Controls

Western State Hospital (Tacoma, WA), Could Lose $65 Million in Federal Funds as CMS Finds Serious Risk for Exposed Fire System Devices that could be used by Patients to Commit Suicide by Hanging

Posted on May 30, 2018 10:50 pm by Caroline Ramsey-Hamilton Comment

RISKALERT #1040 – Report Updated: May 30, 2018

In a memo sent to top staff earlier in the week, “CMS identified a serious risk of harm to patients due to ligature risks
from the fire system in patient care areas of Building 21 ,” said the memo, which was obtained by public radio. Building 21 is where civil, or non-criminal, patients are treated on five different wards. Typically a ward has 30 patients. Western State Hospital is a Psychiatric Residential Treatment Center (PRTC) with over 800 beds.

A CMS finding of serious risk of harm is also known as an “immediate jeopardy.” The memo also said that if the issue is not resolved, funding could be lost in 23 days.

Since 2015, Western State Hospital has been under scrutiny for serious repeat violations that inspectors said put patients and staff at risk. The litany of troubles included violent assaults on patients and staff, the 2016 escape of two high-risk patients and scores of unauthorized patient “walkaways.”

The safety violations were discovered by a team of 22 federal surveyors who were re-inspecting the hospital last week as part of a turnaround plan that is approaching the two-year mark. The sprawling hospital, which serves civil and forensic patients, must meet standards on 26 federal “Conditions of Participation” in order to continue receiving federal funding.

A “root cause” report in 2016 identified ineffective management, staff reductions and turnover leading to patients who felt “neglected” and a “culture of helplessness” among staff. A review by the Department of Corrections also found numerous security gaps including 25,000 master keys unaccounted for.

LESSONS LEARNED

1. CMS requires all residential treatment facilities to maintain a safe physical environment, and any
identified risk situations should be addressed immediately to prevent loss of CMS reimbursement funds..

Management must take the lead even in facilities related issues, instead of leaving the improved
implementations up to lower level staff members.

THANKS FOR READING THE RISKAlert Report©For more information and a free subscription: write to: caroline@riskandsecurityllc.com

We provide the best Active Shooter Training, Workplace Violence Assessments, and & CMS Facility All-
Hazards Risk Assessments, Drills & Training Programs.

www.riskandsecurityllc.com and www.caroline-hamilton.com

62-Year Old Bumblebee Tuna Worker Killed in Oven with Six Tons of Canned Tuna

Posted on May 28, 2015 9:19 am by Caroline Ramsey-Hamilton Comment

RISK Alert Report #710 – May 27, 2015

The Los Angeles District Attorney announced felony charges Monday against
Bumblebee Tuna’s San Diego Plant, alleging that a worker, Jose Melena,
entered a thirty-five foot cylindrical oven that sterilizes cans of tuna. Melena’s
co-workers closed the door and started the oven. The oven temperature rose to
270 degrees in the next two hours, and when the doors were opened, they found
the severely burned remains of Jose Melena.

According to District Attorney Jackie Lacey, “We take worker safety very seriously”,
according to a published statement. “Our goal is to enhance the criminal of workplace
safety violations. Although the Bumble Bee investigation began in 2012, this case
represents our commitment to protecting workers from illegal – and, potentially,
deadly – on-the-job practices.”

Two plant employees, former Safety Manager Saul Florez, 42, of Whittier,
California, and the current Director of Plant Operations Angel Rodriguez, 63, of
Riverside, California, with three felony counts each of an Cal-OSHA (State of
California ) violation causing death.

Both men face arraignment on May 27 at the Foltz Criminal Justice Center in
downtown Los Angeles. If convicted, the individuals could serve three years in
state prison and a fine of up to $250,000. Bumble Bee faces a maximum fine
of $1.5 million.

Lessons Learned:

1. Strong safety controls should be put in place to protect workers in High Risk
Occupations.

2. Employees should make sure that all employees are aware of the
company’s safety and security rules to prevent incidents like this.

RISKAlert® is a publication of Risk & Security LLC

To subscribe to RISKAlerts® – write to: info@riskandsecurityllc.com

www.riskandsecurityllc.com

www.caroline-hamilton.com

Tags:
man dies in tuna oven
workplace safety

White House Security Breach -WHO DIDN’T LET THE DOGS OUT!]

Posted on September 22, 2014 1:18 pm by Caroline Ramsey-Hamilton Comment

**RISK Alert Alert #590 – White House Security BREACHED**

UPDATED Dateline: Sept 23, 2014

White House Attacker had been ARRESTED TWICE BEFORE, INCLUDING ON
AT THE WHITE HOUSE, CARRYING A MACHETE!

In Federal court, prosecutors said the Gonzalez car contained 500 rounds of ammo,
guns, assault rifles, a hatchet and a machete!

AND HE HAD BEEN ARRESTED TWICE BEFORE, including in August 2014, carrying a
hatchet on the White House Lawn. And on July 19, after being spotted driving recklessly
in a gray Ford Bronco, Gonzalez was charged in Wythe County, Virginia, with evading arrest
and possession of a weapon after he was found in possession of 11 weapons, including a
sawed-off shotgun, assault rifles and knives, and map — with the White House circled!

The Nation Was Shocked on Sept. 19 when an intruder not only jumped the fence,
but was ABLE TO ENTER THE FRONT DOOR of the White House. Controls that should
have been in place were apparently not ready for an actual security incident.

When even elementary schools have access control and card key systems, it is really hard
to believe that there is NO CARD KEY SYSTEM for the White House.

SECURITY IS A PROCESS, and that’s why Security Plan, Security Policies, and Security

Procedures are in place for every U.S. Federal Building. Obviously, at the White House, the
process is broken, or agents are willfully ignoring the security controls which should be in place
100% of the time. Every government building should have strong access control systems in place.

The intruder, Omar Gonzalez did the unthinkable, according to the
Washington Post. They reported that the 42-year-old ex-veteran from
Texas climbed over the north fence line along Pennsylvania Avenue,
toward the eastern side of the house’s circular driveway. His breach
set off the standard security alarm across the compound. Officers
rushed to the North Lawn but were unable to reach him on foot as
he ran, arms pumping, threading the needle between the fountain
and a security guard booth and ignoring their commands that he stop.
Gonzalez actually entered the White House because the door was UNLOCKED!

What We Learned:

Security Procedures and Policies MUST BE FOLLOWED 100% of the Time
for Security to be Effective. In this incident, the major problems included:

Front Doors MUST BE LOCKED to keep intruders out.
Canine that was on the job should have been released.
Active Monitoring of cameras was not effective. Was the intruder missed?
The perimeter fence is obviously not up to the job. In fact, a 2^nd jumper
breached the fence again on the same day,RISKAlertis a publication of Risk & Security LLC

RISKAlertis a publication of Risk & Security LLC

How Risk-Based Security Can Reduce Violence in Healthcare

Posted on May 23, 2014 9:54 am by Caroline Ramsey-Hamilton Comment

reprinted with permission from www.securityinfowatch.com

Using Risk-Based Security to Stem the Tide of Violence
in Hospitals and Healthcare

Created by: Caroline Ramsey Hamilton

Date: May 22, 2014

Hospital and healthcare security is experiencing a major increase in violence,
instigated by patients, patient families and even healthcare staff. Just last year,
there was an active shooter incident in Reno, Nev., in which two physicians were
shot, and in Houma, La., a hospital administrator was shot to death by a terminated
nurse. As recently as Easter Sunday in California, two nurses were stabbed at the
hospitals, where they worked. One was stabbed in both the upper and lower torso
and is in critical condition. These two incidents add to the more than 100 violent
incidents in 2013 and the first half of 2014.

Since 2010, violence in healthcare has skyrocketed. As a result, the Joint Commission has
issued a “Sentinel Event Alert” on the issue and contributed to numerous articles on shootings
in U.S. hospitals. The Department of Homeland Security and a consortium of state and local
hospitals recently released a standard for active shooters in healthcare. These all point to the
conclusion that the current law enforcement-based hospital security model is not working.

Changes in Healthcare
The changes in healthcare, including the increase in insured Medicaid patients and increased
traffic to emergency departments, highlights the fact that very well-intentioned people are
working with an outdated security model that hasn’t evolved to address a changing healthcare
environment. The change in billing and reimbursements for healthcare organizations, such as
tracking of readmission rates, has squeezed hospital profits causing reductions in funding in many
security departments at a time when violent events are steadily increasing.

A new risk-based model for hospital security is emerging that is less linear and more cyclical.
It uses technology to a greater extent, employs forecasting and statistical models to predict the
likelihood of future incidents, and is proactive instead of reactive, focusing money and energy on
preventing events instead of simply responding to them. This model also uses risk assessment
formulas to quickly assess the current security profile of a hospital, clinic, hospice, or behavioral
health facility, factoring in heightened threat-risk environment, not only for the facility in question,
but also adding in the wealth of healthcare data that’s now available.

Risk –Based Security Focuses on Continual Assessment
A major focus of this model is the continual assessment and evaluation of preventive security
controls, which are reviewed quarterly, semi-annually, or annually to discover gaps in controls,
and to fix gaps as soon as they are identified. This dovetails nicely into the assessment models
already required by the Joint Commission, OSHA and new CMS standards.

Looking at recent high-profile security events that took in place in hospitals shows that incidents
happen because of exploited gaps in the existing security of the healthcare facility. In the past,
security officers successfully worked hard to reduce response time so that often officers could
arrive in under two minutes, but it’s still too long. In the Reno shooting, response time was under
two minutes, but that was long enough to kill two doctors.

Focusing on prevention makes sense for healthcare, much in the way the Joint Commission
focuses on patient safety, by continually assessing controls, reducing discovered gaps in controls,
and mitigating gaps by reassessing and tightening security, which creates a cycle of continual
improvement in the healthcare security environment.

Taking Advantage of Technology
The healthcare risk-based security model takes advantage of technology. Instead of waiting
for manual recording of security incidents every day, software programs allow hospital security
officers to enter data at the end of each shift, and that means security directors can map what’s
happening in the hospital or facility on a daily, weekly, monthly and yearly basis. This can go a long
way to identifying trends early and help facilities make appropriate changes in controls so that
negative trends can be reversed quickly and both patient and staff security is increased.

In addition to automating incident collection and analysis, the healthcare security risk assessments
must be automated too. Risk assessments are too time-consuming and labor intensive to be done
annually. By the time the risk assessment is over, the environment has changed again. By
automating the risk assessments, including environment of care and hazard vulnerability,
it produces data that can be used instantly to analyze and recommend the most cost-effective
controls, and rank them by their return-on-investment (ROI).

The role of security in hospital and healthcare organizations is changing too. Security organizations
should no longer be isolated without intensive interaction with others in the organization, including
the human resources department, the facilities managers, safety managers, and the emergency
management staff.

New DHS Guidelines for Active Shooters in Healthcare
With DHS issuing new guidelines for active shooters in healthcare, hospital emergency managers
are now required to prepare for active shooter incidents, as well as storms, hurricanes, tornadoes,
power interruptions and other events related to natural or man-made disasters. This creates a
natural partnership between the emergency management staff and the security program,
because the skills of both functions are needed to properly prepare an organization for any disaster.

Instead of existing in a vacuum, healthcare security directors and managers should cheer at
this development because it expands the importance of security inside the hospital or healthcare
facility, and underscores its value in protecting the organizational assets – the physical facility,
patients, visitors and staff – to proprietary information, including the HIPAA mandated PHI
(Protected Health Information), vehicles, security systems, high-value healthcare equipment
and the healthcare provider’s reputation.

Security budgets have always suffered because security costs are seen as operating
expenses, not an income source, but by tying the security expenses more closely to loss
prevention and protection of the organization, it creates a cost justification for hospital and
healthcare security.

Risk-Based Security Links to Hospital Compliance Standards
A risk-based security model also links security to myriad compliance standards that affect healthcare
and this also supports and justifies the costs related to security. For example, hospitals are required
to have a variety of security controls in place related to tagging of newborns, posting of no-weapons
signs, and environment of care issues. Any healthcare organization accepting funds from Medicare
or Medicaid must comply with the new mandate for annual security risk assessments.

OSHA 3148 also requires hospitals and healthcare organizations to do annual workplace violence
assessments, and more than 33 states also require enhanced protection of hospital and healthcare staff.

As security incidents continue to increase and violence in healthcare escalates, making the
switch to a risk-based security program will provide better protection for hospitals and healthcare
organizations, making more effective use of existing security personnel, as well as justifying and
expanding healthcare security budgets.

For more information: contact: Caroline Ramsey-Hamilton at caroline@riskandsecurityllc.com

RISKAlert – May 2014 Shooting at VA Medical Center, Dayton, Ohio

Posted on May 15, 2014 11:01 am by Caroline Ramsey-Hamilton Comment

RiskAlert INCIDENT REPORT 552 – HOSPITAL SHOOTER

Terminated Employee Shoots Staff Member during Card Game
at Veterans Affairs Medical Center in Dayton, Ohio

Allowing terminated employees to have access to a hospital or facility where they
worked before is a questionable decision, because not only anger at the organization,
but also anger at individuals and former co-workers may turn into an incident as this report
explains.

In early May, a terminated housekeeper at the Veterans Affairs Medical Center in Dayton, Ohio came back to the hospital to play cards in a hospital break room with a group of current VA staff. The perpetrator, Neil Moore, had also brought a handgun to the hospital. Neil was upset because he thought another VA staff member was having a relationship with his wife, so he pulled out the gun, and as a result, one person was shot in the ankle.

It was not a typical active shooter scenario, but it does point out
the access control problem in hospitals, and also questions the
ability for anyone to walk into a hospital with a loaded gun.

LESSONS LEARNED:

1. Access to former employees should be prohibited or at
least limited on a case by case basis.

2. Visitors should not be allowed to bring guns into a hospital.
Metal detectors should be used to screen for weapons.

Moore, a former employee at the Veterans Affairs hospital, told police that he was going to a regular card game with
his former co-workers. He said he went to the hospital Monday intending to brandish the handgun to intimidate two former co-workers he believed were involved in relationships with his wife and daughter, both of whom reportedly work at the hospital. Moore planned to “hold the ex-co-workers at gunpoint while he punched them with his right hand,” according to court documents.

The hospital complex has beds for about 450 people and provides veterans with medical, mental health and nursing home care. It doesn’t have metal detectors at its entrances, but it does have its own security force.

VA spokesman Ted Froats said the force conducts active shooter training four times a year and showed outstanding response Monday. He said in a statement Tuesday that the hospital will consider additional steps to ensure safety, while making sure that any new measures won’t impede the hospital from providing care to veterans as quickly as possible.

RISKAlert® is a publication of Risk & Security LLC at www.riskandsecurity.com

What Went Wrong at Fort Hood? Another Active Shooter?

Posted on April 8, 2014 5:43 pm by Caroline Ramsey-Hamilton Comment

RISK Alert Alert #530 – Fort Hood Active Shooter-April 2, 2014

Dateline: April 5, 2014

Shock and grief were the reactions when the news said, for a second time, a shooter
inside Ft. Hood near Killeen, Texas had killed 4 and injured 13 in another Active Shooting
Incident. Everyone remembered the first major shooting attack in November 2013, when
a major killed 13 and injured 43 because he did not want to be deployed to Afghanistan.

A total of 73 injured and/or killed in the two incidents!

How could this have happened? The Department of Defense had implemented many of
the recommendations of its internal, and independent review panels, and the changes had not
been enough to prevent another active Shooter incident.

The 34-year old shooter had apparently been denied a leave form, and asked to come
back the next day and he came back, with a .45-caliber Smith & Wesson semiautomatic
handgun, recently purchased at Guns Galore, and started shooting. He eventually turned
the gun on himself, after firing 35 rounds in two buildings over a 2 block area. He had a
history of mental issues, and had recently been transferred to Fort Hood.

What We Learned: The After Action Review “Protecting the Force” had detailed 89
recommendations, but by Sept. .2013, only 52 had been
implemented and none included an Active Shooter Risk Assessment.

A comprehensive Active Shooter Risk Assessment has to be the first recommendation
after any Active Shooter event. Recommendations from the previous shooting were concentrated
on new policies and procedures, mental health screening, education and training programs but
those controls did not directly influence PREVENTION of incidents.

A Review of the Most Important Active Shooter controls would have been more
likely to prevent a future shooter event, like:

Tightened Access Controls for Facilities
- Panic Alarms
- Tracking of Potential Troubled Individuals
- Metal Screening for Weapons
- Policy on Personal Weapons on Base
  
  After the Navy Yard shooting in September 2013, another round of recommendations
  were made to improve security at all DOD installations, however, a Pentagon official
  said on Thursday, April 4th, that the new recommendations had not yet been put into
  effect at Fort Hood. Unfortunately, at Fort Hood, very little had changed from 2009
  regarding security procedures for soldiers at the entrance gates.
  
  Stay Alert and make sure that any Security Incidents are reported IMMEDIATELY!

Loss of Malaysian Airlines Flight Points Out Airline Security Weaknessess

Posted on March 24, 2014 12:02 pm by Caroline Ramsey-Hamilton Comment

Monday, March 25, 2014.

This morning the Malaysian Government stated that based on all their “new”
calculations, they have concluded that Flight 370 went down in the southern
Indian Ocean.

Has terrorism been counted out for this flight – no. Until the whole story is known,
it will be impossible for anyone at this point to say that this happened because of pilot
error, mechanical failure, bad weather, or anything else. However, as we watched
the near continuous news coverage of this ill-fated flight, it was impossible to ignore
the many security weaknesses that were revealed as the drama played out, and
experts proposed possible new theories, even alien abduction!

The airlines around the world, and even the Federal Aviation Administration (FAA),
have always maintained their unique security standards, unlike other industries
which have generally accepted security practices that are used worldwide. This
standardization of security elements has made it easier for multinational corporations
with offices worldwide, to secure their supply chains, ensure improved safety and
security for their employees, contractors and vendors, and, in my opinion,
contributed to making the world a safer place.

Unfortunately, this uniformity and standardization of security practices is not
mirrored in the airline industry globally, and even blatantly ignored by other
airlines, operating in other countries.

International travelers often see the little sign that says something like: THIS
AIRPORT HAS BEEN CLASSIFIED AS UNSAFE. Of course, because these
airports are often the only airport in the country, they are used anyway.

But the fate of Flight 370 has shocked some security experts by uncovering the
lack of security at a respected airport, generally thought to be safe and secure.

For example, right after 9/11, the FAA moved quickly to security the cockpit of
U.S. planes, and keep them locked and secure during flight. So it was quite a
surprise to have a young girl smiling and telling CNN how she partied with the
co-pilot in the cockpit during a recent flight.

“The FAA rule sets new design and performance standards for all current and
future airplanes with 20 or more seats in commercial service and all cargo
airplanes that have cockpit doors. Specifically, the rule:

Requires cockpit doors to remain locked. The door will be designed to prevent
passengers from opening it without the pilot’s permission. An internal locking device
will be designed so that it can only be unlocked from inside the cockpit.

Controls cockpit access privileges. Operators must develop a more stringent
approval process and better identification procedures to ensure proper
identification of a jump seat rider.”

As the tragedy has unfolded day by day, security experts can see vulnerabilities
in the way security controls are both either not required or are not correctly and
consistently implemented on planes around the world.

The “Tombstone Mentality” of the airline industry and civil aviation organizations now
have the tombstones for 370 individuals, and everyone hopes that even though we
don’t know know exactly why this flight went down, we can all see that there are
weaknesses in international security that need to be addressed in the aftermath of
this tragedy.

3 Killed, 4 Others Injured at Columbia, MD Mall Shooting

Posted on January 26, 2014 9:42 am by Caroline Ramsey-Hamilton Comment

Saturday morning at the Columbia Mall, in this neat, planned community was cold and many people decided
to go to the mall! Columbia, Maryland is a large mall, situated between Washington DC and Baltimore
in the Maryland suburbs. I’ve been there frequently – in fact, last month.

Unfortunately, at 11:15 in the morning, a young man entered the mall and started shooting. Some witnesses
said he was shooting down into the Food Court from the 2nd Level. The shots were centered in a surf, skateboard
and snowboarder store called Zumiez.

Two young people were killed, store employees, Brianna Benlolo, 21, of College Park, MD; and Tyler Johnson
25, of Ellicott City, MD, and a man police identified as the shooter. He had killed himself, but was wearing more
ammo and had more ammo around him.

A bystander was shot in the foot, and others were injured in the chaos that started when the 8-10 shots
were fired and someone yelled, “There’s a man shooting”. But these injuries were judged to be minor.

ONE MORE ACTIVE SHOOTER. ONE MORE YOUNG MAN WITH NO MOTIVE. Seven families devastated
and looking for answers.

Again, we look at access control, and due to the NRA effect, making it ridiculously easy to carry a gun, even
a concealed gun almost anywhere, we have to start with what kind of access we should allow to public places,
like schools, malls and airports.

In a risk and reward calculation, it’s basically, does the right of an individual to take a loaded gun anywhere
they want, supersede my right to safely shop at the local mall on a Saturday morning? I think it does.

Now the burden is on the mall owners about how many of these shootings it’s going to take before we start
seeing armed guards at malls, and access control devices like metal detectors, at entrances to the larger malls.
Because think of what the mall owners lost – they lost their reputation as a “SAFE” place to go. They lost
almost a whole day of sales, and maybe they will lose another day.

The local police and county Executive were on TV saying police arrived within 2 minutes of the shootings.

and the SWAT team entered the Mall and did a store by
store search, while the media trucks assembled in the parking lot.

If people want to take loaded guns everywhere and society
thinks that’s great – then store owners are going to have to
increase security and be able to have tools to exclude these
people.

Guns are for hunting, not for shopping!

Terrible day for Columbia Mall and it’s customers, I guess it’s a wonderful day for the security industry that will sell
lots more metal detectors, cameras, monitoring, panic alarms and more. Because that’s what we need to keep
the public safe.

Navy Yard Shooting Highlights Effect of Cuts to Navy Security

Posted on September 24, 2013 12:26 pm by Caroline Ramsey-Hamilton Comment

Security professionals around the entire were shocked and dismayed when they turned on the news and saw the historic Washington Navy Yard locked down, surrounded by emergency vehicles, and looking for an active shooter.

All the shock, the outrage, the Defense Department reaction, the involvement of the overlapping law enforcement jurisdictions, has apparently been already forgotten by the public, moved to the virtual ‘old story’ pile by the latest news of a mall shooting in Kenya, meeting at the UN, and the politics as usual in Washington DC.

If you graph it online, you can see the dramatic spike and then the dramatic drop-off in interest by the general public. This highlights what the security community has to deal with, in the context of a 24 hour news cycle.

My perspective on the event was personal because one of my very best friends was in Building 197 that day, a former navy commander, now a contractor, who went to work at 5 am that morning, and finally returned home at 9 pm that night. Unlike many shootings, the PCs, smartphones were all up and operational during the event, so people were instantly able to communicate with friends and relatives as the event unfolded.

Rumors ran rampant that it was terrorism related, that there were three shooters, then that rumor switched to two shooters and eventually to only one shooter, Alexis Aaron, a mentally disturbed young man who had previous events of gun violence and yet had a top secret security clearance at the time of the shooting.

If we took a poll three weeks ago and asked people which facility would they judge to be the safest, the results
would probably look something like this:

1. Military Base in the U.S.
2. Hospital
3. Regional Mall
4. Police Station

Unfortunately – this is more like a list of the places where a shooting is more likely to take place. As all the work in workplace violence statistics shows, a domestic Military Base has been the site of two mass shootings in only the last 4 years. This includes the twelve killed and eight wounded at the Washington Navy Yard, as well as the thirteen killed and twenty injured at the Fort Hood shooting in late 2009. That’s an average of 6 killed each year, and 8 injured, and doesn’t take into account any random shootings, training-related injuries, only the mass shootings.

Hospitals have increased in violent incidents every year for the last ten years, and we just witnessed a mass shooting at a Kenyan Mall.

However, the hospital and the mall are both completely OPEN, they want people to come in, they don’t control access at all.
This is what is so surprising about the Navy Yard shootings, the lack of security, lack of enough armed guards, lack of current background checks, lack of metal detectors, lack of retina scanners, and every other usual form of security control.

Speculation is that the key controls were missing because of budget cuts, which means that the Navy made the decision to reduce security controls, instead of cutting other, less critical programs. The incident makes a strong case for examining the potential Return on Investment for security controls!

Even if the shooter’s background check was “current”, it certainly had not been updated based on his own recent events, and brushes with the police, and, of course, the anger and mental health problems appears again, and is shrugged off as too tough to manage and track.

However, it is a wake up call for the U.S. Navy, the Department of Defense, the U.S. Capital Police, and a variety of other organizations who “Secure” the Washington DC Capitol zone, and it leads to more questions than answers.

Already, the questions are starting about what controls SHOULD be in place for all military bases, and, naturally, re-examining the background check process and how it could be updated and improved.

Let’s not forget this time.

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

Posted on September 8, 2013 2:09 pm by Caroline Ramsey-Hamilton Comment

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could possibly do, to be in full compliance with every part of HIPAA:

1. Finish a current HIPAA Risk Analysis – CHECK
2. Rewrite Business Associate agreements – CHECK
2. Rewrite Policies & Procedures – CHECK
3. Get PHI off the office copiers – CHECK
4. Gather Documentation in one place – CHECK
5. Start HIPAA Security Awareness Program – CHECK
6. Update HR Sanctions Policies – CHECK
7. Finalize Contingency Plans – CHECK
8. Add more encryption – CHECK
9. Implement Plan for Smartphones & Mobile Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2. A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2. Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3. A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4. List of all HIPAA controls that are currently in place and verification documents.

5. Copies of all Business partners agreements and contracts

6. A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7. Copies of recent employee surveys validating their stated compliance with all HIPAA
Security, Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security. Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED” in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

Risk and Security LLC

Risk Assessments, Training and More