospital has been under scrutiny for serious repeat violations that inspectors said put patients and staff at risk. The litany of troubles included violent assaults on patients and staff, the 2016 escape of two high-risk patients and scores of unauthorized patient “walkaways.”

The safety violations were discovered by a team of 22 federal surveyors who were re-inspecting the hospital last week as part of a turnaround plan that is approaching the two-year mark. The sprawling hospital, which serves civil and forensic patients, must meet standards on 26 federal “Conditions of Participation” in order to continue receiving federal funding.

A “root cause” report in 2016 identified ineffective management, staff reductions and turnover leading to patients who felt “neglected” and a “culture of helplessness” among staff. A review by the Department of Corrections also found numerous security gaps including 25,000 master keys unaccounted for.

LESSONS LEARNED

1. CMS requires all residential treatment facilities to maintain a safe physical environment, and any identified risk situations should be addressed immediately to prevent loss of CMS reimbursement funds.

2. Management must take the lead even in facilities related issues, instead of leaving the improved implementations up to lower level staff members.

THANKS FOR READING THE RISKAlert Report©

For more information and a free subscription, write to: caroline@riskandsecurityllc.com

We provide the best Active Shooter Training, Workplace Violence Assessments, and CMS Facility All-Hazards Risk Assessments, Drills & Training Programs.

www.riskandsecurityllc.com and www.caroline-hamilton.com


RISKAlert November, 2014 Updated Incident Planning for Healthcare Facilities

Posted on December 16, 2014 6:34 pm by Caroline Ramsey-Hamilton

Incorporating Active Shooter Incident Planning into Health Care Facility Emergency Operations Plans

National preparedness efforts, including planning, are based on U.S. Presidential Policy Directive (PPD) 8: Preparedness, which was signed by the President in March 2011. This updated directive represents an “evolution” in the understanding of national preparedness based on lessons learned from natural disasters like Hurricane Sandy, terrorist acts like the Boston Bombing, and active shooter and other violent incidents.

Preparedness is centered on five areas: Prevention, Protection, Mitigation, Response, and Recovery. These concepts are applied to Health Care Facilities (HCFs) planning for active shooters and other violent incidents.

Emergency Operations Plans for Health Care Facilities (EOPs) should be living documents that are routinely reviewed and consider all types of hazards, including the possibility of an active shooter or terrorist incident. As law enforcement continues to draw lessons learned from actual emergencies, HCFs should incorporate those lessons learned into existing emergency plans or in newly created EOPs.

The guidance advises a whole community approach that includes staff, patients, and visitors as well as individuals with access and functional needs. Examples of these populations include children, older adults, pregnant women, and individuals with disabilities.

The key concepts include not only familiar ones like “Run-Hide-Fight” but also guidance on addressing a wider range of risks (threats), how to run drills, improving situational awareness activities, expanding the definitions of risks, how to provide Psychological First Aid (PFA), how to integrate these with HIPAA guidelines and Rules, and the importance and role of Security in Emergency Operations Planning (EOPs).

Lesson Learned: Don’t Wait to Respond!

A 2005 investigation by the National Institute of Standards and Technology into the collapse of the World Trade Center towers on September 11, 2001, found that people close to the floors impacted waited longer to start evacuating than those on unaffected floors.   Similarly, during the Virginia Tech shooting, individuals on campus responded to the shooting with varying degrees of urgency. (ref:  Federal Building and Fire Safety Investigation of the World Trade Center Disaster: Occupant Behavior, Egress, and Emergency Communications.)

Frequent Security Situational Awareness Training and Active Shooter and Disaster Drills can prevent this “frozen” phenomenon and save lives in a violent incident, a terrorist attack, or a disaster scenario.

RISKAlerts are publications of Risk & Security LLC


Loss of Malaysian Airlines Flight Points Out Airline Security Weaknesses

Posted on March 24, 2014 12:02 pm by Caroline Ramsey-Hamilton

Monday, March 25, 2014.

This morning the Malaysian Government stated that based on all their “new” calculations, they have concluded that Flight 370 went down in the southern Indian Ocean.

Has terrorism been counted out for this flight – no.   Until the whole story is known,
it will be impossible for anyone at this point to say that this happened because of pilot
error, mechanical failure, bad weather, or anything else.  However, as we watched
the near continuous news coverage of this ill-fated flight, it was impossible to ignore
the many security weaknesses that were revealed as the drama played out, and
experts proposed possible new theories, even alien abduction!

The airlines around the world, and even the Federal Aviation Administration (FAA),
have always maintained their unique security standards, unlike other industries
which have generally accepted security practices that are used worldwide.  This
standardization of security elements has made it easier for multinational corporations
with offices worldwide, to secure their supply chains, ensure improved safety and
security for their employees, contractors and vendors, and, in my opinion,
contributed to making the world a safer place.

Unfortunately, this uniformity and standardization of security practices is not
mirrored in the airline industry globally, and even blatantly ignored by other
airlines, operating in other countries.

International travelers often see the little sign that says something like: THIS AIRPORT HAS BEEN CLASSIFIED AS UNSAFE. Of course, because these airports are often the only airport in the country, they are used anyway.

But the fate of Flight 370 has shocked some security experts by uncovering the
lack of security at a respected airport, generally thought to be safe and secure.

For example, right after 9/11, the FAA moved quickly to secure the cockpit of U.S. planes, and keep them locked and secure during flight. So it was quite a surprise to have a young girl smiling and telling CNN how she partied with the co-pilot in the cockpit during a recent flight.

“The FAA rule sets new design and performance standards for all current and
future airplanes with 20 or more seats in commercial service and all cargo
airplanes that have cockpit doors. Specifically, the rule:

Requires cockpit doors to remain locked. The door will be designed to prevent
passengers from opening it without the pilot’s permission. An internal locking device
will be designed so that it can only be unlocked from inside the cockpit.

Controls cockpit access privileges. Operators must develop a more stringent
approval process and better identification procedures to ensure proper
identification of a jump seat rider.”

As the tragedy has unfolded day by day, security experts can see vulnerabilities in the way security controls are either not required or not correctly and consistently implemented on planes around the world.

The “Tombstone Mentality” of the airline industry and civil aviation organizations now has the tombstones for 370 individuals, and everyone hopes that even though we don’t know exactly why this flight went down, we can all see that there are weaknesses in international security that need to be addressed in the aftermath of this tragedy.


Chemical Security Programs Affected by Government Shutdown

Posted on October 7, 2013 4:30 pm by Caroline Ramsey-Hamilton

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication and other pharmaceuticals that mean life or death to those who take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.”

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol.   Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters. The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West, Texas fertilizer plant explosion in April 2013.

Already, chemical companies that had DHS inspections scheduled for this week have received notice that the site visits are postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as the DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials  was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shut down and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.


What Happens if OCR Shows up – Asking about your HIPAA Compliance?

Posted on September 8, 2013 2:09 pm by Caroline Ramsey-Hamilton

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have done everything you could possibly do to be in full compliance with every part of HIPAA:

1. Finish a current HIPAA Risk Analysis – CHECK
2. Rewrite Business Associate agreements – CHECK
3. Rewrite Policies & Procedures – CHECK
4. Get PHI off the office copiers – CHECK
5. Gather Documentation in one place – CHECK
6. Start HIPAA Security Awareness Program – CHECK
7. Update HR Sanctions Policies – CHECK
8. Finalize Contingency Plans – CHECK
9. Add more encryption – CHECK
10. Implement Plan for Smartphones & Mobile Devices – CHECK
11. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, started, or not yet done, your insurance policy is to be able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all your supporting documentation, including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2. A record of every application, database, etc. that holds PHI or is used to create, manage, or share PHI, in both electronic and paper form.

3. Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

4. A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring Binders.

5. List of all HIPAA controls that are currently in place and verification documents.

6. Copies of all Business partners agreements and contracts.

7. A notarized statement signed by the Board Director, CEO or Administrator re-stating the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules.

8. Copies of recent employee surveys validating their stated compliance with all HIPAA Security, Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?


HIPAA COUNTDOWN – 26 DAYS LEFT TO COMPLY WITH HIPAA OMNIBUS RULE!

Posted on September 4, 2013 11:39 am by Caroline Ramsey-Hamilton

The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about what NEEDS to be done right now. Here’s a sample of the questions:

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?”
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?”

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is the lead federal agency for HIPAA Enforcement, “The Number One Thing you need to do before September 23rd is to update, or start a new HIPAA Risk Analysis.”

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter!  His twitter handle is @OCRLeon.


Countdown for HIPAA — Less than 25 days to Deadline & How to Get A Free HIPAA Risk Analysis Guide

Posted on August 30, 2013 11:58 am by Caroline Ramsey-Hamilton

NEW DEADLINE:  September 23, 2013

The new HIPAA Omnibus rule became law on March 23, 2013. The main provisions of the Rule, which include new requirements for healthcare organizations, insurance companies, hospitals, clinics, pharmacies, dental practices and many other organizations, also cover Business Associates, meaning any organization that has access to patient medical records (PHI, Protected Health Information).

So all the data managers, the data storage companies, the lawyers and countless other companies who are part of the flow of healthcare and medical data also have to have a completed HIPAA Risk Analysis by September 23, 2013!

For primary healthcare providers, to be in compliance with the HIPAA Omnibus Rule, they have to revise all their policies and procedures, and also rewrite their contracts with business associates, to place responsibility for data protection on the business associates. And business associates have to apply the same policies to their subcontractors too.  So thousands of policies and contracts are being furiously re-written, as I write this!

Completing a HIPAA Risk Analysis is the best way to prepare for the deadline, and also to pinpoint any area where your organization needs to improve a control, a policy or their operating procedures. As a core HIPAA requirement, the Risk Analysis is a kind of summary of where the organization is in relation to all the HIPAA Rules, including HIPAA Privacy, HIPAA Security, NIST SP 800-66, the Office of Civil Rights, and the Breach Notification Act.

There are great software tools available to help managers do a HIPAA Risk Analysis (like my HIPAA Risk-Pro program), available online at www.flash-risk.com, or, as another option, many other organizations are hiring HIPAA consultants to come in and do a Risk Analysis for them.

So if you are a healthcare organization, or a designated business associate, you can start your HIPAA Risk Analysis on Tuesday, Sept. 3, and have it completed by the deadline.

The Office of Civil Rights has a big pot of money, collected from fines, and they have hired more investigators to go out and audit all these organizations for HIPAA Compliance. Recently a small hospice in Idaho was fined $50,000, and a physicians practice in Arizona was fined $100,000, and many other organizations, including states and health plans, have been fined more than $1,000,000 for a variety of violations, including not having a current Risk Analysis.

For more information on how to do a HIPAA Risk Analysis, you can write to info@riskandsecurityllc.com and get a free HIPAA Risk Analysis Guide, a free Project Plan, and a copy of exactly what the OCR Regulators look for when they conduct a HIPAA audit.

Why HIPAA Compliance is Related to Federal Contracts

Posted on August 21, 2013 6:21 pm by Caroline Ramsey-Hamilton Comment

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they first have to sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES. In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means the HIPAA buck stops with you — you need to explain this to your manager or director. This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!
