OCR Requests More Funding for HIPAA Enforcement

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

 

The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level.  76 percent of the new funds will be for increased enforcement of health information privacy and security rules.

Lessons Learned:  Increased enforcement of existing and new regulatory requirements is on the way.  Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH, or are you willing to take your chances?  Based on numerous other lessons learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner rather than later makes a lot of sense.






OCR Tightens Requirements and Increases Financial Penalties

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

 

The HHS Office for Civil Rights plans to use powers authorized under the HITECH Act to tighten up privacy requirements, as well as exponentially increase the penalties for HIPAA privacy and security violations.

Lessons Learned:  Organizations will need to ensure they are meeting all requirements and documenting actions under the HIPAA/HITECH Act and maintain a high level of CYA – compliance year around!  All employees (and third parties) must be aware of and accountable for their individual requirements, as a single data breach or violation can cost an organization up to $50,000…which is much more expensive and costly than new compliance and risk platforms that are proving to be extremely effective and valuable in preventing compliance-related fines and penalties.






Compliance and Ongoing Audits Save Money…

Posted In Regulatory Compliance, Risk Management on March 11th, 2011

 

A new study by the Ponemon Institute shows organizations that perform internal audits spent less per capita on compliance than those that didn’t perform internal audits.

Larry Ponemon is chairman of the Ponemon Institute and he commented:  “I believe that the reason why internal audits reduce compliance cost is that they help prioritize the organization’s overall compliance efforts.  This leads to greater efficiency in managing the total compliance burden. In other words, companies that do not conduct audits appear to be less efficient in their ongoing program management of data protection and privacy efforts.”

From my experiences and from lessons learned I agree that “ongoing program management and ongoing internal audits” are crucial to an organization’s bottom line and important to keep up with constant changes, new regulations, new risks, higher scrutiny in audits and mounting lawsuits.

But…is a binder full of policies ongoing?  Nope.   Is an electronic intranet or shared server full of policies ongoing?  Nope.  Is having your people go through online general training once-a-year ongoing?  Nope.

What if your people were reviewing your policies, procedures, risks, expenses and efficiencies on an ongoing basis and had the ability to anonymously offer their feedback and report incidents on an ongoing basis?

This study reveals the obvious (including potential for cost savings), so hopefully organizational leaders are paying attention and will become more open to transforming their outdated and status quo ways of compliance and risk management sooner rather than later.






Same Should Different Day!

Posted In Campus Safety, Regulatory Compliance, Risk Management, School Safety on February 2nd, 2011

 

I wrote a couple of blogs in December 2010 about the importance of solving bullying problems and about the importance of awareness, accountability and measurability in solving problems.  The underlying message in each of those 2010 blogs was to point out the need to SOLVE problems rather than just talking about what SHOULD be done.

 So in honor of Groundhog Day and the movie Groundhog Day, today is the perfect day to shed some light (or shade) on the dreaded “should all over yourself syndrome”. 

 And for you Tony Robbins fans, you may have heard Tony tell us all to:  “Stop shoulding all over yourself”.

 So what do I mean by same should different day?   From today going forward, see how many times you come across the same shoulds in a:

  • Headline news story telling you what you should do
  • Risk assessment report citing you should do this and you should do that
  • Seminar, webinar or conference with an expert telling everyone they should do this or do that
  • New or updated regulations and mandates saying you should do this or do that

 Or see how many times you catch yourself or your manager telling employees they:

  • Should do this…
  • Should do that…
  • Shouldn’t do this…
  • Shouldn’t do that…

 Should is not the same as Solving.  Should is a thought or an idea…Solving is taking action.

 And now that January is over…stay tuned because going forward I will be blogging about numerous ways to take action and solve numerous problems and burdens.






Bullying Prevention (or Procrastination) Plans?

Posted In Regulatory Compliance, School Safety on January 12th, 2011

 

Under a law signed by Governor Patrick in May 2010, all Massachusetts schools had a December 31, 2010 deadline for filing comprehensive bullying prevention and intervention plans.

On November 10, only 3 of the 394 school communities had responded.  On December 31, it was reported early in the day that 355 had submitted their plans, but right before the deadline, a flood of plans came in, resulting in 99 percent compliance (only six schools failed to meet the deadline).

I believe 99% compliance is an outstanding result; however, I do have a few questions:

  • Were the plans submitted comprehensive? 
  • Did the schools take the time to evaluate their individual school cultures, analyze their bullying reports, determine the best way to handle incidents, etc.? 
  • Or did they just fill in the blanks in the sample plan provided by the DOE and check off their compliance checklist?

 

The flood of plans on the deadline reminded me of how students put off their homework until the very last minute and then throw something together just good enough to get a passing grade….

Now that the December 31st deadline has come and gone, lessons learned show that the school’s most difficult steps begin… ensuring their plans are implemented effectively across all appropriate individuals (staff, faculty, students, parents, administration, mental health, school resource officers, law enforcement, etc.).   Numerous lessons learned have also revealed that just having a plan or just having policies and procedures does not prevent incidents and suicides from happening.  

If most schools already have plans…why are unwanted, expensive, embarrassing and tragic incidents still occurring in schools?

Systemic weaknesses involving individual-level lack of awareness and lack of accountability, along with systemic weaknesses with prevention tools and prevention efforts.  To achieve better results, school leaders must understand their individual roles and responsibilities, and school leaders must understand the best way to improve prevention is with tips…because it is nearly impossible to prevent any type of incident without tips.  2011 will be a critical year for school leaders, and I am passionate about helping school leaders, victims, bystanders, teachers, staff, parents and entire communities to improve their prevention efforts beyond just having plans, programs and traditional incident reporting tools.






Bullying Reporting Requirements – Lack of Documentation can Lead to Significant Costs and Failures

Posted In Incident Reporting, Legal, Regulatory Compliance, School Safety on December 29th, 2010

 

In a recent Boston Globe article, several Massachusetts school administrators discussed how they were implementing (or not implementing) the new state requirements for bullying.

The new anti-bullying law can potentially expose schools — and individual staffers — to lawsuits by parents or state authorities if incidents of bullying are not handled properly.

One of the key requirements is for school leaders to thoroughly investigate all reports of bullying and document actions taken.  One superintendent claimed, “I like to keep the informal stuff in my head.”  But, keeping informal reports and incidents in one faculty member’s head provides no documentation of a student skipping school, claiming harassment online, being bullied in the hallway, etc. and can potentially expose this school to a lawsuit down the road.  What if a young boy commits suicide tomorrow and all of the teachers and staff who witnessed him being bullied numerous times had not come forward and reported the incidents?

As one school psychologist said, “Consistently documenting problems to make sure none fall through the cracks can potentially prevent tragedies like the high-profile suicides of Phoebe Prince in South Hadley and Carl Joseph Walker-Hoover in Springfield…It strings together a series of events that in isolation may not seem like a big deal but could be if you put them together, maybe then a story is told.”

Because bullying is typically not a one-time event for the bully or the victims, it is critical for school leaders and team members to understand there is more value in having documentation than not having documentation.   Awareness is critical, and sharing information among P.E. teachers, faculty, janitors, students, parents, community members, etc. can often help identify at-risk students and connect the dots to determine the full extent of a situation.  School leaders and employees must also be held accountable for reporting incidents so red flags do not continue to be ignored.

All incidents must be documented and thoroughly investigated if schools want to protect their students and provide a safe learning environment ongoing. 

Among the values of comprehensive documentation are better decisions, better prevention, better intervention, reduction of liabilities, better compliance and a better bottom line because every situation has a cost (money, time, resources, reputation, etc.) and the lack of documentation could lead to significant “costs” with:

  • Prevention failures
  • Intervention failures
  • Listening failures
  • Trust failures
  • Lack of Legal Defensibility
  • Deliberate Indifference
  • Non-Compliance
  • Lack of Lessons Learned for future reference
  • Monitoring failures
  • Lack of Follow Up
  • Lack of Behavioral Analysis
  • Failure to Connect the Dots

 

Implementing proactive prevention tools is also much less expensive than the losses that occur if a student loses their life.

To learn how your school can improve documentation efforts immediately and ongoing click here.






Bullying PSAs…OK, Then What?

Posted In Regulatory Compliance, Risk Management, School Safety on December 1st, 2010

 

Natasha Alam from True Blood has joined the growing list of celebrities speaking out publicly against bullying.  Celebrities are raising awareness and bringing attention to this escalating challenge. 

Alam recently filmed an anti-bullying public service announcement (PSA), click here to learn more.

Canada recently targeted bullying with their National Bullying Awareness Week and the UK recently promoted the Big March to bring attention to bullying, violence and harassment in schools.

Each of these efforts encourages people to speak out about bullying and victimization, and adults are being urged to listen.  These campaigns also mention prevention, the need for awareness and how everyone (students, parents, teachers, staff, community members, etc.) can play a role and make a difference.

I agree that PREVENTION is critical, and I agree we need to help victims be heard and encourage Security Teams and Prevention Teams to listen.  Unfortunately, traditional ‘safe school’ approaches are not delivering the results we need.

The statistics are real; the challenges victims face and the suicides are real, and it is clear that the time is now for new approaches.    

The PSAs, marches and awareness weeks are all great first steps.  However, bullying is a systemic problem that needs comprehensive tools and solutions to deliver multi-directional awareness, accountability, auditability and measurability.  How is your school measuring your efforts?  Are administrators measuring incident reports and tips provided by victims and bystanders?  Are you measuring if school leaders and communities are listening?  Are you measuring if prevention and intervention efforts are working or not working on an ongoing basis?  Are you measuring if your efforts are meeting the OCR Dear Colleague letter’s guidelines?

Awareity wants to know… How is your school addressing bullying?  Do you have a new innovative approach?






Is Your Incident Reporting System Putting Your Organization At Risk?

Posted In Emergency Management, Human Resources, Incident Reporting, Legal, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on November 11th, 2010

 

How is your incident reporting system working for you? 

Or perhaps the question should be – Is your incident reporting system working against you?

Lessons learned continue to show that organizations find themselves in ‘reaction mode’ more than they are in ‘prevention mode’.  How can this be when most every organization claims to have an incident reporting system in place? 

Are traditional incident reporting systems obsolete?

Multiple surveys reveal that 90% of bystanders who witness a bullying incident DO NOT report the incident.  So why aren’t bystanders reporting incidents?

Perhaps bystanders are not reporting because of one or more of the following reasons:

  • Scared to get involved
  • Not sure how to report incidents
  • Not comfortable with incident reporting options such as paper, in person, phone or text
  • Lack of anonymity when reporting incidents
  • Bystander does not trust the incident reporting system will work
  • Bystander does not trust the organization will take action
  • And many others…

 

Victims are also reluctant to use traditional incident reporting systems.  Victims want to be heard, but many victims do not trust traditional incident reporting systems due to:

  • They tried using the traditional incident reporting system and nothing happened
  • No anonymous option to report incidents
  • Not knowing who was on the other end of the incident reporting system
  • Afraid their information would not be kept confidential
  • And many others…

 

Like bullying and cyber bullying, workplace violence incidents seem to be increasing too.  Mounting stress related to economic challenges, job layoffs and mortgage foreclosures continue to affect millions of individuals and families. And some individuals have taken out their frustration on their bosses, their co-workers or their family members where they work….and many of the incidents could have been prevented based on red flags that were discovered after the incident.

Suicides and bullycides seem to be increasing too.  According to statistics from support organizations, 5,000 teenagers commit suicide a year and perhaps as many as 500,000 or more teenagers contemplate suicide or attempt suicide each year.  What if these 5,000 teenagers had a trusted incident reporting option they could have reached out to for help?

So is your traditional incident reporting system really working for you if bystanders are not reporting incidents and victims are not reaching out for help?

Red Flags and Prevention

Without red flags, it is nearly impossible for security teams and threat assessment and intervention teams to prevent incidents from happening.  Yet after almost every bullycide or workplace violence incident, people come forward and say they were aware of multiple suspicious incidents and red flags, but did not report the suspicious incidents because they did not know how to or did not understand what suspicious activities should be reported.  In some cases, people DID report the incidents and unfortunately the organization did not connect the dots. 

Legal Defensibility

In our highly regulated and litigious society, victims and their families are taking organizations to court when they fail to respond as mandated.  Many lawsuits brought against organizations cite “deliberate indifference” or the conscious or reckless disregard of the consequences of one’s acts or omissions.

Deliberate indifference is often the result of:

  • Lack of Awareness – meaning people did not know what to do in different situations even though previous incidents, legal obligations and regulatory mandates exist
  • Lack of Follow Through – meaning people knew about the issues, but did not take immediate actions to end the issue and did not take appropriate actions to eliminate the hostile environment and prevent future incidents
  • Failed efforts based on the situation, state mandates or organizational obligations

 

Experts seem to be in agreement that reacting to incidents is much more expensive (and embarrassing) than preventing the incidents from happening, but prevention requires a more comprehensive suite of incident reporting tools to ensure:

  • Anonymous or non-anonymous incident reporting tools
  • Threat Assessment and Security Team collaboration tools
  • Secure and confidential information sharing tools
  • Situational awareness tools for all appropriate individuals and team members
  • Accessibility options for anytime access to suite of tools
  • Documentation / Reporting tools of entire process for compliance and legal defensibility
  • And adaptability options as needs and situations continue to change

 

Is your traditional incident reporting system helping you or working against you?






New Jersey Anti-Bullying Bill of Rights – A Step in the Right Direction

Posted In Legal, Regulatory Compliance, School Safety on November 8th, 2010

 

Legislators in New Jersey have proposed what may be the toughest anti-bullying law in the nation with a “bill of rights” as its charter. 

On the heels of the recent tragedy at Rutgers University when freshman Tyler Clementi jumped to his death, the proposed legislation builds on current laws that have not adequately protected students who are intimidated every day.

New Jersey’s Anti-Bullying Bill of Rights would:

  • Apply to bullying at school, near school and on school buses and to cyberbullying.
  • Require training for nearly all school employees on how to identify, prevent and report acts of intimidation
  • Set deadlines for incidents of bullying to be reported, investigated and resolved.   School personnel will have to report incidents of bullying to principals on the same day as the incidents.   Principals will have to inform parents or guardians on the same day as the incidents.  An investigation will have to begin within one school day of an incident and be resolved within 10 school days of an incident.  
  • Require each district to form a “school safety team” to review complaints, led by a counselor designated as an “anti-bullying specialist.” 
  • Provide for the grading of each school on its safety, and provide that each school must put that grade on the home page of its website.
  • Create an annual school-wide Week of Respect during which schools will provide anti-bullying programming.
  • Strengthen suicide prevention training for teachers to include information on the relationship between bullying and suicide, and information on reducing the occurrence of suicide among students most at risk.
  • Provide that public universities in the state must prohibit bullying and create anti-bullying rules and procedures for handling bullying, and distribute the rules and procedures to every university student within seven days of the start of the fall semester.

 

While most schools already have policies and procedures for anti-bullying and behavioral misconduct,  what this bill will hopefully achieve is to encourage / require school leaders to help students, faculty and staff proactively identify and report suspicious incidents, bullying, violence, etc. 

As we shared in a previous blog, 90% of the bystanders that witness bullying are not reporting incidents, which makes prevention and intervention efforts almost impossible.  To prevent bullying and to meet federal regulatory obligations, school leaders must ensure that all faculty, school administrators, school security officers, school resource officers, counselors, parents, and students understand how and where to report incidents and that the incident reporting process is trusted.

Based on lessons learned from numerous bullying / harassment related incidents, anti-bullying legislation may help motivate school leaders and a possible Bullying Prevention Fund in the legislation may help with fiscal related challenges in schools.  

Lessons learned also show that all the legislation in the world does not ensure that all appropriate people understand their roles and responsibilities to eliminate the hostile environment created by bullying / harassment and ensure that bullying / harassment does not recur.

The legislation is a step in the right direction, but saving lives and building a positive school environment will ultimately depend on better awareness and better accountability of the school’s living program.






Financial Sector Challenges Keep Coming…

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on October 5th, 2010

 

How will these new challenges impact your community? And your organization?

If you have been watching financial sector headlines recently, bad news and challenges seem to keep coming for financial leaders and their organizations.  And we have all learned that when the financial sector is affected, all sectors will see and feel some impact.

Credit unions are now in line for their bailout.

http://online.wsj.com/article/SB10001424052748703499604575512254063682236.html?mod=WSJ_hp_mostpop_read&ana=e_phx_rdup

According to a CNN Money article, bank fees are like a game of Whac-a-Mole…the minute some bank fees are banned, a whole new set of bank fees pops up.

http://money.cnn.com/2010/09/24/pf/new_bank_fees/index.htm?hpt=T2

FINCEN proposes mass new wire transfer reporting requirements that could represent a massive burden on banks and money services businesses to report international wire transfers to the government.

 http://www.fincen.gov/news_room/nr/html/20100927.html

In Michigan, the Office of Financial and Insurance Regulation ordered the shutdown of a “business” whose operators were actually scammers posing as a legitimate credit union in order to obtain information used in identity theft.

http://blogs.bankinfosecurity.com/posts.php?postID=725

Credit card fraud continues to go global and losses continue to mount.

The Consumer Financial Protection Bureau is coming…how will it affect your business?

The bad news:  Many of these challenges are out of your control.

The good news:  Organizations can control the positive impact they have on their community, their customers and their employees.

So for all the organization leaders – financial, government, schools, healthcare, faith-based and others…Is your organization ready to take the lead in your community?





