Whistleblowers, Incident Reporting and Incident Management…Is your Health Care Organization Ready?

Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 31st, 2010

 

A previous Lessons Learned Blog mentioned the Dodd-Frank Wall Street Reform and Consumer Protection Act and a special bounty program within the Act for whistleblowers.  Did you see it? 

An attorney at the Healthcare Financial Management Association’s Annual National Institute legal update says healthcare providers may be heading into a storm of whistleblower suits that could cause serious problems for the unprepared. 

The attorney predicts the new Patient Protection and Affordable Care Act could lead to an explosion of whistleblower lawsuits because the new law does not require the plaintiff to have direct knowledge of alleged fraud to file a suit.

So if you are involved with the healthcare industry…are you ready?

Healthcare organizations should ask the following questions to make sure they are ready for whistleblower-related challenges:

  • Do employees have access to trusted tools to report suspicious actions?
  • Do third-parties/business associates have access to trusted tools to report suspicious actions?
  • Do patients have access to trusted tools to report suspicious actions?
  • Are assessment teams defined and trained on how to respond to incident reports?
  • Do assessment teams have tools to access, track and document their actions and decisions?
  • Do organizations have a customized compliance program implemented and documented?

 

The short list above represents some but not all of the challenges healthcare leadership should be targeting as soon as possible to ensure legal defensibility for your leadership and your organization…are you ready?






Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

 

Dissemination vs. Implementation

The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. 

What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.   

Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention? 

I think the VA needs to ask a couple of questions:

1)      Why are so many handheld devices and laptops being lost?  Are there ways we can educate our employees on best practices for protecting devices?  Are there consequences?

2)      With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption?  Are employees taking home sensitive information that should not be placed on personal devices? Do employees know what information is sensitive?

3)      What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information?  How do we know there were only 441 errors; were these just the mistakes that were caught?

4)      How can we implement ongoing awareness and educate our employees (and third-parties) on protecting sensitive information? 

 

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs and a lot less expensive for us taxpayers too… is anyone interested in implementing lessons learned?






SEC Creates Bounty for Whistleblowers?

Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 24th, 2010

 

According to a recent Washington Post headline, law firms are gearing up for a new whistleblower reward program.

The new program, included in the Dodd-Frank Wall Street Reform and Consumer Protection Act signed by President Obama in July 2009, rewards individuals who provide “original information” to the SEC. The SEC can then award the individual up to 30 percent of any successful enforcement action that exceeds $1 million.

There is no doubt that federal agencies are publicly ramping up to police illegal corporate activity… future Lessons Learned Blogs will discuss healthcare, education and others.

Here are some questions your organization’s leaders should be asking:

  • Are your existing compliance programs working as you want them to?
  • Are your policies and procedures updated, communicated, acknowledged and documented?
  • Are employees and third-parties aware of how to report incidents?
  • Are you encouraging employees to report internally before going to the government?
  • Are you confident in how employee complaints will be handled?
  • Do you have the right tools in place to connect the dots?

 

If law firms are gearing up…it is probably a good idea to pay attention to headlines and this Lessons Learned Blog too.






Whistleblowers, Incident Reporting, Incident Management…Are You Ready?

Posted In Incident Reporting, Information Security, Legal, Regulatory Compliance, Risk Management, Workplace Violence on August 19th, 2010

 

Have you been paying attention to recent headlines?

 

“New whistleblower reward program has law firms gearing up”

“Attorney tells audience to brace for a storm of whistleblower lawsuits”

“Financial reforms up retaliation risk”

“Preventing violence in health care setting”

“Banks seek customers’ help to stop online thieves”

 

Lessons learned and headlines are mounting and organizational leaders from nearly every sector should be paying close attention if they want to prevent their name and their organization’s name from being featured in unwanted headlines and lawsuits. 

In a few of our next blog posts, I will be sharing lessons learned on how incident reporting, incident management, threat assessment teams, prevention, intervention, documentation and CYA will play a critical role for the foreseeable future….are you ready?






Are Your Security Cameras Mobile, Capable of Making Incident Reports?

Posted In Emergency Management, Incident Reporting, School Safety, Workplace Violence on August 17th, 2010

 

I met some really outstanding people this month while presenting at the NASRO national conference and I deeply appreciate how school resource officers (SROs) and school security officers (SSOs) are striving to make a difference with students and with schools.

Before and after my presentations I had some interesting conversations with several SROs from schools all across the U.S. One of the SROs I spoke with brought up an ongoing challenge with cameras. He would like to replace outdated analog cameras that do not give him the clarity he needs to recognize and identify people. He also wants to add more cameras for better coverage in problem areas. He went on to say that he was having a difficult time getting school administrators to understand his concerns, and he also cited budget limitations.

So I suggested a new and different approach.  What if you “connected” hundreds or even thousands of existing “security cameras” that are mobile and capable of reporting incidents too? 

The SRO looked at me a little funny and said, “What do you mean?”

What if the eyes of every student and every teacher became your security cameras?

And what if the students and teachers were also able to provide details about suspicious activities that are taking place at school, even in the places at school where cameras aren’t allowed and away from school where you will never have cameras?

Lessons learned clearly show that if we want different results…we have to start trying different solutions.

For example, new and different tools like TIPS (Threat Assessment, Incident Management and Prevention Services) empower students, teachers, faculty, counselors, janitors, bus drivers, parents and others to become your mobile cameras that also report incidents…but only if you have the tools to “connect” them.

Are you ready for different and better results?






Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

Posted In Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 12th, 2010

 

Did everyone see this ultimate lesson regarding lessons learned but not implemented? 

Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.

Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because they violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The HHS settlement against Rite Aid requires their pharmacies to:

  • Establish policies and procedures for disposing protected health information and sanctioning workers who do not follow them;
  • Create a training program for disposing of patient information;
  • Conduct internal monitoring;
  • Obtain an independent assessment of its compliance for three years.

 

The FTC settlement against Rite Aid requires the company to:

  • Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
  • Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

 

For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis. 

Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums. 

Albert Einstein said it best:

“Insanity is doing the same thing over and over again and expecting different results.”

Are you and your organization doing the same thing over and over again and expecting different results?






Perceptions of Campus Safety – Are You Helping Your Students Feel Safe?

Posted In Emergency Management, Incident Reporting, School Safety on August 3rd, 2010

 

While tragic incidents like Columbine and Virginia Tech have created an increased awareness of campus safety and security, most college students reveal they still feel fairly safe on campus.  A recent study by three Southern Illinois University scholars has revealed most students are not particularly worried about encountering an active shooter on campus. 

The survey of more than 5000 students discusses attitudes towards on-campus crime, perceptions of risk and safety, personal experiences and understanding of campus safety measures.  

What was perhaps most interesting about the report were the recommendations by the students to reinforce public safety training and communicate emergency procedures with students, faculty and third-parties. One safety director revealed that although students may understand their school has safety plans in place, they don’t really know what the plans are. It is critical for colleges and universities to implement and communicate emergency response plans, safety policies, evacuation routes, call lists, etc. to all appropriate personnel and students.

Several other recommendations include:

  • Educating students on public safety components during orientation
  • Making public safety training ongoing (not just annually)

 

It is critical for administrators to ensure all individuals (faculty, administration, staff, students, parents, first responders, mental health, campus law enforcement, etc.) understand and have acknowledged their individual roles and responsibilities.  Many colleges have emergency plans tucked away in binders on dusty shelves or posted to an intranet site, but how can administrators ensure these plans have been read, understood, or updated as risks, threats, regulations, etc. change?  Colleges must utilize effective tools for sharing, communicating, implementing and updating plans, policies and procedures on an ongoing basis.  Once-a-year general training is not enough and students agree. 

The study also suggests students are in favor of campus counseling staff sharing concerns about specific students with campus public safety personnel, and indicated that students believe both they and faculty have “a responsibility to report dangerous students.”

Schools must provide students and faculty with the tools needed to report suspicious incidents, threats, bullying, harassment, violence, etc. so red flags do not continue to fall through the gaps. By documenting incidents across all campus departments (HR, IT, Mental Health, Campus Safety, etc.) campus administrators can connect the dots and take actions to prevent violent, expensive, embarrassing and tragic incidents from occurring.

As students are voicing their concerns…how is your campus planning to respond?

 

 “Perceptions of Campus Safety Initiatives: Assessing Views of Critical Incident Prevention and Response” is available online at: http://www.icjia.state.il.us/public/index.cfm?metaSection=Publications&metapage=campuscrimehome






SEC Provides Lessons Learned on Policies and Porn

Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010

 

A recent follow-up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities and Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency that doubted the need for and importance of an airtight security policy.

Good for Teri Robinson… who wrote the article!!

However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps:

  • Review existing policy
  • Social media guidelines should be included and should be specific
  • Assign responsibility because policies are more easily adopted if someone is in charge
  • Train, train, train: as threats change, so do policies, so regular training is needed
  • Enforce the rules
  • Ramp up resources with technology and staffing

 

I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.

I sort of agree with Assigning Responsibility and Train, Train, Train…

I disagree with Ramping Up Resources and Staffing Up.

Based on lessons learned, the following steps are also needed:

  • Accountability at the Individual Level
  • Documentation of Individual Acknowledgements
  • Situational Awareness and Case Studies that relate to organization specific policies
  • Incident Reporting and Incident Management Tools for Assessment/Prevention Teams

 

And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.

Now if we could just get federal agencies to start using “tractors” instead of “old horses”…






Improving Campus Safety – Prevention and Intervention – Part 2

Posted In Emergency Management, Incident Reporting, School Safety, Workplace Violence on June 23rd, 2010

 

If you did not read Part 1…you may want to do so before reading Part 2.

During my EduComm presentation, I identified numerous school related incidents and lessons learned and multiple new ways to improve campus safety, reduce costs, protect reputations and save lives.

Then after reviewing multiple lessons learned I asked the group another question:

What does each of these well-documented incidents have in common?

  • Columbine
  • Virginia Tech
  • Fort Hood
  • University of Alabama-Huntsville

 

According to expert reviews and reports, each of these incidents could have been prevented.

Let me repeat….each of these incidents could have been prevented. 

Each of these incidents could have been prevented had the organizations implemented Prevention and Intervention Plans with tools/systems to ensure incident reporting, red flag management, proactive action teams (prevention, intervention, behavior analysis, threat assessment, etc.) and documentation resources were accessible on-demand.

If your goal is to improve safety on your campus or within your organization or across your community, isn’t it better to prevent incidents from happening at all?

Based on lessons learned and based on costs, lawsuits, reputation damage, emotional damages and loss of lives, my guess is that if each of these organizations (and numerous others) had the opportunity for a do over, they would all vote for preventing their incident rather than reliving their incident.

Does your organization have the right tools to connect the dots and prevent incidents from happening?






Improving Campus Safety – Prevention and Intervention – Part 1

Posted In Emergency Management, Incident Reporting, Risk Management, School Safety, Workplace Violence on June 21st, 2010

 

Just recently, I had the honor of presenting at the EduComm 2010 conference in Las Vegas. The title of my presentation was ‘Connecting the Dots to Improve Campus Safety’ and it was selected as a featured presentation.

Presenting at conferences is definitely one of my favorite things to do. I get to share ideas, successes and lessons learned with other people who are coming from many different locations and I have the unique opportunity to ask questions and learn what challenges other people face.

During my presentation I asked the following questions:

 

How many of your organizations have a Crisis Management Plan? 

(Everyone raised their hand)

How many of your organizations have an Emergency Management Plan?

(Everyone raised their hand)

How many of your organizations have a Prevention/Intervention Plan?

(Only a couple people raised their hand)

 

WOW!  You should have seen the faces of the attendees…and probably mine too.

This quick survey along with hundreds of other lessons learned continue to show that organizations are too focused on ‘reactive response plans’ rather than ‘proactive prevention actions’.  

Maybe this explains why so many schools rushed out and purchased mass notification response systems after the Virginia Tech tragedy? 

What do you think?

Should more schools invest in tools and systems for prevention and intervention efforts?

Stay tuned for Part 2…





