It’s hard to say whether the Office for Civil Rights (OCR), acting on its own or in conjunction with the Department of Justice (DOJ), will show the same level of consideration to healthcare organizations that “try,” but it’s worth considering whether it’s likely. After all, the number of investigative actions and caseloads are only going to increase. It may be a form of “prosecutorial discretion.” Here’s today’s big tip – Go to School on Morgan Stanley; learn how vibrant training and policies can help…
The Department of Justice shows great consideration when organizations exercise due care…
As written up in this blog post, entitled “The Most Marketable Compliance Officer In The World,” the Department of Justice and the SEC charged a Morgan Stanley employee, Garth Peterson, with violations of the FCPA (Foreign Corrupt Practices Act) for his involvement in “funneling millions of dollars to a government official in China (and to himself) regarding real estate deals.”
Correct, FCPA is not HIPAA and Morgan Stanley is not a Covered Entity. But pay attention, Dr. “I-don’t-care-about-a-HIPAA-speeding-ticket” Jones, because the big lesson learned here is about “trying real hard to comply” and having a defensible, honest position that you have done so.
In this case, because of its proactive and comprehensive compliance program, the company, Morgan Stanley, was not charged with any wrongdoing. The DOJ Press Release of April 25, 2012 stated that “Mr. Peterson admitted today that he actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official.”
The DOJ pointed out three aspects of Morgan Stanley’s program that bear repeating:
- Morgan regularly updated its policies – in HIPAA-HITECH compliance land, this means periodic updates and ensuring consistency of practice to policies. Have you taken a look lately?
- Frequent training – in HIPAA-HITECH compliance land, this means not only annual training but a proactive program involving security and privacy reminders. When was the last time you engaged your workforce in serious HIPAA privacy and/or security discussion?
- Due Diligence, including transaction monitoring – in HIPAA-HITECH compliance land, this means ongoing vigilance in the form of information system activity reviews and documented incident response and reporting. Is your C-suite engaged and supportive of due care and due diligence efforts around privacy and security?
And, here’s the punch line from the Press Release:
“After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.”
How would OCR and/or DOJ find your “system of internal controls” as it relates to HIPAA-HITECH compliance?