
Insights are generated by CastFox AI using publicly available data, episode content, and proprietary models.
Total monthly reach
Estimated from 2 chart positions in 2 markets.
By chart position
- 🇨🇦 CA · Business News: #169, 5K to 30K
- 🇵🇹 PT · Business News: #196, 500 to 3K
- Per-Episode Audience (est. listeners per new episode within ~30 days): 2.8K to 17K
- Weekly cadence · 271 episodes · Last published 4mo ago
- Monthly Reach (unique listeners across all episodes, 30 days): 5.5K to 33K (🇨🇦 91%, 🇵🇹 9%)
- Active Followers (loyal subscribers who consistently listen): 1.6K to 9.9K
Recent episodes
Telehealth Extensions & 2026 Compliance Priorities: A Compliance Cliffs Update
Feb 4, 2026
19m 51s
Update to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance
Jul 14, 2025
Unknown duration
The Role of Compliance Programs in Mitigating False Claims Act Liability
Jun 11, 2025
Unknown duration
HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance
May 12, 2025
Unknown duration
RE-RELEASE Employee Snooping & Insider Threats
Mar 18, 2025
Unknown duration
| Date | Episode | Topics | Guests | Brands | Places | Keywords | Sponsor | Length | |
|---|---|---|---|---|---|---|---|---|---|
| 2/4/26 | ![]() Telehealth Extensions & 2026 Compliance Priorities: A Compliance Cliffs Update✨ | telehealthcompliance+3 | Robyn Johns | Panacea Healthcare SolutionsMed USA | — | telehealthcompliance+3 | 1st Healthcare Compliance | 19m 51s | |
| 7/14/25 | ![]() Update to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance | In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss recent changes to the HIPAA Privacy Rule to Support Reproductive Health Care and Privacy in relation to recent court rulings. This rule, which went into effect in April of 2024, still has certain components which practices need to know about and adhere to heading into 2026. Learn about how these rulings are, and will, impact this important rule, and what HIPAA regulated organizations need to know concerning these updates. In addition, hear about what might be coming in the future of not only reproductive health regulations, but also various other areas of healthcare with regards to privacy.   Kevin Chmura Hello and welcome to today’s episode of First Talk Compliance. I’m your host, Kevin Chmura, CEO of First Healthcare Compliance and Panacea Healthcare Solutions. And I’m excited to bring you an important discussion about a major legal development that impacts all HIPAA regulated entities. By way of background, on June 18th, 2025, the U.S. District Court for the Northern District of Texas issued a nationwide order striking down the HIPAA Privacy Rule Amendments designed to strengthen reproductive health care privacy. The amendments had been mandatory since December 2024, and this court decision has created a new compliance challenge for covered entities and business associates. To help us understand what happened, why it matters, and what organizations should do now, we’re joined by our expert guest. Rachel V. Rose, J.D. MBA, who’s a leading authority on HIPAA healthcare privacy law. If you listen to our podcast, you’ve heard Rachel many times. In fact, we’ve discussed this particular topic, or issues around it, pretty recently. So it’s great to have her back. So, Rachel, welcome back. Thank you for coming to share your expertise with us today.   Rachel V. 
Rose Kevin, it’s always my pleasure and thank you for having me back.   Kevin Chmura Yeah, your content is always heavily consumed because it’s very important. So we thank you for being here. So, maybe probably best way to just start off is if I can ask you to just briefly explain what the U.S. District Court’s order did, why it’s significant and who it applies to?   Rachel V. Rose Absolutely. So on June 18th of this year, the United States District Court for the Northern District of Texas, and specifically the Amarillo Division, in the case caption Carmen Purl et all v. United States Department of Health and Human Services et all. And for those who are interested, that case number is 224-CV-228-Z. And the Z, it correlates to the judge at any time you see initials or an initial after a case number, it’s the judge. And I’ll just simply refer to this case as the Purl case, P-U-R-L. Basically, what the court did was to issue an order vacating the April 16th, 2024 HIPAA Privacy Rule to Support Reproductive Health Care and Privacy. And for simplicity’s sake, I’ll just call that the HIPAA Reproductive Privacy Rule. And basically what it did was to leave intact the requirements regarding the updates to the notice of privacy practices, which are due in early 2026. And to focus on that, there really hasn’t been any guidance yet from HHS. But every covered entity and business associate and subcontractor need to be aware that the notice of privacy practices updates, which really incorporate the HIPAA provisions along with 42 CFR part two regulations, are still in play, and the part two regulations specifically relate to the substance use disorder regulation. So that’s something that again, covered entities, business associates and subcontractors should put on their calendar, and look for updates from First Healthcare Compliance, whenever HHS releases some more guidance related to what should be included. As many know who have been in healthcare a long time. 
Oftentimes HHS and SAMHSA, the Substance Abuse and Mental Health Services Administration, which oversees 42 CFR part two, will issue guidance or form types of agreements or other relevant compliance items. One great example is the Business Associate Agreement. So that’s the part that should be calendar and people should make sure that they are staying abreast of. Now that brings us to what was vacated. And so basically, procedurally, the court granted the plaintiff’s motion for summary judgment. And for those non-lawyers, summary judgment is available when there is no issue of a material fact. In essence, it is judgment as a matter of law, and in doing so, denied the defendants, which in this case is the United States Department of Health and Human Services motion, to dismiss for lack of jurisdiction. And the specific section that was vacated pursuant to five U.S.C. Section 7062, except for the modifications that I mentioned to C.F.R. Section 164.520 with the notice of privacy practices are the provisions associated with what were 45 C.F.R. section 1604 520b, 1, 2, F, G, and H. And so for those who were familiar with what was required under those particular items, that had to do with the reporting requirements and the attestation requirements under law, and that’s distinct from the law enforcement exception. A couple of items that are also notable, Kevin, and other healthcare attorneys in the space have also honed in on this, is that the plaintiff indicated, and the court honed in on this, saying that under the Administrative Procedures Act that the government exceeded its rulemaking authority. However, a lot of lawyers are of the opinion that Congress merely barred rules that supersede state statutes, not those that add reasonable conditions. And so that’s something that I want to emphasize too, as I normally do in our discussions that state laws cannot be overlooked.   
Kevin Chmura So that’s significant given that you and I not that long ago discussed some of the updates to HIPAA 2024 rules. So it’s interesting that we’re talking about it this soon thereafter, kind of thought that we were a little bit settled there. So maybe just do a quick check. Are there any other reproductive rights related lawsuits that are significant that that we should know about and be paying attention to?   Rachel V. Rose I would say the one that is very prominent is the recent Supreme Court opinion in United States versus Skrmetti, the attorney general and reporter for the State of Tennessee. And what’s notable about that case is that it was a 6-3 opinion which upheld Tennessee’s ban on puberty blockers and hormone therapy for transgender teenagers. Texas also actually had a similar law, and last year, in 2024, the Texas Supreme Court upheld a state law banning doctors from prescribing gender affirming care to transgender minors ,and a state policy expanding the definition of child abuse to include gender affirming care remains blocked following a state court of appeals decision last year. So notably, the court, actually, has agreed to hear a couple of other transgender related cases, including transgender, participation in female sports. And so this is an area that should be read in conjunction with any HIPAA Privacy, any law enforcement exception, which is found under the HIPAA regulations at 164.51 Q, and just really be conscientious and cautious about what the individual states are requiring, as well as following the United States Supreme Court’s ruling. Because, this particular case, the court held that Tennessee’s law prohibiting certain medical treatments for transgender minors is not subject to heightened scrutiny under the equal protection clause of the 14th Amendment and satisfies rational basis review. So whenever one looks at civil rights issues under a constitution analysis, we have what’s known as strict scrutiny. 
We have intermediate scrutiny, and then the lowest level of review is rational basis. Strict scrutiny, we typically see applied to those items that are expressly mentioned in the 1964 Civil Rights Act: race, gender, religion. And for those who read any employment agreement with the nondiscrimination provisions, those same items are included there as well. Intermediate scrutiny is a level below, and then we have rational basis, which is the lowest level of review. I would also add that in relation to some of the 14th Amendment issues and strict scrutiny, one cannot overlook any executive order that is being issued right now. And as it relates to discrimination and the DEI initiatives, the executive orders that were published in January of 2025 that relate to this expressly upheld the Civil Rights Act of 1964. So you still cannot run afoul of that.   Kevin Chmura Wow. So just to clarify in question for non-attorney, because that’s amazing. So with respect to Skrmetti, or really any recent Supreme Court cases, well, any of those have or could have an impact on an appeal or the ultimate outcome of the parole case?   Rachel V. Rose I think that’s a great question for three main reasons, Kevin. First and foremost, the Purl case. The judge used, as I mentioned earlier, the Administrative Procedures Act, and that’s very relevant because of the recent Supreme Court Trump versus Casa Inc. And what’s relevant about Casa Inc., even though that’s a completely different area of law, is that the Supreme Court case, Casa, basically held that nationwide injunctions are invalid and they cannot be issued. They’re only specific to the individual parties to that case, right? That was brought, which typically makes sense whenever I’ve used in injunctive relief at the state court level, it’s to either get a temporary hold, so to speak, or to have conduct stop, but it only pertains to the parties. It doesn’t go beyond that. 
I can’t say every oil company, right, or every healthcare company is involved in this. And so basically what Casa did, and there’s been a lot of debate over nationwide injunctions by federal courts in their nationwide applicability for a very long time. So this issue really isn’t new. But Casa affirmatively stated that nationwide injunctions can no longer be issued, and they’re only specific to the parties. What is relevant to the Purl case is that the court also discussed the Administrative Procedures Act and said this does not relate to the Administrative Procedures Act, and I believe it’s footnote ten in the Casa opinion that highlights that. And what’s notable is that even some of the entities who were involved in some of the nationwide injunctions honed in on that fact. So will we see an appeal by the United States government? According to the HHS website, they’re evaluating their options. That’s the first item. The second item is since nationwide injunctions are now not permissible, how can a single district court’s ruling invalidate a particular regulation and have that apply to the rest of the country? When, if even non-lawyers know if you’re in a particular jurisdiction? Typically the district court’s opinion is only binding not only on the parties, but it then becomes precedential within that particular district. So every other case that were to follow in the Northern district of Texas, for example, would have to cite the Purl case. Now up on appeal, once an appellate court rules on something, that then applies to every district court, which is under that particular circuit and then if the Supreme Court rules, as we saw in the Dobbs case, right. Which overturned Roe or Loper, which is the case. 
So the Loper Bright versus Raimondo case, which honed in on the Administrative Procedures Act and overturned the Chevron Doctrine, at least in part, the Supreme Court has the ultimate authority to invalidate a law or regulation as it may be applied across the entire country. So I do think that we will see potentially the government appeal the district court’s opinion, although there’s a potential policy issue there. And then the other item is we could see other cases arise under this that challenge this district court out of a different circuit or district within the United States.   Kevin Chmura It’s interesting and nationwide bans are a hot topic of late I’m sure in your world especially and so it’s, it is not necessarily always black and white as you point out, which is interesting maybe we can, that’s all super helpful. Perhaps we switch gears just a little bit and think through. Okay. We know where we are right now. What should we be thinking about doing? So I guess maybe to frame it as a question with this order in place now, what should HIPAA regulated entities, covered entities, business associates alike, but what are they still required to do with respect to reproductive health information as it stands now?   Rachel V. Rose Well, one item that stood out to me about the Purl case was the definition of a child. And I really do think there’s a lot of interplay there with a variety of different state laws, because even if you look at the United States Census Bureau, they do not include unborn individuals in the definition of a child. So a fetus is not included there. Yet, Purl reached the opposite conclusion. Right? And the plaintiffs in the Purl case kind of raised that in the reporting of child abuse obligations. So to answer your question, what remains. 
First and foremost and for those individuals who are clients of First Healthcare Compliance, I created a revised FAQ regarding the Privacy Rule and basically, in light of the opinion as it stands now, because we have no other cases, we don’t have a Fifth Circuit opinion, we don’t have a United States Supreme Court opinion on the APA being able to be utilized at a district court level to overturn an entire statue and make it invalid. I would recommend that individuals put a placeholder on what was previously required to be implemented by December of 2024, with the exception of those notice of privacy practices, Kevin, and I would also make sure that people are very aware of the obligations under the law enforcement exception which have been in place for over 20 years. So that’s not new, and in compliance with the law enforcement exception, I specifically would initially go to 164.512 F12. And that relates to a court or court ordered warrant or subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand or a similar process under law, provided that first the information sought is relevant and material to a legitimate law enforcement inquiry. The request is specific and limited in scope to the extent reasonably practicable, in light of the purpose for which the information is sought, and de-identified information could not be reasonably used. A couple of examples related to that have actually come out of State Supreme Courts. And one case that is very much an example of not adhering to the law enforcement exception that got a practice in hot water is a civil case, and it’s the Byrne case, B-R-Y-N-E, versus Avery Center for Obstetric and Gynecology. It’s case number 18 904. It was a Connecticut Supreme Court case and it was decided on November 11th of 2014. 
And basically, as everyone in healthcare should know, through their training, before you send any HIPAA information out, you should look at that patient or the legal representative’s HIPAA authorization and see if any individual or entity is excluded. So what happened in the Connecticut case was that a woman learned she was pregnant and expressly stated on her HIPAA authorization that no provider was to release her protected health information to the child’s father with whom she was no longer in a relationship. So the practice gets served with a subpoena from the child’s father, and instead of going to a lawyer, the practice simply released the medical records. And so the Connecticut Supreme Court said, Hey, from our review of the record in the present case, it appears that the defendant did not even comply with the face of the subpoena, which is required by the custodian of records for the defendant to appear in person before the attorney who was issued the subpoena. Instead, the defendant mailed a copy of the plaintiff’s medical records directly to the court. And then secondly, although it was a civil case, the costs to the plaintiff in terms of losing trust in the healthcare system and to the practice in the form of a lawsuit is significant. And there is a provision in the law enforcement exception which actually requires a covered entity to contact the patient first. And so not meeting those fundamental requirements of the law enforcement exception is critical and something that’s related to that. Lastly, Kevin, which dovetails into the compliance, is absolutely making sure that you’re looking at two things: state laws again and then secondly, it has to be, is the demand that has been received compliant with due process. So is it official? Is it a response required by law, things of that nature. And I always advise all clients to absolutely reach out to an attorney when you get any sort of request for HIPAA information that’s not directly from the patient.   
Kevin Chmura And Rachel, I take that advice myself from you and reach out to you whenever I have a question. So that’s excellent advice for the listeners. So the Connecticut case is a great example and I guess maybe it leads to a more obvious question or something that’s a little more practical for people. Certainly keeping up on state laws and rulings, that’s important, that requires really the expertise of an attorney. I wonder if you can give the listeners any advice on any immediate steps they should be taking to adjust their HIPAA policies, procedures and training in light of this decision and the entire environment? I mean, that’s really where they can have the most immediate impact on their organizations. Any advice for folks?   Rachel V. Rose Absolutely. So as I mentioned, I would put an update in red in any policy changes that were put into place as required in December of 2024. So just place hold it and, as I did for your clients in our model policies and procedures, just put that this update, the policies and procedures pursuant to this court ruling, and then note that there could be changes and that appeals and HHS, the landscape need to be stayed abreast of to know how this may shift. Right? Because it may shift back. We don’t, we don’t know. So that’s the first thing. The second thing, again, is to reiterate the law enforcement exception and as you also know, Kevin, under HIPAA, there is the ability for any provider to potentially report child abuse. Right. Or suspected child abuse or under Tarasoff, which is a California Supreme Court cases, Tarasoff 1 and Tarasov 2, a provider has the option of notifying law enforcement if a person is a risk to themselves or to another person. So appreciating other items which may come into play and then reading what’s known as, Amparo Materia is the Latin, or the in conjunction with the state law for what is a child right under state law and what constitutes child abuse? 
What requirements are in place for reporting that? Because what you want to avoid and we’ve seen this already, not only on the reporting of child abuse, but there was that case out of Ohio when a medical professional was naturally suffering a miscarriage and actually miscarried at home because the hospital sent her home. And as a result, there was a criminal investigation into abuse of a corpse. Now, that was not upheld. The autopsy revealed that the miscarriage was, in fact, natural. It wasn’t induced by any chemical which would have run afoul of that particular state’s law. And as a result, and rightly so, the certain entities are being sued by this individual. So it’s a balance of the potential harm to individuals. And looking at that potential downstream liability as well as child abuse and potential Tarasoff abuse reporting.   Kevin Chmura Yeah. Wow. So great advice as usual. So, Rachel, we up to this point, I wanted to make sure we kept everything grounded in in what’s happening now. Factor in your expert advice, now I’m going to ask you to look into your crystal ball maybe, and get to the place of speculation. So relative to Purl, do you expect HHS to appeal the decision? And if they do, what would that process look like?   Rachel V. Rose So, the process is something that is set forth in the rules of procedure. And because the northern District of Texas falls under the umbrella of the Fifth Circuit, a notice would be filed in the district court and then the appeal would eventually be filed in the Fifth Circuit Court of Appeals. So, whether or not HHS does that, I from my perspective and from other perspectives that I’ve read, there’s really a tension here on the public policy because it’s reproductive healthcare related. But the fact that HHS does have some issues to contend with, including the definition of a child, which is I mentioned the U.S. 
Census Bureau defines differently, is something that we could see, another item that we could see potentially as a case being brought in another district court in another circuit. And so we could see that being an issue or an appeal specific to the APA. So I think we have a lot of different options that we could see play out. Ultimately, it is at the discretion of the government and then any other cases which may be brought on this topic or the APA topic in general.   Kevin Chmura Yeah, that was well said. So maybe as we move to our closing, what, I’ll ask you a few more sort of simple things for practical advice for our listeners. Do you think there’s any other potential future legal or regulatory changes they should really be watching out for? And maybe, two-part question, How do they stay informed and prepare for any additional changes in the area?   Rachel V. Rose That’s a great question. I think first and foremost, your primary sources are your best sources. So I would always look at state websites, typically their own HHS items. I also would look to trusted partners such as Panacea and First Healthcare Compliance. And for example, AHIMA normally has really good reviews and experts. There are, there’s NAMAS. I mean, there are a lot of really good, reputable third parties that are conscientious about the content that they put out. So trying to stay abreast of all of the myriad of changes can be daunting. But I will say appreciating where to go in your own state is probably first and foremost what’s important, because as we’ve discussed, some of this is going to come down to the state level as well. And that’s something that is, you know, I tell your clients all of the time and I’m very cautious whenever I get asked questions to say state law may differ or alter the outcome. So it’s imperative that any covered entity or business associate consult those state laws and the HHS website.   
Kevin Chmura That’s great advice and I will add to it for our listeners case follow Rachel as well. She recently authored an article on this exact topic, which was helpful in me preparing for this today. So with that, Rachel, I say thank you very much as always, your expert advice here is invaluable. This is a shifting topic. So what I would say is for the listeners, pay attention. We’re likely to put out more content on this face. Rachel, I’ll reserve the right to ask you to come back and keep us updated because it feels like there will be more to talk about relative to Purl and other areas. We have a lot happening right now. So Rachel, thank you very much as always.   Rachel V. Rose You’re very welcome, Kevin. And one thing just to bear in mind is that the reproductive healthcare definition that was initially issued was broadly defined and actually not only considered maternity care and contraception, it also impacted vasectomies, mammograms, sexually transmitted infection screenings and in vitro fertilization, as well as the gender affirming care, which we also discussed.   Kevin Chmura Wow, yeah, so and that’s the complexity of these issues goes often beyond just the headline, which is why your advice is so helpful for everybody. So thank you again.   Rachel V. Rose Thank you, and we’ll look forward to next time, Kevin.   Kevin Chmura Thank you. So to our listeners, we encourage you to review your HIPAA policies, procedures, and training materials in light of these court decisions and stay informed as legal landscape changes. So please pay attention. We’re here for you, at First Healthcare Compliance and Panacea. Rachel is a great resource for you as well. If you’d like to learn more, just visit our website at First Healthcare Compliance, which is 1sthcc.com. Or you can go to Panacea and follow the links for Compliance or reach out to our team at any time with questions. 
Don’t forget to subscribe to 1st Talk Compliance on your favorite platform and never miss another episode. Thanks for tuning in and we’ll see you next time. | — | ||||||
| 6/11/25 | ![]() The Role of Compliance Programs in Mitigating False Claims Act Liability | In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss the False Claims Act in detail. The FCA, one of five federal laws built to combat fraud, waste, and abuse, is the government’s primary fraud fighting tool, with the healthcare industry paying the largest contributor in recoveries for over a decade. Learn not only about how to avoid running afoul of this law, but also some details of cases in which it was violated, and the repercussions those who did so faced. In addition, find out how a proper compliance program can protect your practice in various ways, including staying up to date on cybersecurity training. Kevin Chmura Rachel, welcome to the podcast. Thanks for joining us.   Rachel V. Rose Thank you, Kevin, for having me back for another round of a very major healthcare compliance topic.   Kevin Chmura It very much is, yeah. This one generates some revenue for the government. So this is one that I think especially in today’s environment, people should be paying a lot of attention to. So as I said in the intro, we’re here to talk about the False Claims Act. It’s one of the most important fraud, waste and abuse laws that applies to physicians and health care practitioners of all kinds. The healthcare industry has consistently been one of the, if not the highest contributor to funds received under the False Claims Act. And it’s essential to be familiar with the law and maintain compliance programs to mitigate that risk. Rachel, I know you spend a fair amount of time in your practice in and around the False Claims Act defending and representing customers and providers. So you’re perfect to cover this topic for us. Wondering, though, if you could give us a brief synopsis of the False Claims Act and why is it unique?   Rachel V. Rose Absolutely. 
So as you mentioned, my practice focuses a lot on the False Claims Act, and I am fortunate to do a lot of compliance work not only around the False Claims Act, but HHS. OIG has identified five important federal fraud, waste and abuse laws. The False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Authorities, and the Civil Monetary Penalties. And Kevin, as you mentioned, the False Claims Act is really the federal government’s primary fraud fighting tool. And in 2024, there were more than $2.9 billion in recoveries and, moreso healthcare represented over two thirds of that amount. That healthcare trend, as you mentioned, being the largest contributor, has gone on for at least the last decade. And what the False Claims Act does that makes it unique are really, I would say, five main things. But first, the False Claims Act goes back to 1863, and it is also known as the Lincoln Law. Its primary purpose, even back during the Civil War, was to root out fraud that was being perpetrated on the government. So how would that be done? Congress thought about it and said, well, the government could do it on its own if they caught wind of something, or they could insert a provision which gave an individual known as a relator, also known as a whistleblower, the potential to bring fraud to the government’s attention and receive a portion of the recovery. It’s very important to note that a relator and I represented several relators successfully, sometimes with co-counsel, sometimes with not, so I get to see the False Claims Act from the whistleblower standpoint as well. But this notion of being able to represent a whistleblower is the first distinguishing factor. And that’s because most other civil cases, a person can represent themselves on a pro say basis, meaning they don’t need a lawyer. There was a provision in the False Claims Act which in fact requires an individual to be represented by a lawyer. 
So unless the relator is a lawyer, then the individual needs to obtain counsel in order to file a False Claims Act case. That’s the first thing. Secondly, only the government can choose to open a criminal investigation. So even though certain laws like the federal Anti-Kickback Statute can have criminal penalties or civil penalties associated with them, only the federal government, or if a state has a similar type of law, the state can actually move and bring a parallel criminal investigation in potential proceeding. So that notion that only the government can bring in a criminal case is not unique to the False Claims Act. But what is unique is that a private party can bring a type of case, and that’s how the government learns of something to then potentially open a parallel criminal action. The process for the relator’s counsel is also very different. Normally, if I want to file a lawsuit in federal district court, I have to make sure that either a federal question is involved under 1331, or I need to meet the amount in controversy and diversity of the party’s requirement under 1332. While first, the False Claims Act is a federal statute, so it falls under 1331. So that’s the same. What is not the same is that before I even file a case under seal in a United States District Court, I have to provide a disclosure in evidence to the local United States attorney where I’m going to file the case, as well as providing that same information to Main Justice in Washington, D.C.. Another area that is relevant that I just mentioned is the seal. So that’s the third item. And initially, the statute itself provides for 60 days that the case is filed under seal, meaning no one knows about it but the relator, the lawyers, the judge, and whatever the court staff are, and that’s the way it has to stay. Now, the government may request what are known as deal extensions in this type of case. And another provision relates to the breaching of the seal. 
The 2016 Supreme Court case, Rigsby versus State Farm, is the case that outlined different factors, which first stated, A, just because there may be a seal breach doesn’t mean that the case is automatically dismissed. But the court said we get to apply these factors and make that determination. I will say that even if the court says no, this case doesn’t need to be dismissed, and the government agrees with that, the government on the back end, when we start to get to the fee issue where the relator can recover, they, the government, has the right to drop the recovery, if there has been a breach of the seal, below what the typical statutory threshold is, and I’ll get to that in a moment. The other distinguishing factor in a False Claims Act case is once I file the case, it’s really in the government’s hands until they make a decision. And there are three ways a case can go. The government can intervene in the case, and intervention can occur at different times. I’ve had cases that have settled under seal and then the intervention decision is made and the seal is lifted by the court, so the government has taken the case through settlement, even though there has not been any action in court, so to speak. The second way to intervene is that if the defendant won’t settle while the case is under seal, the government can say, hey, all right, relator, we like the case, we have adequate resources. And I don’t necessarily mean monetary resources. I mean the specific notion of adequate human resources, right? Because the government only employs so many people and so many Assistant U.S. Attorneys to work on these cases. So the Georgia Tech case is an excellent example where the government intervened and they’re the ones who are leading trial. So in that instance, the relator’s counsel and the relator just sit back, and if the government needs help with something, then they’ll ask.
Declining to intervene means that the government is not going to intervene, but they say to myself or other relator’s counsel, if you would like to move forward with the case and prosecute it, you’re able to. And so I’ve had that scenario as well. And then lastly, they can dismiss the case under (c)(2)(A), and that’s always the government’s discretion. And the Supreme Court case, the Polansky case, is a case from 2023 that actually addressed that very issue. Now, penalties and damages: damages can be trebled under these circumstances. Penalties up until 2016 ranged from $1500 to approximately, not $1500, $5500 to approximately $11,000 per violation. So that was per healthcare claim. Now the absolute minimum is over $11,500, and the upper end of that penalty range per claim is closer to $25,000. Oftentimes we don’t see penalties assessed unless a case goes all the way through to verdict in a trial. But it can still be costly for damages being trebled depending on the type of case. The relator’s recovery, if the government intervenes in the case, is between 15 to 25% of the total recovery. If the government declines, then the relator is entitled to 25 to 30% in the event of a successful recovery. And it’s important to note that the False Claims Act is not an intent based statute.

Kevin Chmura: So. Well, wow, that was great, that’s so, it’s dense, right. And there’s, yeah, there’s a lot there, and expensive for those that find themselves on the wrong end of this, and so super important. And you touched on, I think, a few of them, but I wonder if you could zero in a little bit on what healthcare laws are often included in False Claims Act cases.

Rachel V. Rose: Several laws that are included, Kevin, include the Stark Law and the Tuomey case, which was brought several years ago and to date is still one of the largest False Claims Act cases involving the Stark Law.
It went up to the Fourth Circuit and that had to do with, in essence, paying kickbacks to physicians where a Stark exception was not met and they were getting remuneration outside of what met fair market value in order to refer patients for designated health services. Now, designated health services is a term of art within the Stark Law. We don’t see that term in the Anti-Kickback Statute, which is another term. One main difference, aside from the designated health services being the only areas that apply to the Stark Law, is that Stark is a civil statute, and more importantly, it’s strict liability. So it’s like speeding. If you go over the speed limit, you can get a ticket; the same with the Stark Law. By way of contrast, the Anti-Kickback Statute, which actually predates the Stark Law by at least 17 years, is a criminal statute. It applies to every single federal healthcare program, with the exception of the Federal Employee Health Benefits Program, and it applies to any type of remuneration, whether in cash or in-kind, for referrals to, or utilization of, goods or services related to the provision of health care to a Medicare beneficiary, Medicaid beneficiary, TRICARE beneficiary, etc. And there are safe harbors.

Kevin Chmura: That’s good stuff. I know from my now a few decades in healthcare and all of the compliance and other training that you are really required to do, I spent a fair amount of time being educated on particularly Anti-Kickback, and I wonder if it would be helpful. Maybe if you could highlight a few recent cases involving AKS violations. I think it is kind of where the rubber meets the road on these. It can be very, very informative for folks.

Rachel V. Rose: Absolutely. And one unique aspect of the False Claims Act that I did not address earlier, because I highlighted more of the procedure associated with the False Claims Act.
But one of the more unique or interesting items, especially as it relates to the Anti-Kickback Statute, is the idea that first there’s a different scienter requirement or knowledge requirement. So knowledge under the False Claims Act is defined as actual knowledge, deliberate disregard for the truth or falsity of the information, or reckless disregard for the truth or falsity of the information. Now, the Anti-Kickback Statute is intent based. Remember, the False Claims Act is not. So intent must be proven and it must meet that statute’s definition of knowing or willful. But a nice thing occurred in 2010 for relator’s counsel, and that was that Congress said, if you can substantiate and clear the hurdle of an AKS violation, then the False Claims Act violation really comes along for the ride, which makes sense because it’s a higher level of scienter. And as I mentioned before, the AKS itself is criminal. So when we think about the types of cases where we see a lot of AKS violations, one great case is from 2021; that is the settlement date on that. And that was United States ex rel. Goodman versus Arriva Medical. And that was a case out of the Middle District of Tennessee. That case settled for $160 million after the relator’s counsel, it was a declined case and the relator’s counsel moved forward, responded to the defendant’s motion to dismiss. The judge denied the motion to dismiss, and the case settled. At issue was a type of kickback, which some people may not be as familiar with, but it has to do with the carte blanche waiver of co-pays and deductibles. And so a co-pay is able to be waived if there’s documentation that an individual had a financial need, but only for that individual. So you can’t just say, I’m going to waive all co-pays or deductibles without having individual documentation substantiating it.
So that case is really telling in terms of that area, and that’s an area too, Kevin, as you can imagine, that a lot of providers could really sidestep and eventually end up in hot water for not appreciating that type of risk. Another case that involved the Anti-Kickback Statute was actually a case that I had that the government intervened in and settled while it was under seal in May of 2024. So just about a year ago, and that was in the Northern District of Texas, and there the medical device company had physician owners, and there is a safe harbor in the Anti-Kickback Statute known as the 40/60 Rule, or the small business safe harbor, where if you, an individual physician or a group of physicians, own a certain amount of a company, then the revenues that they generate cannot be a certain amount, and so, a certain percentage of total revenues. And that’s what happened here. They didn’t meet the framework. And for anyone who looks at compliance with fraud, waste and abuse laws, it’s very important to note that you have to fit within the four corners of the safe harbor in order for it to be applicable. A couple of other really big cases that have been around lately. One is one of my favorite cases. It’s called the Sayeed case, and it went up to the Seventh Circuit. And the Seventh Circuit issued an opinion on May 2nd of 2024. And in this instance, a creative entrepreneur, I will say, started coloring outside the lines. And instead of being satisfied with the existing relationship he had with the Healthcare Consortium of Illinois, which really had a primary purpose of coordinating healthcare for lower income seniors in the state, he created a third entity and entered into a managed services agreement to pay this consortium $5000 a month for allegedly providing management services. But in practice, what he was doing was accessing the patient data, using that patient data to solicit business, and that in turn was billed to Medicare.
And as you hear the term PHI, your HIPAA flare should be going off, too. And that’s exactly what the judges both at the district court level and at the appellate court level said. And one of the things that caught their attention, and this is, this is pretty rich, which is why it always stands out in my mind, but Sayeed testified that he had spent over three decades in the healthcare industry and knew that buying protected health information was illegal. And as we know, HIPAA has a criminal provision as well. And so what the appellate court said was, you know, the district court was right. They did not err in finding that the defendant knowingly and willfully violated both the Anti-Kickback Statute and HIPAA, and also that this type of personal service or management contract did not qualify under that particular safe harbor for the AKS. And then very recently, Kevin, we have a few cases. One was against Omnicare, CVS; we had Controlled Substances Act violations which were very significant. And then there was a case that was actually filed in 2012 and that was United States and various states ex rel. Penelow versus Janssen Products. And as I mentioned, that case has been ongoing since 2012. The original firm that filed the lawsuit brought in really good trial counsel, who I’ve been fortunate to co-counsel with, and it went to a jury trial. The jury did not focus on the Anti-Kickback claims, but what they did focus on was the illegal promotion of an HIV drug. And the judge entered a final judgment of $1.6 billion.

Kevin Chmura: Wow, that is a very large number. You know, and so, you know, there is the big, this is why it’s helpful to look at actual cases, right. Where these, like I said before, where’s the rubber meeting the road in terms of actions being brought and settlements being, tell you what, you know, there are bad actors out there and some people that are knowingly skirting.
So it’s, I think when you tell the story about the co-pay waiving, it’s really, it really highlights why it’s so important to understand the False Claims Act, particularly in AKS, you know, that you could really just be in a situation where you think you’re doing something kind or nice for an individual or group of individuals and not even realize that you’re in violation of this. And it just speaks to the criticality of the understanding of what your obligations are. So that was super helpful. I wonder if we could pivot for just a few minutes, because you can’t really talk about healthcare today without also covering cybersecurity. There’s been such a huge push to digitizing everything over the last several decades, and we were digitizing things faster than we could keep up with those people that wanted to get at those digital records. And I wonder if you could highlight a few recent cybersecurity case settlements.

Rachel V. Rose: Yeah, absolutely. So in terms of False Claims Act cases, I was fortunate, along with my co-counsel, to represent the whistleblower who brought the first case that settled under the DOJ’s Civil Cyber-Fraud Initiative, and that announcement was made in March of 2022. At issue, there was a government contract with the State Department and some of our armed services. And in essence, there was a requirement to safeguard the information. There was an additional requirement to ensure that the HIPAA information was being secured in a way that HIPAA information should be secured. So in that instance, the government intervened and that was the first case. So I’ve seen cybersecurity violations from the whistleblower side, I have actually conducted HIPAA audits for well over a decade, and I’ve also represented people post-breach on the enforcement side. Some more recent cybersecurity-related cases are, one of my favorite ones is actually the Jelly Bean case that came out of the Middle District of Florida; that was not a whistleblower case.
The government brought that on its own. And it’s unfortunate because there was a breach of over 500,000 minors’ information. And what the government said about this company, Jelly Bean, and their owner was, hey, we contracted with you to provide services to keep this information secure. And it was an item that came about because of the breach, but what they found upon doing due diligence was that the common patches that should be done with software weren’t done for over a decade. They were using non-supported software, data was not encrypted, there were password issues, you name it, and this company had it. So they actually brought a False Claims Act case because, as we learned right out of the gate, the government can bring that too. So that was the Jelly Bean case. We’ve also seen it more recently, again with government contracts. That’s the MORSE case, that’s it, one that’s important. Penn State University settled a case. A colleague of mine brought that case that was brought in the Eastern District of Pennsylvania. And I will say this because in my experience, the whistleblowers in cyber cases are very sophisticated. They’re typically Chief Information Officers or highly educated people who understand what regulations are supposed to be met and what’s not being met. So I would say that if I am any type of company, whether it’s a business associate or a covered entity, I would ensure that I have my items in a row in terms of HIPAA compliance, because that’s one of the greatest areas of potential risk. And this area of the law is only going to be a focus of the DOJ, per their January of this year statement, that cybersecurity is going to continue to be an area that they focus on.

Kevin Chmura: Yeah, totally. And really in healthcare today, you should have an orientation towards data security, cybersecurity training, all safeguards, and many of them are just good business practices to begin with, right? Certain things can be more complicated than others.
But the, really to just run a business in healthcare, which we all do, it’s not really that complicated to stay in good stead, but it’s something you were touching on there, and I think it’s maybe a good way to close. And that’s really, you know, how do we mitigate all of these risks, really through, I guess, an effective compliance program? I mean, if you’re up on compliance, if you take it seriously, these things should fall into order. But I wonder if you could give our listeners maybe some advice and guidance in that direction.

Rachel V. Rose: Absolutely. So there are five main areas that I would focus on. The first is make sure, to your point, Kevin, that your HIPAA compliance is where it needs to be in terms of the Security Rule, the Privacy Rule, the Breach Notification Rule, as well as information blocking, which was part of the 21st Century Cures Act. And as you and I talked about in another podcast episode, the HIPAA Reproductive Rules. So that’s one area that’s key. Cybersecurity also dovetails into a case in Stark Law, because of the December 2nd, 2020 Final Rules. Those are the, quote, “New Stark and AKS Final Rules,” but they updated their safe harbors related to what types of cybersecurity services or goods could be provided and what needs to be done. So you need to have an agreement in place. You need to make sure it’s not based on volume or value, and it needs to be for fair market value. So those are some areas to look at when you’re considering the intersection of cybersecurity as well as fraud, waste and abuse laws. In terms of fraud, waste and abuse, 42 C.F.R. Section 483.85 requires a mandatory compliance program, and this specific provision was highlighted in the November 2023 HHS OIG guidance. And although guidance is not binding in that sense, it provides a great roadmap. But the laws and the regulations that it references are binding. So it’s a great item to look at right out of the gate.
So the seven elements, I call them the dirty seven, that are required for fraud, waste and abuse laws are: written policies and procedures; compliance leadership and oversight; training; effective lines of communication, with a compliance point person; enforcing the standards, having consequences and incentives. Those should be documented both in an employee handbook as well as your regular policies and procedures. There should also be a non-retaliation provision for concerns that are brought in good faith. And I added that term good faith because I actually represented a client where they had a rogue former employee file, literally, a false claim with a government agency that they were not compliant. And so, it came back after I defended them that, yeah, they were compliant with everything that they had, and the individual did not bring that concern to the company. He didn’t bring it to the company first, but he went externally and just filed a completely invalid and factually false complaint with a government agency. So that’s why if it’s in good faith, then people should listen. And, on the flip side of that, a positive situation I had with another client was that they had someone who was in billing bring a coding issue to their attention. And lo and behold, there was a glitch in the EHR system. So it was applying the wrong code. They were able to get the EHR company involved, address that, and then resubmit the claims right away to government and private insurers. And that is a great example of a good faith concern that was brought. It was investigated, and it really ended up helping the organization. And so that’s the benefit of looking at it like that instead of just retaliating against someone. The last two items are a risk assessment and audit; that’s a great way to have a third party come in and do an audit assessment, and then responding to detected offenses as well.
So the last part is just to review your contracts and make sure that if persons are receiving money that there is a contract that is in place and that it’s legal.

Kevin Chmura: Wow. So a lot, but a very important topic, because you can see it intersects with day to day life in healthcare in myriad ways. So that’s great. Maybe a quick summary. I mean, if organizations are proactively investing in a compliance program, living it, taking it seriously, and it’s not just a binder on the shelf, it’s going to mitigate risk from the False Claims Act, potentially reduce penalties, and avoid legal repercussions that can just, that can linger for quite some time. So Rachel, this has been great. Appreciate you as always. Your knowledge in this space is unbound and we’re really glad that you choose to share it with us, and I’ll reserve the right to bring you back for future episodes. Maybe catch up on some other things that are happening relative to this very important topic. So with that, I’ll say thank you, Rachel.

Rachel V. Rose: Thank you, Kevin. And thank you, Panacea and First Healthcare Compliance for having me again as a guest.

Kevin Chmura: We’ll have you back soon. Thanks.

Rachel V. Rose: Thanks.
| 5/12/25 | HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance | In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, to discuss the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, passed in 2024. With the reproductive healthcare landscape being very dynamic, this new rule has already passed one compliance date, with a second important date coming in February 2026. Tune in to learn about this new rule, and what it means in terms of reproductive health, patient privacy, and the legality between different states. In addition, learn some best practices for implementing the requirements of this rule into your practice. On June 18, 2025, the U.S. District Court for the Northern District of Texas – Amarillo Division (Carmen Purl, et al. v. United States Department of Health and Human Services, et al., Case No. 2:24-cv-228-Z (N.D. Tex.)), issued an order vacating the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, published on April 26, 2024, which amended the HIPAA Privacy Rule (Reproductive Health Rule). The decision left intact amendments to the HIPAA rule regarding certain Notice of Privacy Practices provisions pertaining to substance use disorder regulations, which need to be adhered to by early 2026.

Kevin Chmura: Rachel, thank you for joining us. Appreciate you joining us and looking forward to a timely discussion.

Rachel V. Rose: Thank you, Kevin, for having me, as well as to Panacea and First Healthcare Compliance; it’s always my pleasure to coordinate and converse with you on our favorite healthcare compliance topics.

Kevin Chmura: And it’s always great having you helping us with this, and your expertise is invaluable. And you helped us and were the contributor, really writer, of an e-book on this particular subject that will be released very soon. Really this podcast is somewhat of a companion piece to that.
And so what we’re talking about today is the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, passed in 2024. Reproductive health is a prominent and evolving topic within the healthcare policy landscape. It really, major changes have come down in recent years, and so there’s just a ton. So we thought it would be great to publish a book to get everybody up to speed and, but moreover, this podcast is an opportunity for people to hear directly from the person who helped us develop that. And that is Rachel. So, Rachel, I wonder, can you just start off by giving us a synopsis of the 2024 Final Rule, maybe some key terms we should be thinking about?

Rachel V. Rose: Sure. As you mentioned, Kevin, the reproductive healthcare landscape is very dynamic, and the rule itself was issued on April 22nd of 2024 with an effective date of June 25th of 2024. And basically what an effective date does is to start the clock running as to when certain requirements need to be implemented. This particular rule, which I will refer to as the HIPAA Reproductive Rule, has two prongs of compliance dates. The first already passed, and that had to be done by December 23rd, 2024. And for your clients who were with First Healthcare Compliance or Panacea at the time, they were able to access FAQs. And the first prong of the requirements really addressed every applicable item that I’ll run through, with the exception of the notice of privacy practices. Now, for anyone who’s been in the healthcare sector for a long time, and for anyone who goes to the doctor, a dentist or even a pharmacy to pick something up, we all know we have to sign the HIPAA authorization form, and then covered entities are required to post their notice of privacy practices. So the updated privacy practices, which need to include some of the reproductive health requirements among other items, do not need to be done until February 16 of 2026.
So this is similar to the staggering of the compliance dates which we saw with the Final Omnibus Rule, which was published in the Federal Register, it’s hard to believe, but going on over 12 years ago, and that was January 25th of 2013. Now specifically, the HIPAA Reproductive Rule really prohibits the disclosure of protected health information related to, in these terms I need you to focus on, lawful reproductive health care in certain circumstances. And the reason it’s important is because legal means that whatever service or good is being sought, it has to be legal within the jurisdiction where the individual is receiving that care or that good, so to speak. And so if we want to take certain types of surgeries or certain types of procedures that in a viable fetus’s life, then you need to be in a jurisdiction or a state where that is permissible. So the terms are the meaning of a person. What is a person? If you read the Final Rule, it means a natural person, meaning a human being that is born alive, a trust or estate, a partnership, corporation, professional association or corporation, or other entity, public or private. And this definition is common. It was adopted by the U.S. Supreme Court several years ago. So when someone says a person, it can mean either an individual human being or one of the other more business-oriented items. Now, public health is also a term. And for this Final Rule, it’s used in terms of public health surveillance, public health investigation and public health intervention, and this means population level activities to prevent disease in, or promote the health of, populations. For those who are familiar with HIPAA, there has always been what’s known as the public health exception, and that has limited applicability. But one of the exceptions is to report a positive test for a communicable disease. We saw this during COVID. It is required for sexually transmitted diseases and other kinds of diseases.
We’re seeing it now with all of the media attention on measles and those types of conditions. What’s important to note about public health is that those activities, which include identifying, monitoring, preventing or mitigating ongoing or prospective threats to health or safety, do not include any of the three following purposes, and that’s: to conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating health care. Secondly, to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating health care. And lastly, to identify any person for the activities that I just described. And I’m often asked, well, Rachel, what do you mean? If I’m seeking and what do you mean about going to a different jurisdiction? And for those who are familiar with the old school drinking age laws, for example, in Louisiana, the age used to be eighteen. So if you were eighteen, even though you were a Texas resident and went over the border to drink in Louisiana, it was legal and there was nothing that Texas could do as you were coming across the border. Now, intoxication while driving is a separate animal. But just because a person went over the border to drink in a jurisdiction or a state where it was legal doesn’t mean that Texas had any recourse against that person so long as they were sober coming back over the border. Right. A similar situation with reproductive health care. And that’s what the focus of this privacy is, if a person goes to a state to seek certain types of care, and the two areas that seem to be at issue particularly are surgical abortions or transgender care, especially as it relates to minors. 
So the other key term that everyone needs to be familiar with, and that should be in policies and procedures as well as training, is the term reproductive healthcare, and that means healthcare that’s been defined in this particular section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth the standard of care or regulate what constitutes clinically appropriate reproductive healthcare. So what HHS OCR said here is we are not looking to step into the shoes of the physician and determine what is appropriate under certain circumstances. We are not involved in the practice of medicine. We are just giving a roadmap of what is particular. And everything I just read really comports with the July 2022 opinion in Dobbs versus Jackson Women’s Health Organization, which overturned Roe v. Wade. And what’s important about that opinion is actually Justice Kavanaugh’s concurrence. And it’s important because, just as I mentioned, going across state lines to receive care, or use the purchase and consumption of alcohol situation, by way of analogy. Justice Kavanaugh expressly stated that nothing in this opinion is meant to contradict or inhibit any other part of the Constitution, and interstate commerce is expressly stated in our Constitution. So really everything is aligned with Dobbs as well as the opinions in the case.

Kevin Chmura: Yeah, it’s a great, great rundown. It’s impossible to talk about reproductive health in any context over the last several years in America without intersecting with Dobbs some way or another, right? That’s the seismic shift and I’m glad you touched on that. I think that’s a real critical area. And so, you know, the Final Rule is in concert with, or interacts is I guess a better way of saying it, considers Dobbs in the rule itself in all of the areas of Dobbs, correct?

Rachel V. Rose: That’s absolutely correct, Kevin.
And it goes back to that legally attainable reproductive health care, right? So if you’re in a jurisdiction where it’s not permissible or it’s not legal, then this rule is not going to help you on that front, right? It’s meant for individuals who are seeking care in a jurisdiction where it’s legal, and nothing in this Final Rule tries to interfere with that. But it does make clear that just because someone goes across to seek care in another jurisdiction, when they come back to their home state, the home state really has no recourse against them.

Kevin Chmura: By the way, I’m just old enough to remember my oldest brother driving over the border from New Jersey to New York for the 18-year-old drinking age. I was not so lucky. But, so that’s a great analogy and it’s a great way of looking at it. So are there any other compliance items or dates that are critical that we should be thinking about?

Rachel V. Rose: Well, as we mentioned from the outset, individuals and covered entities, etc. should have had the attestations, which are now under 45 CFR Section 164.509. This is new as part of the reproductive HIPAA rules, and here regulated entities are required to obtain an attestation when they receive a request for PHI potentially related to reproductive health care. So what they need to do is first, create the attestation. Second, obtain the attestation from the requester that the use or disclosure is not for a prohibited purpose, and a prohibited purpose would be for health oversight activities, law enforcement purposes, and disclosures to coroners and medical examiners. So from these three bullet points, I would recommend, A, training the people who actually handle the medical records for your organization and making sure that they understand that if one of these requests is made, and if you’re working in an OBGYN practice, it’s probably pretty easy, right? To make this a normal part of the processes.
For other types of specialties, it might not be as common, but still training needs to occur. There is already a law enforcement exception under HIPAA and that’s found at CFR 164.512. But as we know, even with that law enforcement exception, it safeguards our due process, right? So really, this serves as a further safeguard so that law enforcement is not trying to get around the normal processes such as going to court, getting a warrant, getting a subpoena. I would recommend having an outside legal counsel review the requests, especially for the first few of them, and also, if something just doesn’t seem appropriate. So that’s what I would recommend doing. And then we have a little bit of time left until February 16th of 2026, and that’s when covered entities are going to be required to update their notice of privacy practices to reflect changes to both the HIPAA Privacy Rule by including this reproductive component, as well as 42 CFR Part Two, which is more relevant to substance abuse and mental health disorders. And that relates more to SAMHSA, the Substance Abuse and Mental Health Services Administration.   Kevin Chmura That’s great. So throughout there you touched on I think a number of best practices necessary, but also best practices. Wonder for the listeners, maybe we wrap with as much advice as you’re willing to give to folks on how best to comply, what they should be thinking about immediately.   Rachel V. Rose Sure. So I think one thing to think about, if you haven’t already implemented what should have been implemented in December of 2024, I would jump on that. Secondly, what is your electronic health record doing? Are you working with your organization’s IT and provider to have a tab in the individual’s medical record, which requires a separate audit log and log in for sensitive information related to reproductive healthcare items? 
Psychotherapy note should already be in there if it’s that type of practice or the 42 CFR Part Two, so the substance use disorder item. So that’s one area to focus on there. Another area is the revised notices and there should be a separate provision that documents the Part Two changes. And then lastly, as part of the annual HIPAA risk analysis, I would absolutely recommend having the auditor include these facets of the HIPAA Reproductive Rule into the risk analyses so that you can ensure that it is covered.   Kevin Chmura That’s great and auditors are always looking for one more thing to audit for. So I’m sure that the audit community is happy to hear that. So Rachel, I think this has been great. I, we really appreciate it. This is a timely topic, probably one that’s worth revisiting as we move through February Compliance dates, and then into the future to probably talk about enforcement and other things that are happening all around this, because this is a topic that’s evolving and we’re coming into the middle of. So I would like to thank you for joining us and providing us so much information. Thank you.   Rachel V. Rose Oh, you’re most welcome, Kevin. And as always, thank you for having me as your guest.   Kevin Chmura And we look forward to bringing you back to continue the discussion on this. Thank you.   Rachel V. Rose Thank you.   | — | ||||||
| 3/18/25 | ![]() RE-RELEASE Employee Snooping & Insider Threats | 1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats. Catherine Short: Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. 
With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup vulnerabilities and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats. So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on. Raymond Ribble Thank you for having me today. It’s great.   Catherine Short Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they worry often about external risks such as hackers. Would you say that this is the right focus?   Raymond Ribble 2:15 For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data knowing that now that they’ve done that, that they’re probably going to come back and do it again. 
Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization more so today in 2022, than say 20 years ago, or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught and so therefore, hackers are more prominent because we use that word as a catch all for everything from phishing, to ransomware to XYZ. Does that make sense?   Catherine Short It does. So all the time in the news and media and everything we hear about ransomware, ransomware there’s a cyber attack. So if you were talking about ransomware and cyber attacks, versus insider snooping, which is one of the topics here and employees snooping, what would you say then? Could you expand on that just a little bit more?   Raymond Ribble I’m more worried about the insider threat personally, I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. 
So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads, and click on them to go see if that shirt from China is really interesting, and I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that. On the other hand, if I have people in my office, who are snooping or worse, in a malicious sense, stealing the credentials, and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach, it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective, is significant. The reason we have that feeling, Catherine is because what articles we typically see out there in the press, whether it’s online or in print are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization that a lot of people think well is really causing the damage?   Catherine Short So right. Can you give me some examples of what you’re talking about? When you mentioned insider threats or employee snooping?   Raymond Ribble Yeah, the worst one that we’ve had with our organization where we work with a client, was an incident where they were brand new to our technology, we implemented the system for them. And maybe a little bit of background. It is a rural hospital. 
You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping that what’s happening in my community, vis-à-vis their healthcare and what they’re coming in, what type of ailments they have. This organization went live with SPHER and in the first month of using the system, they had 1800 snooping alerts. 1800.   Catherine Short 7:50 Wow, that was from one organization?   Raymond Ribble That was for one place, it was the hospital and when we sat down with that team, and investigated the 1800s, they were all legitimate. There were no false positives, everything was legitimate. They had a very, very bad problem in this hospital.   Catherine Short That was in a month?   Raymond Ribble That was in one month.   Catherine Short Oh, my gosh, there must be a lot of gossiping going on there.   Raymond Ribble 8:22 Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now though, this is one that we probably would all agree upon. We sat down with them and this is where once they understood this was real, then they said, Okay, how are we going to solve this problem? And it really came down to the CIO. In this case, the CISO, saying, Okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out since it was everybody and saying, Okay, this is going to change immediately. We’ve implemented the system to monitor so I’m looking at you, just know that from today. Within two months, the snooping dropped from 1800 to five, five incidents, and those five incidents she told us, could all be explained. 
So you know, in essence, she said, Yeah, they did look, but here’s the reason they looked and she could accept that so basically, zero. Once people knew that somebody was looking at them looking at other people’s data, they stopped. Maybe they found a new way to do it, but they weren’t using the EHR system or the EMR system as their main source of office gossip. How’s that?   Catherine Short Wow. So when you have an incident where someone is looking at someone’s medical records, say like an ex-spouse or the ex-spouse’s new wife or something like that, what do you do?   Raymond Ribble So we have to be very careful. I think I mentioned this to many people. At SPHER, we’re not the HIPAA police. My tool that I make available to my clients, the SPHER dashboard and the alerts that you get, that’s where you start. We do the hard job of identifying areas that might be worthy of an investigation, you’re then looking at that data and determine is this meaningful information that SPHER is giving me and should I take action on it? Yes, or no. If it’s a normal action, you tell the system it’s normal and you won’t see that again. That becomes part of that person’s profile. However, in many instances, when people do identify and do the investigation, they’ve called us to say, hey, look, I just saw something here, I did an investigation, can you look at it with me, we have their permission to do so. And then we’re just looking with them to make sure that they’re interpreting the data correctly. Final decision is theirs, not ours. And as I say, whenever I speak, this is where they want to reach out to an organization like yours, Catherine, and have a conversation with somebody who’s like a HIPAA consultant, or like Rachel Rose, somebody who is a HIPAA law attorney, and have a discussion about how should I handle this going forward? 
We’ve had incidents where physicians have gone into the system and taken data that was so random that it showed up in the alert, and they were giving that data it turns out, to somebody else that used it, as part of your example, in a divorce proceeding for custody of the children. And the only way that that data could have been gotten on the wife in this instance, was through the medical record, because it was very private. How did he get it? Of course, somebody else took it out of the system, gave it to him, and he used it in a court of law. That was a no-no, and they should have thought about that before they did it but they did it anyways and so they got busted for that. I mean, think about the ramifications of a doctor in that in court. So we do see real instances of people at very high levels going in and snooping or maliciously exfiltrating data for the purposes of something that might be legal in nature or monetary in nature. And we see that more often than you’d like to believe.   Catherine Short If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media. I have a question then. How do you recommend to administrators and managers for balancing and creating a culture of compliance and then balancing this with the feeling for employees? When a new system is implemented, that they might feel like they’re being micromanaged.   
Raymond Ribble They’re very concerned, the administrators and the senior managers CISOs that we work with, they’re really concerned about that question that you’re asking. I want to do this but I don’t want to send a negative message to my employees. I don’t want to tell them I don’t trust them. I don’t want them to think that. Oh, you know, we’re watching everything they did – we are. How do I do this proactively? And so we’ve had some really creative organizations that have shared with us what they did do. That’s how I’ll answer your question, by sharing with you what I heard people do that I thought was very innovative. So they have a regular lunch, or they have a regular session that’s scheduled every month or every couple of months in the organization. They take some of the analytics that they’ve learned from SPHER and integrate that into the learning process. They talk about, hey, we’ve noticed over the last couple of years in the United States, that the threat vector in terms of breaches through phishing, and hackers and even insider threats, is increasing and as an organization, we want to do what we can to protect ourselves, protect our patients. So it’s a bit of a manipulation of the words, but they come up with a very creative way of saying, We’re doing this to protect the people who come in here in order to get healthy and you know, this is a team effort. It’s not a me looking at you effort. It’s us looking at what’s happening effort in order to make sure that we’re protecting our patients from any external threat. The byproduct is the internal threat gets addressed as well.   So they take it from a negative message to a positive message and they use different vehicles like team training, or the company lunch or some type of a newsletter that they have in the organization to start making that a regular part of the presentation, and maybe introducing incidents that happened in the past and the corrective action that the organization took. 
It sends a secondary message of, hey, I am looking and we are aware of these things, and if that happens to you, you might be the person or at least the incident’s going to be highlighted in the next newsletter or the next company meeting. So let’s watch our P’s and Q’s, let’s be better at how we access data and what we share.   Catherine Short 15:44 I think that’s very helpful for everyone.   Raymond Ribble You know, we always talk about penalties, we never talk about rewards. So if employees were to come to us with ideas on how we could improve our security posture, maybe there should be a reward for them doing that versus penalties for somebody who does something wrong. Catherine Short Right, everyone likes to be rewarded. No one likes to feel like they’re a bad dog, you know, with a smack with a newspaper or worse, obviously.   Raymond Ribble I think it gets viewed by the team, the employees in a much more positive light, if this is something we’re doing together. Hey, and if you have an idea on how we can improve it, I’d love to hear it. We sat down with the doctors and I’m thinking about who we work with a lot of clinics that are somewhere in the range of say 100 to maybe 1000 employees. So they’re always looking for creative ways to incentivize everybody doing better, it’s performance based. So security becomes a performance metric as well and providing better security and doing a better job of creating that culture should be something that can be rewarded within the organization.   Catherine Short True. I have a question again about audit. So what’s the probability that someone would get audited? What are your thoughts on that?   Raymond Ribble Yeah, broad question. I’m going to attack it based on just what I’ve seen. I live in California, Catherine. So last year, I think was last year, I lose track now, we passed the California Consumer Privacy Act. 
My understanding is within the next two years, if not all, almost all of the 50 states and territories will have some type of Consumer Privacy Act in place. In many instances, like in California, some of that law supersedes HIPAA, in terms of reporting, in terms of having to grant access to patient data to the consumer, to the patient, and that could result in punitive actions and or investigation. So when we think about audit, you and I, we probably focus more on OCR related, health and human services related activities. I think what’s happened is the landscape has changed. It’s gone from a Federal HHS issue, to include state level, privacy and security laws that now in many instances, again, can supersede what we have in terms of accountability, record keeping, documenting, and being able to prove that somebody did or didn’t do something within an organization. I think the probability of an audit today is much higher than the probability of an audit, say, two years ago or five years ago. It’s not a real number for you. That’s what people are faced with today. So I can’t give you a specific number. I don’t know one. But I know that that threat vector for us as organizations is increasing, not decreasing, because now we have federal and state that impact us. Does that make sense to you in the way that I’m stating that?   Catherine Short 18:45 Absolutely, actually, yes. And I’m glad you mentioned California, because California I know, I always think of being kind of like Europe with the GDPR and having more stringent laws, than federal   Raymond Ribble A lot of other states flew into Sacramento and sat down with the state of California to see how they put that consumer privacy act together and in many instances, the other states, it’s a derivative of the California Privacy Act.   Catherine Short Right. I have another question concerning security. 
What are your thoughts on the security of automatic logins on the computer like if it asks you if you want to save the password, and then you can just log in automatically next time? And then following up on that, isn’t it a problem when it asks you to show your password? I always feel like I’m suspicious that someone out there might be capturing my screen. I might be extra paranoid, but at that, I think maybe not. I don’t think so. I feel like somebody’s watching.   Raymond Ribble Good question. I hate passwords. I bet you hate passwords too. I’m a big advocate for at some point, I think we are going to move away from them, I think we’re going to move more towards biometrics, which I think is a better way to secure the data anyways, then whether it’s a fingerprint or a voiceprint, or an eyeball, whatever the case may be, I think they’re coming up with some really innovative solutions that we can incorporate. And I think we’re gonna see the MacBooks and the Microsoft workstations out there start to incorporate that technology in the years to come. That will allow us to move away from passwords. So your question is about having those passwords saved? Because I know that in a Microsoft and in an Apple world, you find online they will say, Oh, do you want to save this password? and it gives you the username and the password and boom, it’s sitting there. So if somebody were to break into your PC, they can go find that file, it’ll tell them every application that you have access to and what the login and password is. So is that dangerous? Yes, it is.   I guess if you’re really smart, you know what you’re using? Don’t do it. Your question, you kind of answered your question in the way that you asked it, don’t do it. Is it a risk? Yes, it’s a risk. I would start by saying, make sure your PC is encrypted, make sure you actually have a sophisticated login process to get into your PC itself. 
Because there’s only a few barriers of deterrent between your PC and all that data that we’re talking about. So please make sure you have a real stringent password in place that you can remember, that’s not written down, by the way that one doesn’t get saved into that file, and you’re gonna have to remember that, right? Otherwise, you’d have to do a jailbreak to get into your own machine. So you know, you’ve probably had those instances, and they’re like, well, you don’t know the password and we’ve got to break into it, kind of a thing. So that’s a real problem.   The first part of my answer is, yeah, I think that is a risk. I know I have some there, I tried to think about which ones I want to have saved on there versus the ones that do. So I don’t want my bank information on there. I don’t want access to any sensitive materials on there. I don’t even want my Amazon account on there because God forbid somebody gets on Amazon and my card’s already loaded into Amazon and they go on a shopping spree, right? It might seem innocuous, but it actually can be very damaging to you. If you can avoid doing it, please do. And your applications on whether you’re using Chrome or whatever says, hey, do you want to store it? And you’re like, sure why not? That way, one more I don’t have to remember. The problem is, the bad guys know how to find that file probably faster than you and I could.   Catherine Short Right. That’s why I’m asking.   Raymond Ribble But the reality is, no, you don’t want to use it. If you can avoid using it, you want to create sophisticated passwords, which I think is the solution to that. Your username is usually your email, I mean, it’s almost 90% of the bar. And then sophisticated passwords, I always use the example and it’s just an example. 
I like the Boston Red Sox, count that out in terms of the number of characters, anything longer than 12 characters, is really sufficient at defeating the algorithms that the hackers or a malicious insider might use in order to run against your machine to break the password code and get in. Most of the algorithms that they use are looking for an eight character based password. Once you move from eight to nine, nine to ten, ten to twelve, twelve to whatever, the time it takes for it to break into your machine grows exponentially. We’ll come back to why it’s taking too long, I don’t want to get into it. Now if they’re really hell bent on breaking into your PC or into your server, they’re going to do it because they’re happy to sit there hours, days, weeks to break into your PC, well, you’re dead in the water. But most incidents are not that way. Another thing I might throw in here, just as a side note, Catherine, don’t use your PC at Starbucks or the local coffee shop because there are too many unscrupulous people out there using very simple $20 devices that can hack into your machine while you’re logged in. So, you know, if you’re on your phone, be careful what you’re looking at. Don’t do that kind of work, and don’t access those applications when you’re out in public. Keep that to your house and again, make sure you encrypt your PC and to the extent that you can avoid putting those passwords on your PC. There’s a long answer to an easy question, but sorry.   Catherine Short Okay, very sound advice. I very much appreciate that. Well, I think that we are just about out of time here. Have you thought of any words of advice that you wanted to leave with our listeners?   Raymond Ribble No, I don’t think so. I think what I try to do in my presentations, Catherine, is the salient points that I’m trying to get across. I think for me, it’s upgrading your systems and making sure that the patches are properly up to date. 
It’s talking to your teams about security, I think it’s that simple. If they know that you’re thinking about it, they’ll think about it. If you don’t talk about it, they’re not going to be worried about it, talk about security, start talking about what can we do to improve security and work with my IT team to make sure that we have systems in place that allows us to regularly and properly monitor what’s happening within our system, not about trusting or not trusting your employees, we don’t know who’s surrounding them, we don’t know what’s happened in their life in terms of some life changing incident, that may move them from being the regular employee to be willing to do something that we might judge as malicious. And it could be again, for that personal gain but more importantly, it could be a reason for financial gain. If somebody is in a situation where they need to get money really fast, and the wrong person approaches them and tells them that, hey, some of those medical records would be worth thousands of dollars to me, you go from a very good employee to a very bad employee and sadly, it happens a lot. I’ve sat down with the FBI, I’ve sat down with OCR investigators, and they’ve heard enough stories about those types of situations, to know that it’s very real, that it’s that one incident that’s kind of broke the camel’s back and allowed or encouraged somebody to go do something that for many, many years they’ve never done before. So yeah, we trust our employees. 
I think we all do, I do, I trust all the employees in my office, but having some type of regular and appropriate system that’s documented, that I can demonstrate to an outside party, defense lawyer during an audit or during a deposition that, hey, we do these things to protect our office and therefore, it’s not about not trusting my employees, it’s just making sure that we’ve done everything to protect our patients, I tend to look at it that way, Catherine.   We had an organization who, using our technology, identified a user who had been with them for 17 years, who was going in and modifying records after the fact during lunch. Now, they were new to SPHER so they caught this with SPHER. They radically looked at it, they started going back in the records, and they found that she’d been doing it for 10 years. Why? For financial gain. She was taking a little bit off the top and when we sat down with the doctor as part of the investigation, they indicated that Oh, wow, every year, we always seem to be coming up short in different areas and we thought it was really bad. We even changed our organization that did our collections for us a couple of times thinking that they were the ones doing it wrong. We never once considered there might have been somebody internally that was doing this.   Catherine Short Oh, wow! That’s actually very sad. You never know.   Raymond Ribble You never know. I don’t think you should feel bad about monitoring your end users. We’re just protecting our business from some event that could be catastrophic in terms of everybody losing their jobs because of a breach. With SPHER, we look at 100% of all the activity of all the users every day because you couldn’t possibly do that. Our users can read easily, and intuitively say oh, yeah, that’s a problem. I can see why SPHER flagged that and let me investigate that. Bam. Make sense?   Catherine Short 28:22 Yes. Okay. Well, I think we’re about ready to wrap up our presentation then. 
So I wanted to thank you again, so much for sharing your time with us and your expertise. So thank you for being with us today.   Raymond Ribble Thank you for having me today. It’s always a pleasure and good luck to everybody out there.   Catherine Short And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.   | — | ||||||
| 2/19/25 | RE-RELEASE Mastering Defensible Pricing in the Era of Price Transparency | In this episode of 1st Talk Compliance, we dive into an increasingly crucial topic in healthcare: price transparency and its ever-growing impact on the industry. Kevin Chmura, CEO at Panacea Healthcare Solutions, joins us to share expert insights on strategic pricing and compliance, emphasizing the transformative benefits for healthcare providers. Learn how to proactively engage with CMS regulations and set your organization apart as an ethical leader in the realm of price transparency. | — | ||||||
| 2/18/25 | RE-RELEASE The Sky’s the Limit: How Price Transparency Can Empower Healthcare Providers | Grace Walsh speaks with Kevin Chmura, CEO at Panacea Healthcare Solutions, to explore an extremely timely topic: price transparency and its far-reaching impact on how healthcare providers interact with consumers, with each other, and with the market at large. Tune in as Kevin shares some important insights about how price transparency has opened the door to a whole new world of data analysis and strategic business strategies for healthcare providers, and covers what we might expect to see for the future of price transparency. We’ll also include some key resources for listeners hoping to boost their knowledge of CMS price transparency regulations and learn how they can leverage price transparency data to empower their own strategic initiatives. | — | ||||||
| 2/3/25 | New HCPCS Code Requirements for Supplies: Managing Your CDM to Avoid Claim Denials | In this episode of 1st Talk Compliance, Kevin Chmura and BreAnn Meadows discuss the challenges healthcare providers face due to payers increasingly denying claims for supplies that are missing HCPCS codes. The issue stems from recent payer policy changes, with supplies that were previously chargeable now being rejected if they lack a corresponding HCPCS code. The conversation tackles the complexities providers face in managing their chargemaster (CDM), maintaining accurate HCPCS coding, and addressing claim denials, which can result in lost revenue. Tune in to equip yourself with actionable strategies to avoid claim denials, as Bre underscores the importance of adopting a strategic, focused approach to managing your CDM, adapting to evolving payer practices, and staying proactive in compliance efforts. | — | ||||||
| 1/8/25 | The Two-Midnight Rule: Navigating the Complexities and Achieving Compliance | The Centers for Medicare and Medicaid Services (CMS) recently released additional guidance on the Two-Midnight rule that carries important implications for hospitals seeking to apply the rule correctly and consistently. In this episode of 1st Talk Compliance, host Kevin Chmura is joined by Stacy Pereira, Executive Director of Coding and Clinical Services in Panacea’s KA Consulting Division, to continue the discussion surrounding the Two-Midnight rule and the challenges it poses. If you enjoyed Panacea’s recent webinar on the topic, or you’re simply looking for more information on how the rule might impact you, tune in for a deep dive into the potential challenges involved for hospitals seeking to apply the rule correctly, possible financial impacts of the rule’s enforcement, and pitfalls of over- or underusing observation status. In case you missed our webinar on the Two-Midnight rule, you can watch it on-demand here. | — | ||||||
| 10/14/24 | Delivering Innovative Solutions: A Conversation with Panacea’s Newest Division President | In a landmark episode of 1st Talk Compliance, Kevin Chmura, CEO of Panacea Healthcare Solutions and host of the show, is joined by George Kelley, president of Panacea’s KA Consulting Services division. For over 40 years, KA Consulting Services has delivered unmatched revenue cycle solutions, helping hospitals and health systems nationwide enhance reimbursement, improve compliance, and streamline Medicaid eligibility. Known for its eligibility services, clinical coding and auditing services, and revenue integrity solutions, KA Consulting has earned a reputation for providing solutions that go the extra mile to obtain appropriate reimbursement and to improve compliance. We are thrilled to welcome them as a division of Panacea Healthcare Solutions, further enhancing our commitment to delivering industry-leading healthcare financial, revenue integrity, and clinical solutions nationwide. Tune in to get the inside scoop on this latest development as Kevin and George delve into KA’s background and our shared history and discuss how our newly combined expertise complements each other’s teams. | — | ||||||
| 6/13/24 | Part 2: The Sky’s The Limit – How Price Transparency Can Empower Healthcare Providers | Previously on First Talk Compliance, we spoke with Kevin Chmura, CEO of Panacea Healthcare Solutions, about how the advent of price transparency has caused the business of healthcare to evolve and opened up fresh possibilities for healthcare providers to gain a competitive advantage. In this episode, we continue that conversation by inviting on two additional experts from Panacea—Govind Goyal, President of Financial Services, and Henry Gutierrez, Senior Vice President, Financial Consulting Services—to dive deeper into the recent changes to price transparency requirements and expand upon the many ways healthcare providers can adapt to succeed in this new consumer-driven arena. From navigating compliance regulations to leveraging data for a competitive advantage, tune into Part 2 of “The Sky’s the Limit – How Price Transparency Can Empower Healthcare Providers” to gain insight into the evolving landscape of price transparency and what lies ahead. | — | ||||||
| 5/2/24 | Navigating Private Equity in Healthcare | Private equity has become increasingly entrenched in the healthcare sector, offering various financing options for providers to consider. However, like all types of financing, private equity introduces its own unique set of benefits and drawbacks and carries important legal implications. It’s essential to understand all the factors at play in order to maximize financial impact and preserve operational efficiencies while avoiding sacrificing compliance and quality of care. Tune in to hear Grace Walsh in conversation with Rachel Rose, JD, MBA, to explore this timely topic. In addition to providing a detailed overview of private equity in healthcare and its various pros and cons, Rachel shares valuable updates on enforcement actions by the U.S. Department of Justice and Congressional inquiries. | — | ||||||
| 3/26/24 | The Sky’s the Limit: How Price Transparency Can Empower Healthcare Providers | Grace Walsh speaks with Kevin Chmura, CEO at Panacea Healthcare Solutions, to explore an extremely timely topic: price transparency and its far-reaching impact on how healthcare providers interact with consumers, with each other, and with the market at large. Tune in as Kevin shares some important insights about how price transparency has opened the door to a whole new world of data analysis and strategic business strategies for healthcare providers, and covers what we might expect to see for the future of price transparency. We’ll also include some key resources for listeners hoping to boost their knowledge of CMS price transparency regulations and learn how they can leverage price transparency data to empower their own strategic initiatives. | — | ||||||
| 2/20/24 | The Importance of Defensible Pricing | Grace Walsh is joined by Govi Goyal, President of Panacea’s Financial Services Division, and Brian Prokop, Senior Vice President of Financial Consulting Services at Panacea, to discuss the importance of undertaking a strategic pricing initiative for your organization. In our current healthcare climate, it’s more crucial than ever to maintain defensible and rational healthcare pricing while remaining competitive and optimizing net revenue. As Govi and Brian can tell you, it’s a tricky balance to strike. Tune in as they share their tried-and-true approaches to developing defensible pricing strategies and learn how these measures can position hospitals for success in the era of price transparency. | — | ||||||
| 1/31/24 | 2024 E/M Updates: What You Need to Know (Extended) | Grace Walsh is joined by Becky Jacobsen, Vice President of CDM, Coding & Audit Services at Panacea Healthcare Solutions, to explore the key updates to evaluation and management (E/M) guidelines for 2024. On the surface, this year’s changes may appear fairly straightforward, but dig a little deeper and you’ll find that the updates have important implications for correct coding procedures. From payers, providers, and coders to those who work in auditing or IT template development, it is essential to keep up a comprehensive grasp on E/M coding guidelines. Tune in as Becky breaks down a few of the most significant guideline updates, clarifies some common areas of confusion, and shares her insider tips as an expert in the field of coding compliance auditing and education. | — | ||||||
| 1/22/24 | 2024 E/M Updates: What You Need to Know | Grace Walsh is joined by Becky Jacobsen, Vice President of CDM, Coding & Audit Services at Panacea Healthcare Solutions, to explore the key updates to evaluation and management (E/M) guidelines for 2024. On the surface, this year’s changes may appear fairly straightforward, but dig a little deeper and you’ll find that the updates have important implications for correct coding procedures. From payers, providers, and coders to those who work in auditing or IT template development, it is essential to keep up a comprehensive grasp on E/M coding guidelines. Tune in as Becky breaks down a few of the most significant guideline updates, clarifies some common areas of confusion, and shares her insider tips as an expert in the field of coding compliance auditing and education. | — | ||||||
| 11/8/23 | Mastering Defensible Pricing in the Era of Price Transparency | In this episode of 1st Talk Compliance, we dive into an increasingly crucial topic in healthcare: price transparency and its ever-growing impact on the industry. Kevin Chmura, CEO at Panacea Healthcare Solutions, joins us to share expert insights on strategic pricing and compliance, emphasizing the transformative benefits for healthcare providers. Learn how to proactively engage with CMS regulations and set your organization apart as an ethical leader in the realm of price transparency. | — | ||||||
| 6/8/23 | The Increasing Role of the FTC in the Poaching of PHI – A Discussion of Better Help, GoodRx & Flo: Audio Version of the Webinar | Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX will be presenting this informative webinar. Cybersecurity risk management and the potential for enforcement actions is not diminishing. An area of increasing interest by the Federal Trade Commission, the United States Department of Justice, and Congress is third parties taking sensitive data (especially by social media and search engine giants), including protected health information, without obtaining affirmative patient/consumer consent and benefiting financially. The U. S. Department of Health and Human Services, the agency tasked with enforcing HIPAA, also plays a critical role. The purpose of this presentation is to address different federal government initiatives, recent enforcement actions and incidents, and risk mitigation. This webinar will cover the following objectives: 1. Learn about the differences between various laws and the implications for liability in relation to not obtaining the appropriate patient/consumer consent before using sensitive information for sales and marketing purposes. 2. Appreciate the various initiatives, incidents, and enforcement actions taken by private entities in disclosing potential breaches, as well as different federal government enforcement action. 3. Glean risk management tools to incorporate into compliance programs. | — | ||||||
| 6/7/23 | Evolution of Price Transparency and How to Stay Ahead of CMS Requirements | 1st Talk Compliance features guest Govi Goyal, President, Financial Services, at Panacea Healthcare Solutions, on the topic of Evolution of Price Transparency and How to Stay Ahead of CMS Requirements. Govi joins our host Catherine Short to discuss how the new CMS Price Transparency Rule and No Surprises Act are closely related. By providing Good Faith Estimates for healthcare services, hospitals can comply with both regulations. This helps patients understand their expected costs upfront and avoid surprise medical bills. Panacea’s CMS Price Transparency and Hospital Zero-Base Pricing software solutions can assist hospitals in providing accurate Good Faith Estimates to their patients and stay compliant with the latest regulations. | — | ||||||
| 5/30/23 | Healthcare Assets – How to Preserve and Protect | 1st Talk Compliance features attorneys Sean McKenna, Lauren Nelson, and Vincent Aiello of Spencer Fane LLP, on the topic of Healthcare Assets: How to Preserve and Protect. Sean, Lauren, and Vince join our host Catherine Short to discuss the interplay between enforcement and liability proceedings with asset protection, explore how government and private litigation matters can impact healthcare companies, clinicians, and executives, and provide tips and preventative strategies to preserve income and assets prior to such action to ensure business continuity and succession planning. | — | ||||||
| 5/8/23 | A Harassment-Free Workplace vs the Right to Engage in Concerted Activity | 1st Talk Compliance features guest Lauren Moak Russell, Counsel at Young Conaway Stargatt & Taylor, LLP in Wilmington, Delaware, on the topic of “A Harassment-Free Workplace vs the Right to Engage in Concerted Activity.” Lauren joins our host Catherine Short to discuss how the National Labor Relations Board under the Biden Administration has expressed a renewed interest in expanding its influence into non-unionized work forces. This includes reviewing and–in the right circumstances challenging–employers’ use of workplace civility, confidentiality, and anti-harassment policies. Listen as we discuss what you need to know to safely navigate the National Labor Relations Act while ensuring that your employees enjoy a safe and respectful work environment. Catherine Short: 0:01 Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Lauren Moak Russell, Counsel at Young Conaway Stargatt & Taylor, LLP in Wilmington, Delaware, on the topic of a harassment free workplace versus the right to engage in concerted activity. The National Labor Relations Board under the Biden administration has expressed a renewed interest in expanding its influence into non-unionized workforces. This includes reviewing and, in the right circumstances, challenging employers’ use of workplace civility, confidentiality, and anti-harassment policies. 
Listen as we discuss what you need to know to safely navigate the National Labor Relations Act while ensuring that your employees enjoy a safe and respectful work environment.   Before we begin, I would like to mention that at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals, and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition. For this episode, we’re spotlighting Super Ninja Sharon Miller, administrator at Gulf Coast Dermatopathology Laboratory. Sharon says “patient care is paramount and by creating a culture of caring, compassion and respect, we have succeeded in all we do. We try to promote a family atmosphere which in turn translates to ultimate patient care”. Congratulations, Sharon. Our team is honored to have the privilege of working with you.   Well, thank you so much, Lauren, for being on First Talk Compliance. Thank you for being here.   Lauren Russell 2:16 My pleasure. Thank you for having me.   Catherine Short 2:18 Today, we’re talking about workplace civility, and also about the National Labor Relations Board. Can you get us started in talking about how things have changed as opposed to the previous administration?   Lauren Russell 2:34 Absolutely. So I think that the first thing that listeners really need to understand is that the National Labor Relations Board is not just for unionized workforces, that it has a role in regulating nonunion workforces, particularly where employer policies impact what we call section seven rights, and that’s really employees’ rights to talk about the terms and conditions of their employment. This is an area where we see a lot of ebb and flow between Republican and Democratic administrations at the federal level. I know it’s not a popular thing to talk politics these days, it’s oftentimes very inflammatory, but the reality is that the board changes its conduct very significantly between administrations. 
And so we had under the Trump administration, a board that really saw its role as very limited in terms of just regulating the relationship between organized labor, which is what we call a unionized workforce, and management. To a Biden administration and a board that really sees its role as very expansive and is very focused on ensuring that even in a non-organized workforce, so a non-unionized workforce, that employers are conducting themselves in a way that does not adversely impact employees, what we call Protected Concerted Activity. So their ability to talk about the terms and conditions of employment. This includes a lot of things that make employers uncomfortable, including wages, compensation, comparing how much I make to how much you make, masking, vaccination requirements, anything that keeps a manager up at night, is something that almost certainly touches on Protected Concerted Activity and that can be protected by the National Labor Relations Board.   Catherine Short 4:33 So, employees have the right then to discuss their pay with each other. Is that correct?   Lauren Russell 4:41 Yes, it is. This is something that makes employers really uncomfortable. I understand. I come from a family where we don’t talk about money because I think a lot of us do, right? It’s very crass.   Catherine Short 4:59 Yeah. I never asked my parents or if I did, I was shut down right away. You know, like what you don’t talk about, you don’t ask people how much they make, what’s wrong with you?   Lauren Russell 5:09 Even at 40, I don’t know how much my parents made at any point in their lives. So no, it’s not just about being a child. It doesn’t change. That was very much the way of things. In my parents’ generation, it was simply something that wasn’t done, and certainly my grandparents never, never, never, never, in a million years, never. But wages are really the heart of the terms and conditions of employment, that is the most essential thing. 
So, the National Labor Relations Board for a very long time predating my practice, starting back in 2009, well before that, the National Labor Relations Board has said policies that prohibit employees from discussing and comparing wages are a violation of the National Labor Relations Act. It does not matter if you have a unionized or a non-unionized workforce, you still may not have policies like this. It’s hard, it does create resentment and frustration and questions and gossip among employees. We have to look at it from the flip side, from the public policy perspective. On that side, employees can’t know if they’re being treated unfairly unless they’re able to talk about wages. That’s really the impetus for these policies and I think that it’s helpful, it keeps employers from getting really angry when we look at it from the public policy perspective. Then you can say, well, it makes my life more difficult. I guess I can understand that women or minorities or individuals with disabilities, they couldn’t discover that they were being treated differently if they were never, ever under any circumstance allowed to talk about their wages with other employees. That’s the way we figure this stuff out.   The Obama administration was very focused on the expansion of the role of the National Labor Relations Board, the Trump administration had a much more conservative view of the role of the federal government, and really pared back the enforcement activities that the board was engaged in. Now that we are back under a Democratic administration, that role is expanding, again. I happen to be somebody who thinks that predictability is a very important thing for business. So, whether you are going to have an expansive view or a retracted view of the board’s role, and there are grounds to argue for both, it’s not that one side is patently wrong and the other is patently right. 
It’s really a matter of philosophy, on whatever the case may be, it is good for businesses to know what the expectations of them are. The National Labor Relations Board swings much more broadly than any other federal enforcement agency. That’s a tough thing for employers to cope with so this is really a problem for both sides of the aisle. I don’t think that anybody is conducting themselves, necessarily in the way that provides the most predictability for business. The best we can do here on the outside is to make sure that employers are educated and know that these risks are out there. I’m certainly talking about it a lot more because I am seeing and I was in practice, under the Obama administration, the Trump administration, and now under the Biden administration, I have never seen as much effort to enforce against the private sector, as I am seeing now. So, Biden has held true to his promise to be the most labor friendly president that many of us will see in our lifetimes. So, even though the Obama administration expressed an interest in pursuing these matters, we’re seeing the enforcement drive from the Biden administration that perhaps was not quite so present before.   Catherine Short 9:19 Okay, so it sounds like there’s a lot of reason to be concerned. And I know this from talking to a lot of our administrators, like hospital administrators, practice administrators, all kinds of CEOs and CFOs, etc., that they have a lot on their plates right now and so much to be concerned about. It feels probably for some, that this is just another thing that they need to be worried about, right? If you could give one piece of advice to businesses and if they can only do one thing, what should it be?   Lauren Russell 9:52 I would take a really careful look at handbooks. That is an area that almost every business I represent neglects because, it’s there and this other thing is an emergency and I’ve got to put out that fire. 
And to your point, everybody has a tremendous amount of work on their plates right now. This is the most difficult environment to operate in that I’ve ever seen. It is truly amazing that people are able to get up and soldier on every morning. That’s from the management side and from the labor side, everybody’s got a lot on their plate. If we could move the handbook to the top of your non-emergency stack, that’s what I would do. Handbooks should really get a thorough going over every couple of years anyway. If you haven’t taken a careful look at your handbook in the last two years, to update it and make sure that it’s compliant with your current labor and employment laws, that’s a great thing to do. And take a look at those things: workplace civility, social media, and make sure that you’re really focused on illegal behavior and not just that employees shouldn’t say things that make us unhappy. Any policy that’s designed to keep employees from saying embarrassing things in public is going to likely be a problem. We should really be focused on: do not engage in illegal behavior, if you are on Facebook with a picture of you and your favorite marijuana paraphernalia that’s something we can prohibit. We can prohibit harassment and discrimination and defamation. Defamation is illegal behavior. That is, it’s a tort, it is unlawful. You can prohibit defamatory conduct. But when we’re talking about general civility and being nice and being courteous, that’s a tough thing to enforce.   Catherine Short 11:44 If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Lauren Russell, Counsel at Young Conaway Stargatt & Taylor, LLP, on the topic of a harassment free workplace versus the right to engage in concerted activity. 
Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.   Okay, could you talk to us about the National Labor Relations Board or the NLRB’s current enforcement policies?   Lauren Russell 12:35 Yeah, I mean, as I said a few minutes ago, there’s really been a focus on expanding their role in the private sector non-unionized workforce. When we’re looking at that, the driving force behind this is the current general counsel for the board, Jennifer Abruzzo. She is a brilliant woman. There has been a sense at times that she may be a little bit more aggressive than even sometimes the unions are comfortable with. But she is the driving force behind these priorities, and they include a couple of things. She certainly is very focused on lowering barriers to unionization in the workforce. And so she’s looking to bring back certain administrative policies from the Obama era that either got stalled out or were challenged in court, including lowering thresholds to union organizing, and in a non-unionized workforce. And then also making it harder to oust a union, once it’s in. She is looking to reverse past decisions by the National Labor Relations Board under the Trump administration. It’s helpful to understand a little something about the composition of the board. The board consists of five individuals, five members who are appointed. Under a Democratic administration, it’s usually three Democrats, two Republicans, under a Republican administration, it’s usually three Republicans and two Democrats, and then the general counsel is a presidential appointee. So, she was appointed by Biden, after he terminated her predecessor, who was a Trump appointee who refused to step down. So, there’s a bit of a kerfuffle there. The board changes its orientation very promptly upon a change in administration. 
You usually have to wait for one of the members to come to the end of their tenure, but then you have a very rapid switch, and so the board can completely flip between a Democratic and a Republican administration. With that in mind, with that background, she’s looking to reverse precedent on a couple of things including when an employee is engaged in Protected Concerted Activity. She wants to reverse some case law that held that an employee is not engaged in protected activity when other employees don’t join in the complaint or are offended by the complaint. This is really designed to protect individuals who are expressing unpopular opinions. She wants to reverse past case law that gave employers discretion, she wants to limit employers’ ability to impose confidentiality in the course of internal investigations and in settlement agreements and challenge that, because it impacts an employee’s freedom to speak about the terms and conditions of employment.   Then she really wants to focus on limiting what an employer can do in a handbook. So, limiting handbook policies that in any way, on their face, would make a cautious employee less likely to engage in their section seven rights. By that I mean to talk to other coworkers about terms and conditions of employment. When we’re looking at those kinds of policies, we’re looking at confidentiality, non-disparagement, social media, media communications, civility, and respectful workplace policies, offensive language prohibitions, and no cameras at work rules. All of those things, when they are applied in just the right way can make a cautious employee and that’s the standard she wants. Not an average employee. Usually in the law, we look at a reasonable person, right? That is an imaginary reasonable person is who we look at when we decide what the legal standard is. She says, no, I don’t want you to think about a reasonable person. I want you to think about a cautious employee. That is our standard. 
If they feel like an employer policy inhibits their ability to speak freely to coworkers about terms and conditions of employment, her position is that handbook policy has got to go.   Catherine Short 17:20 Can you expand a little bit more on what her definition of what a cautious employee might be?   Lauren Russell 17:25 Well, it’s certainly not a defined concept. But I’ll tell you a cautious employee is one that complains to the board.   Catherine Short 17:31 In my mind, a cautious employee would be somebody who’s super careful, but who would not complain, who would be really careful about what they say. Cautious to me is caution.   Lauren Russell 17:42 Keep in mind that the National Labor Relations Board, like every other federal agency, has very limited resources. So as a general rule, they do not have a practice of auditing non-unionized workplaces. The board would not knock on the door at First Healthcare Compliance and say “we’d like to see your employee handbook, please show it to us”. Similarly, they would not do that at my firm. So what has to happen is an employee has to go to the board and say, I think this handbook is discouraging. It’s somebody who’s not necessarily complaining internally and that is very frustrating to employers as well. How was I supposed to know you felt discouraged? I didn’t intend to discourage you. You never told me you felt discouraged. Instead, you went off and filed a charge. That’s the cautious employee.   Catherine Short 18:38 Okay. All right. Interesting. Okay, let’s talk about social media for a second. Can you explain a little bit about what is expected concerning social media at this time?   Lauren Russell 18:52 Social media is my nightmare.   Catherine Short 18:56 And for a lot of employers. You have some employees who don’t engage in social media whatsoever, and then some employees who are extremely engaged. So what’s the role right now?   Lauren Russell 19:07 Yeah. 
Certainly, you can expect employees to be lawful online. That is a perfectly reasonable expectation to say. Believe it or not, I’ve got clients who have to have a policy that says, Please do not post photos of unlawful activity. You should not have open containers of alcohol in a vehicle. You should not post photos of your marijuana paraphernalia. You should not post racist diatribes on Facebook. Depending on your workforce that may or may not be something you need to say. All of that behavior is something that you can expressly prohibit. What you can’t prohibit, and what a lot of social media policies say, is that you may not post anything online that criticizes the company or its customers, clients, patients, etc. Now, in the healthcare context, we have some additional overlays. Most employees have HIPAA obligations, and you can absolutely say you may not post anything online that violates your duty of confidentiality under HIPAA. You cannot say Mrs. Smith was in today and she was a raging you-know-what, and I hate her and I hope she never comes back to this practice.   Catherine Short 20:26 I know perhaps some people like to go on diatribes on social media, personally, as themselves, not as representatives of their company, and say all kinds of things.   Lauren Russell 20:38 When we’re talking about where the board wants to flex its authority, it comes in two places. One is the policy itself. If you have no social media policy, then there’s nothing for them to look at. The other is, when we apply the policy, are we adversely impacting Protected Concerted Activity. Going on Facebook and saying every member of the Green Party is an unmitigated idiot is not protected concerted activity, it’s not about the workplace, it’s about the world out there. So you can absolutely, and if a patient or a coworker comes in and says, your receptionist on Facebook called me an idiot, and I don’t want to deal with them anymore, if you don’t fire them, I’m going to leave the practice. 
That’s okay. You can fire the employee, because their social media conduct has adversely impacted the business and they have tied themselves to the business in some way. Very frequently this happens because somebody tagged themselves to your company’s Facebook page, or they have a picture of themselves wearing a First Healthcare Compliance T-shirt, and so they associate themselves online, and then somebody figures it out. They say, so-and-so was saying offensive things on the internet, I see they’re wearing their shirt, I went to your website and see that they work for you, and I think you should know about that. I have had those cases, and that person’s gone. They were the ones who tied themselves to your company on the internet, and that’s their fault.   When we’re talking about actual concerted activity or the impact on the workplace, and this does happen, somebody posts on the internet, for example, something inflammatory about undocumented immigrants that borders on racist, right, or says every member of the Republican Party is a racist, you can’t be Republican and not be racist, and you have a Republican employee who says, this is outrageous. This person is calling me racist on the internet, I’m deeply offended, I don’t feel comfortable working with them anymore. Again, that behavior is not protected concerted activity. They’re talking about Republicans out in the world, they’re not saying the Republicans I work with are racists, they’re saying all of them in their totality. That is, again, behavior that creates a hostile environment, it makes people deeply uncomfortable, and you can discipline that behavior, or you can terminate the employee. In the same way, if somebody was posting racist or sexist messages, so instead of calling somebody else racist, I am posting deeply inappropriate things on the internet, jokes and memes about how women should be barefoot and in the kitchen, right? Because a female coworker comes in and says, I am deeply offended. 
I am a working woman and a mother, and this person thinks my only worth is to be at home. Like that’s, that’s offensive to me. Okay, we can discipline that behavior. Where the board gets interested, is when an employee goes on social media and criticizes the employer. If I go in on social media and say, my manager at XYZ company is racist, he will not denounce police violence in the country. Or he is paying female employees less well than male employees. That is Protected Concerted Activity. I have gone into a public environment and on behalf of myself and other workers have criticized management and said, this is an illegal environment, or there were unlawful behaviors happening here. I don’t know a single manager that I’ve ever met, who wouldn’t be deeply offended and upset that somebody took that to Facebook instead of talking to them first. And so the gut reaction is always fire them, discipline them. They took internal business to Facebook, they never talked to me. I had no chance to deal with this and now they’re defaming us on social media that’s Protected Concerted Activity and that is a real risk to the business if you discipline.   Catherine Short 24:47 So I have a question about employee expectations and labor rights perhaps do they extend to part time contract employees and also interns?   Lauren Russell 24:57 They apply to part time employees. Yes. Contractors? No. When you have independent contractors who are regularly working on your site like temporary staffers, the answer is often Yes because there’s a joint employment relationship. Interns, it depends. But generally if they’re paid interns like a summer intern, yes, they’re going to be covered. If it’s a volunteer, like at a hospital, you often have individuals who come in to read to sick children, or they will sit with the elderly patients. Those are not employees of any stripe, they’re volunteers. 
And even if it’s sort of a summer internship, candy striper situation, it’s really more in the nature of volunteerism, and not within the scope of the board’s authority.   Catherine Short 25:47 Okay, well, I think we’re just about out of time. Did you have any other words of advice or things that you wanted to discuss that we didn’t talk about? Perhaps,   Lauren Russell 25:59 No solid guidance, but I will tell you anecdotally that I have watched businesses unionize, and I have watched them vote out unions. The key distinction is a level of basic respect between management and labor. You know, there’s a lot of research out there on healthy marriages. The marriages that succeed are ones where there’s mutual respect between spouses. If there’s a lack of respect, if spouses roll their eyes at each other, that’s a sure sign that one day they’re going to be divorced. That same guidance applies to labor-management relations. You don’t have to agree on everything, and they oftentimes don’t. But when you can have dignity and respectful communications, that is a workforce where you are much less likely to see unionizing efforts generally, and specifically, even in non-unionized workforces, where you’re going to see charges brought before the board. When employees feel respected, and like they’re partners, you are always going to be in better stead. It’s a hard thing to do, but cultivating respect, making sure that even your low-level employees feel like they are a critical part of your success, and that they have a voice in how decisions are made. It’s hard to do, but that makes a huge difference. Okay,   Catherine Short 27:33 Well, I want to just thank you so much. Lauren, did you have any other words of advice that you wanted to leave us with today?   Lauren Russell 27:39 Tolerance, kindness. 
I will tell you that you run into union problems when both sides of the equation, management and employees, are not able to take a deep breath and say, hey, I really need you to hear me, but I could have said that nicer. I keep seeing these news headlines about how mean people are right now, that people have just hit their limits and they are mean. I hear that anecdotally from clients too. I think we’ve got to take a deep breath and be a little less mean. When there is a sense of respect and dignity between labor and management, you really avoid the vast majority of these issues. So kindness.   Catherine Short 28:22 Great. That’s always wonderful advice. I wanted to thank you so much for being here today.   Lauren Russell 28:27 Very happy to be here. Thank you for the opportunity.   Catherine Short 28:31 And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.   | — | ||||||
| 4/18/23 | ![]() False Claims Act “Hot Areas” – What You Need to Know: Audio Version of the Webinar | Expert presenter, Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX guides us through current trends and tips. With its roots stemming back to 1863, the False Claims Act continues to be the U.S. Department of Justice’s primary enforcement tool for returning money to the Federal Treasury. It is also considered one of five fundamental fraud, waste, and abuse laws, which potentially impact a provider every time a claim is submitted to Medicare, Medicaid, and other government programs because of the attestation language. The purpose of this webinar is to provide a synopsis of the False Claims Act and the current landscape in relation to coverage determinations and the federal Anti-Kickback Statute. This webinar will cover the following objectives: Learn about current case law and some of the diverging opinions in different federal courts. Appreciate the hot areas of potential liability. Understand how a legitimate and robust compliance program comes into play with the recent changes to the DOJ’s cooperation credit and compensation reforms from both the criminal and civil divisions. | — | ||||||
| 4/10/23 | ![]() A Practical Approach to The Safe Harbor Law | 1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of A Practical Approach to The Safe Harbor Law. Ray joins our host Catherine Short to discuss how HIPAA data breach penalties typically get measured in millions of dollars, even following an organization implementing NIST cybersecurity framework measures. However, with the new HIPAA Safe Harbor Law, signed in January 2021, HHS and OCR may consider some penalty mitigation. It is important to understand that the Safe Harbor Law, while offering substantial protection, does not provide a true safe harbor and only offers some protection. This episode will examine what the established security practices for healthcare are, and how to pivot your organization’s security profile to mitigate breach penalties if an event occurs. Catherine Short 0:01 Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Marketing Manager for First Healthcare Compliance, a division of Panacea Healthcare Solutions. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. Please show your support by taking a moment to provide a review on Google, Facebook, or iTunes, and be sure to follow us on social media and subscribe to our YouTube channel. On today’s episode, we are speaking with Raymond Ribble, CEO and Founder at SPHER Inc, on the topic of A Practical Approach to The Safe Harbor Law. HIPAA data breach penalties typically get measured in millions of dollars, even following an organization implementing NIST cybersecurity framework measures. However, with the new HIPAA Safe Harbor Law signed in January 2021, HHS and OCR may consider some penalty mitigation. It is important to understand that the Safe Harbor Law, while offering substantial protection, does not provide a true Safe Harbor and only offers some protection. 
This episode will examine what the established security practices for healthcare are, and how to pivot your organization’s security profile to mitigate breach penalties if an event occurs.   Catherine Short 1:39 So Ray, thank you so much for joining me on 1st Talk Compliance. It’s a pleasure to have you on.   Raymond Ribble 1:42 Thank you for having me, I appreciate it.   Catherine Short 1:43 Again, I’m so happy you’re here today. Today we’re discussing the Safe Harbor Law, and we’re going to be talking about a practical approach. For people who are new to this, can you give us a good background or a brief description about what we are going to be discussing as far as some compliance background? Or how we got here, as far as I know that HIPAA has a Safe Harbor Law? And I know that that affects how people need to protect their health data and their data in general. Can you give us a little bit of background of what we should be protecting and what we should be careful of and what we should be discussing?   Raymond Ribble 2:27 Sure. For our listeners, I’ll try to give you the Cliff Notes version of what it is. What I wanted to do for everybody who’s listening today is just give you a brief introduction to what the Safe Harbor Law is. I don’t want you to become experts on the Safe Harbor Law, I don’t want you to be able to click off the five things that it does. That’s not the background. It’s just that some well thought politicians in both the Senate and the House got together and said, hey, look, we’ve provided all this money to help these medical institutions move from paper to digital. In doing so, we’ve exposed them to a brand new set of risks in terms of data breaches that can occur that didn’t exist before. And now we’re asking them to spend more money to implement policies and procedures and potentially technology solutions in order to protect that digital data. So that’s the first part of it. 
And they said, look, for the organizations that embrace these ideas, that go the extra mile, that implement these policies and procedures, that are not experts on the Privacy Rule and the Security Rule and HIPAA, but they do understand that protecting patient data is a new requirement that they have to adhere to, and they want to do their best. They don’t want to do the best. They want to do their best to protect that data. They wanted to incentivize those organizations for implementing cybersecurity best practices. And in doing so, they put out what was called House Resolution 7898, which became the Safe Harbor Law. It was signed into law on January 5, 2021, by the President, and basically, that became Public Law 116-321, which is affectionately called the Safe Harbor Law. There are Safe Harbor Laws in other industries. This particular Safe Harbor Law is specific to the healthcare industry. So that’s why it’s important to you and I and to our listeners today.   This Safe Harbor Law, again, 116-321, is the HITECH Safe Harbor Law, if you want to think of it that way. And what it says is that if you implement policies and procedures, technologies, training, documentation around protecting your patients’ PHI (Protected Health Information), and you still experience a breach, that when the investigation from the OCR auditors occurs, and it will occur, you will not be penalized as heavily as an organization who did nothing. That you should be incentivized, i.e., through that lack of penalties and monetary penalties, you should be incentivized to do that, so that there is a risk-reward type scenario that’s set up in this. If you’re going to spend the money to protect that data, and then ultimately, it really happens and you have a breach, you should be getting a pat on the back and a reward for having spent that money and the time and the investment and the education with your staff to do the best that you can do. 
Nobody can fully prevent a breach, but you went the extra mile, and they wanted those organizations to be rewarded. The word they use is it mitigates the probability of a major penalty, but in my opinion, really what they’re saying is attaboy, it’s not going to cost you 8.13 million, it might cost you 50,000. You had a breach, that’s a bad thing. There’s some wrist slapping that has to take place, but you’re not going to pay millions of dollars, because you paid up front, you made the investment to do the best that you could do, those cybersecurity best practices that I spoke about, you implemented parts of NIST, you went out and purchased some third-party products, you educated your staff, you documented all of that, you did your security risk assessment every year, you did what was reasonable and appropriate for an organization of your size, and you still had a breach. Should you be blamed for that? The bad guys can basically spend 365 days a year trying to break into your system. You’re not going to spend 365 days trying to prevent them from breaking into your system. So there’s got to be some risk-reward there. That’s where the Safe Harbor Law is coming from.   Catherine Short 7:17 That was a really great explanation. Thank you so much. That actually was a very practical approach. Concerning standards of security, what should we be using as a guide? For example, does HHS provide a guidebook?   Raymond Ribble 7:32 I think a great starting point is NIST. For those of you who don’t know what NIST is or what it stands for, National Institute of Science and Technology. Basically what they do is they provide a security framework for many industries, not just the healthcare industry. 
What I’ve recommended to organizations is, if you take a look at NIST in the five key areas that they identify, and then you put that together with the recommendations coming from the 405(d) task force, then I think that that is a blueprint that you can start going down towards protecting your organization without making mistakes or spending money where you don’t need to spend money.   Catherine Short 8:16 What is the NIST cybersecurity framework?   Raymond Ribble 7:20 The NIST cybersecurity framework comes from the National Institute of Standards and Technology. It was developed many years ago as a guideline to help organizations understand what they need to do in order to identify, protect, detect, respond, and recover important data. So outside of healthcare, it might be PII; in the healthcare world, what we call PHI (Protected Health Information). It’s a set of guidelines that we can look at and apply to our organization. Some of them are procedural. Some of them are technical in terms of third-party products, or downloadable products from manufacturers that cost us nothing, that we can put in place that allow us to see who’s looking at our data, when are they looking at the data? Is it appropriate for them to look at the data? If it’s not appropriate, and we’ve determined that it’s a problem, then how do we recover from that and how do we respond to that? So the NIST security framework would be complementary to us following the HIPAA rules, whether it’s the Security Rule, the Privacy Rule, the Breach Notification Rule. By following NIST and the NIST cybersecurity framework, this is very much in line with what we’re doing for our HIPAA compliance.   Catherine Short 9:53 If a facility can afford to do this, does that in itself grant them the protection and penalty mitigation that you’ve talked about previously?   Raymond Ribble 10:04 I like that question. Let me do my best to answer it. 
Let’s just make the assumption that we don’t have a lot of money and historically, my organization has never spent a lot of money on technology to protect patient data. Let’s just say that’s our example for this question. But I took the time to look at this NIST cybersecurity framework and I can see what the five key areas are. They’re making some recommendations, I went over to the 405(d) task group, and I saw what they had and I said, okay, I’m going to pick two or three things from each of those five things. I’ll repeat them just for the sake of the audience: identify, protect, detect, respond, and recover. And I’m going to apply a few of these rules to each of these that I think best align with the type of organization we have, whether we’re pediatrics, oncology, dermatology, plastic surgery, whatever type of practice we are, we all fall under that HIPAA umbrella. And what I’m trying to do is apply certain rules or guidelines that NIST provides in order to protect the data. Even if none of the things that I do involve me purchasing a third-party product to do it. If I can accurately, regularly and appropriately document that I’m doing that, then the answer to your question is yes, that would allow us, in the event of a breach, to mitigate the exposure to penalties that might come from an OCR investigation.   Catherine Short 11:40 If you had to name perhaps three security practices, what do you see as being the most important first to use today?   Raymond Ribble 11:50 Three that I think would be the most important: I think protecting your email is extremely important. It is probably the one thing that everybody listening today uses, and probably uses almost from the minute they get up until just before they go to bed. They’re accessing email, they’re looking at messages, they’re opening emails from third parties, some of them are unknown third parties. 
So having email protection on your devices, especially devices that handle PHI, to me, is extremely important. Two, access management. Knowing who’s coming into my system, and who is accessing the PHI and are they accessing that information for the purpose of providing care to our patients, would be equally important to me. The last thing, if I look at this, I would say is going to be having good cybersecurity policies. So that’s more of not a technical thing. So email, access management, and cybersecurity policies. Educating my staff on what to do, and what to look for, if they see something that seems suspicious, just teaching them not to click on it, not to open it, to ask questions first, can save us millions of dollars. So if I broke down those 10 to three that I feel are important, and a different person might give you three different answers. Those would be the three I would pick off the top of my head.   Catherine Short 13:22 If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER Inc, on the topic of A Practical Approach to The Safe Harbor Law. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.   Catherine Short 13:57 If we’re discussing phishing emails, does it help if we monitor them, if we implement encrypted email?   Raymond Ribble 14:04 If we’re trying to prevent phishing emails from getting into our system, we would typically install something like Malwarebytes or Bitdefender, or Sophos, or many of these third-party products. Some of them are even sold with your laptop and your PCs, your Mac books when you buy them. 
You want to make sure that you activate those licenses and that you use them, and they help to prevent certain types of phishing emails from coming in. Having said that, your question was also with regard to just email encryption as well. Email encryption is very different from phishing emails. Email encryption is encrypting, so it’s codifying the email that you’re using to do business and ensuring that if some third party intercepts that email, which is not phishing, that they cannot decode that and look at it unencoded, and see what was in there. Two different things completely. Just to be clear, I hope I’m answering this question correctly. So I do recommend that you don’t use products like Gmail, or AOL, or any at-home third-party email system to be sending information to your patients. I think something that was discussed before is, you should be using the portal that’s provided to you by your EHR company. To the best of my knowledge, 90% or more provide those types of portals that you can use as a way of communicating, and that data is encrypted. So that email is encrypted, they’re providing that encryption for you as a byproduct of using their solution. So that solves a lot of problems for you.   If you have your own email server that you communicate with your patients with for whatever reason, then you should be installing some type of third-party email encryption on that system. The responsibility under the law is you must encrypt that email going out. There is not the equivalent of the patients sending you email and having ePHI in that email; that is not a violation, because HIPAA doesn’t apply to them the way it applies to you. So let me pause there and make sure. Am I answering the question correctly?   Catherine Short 16:32 Yes, sure.   Raymond Ribble 16:34 Okay. Because there are two different things there that you asked me, actually.   Catherine Short 16:38 So yeah, that was great.   Raymond Ribble 16:42 Okay, good. 
So again, phishing, I want to use third-party products to catch the majority of the phishing emails. And then let me add to that, Catherine, is, let’s be careful. If we see something we recognize, just because we recognize it, please don’t click, look first, put that cursor over wherever it says click here. Look down in the lower left-hand corner and see where it’s actually going. Ask yourself, was I expecting this email? Is this email something that I normally get from this organization? And if those answers are no, hey, just leave it alone. Go to your interface that you might interact with that company, whether it’s your bank, or your cable company, or your third-party hosting site, and call them and say, hey, by the way, I got an email from you guys, it says, and I guarantee you 99% of the time, they will say to you, we would never send you an email for something like that, right? You hear it all the time. They don’t send those things because they know that’s what the bad guys are doing. So they don’t send them. So when in doubt, don’t click, check first. I want to add that as a caveat to the answer for phishing. Okay,   Catherine Short 17:57 Perfect. When you’re talking about phishing emails, you probably look at this a lot more as far as where they’re coming from. With phishing emails, do you think that they’re coming more from organizations, either organizations as far as foreign entities or from criminal organizations, and working as employers, there’s a head person, and then they have people working for them? And then they’re sending out tons? Or are there lots of individual people, 15-year-olds out there who are trying to make some dough? What do the stats say about what they think people are doing?   Raymond Ribble 18:34 Clearly, you understand the issue, because your examples are really good examples. So, I can share with you a couple of my own personal observations. 
I think I told you before, Catherine, I lived in China for two and a half years, and while I was there, and this was in the midst of the explosion of the internet, between 2005 and 2010, I had an opportunity to visit a couple of sites where there were thousands of employees who were working in these warehouses, and what they were doing was hacking. They were paid to sit down and to hack into various systems using bots, using phishing mechanisms, using third-party software, in order to break into the systems. Why I was allowed to go there and why I was there would be a different story, but I saw that, and then it was explained to me that these types of sites exist not only in China, but in a number of other countries, including Africa, Europe, and even unfortunately, here in the United States or in South America. So it’s not one nation, nation-state sponsored attempt, but it could be a private industry, it could be for somebody, it’s a business. That’s what’s scary.   How do they target you? They can get third-party data. You know, I always tell people, if you’re on Facebook or some social media, don’t answer your friends’ quizzes about who is your favorite teacher in fifth grade or what was the name of the street you lived on when you were growing up, because unfortunately, nine times out of 10, those are hints to the types of security passwords that you use. These companies are the ones sponsoring those social media trivia contests. They gather that data, they now have your email, they have some answers from you, they know that your proclivity is to answer those questions. And they start to put a behavioral reveal map together. Then what they do is they target you with an Amazon or Barnes and Noble, or they know somehow, they figured out you’re an Anthem customer, or you’re using Cigna, or whatever the case may be. Verizon, T-Mobile, AT&T. The probability that you’re using one of those three mobile companies is pretty high. 
I keep getting this one on my phone for a PayPal, I don’t use PayPal. But I’m getting emails and text messages saying that my PayPal account has been compromised, please login to correct right away. Well, it’s pretty obvious, somebody’s got bad information. But they got my phone number. That’s pretty easy for them to get my phone number. But they keep sending me these messages. And I just laugh at it. And I delete it. And I’ve tried to teach myself to be very diligent to anything that I’m not expecting. And I have a pretty good idea of what I have set up in terms of my automatic payments. I don’t trust anybody. I’m terrible. But what I’m doing is I’m looking at all of this data, and I’m just naturally suspicious. Sounds terrible to be that way. To answer your question, I think it’s more external than it is internal. I think it is organized by a very large group. If it wasn’t working, if they weren’t able to get what they were looking for, they wouldn’t be doing it. So the bad news is that it’s an effective way for them to reach out to people and to steal data, and sometimes money.   Catherine Short 21:54 Great. Well, right. I had a question about employee snooping. I know, there’s probably a number of people who work on their own. And I know that you’ve said that there’s a lot of people who of course, are very curious so that’s always an issue. When we have an issue with employee snooping, is it usually just individuals working or do we sometimes find there are people working in concert with others, and it is sometimes some kind of a criminal type of element?   Raymond Ribble 22:30 It could be more of the former and very, very less of the latter. I’ll expand on that answer. What we find at SPHER, because one of the things that SPHER does is it actually monitors for snooping. So I can give you some firsthand examples here. 
We’re looking at employees that might be looking at their own files, might be looking at files that belong to their neighbors, or to their co-workers, or to some VIP. We’re able to determine with our technology whether or not that glance, or that long look at the record, is consistent with their profile and the way that they use the system. Now that’s our perspective. That’s what SPHER is looking for. It’s one of the things we do. Your question isn’t what does SPHER do, your question is how does snooping occur? Who does it and the damage that occurs? So I do believe that snooping is somewhat nefarious for almost all instances.   A lot of people snoop just for the sake of gossip, unfortunately. I will tell you, for example, that our highest rate of snooping is with our rural customers more so than our big city customers, if that makes any sense whatsoever. We find that during the pandemic, snooping spiked quite a bit. People working from home, they were finding themselves not as busy or having as many tasks as they might have had in the office, or they weren’t in an environment where people could see over their shoulders to see what they were looking at, so they thought, hey, it’s okay to take a peek, right? All of that fit into that model where they went and took a look at something and forgot that there was some system that was in place that was looking at what they were doing, and all of a sudden, they had a knock on their door or a phone call from their manager saying, hey, can you explain to me why you were in so-and-so’s file, because that has nothing to do with anything that you had assigned to you or within your workflow.   And so people love what we do in that stage, because that’s something they can lock down on. I’ll give you one example, if you don’t mind me doing that.   Catherine Short 24:47 I would love it.   Raymond Ribble 24:48 We had a large organization in the south. I’m going to be very vague here. Very large organization. 
When they went live with our technology, in the first month of use, they had 1800 snooping incidents in one month. Yes, it’s pretty bad. Now, the CIO called us and said, you know, I hate you guys, for two reasons. One is, now that I know that, I have to go fix it, and you’ve made my life a living hell, because clearly I don’t have a problem, I have a systemic, across-the-organization problem. Everybody’s looking at everybody’s data. It has nothing to do with their day jobs. Right? So she put together a strategy, she went to market, nobody got fired, because she figured it was the entire company doing it. A side note, the two people who were assigned to review the data coming from SPHER were two of her biggest transgressors. So the guys who were responsible for watching were the ones watching the wrong stuff. Within two months, she was down to eight instances of snooping. Once a new culture was established, once the employees knew they were being watched, that somebody was looking at what they were doing, and what they were looking at, it changed the culture, it changed the habit that fast. Which I think is a testament to, okay, we had a bad problem, we got forward, we taught everybody what we’re gonna do. We explained to them what we implemented, and we did it, and they changed. That’s great. That’s a great story. So that was us working together with a client, and a really good outcome that happened from that, but snooping is really a big issue. And I think a lot of it is gossip. So I hope that helps to provide some insight.   Catherine Short 26:47 Yeah. The eight people who didn’t get the memo?   Raymond Ribble 26:52 Well, there’s always the ones who think, hey, I can beat the system. Right? Maybe. Right.   Catherine Short 26:58 So I wanted to thank you so much for being on 1st Talk Compliance today, Ray. I appreciate it so much. Your explanations were excellent and concise, and very practical. So thank you so much.   
Raymond Ribble 27:12 Well, as always, thank you for having me, Catherine. Thank you to everybody at First Healthcare Compliance. And to everybody listening today, I appreciate your time and your efforts as well. Catherine Short 27:21 Thank you. I can’t wait to talk to you again. So appreciate it. Did you have any actual final thoughts before we totally wrap up?   Raymond Ribble 27:28 Please don’t be afraid of the answers that I just gave Catherine or the information that I presented. It’s not hard. Take it one step at a time. You’ve probably done better than you think you’ve done. But sitting down and just having a conversation with somebody within your organization and reaffirming that you have done the right things and that you have a plan that you’re working towards is the first step towards protecting your data. And I just recommend everybody do that.   Catherine Short 27:48 Great advice. So Ray, I wanted to thank you again so much for being here. And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.       | — | ||||||
| 3/14/23 | ![]() The Safe Harbor Law: A Practical Approach – Audio Version of the Webinar | Raymond Ribble is the CEO and Founder at SPHER, Inc., a market-leading compliance analytics and cyber-security solution addressing HIPAA compliance, State Privacy Laws, and ePHI security threats, and our expert presenter for this webinar. HIPAA data breach penalties typically get measured in millions of dollars, even after an organization has implemented NIST cybersecurity framework measures. With the new HIPAA Safe Harbor Law, signed last January of 2021, HHS and OCR may consider increased penalty mitigation when an organization can demonstrate it has been following established good security practices for a period greater than 12 months. It is important to understand that the Safe Harbor Law, while offering substantial protection, does not provide a true safe harbor. Safe harbor laws normally shield an entity from liability when the criteria are met; however, the new HIPAA Safe Harbor Law only offers some protection. The Office for Civil Rights (OCR) may consider whether a covered entity had implemented certain technical safeguards for 12 months; where appropriate, this allows OCR leniency in assessing the breach. Our presentation will examine what the established security practices for healthcare are, and how to pivot your organization’s security profile in order to mitigate breach penalties in the event of a breach. This webinar will cover the following objectives: 1. What is the HIPAA Safe Harbor Law (previously HR-7898) 2. Where can I find support 3. Demonstrating compliance | — | ||||||
Chart Positions
2 placements across 2 markets.