Monday, March 30, 2015

HIPAA Assessments ... Here's Looking at You!

Whether you are the Privacy Officer, the Security Officer, or both, the question remains the same.  

When was the last time you scheduled a "walk through" of your work space for the sole purpose of looking into the "eyeballs" of your personnel and finding out what they are really doing (or not doing) to protect the privacy and security of your customers' health information?  

No, this is not the annual HIPAA security risk assessment.  No, this is not a surprise, mock survey in preparation for some third party visit.  Instead, you are simply showing up and letting your personnel know, first hand, that you really are interested in what they are actually doing to safeguard your customers' protected health information ("PHI").  Nothing more.

In working with our HIPAA clients, we always recommend an annual HIPAA assessment calendar that sets out a series of compliance "questions" that will be reviewed -- one for each of the 12 months -- as part of an ongoing assessment process.  The calendar can always be updated (or supplemented) as new questions or issues arise through the year.    

For example, if this is January, then you may be in the HR department with the education coordinator reviewing a sample of personnel files to confirm that documentation exists showing completion of all annual HIPAA training.  In April, you may join a supervisor and walk through their department work space at the end of the business day to look for any printed copies of PHI that may have been left on a counter or on a fax machine, all for easy "view" by the after-hours cleaning staff, or otherwise.

In June, you may make rounds with the medical records staff to query them about how they work through their checklist for subpoenas and other third party requests for records.  In August, you may meet with the CFO's contract manager to review a sample of vendor agreements that should include a fully executed Business Associate Agreement.  In November, you may seat yourself in a public waiting area with one of the admissions staff and listen for any "incidental" disclosures that could be overheard by other customers and their family members who are seated nearby.  

In August, you may request a current copy of your organization's "workstation" inventory and confirm whether it's up-to-date by conducting an assessment of all computing devices, whether owned by the organization or workforce, including desktops, laptops, tablets, smartphones and "any other devices that perform similar functions," and which are used on (or off) premises.  According to a May 2018 OCR Cyber Security Newsletter (https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf), the physical security of all such "workstations" requires a complete inventory and ongoing training programs that communicate the reasonable safeguards necessary to protect these "workstations," such as encryption, strong passwords, secure use in public areas, secure storage when not in use, and up-to-date policies that are communicated in both orientation and annual training programs.

Of course, HIPAA assessment worksheets can be used to score and report your observations to create a paper trail and keep your leadership apprised, but it is the "eyeball" connection with your workforce that is truly the bottom line here.    

Raise the bar, raise the awareness and show up.  It only takes an hour once a month to get this done.  Here's looking at you -- in your hallways and departments -- very soon!

Friday, March 27, 2015

Optimal Healing Environments ...

They are called "hard ideas."  In health care, there are many.  For example.  Optimal healing environments (OHE).   The literature is filled with definitions, models and frameworks, of course.  Here's my skinny.  

An OHE can be any space or process, physical or even virtual, where the bottom line is healing that does not always require a cure.  An OHE can exist anywhere along the health care continuum -- whether as part of a birthing center, a phone app, a clinic located within the downtown public library, or a home-based hospice program.  Enough said.

As a challenge, I recently used an online tool to test my ability to explain this hard idea -- OHE.  The tool only allows you to use the Ten Hundred most commonly used words in the Oxford English Dictionary.  (Note: the word "Thousand" isn't on the list.)  The process was developed by scientists who wanted to help people better describe and understand these hard ideas.

The link to the online editor tool is below.  So is my OHE "top ten" which still makes me smile.  

How good are you in explaining the many "hard ideas" in health care or otherwise?   Give this tool your best shot next time you're working on a fresh message that just might reach your audience.  


All You Need to Know About High Life Spaces

1. High life spaces are safe places. High life spaces are filled with helping people who care for people in need. These people are in need because they are sick or scared or they need an answer to a hard question. They may also be cold and in need of food.

2. High life spaces can be found in a big store, in a little store, in a car or even in a home. High life spaces can also be found in a phone call or in a little picture box on your phone.

3. High life spaces make people in need and helping people feel better about living. Sometimes these spaces also make people in need and helping people feel better about dying.

4. High life spaces are one-of-a-kind because they are filled with helping people who like to work together and who like to care for people in need.

5. High life spaces may not always be pretty but they are places that are usually warm and often quiet. Most of all, these spaces have been given a lot of thought by helping people in order to make them one-of-a-kind.

6. These high life spaces are never finished. They can always be made better, thanks to the thoughts of people in need and helping people. These thoughts come from phone calls, letters, face-to-face talks and even when helping people watch one another or their very own people in need as they use the high life space.

7. When high life spaces make people in need feel good or better, these people will tell other people in need good stories about the high life space. Also, the people in need will also not be scared if they have to return to the high life space again next time.

8. When high life spaces make helping people feel good or better, these people will also tell other helping people good stories about the high life space. Also, these helping people will also not be sad when they return to the high life space again to care for people in need again.

9. High life spaces get stars if they make many people in need and many helping people feel very good about living and also sometimes, even better about dying.


10. Big or small, seen or not, high life spaces with stars are always in the hearts of people in need and helping people who are a part of these high life spaces. 


Link:  http://splasho.com/upgoer5/

Thursday, March 26, 2015

The Ten Faces of Innovation

In his book, The Ten Faces of Innovation, Tom Kelley identifies the ten roles or "personas" that make up today's new generation of innovators (or what I call "action figures") who need to be at your table.

The first three personas -- the Anthropologist, the Experimenter and the Cross-Pollinator -- are all about learning and bringing new insights, ideas and concepts to the table.  

The next three -- the Hurdler, the Collaborator and the Director -- are organizers who know how to manage obstacles, silos and red tape.  

The four remaining personas -- the Experience Architect, the Set Designer, the Caregiver and the Storyteller -- are the builders who make innovation happen.   

According to Kelley, every table will have its "devil advocate ... but on a good day, the ten personas can keep him in his place, or tell him to go to hell." 

Look around your table.  Examine the makeup of your teams, work groups and even your committees.  In addition to the ever-present devil's advocate, are the other ten faces of innovation well represented?  If not, check out Kelley's book or even the website for his consulting firm, IDEO, which is all about "... helping organizations grow, innovate, build businesses and develop capabilities."

Here's looking at you and your new, breakthrough partnership, product or service someday, very soon!   



Monday, March 23, 2015

HIPAA Business Associates ... How Do I Know Thee?

HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a business associate (BA) as a result of their access to protected health information (PHI) in the performance of services on behalf of a covered entity (CE). 

For example, a BA could be a third party billing company, a shredding company, a law firm handling a Medicare audit appeal, a health care design consultant responsible for re-design of an emergency triage process, or even a third party responsible for storing PHI off-site. In each case, the drafting and negotiation of a business associate agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements.  Some level of due diligence is also important before the BAA is executed and the CE is in a position to trust the BA with its PHI.

To begin, the CE should identify any and all names that have been used by the BA, whether now or in the past, so as to confirm that none of these names are listed in the Office of Inspector General’s List of Excluded Individuals and Entities (OIG) or the General Services Administration’s System for Award Management (SAM), formerly known as the Excluded Parties List System.

A review of the OIG Corporate Integrity Agreement database can also confirm any prior enforcement actions that may have involved a prospective BA. Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform their services on behalf of the CE, these qualifications should be verified by the CE. Review of business references or a telephone interview with another CE may also be helpful.

Proof of insurance coverage and some information about claims history should be requested. A general search for any public filings about the BA can provide additional information about their resources, business relationships and reputation. The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE.

Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should inquire about the BA’s HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors to assist in the performance of services. Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of the BA who will have any physical contact with the CE’s workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results.

The CE can conduct its due diligence using a range of techniques. The BA could be asked to submit to a formal request for proposal process or the CE may ask the BA to complete and return a due diligence questionnaire. Selected HIPAA compliance documents may be requested as well. Depending on the nature of services to be performed, an in-person interview or a site visit may be in order.

Once the BA arrangement has been finalized, pursuant to the terms and conditions of the BAA, the CE should adopt certain safeguards to verify, on a regular basis, the identification of any and all persons who perform services, whether in-person or remotely, so as to prevent any risk of an unauthorized actor gaining access to CE PHI.

For example, the CE contracts with a third party shredding vendor.  On a regular basis, the vendor comes on premises and removes secured documents to be shredded.  If the CE does not confirm the identification of the vendor's employees before the documents are removed, there is a serious risk that a "rogue actor" could represent themselves as a vendor employee and walk away with the CE documents, resulting in a serious HIPAA breach incident.  In the case of a remote or electronic arrangement, the CE and BA should also maintain an up-to-date list of those individuals who are authorized to access CE PHI on behalf of the BA, subject to the host of safeguards required under HIPAA security.

In summary, the use of a well-drafted BAA, in addition to the use of an effective due diligence process, not only makes for a proper introduction to the BA but also serves another important purpose in allowing the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line.  Additionally, after the BAA has been executed, the CE should also institute safeguards to ensure that only authorized individuals perform the designated BA services for the duration of the business relationship.

If you have any questions or require additional information regarding the establishment of a HIPAA-compliant CE-BA business relationship, please contact me through Integrity Health Strategies.

Wednesday, March 18, 2015

Liquid Networks

According to Steven Johnson, author of Where Good Ideas Come From (2010), a liquid network connects people and their ideas.  During the early 14th century, the coffee houses in northern Italy served as liquid networks responsible for the explosion of ideas and innovation that gave birth to the early Renaissance.

To get the job done, liquid networks need sufficient structure to avoid chaos while allowing for "ad hoc" changes along the way.  Such changes could be a new public-private partnership, a change in the organizational chart, moving (or removing) a wall in the office, or even a change in policy that incorporates a longstanding "work around" that is finally given the credit it deserves.

Today, there are many examples of the "information spillover" that comes with liquid networks.  Modern day coffee shops and the online "hangout" spaces.  Salons where people share ideas (and not just to get their hair cut).  Life science "incubators" where professionals come together and donate their services in support of new start-up companies.  The new partnership in Philadelphia where an urban hospital and a public library have joined forces to create a health and literacy center on the city's south side.  Even the creation of universal care platforms in the hospital ER allows for quick changes in the use of space and other high-cost inputs necessary in delivering critical care.

Liquid networks.  Enough said.

Sunday, March 15, 2015

Teamwork

In health care, teamwork is essential.  Unfortunately, teamwork is not easy and it can get messy.  As a result, so many of us often find ourselves saying under our breath, “I would far rather do this myself," while forgetting about all the ideas and data that will be completely missed as a result.  


You may recall the five stages of grief -- denial, anger, bargaining, depression, acceptance --  which were introduced by Elisabeth Kubler-Ross in her 1969 book, On Death and Dying.  Well, guess what?  Thanks to psychologist Bruce Tuckman, I have discovered that some of these very same forces play out in the five stages of putting together an effective team.


Forming.  Storming.  Norming.  Performing.  Adjourning.

Tuckman’s model gave me great insight recently when I was working on a team project. Looking back over the initial emails among our team members, we were polite and eager to get on with the task at hand.  Soon, however, conflict arose as we tried to divide the labor and to determine how best to get the job done.  After viewing a short summary of Tuckman’s model online (see link below), I was reassured. I even shared a copy with one of my team members as evidence that we were moving “full speed ahead” through this obviously quite normal developmental process.


Next time you are asked to work with a team, use Tuckman’s model as your road map and save everyone some unnecessary grief as you work through the messy process of becoming an effective team and in getting a “slightly extraordinary” result at the end of the day.  



 

Friday, March 13, 2015

Escape Velocity

Escape velocity. A new term for me. 

Something like “defying gravity” for those who recall the solo from Wicked. Or the 1960s when I sat in front of our TV console and watched the US race to put a human being on the moon.

For my health care friends, check out the article “Escape Velocity” in Health Care Executive (Nov/Dec 2014). A quick read about escaping our health care silo(s) and gridlock and accelerating those partnerships and innovations -- whether yet to be discovered or funded -- all in service of our efforts to defy the "gravity" of our health care conundrum.