It’s hard to say whether the Office for Civil Rights (OCR), acting on its own or in conjunction with the Department of Justice (DOJ), will show the same level of consideration to healthcare organizations that “try,” but it is worth considering whether that is likely. After all, the number of investigative actions and caseloads are only going to increase. It may be a form of “prosecutorial discretion.” Here’s today’s big tip – go to school on Morgan Stanley; learn how vibrant training and policies can help…

The Department of Justice shows great consideration when organizations exercise due care…

As written up in this blog post, entitled “The Most Marketable Compliance Officer In The World,” the Department of Justice and the SEC charged a Morgan Stanley employee, Garth Peterson, with violations of the FCPA (Foreign Corrupt Practices Act) for his involvement in “funneling millions of dollars to a government official in China (and to himself) regarding real estate deals.”

Correct, FCPA is not HIPAA and Morgan Stanley is not a Covered Entity. But pay attention, Dr. “I-don’t-care-about-a-HIPAA-speeding-ticket” Jones, because the big lesson learned here is about “trying real hard to comply” and having a defensible, honest position that you have done so.

In this case, because of its proactive and comprehensive compliance program, the company, Morgan Stanley, was not charged with any wrongdoing. The DOJ Press Release on April 25, 2012 stated that “Mr. Peterson admitted today that he actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official.”

The DOJ pointed out three aspects of Morgan Stanley’s program that bear repeating:

  1. Morgan regularly updated its policies – in HIPAA-HITECH compliance land, this means periodic updates and ensuring consistency of practice to policies. Have you taken a look lately?
  2. Frequent training – in HIPAA-HITECH compliance land, this means not only annual training but a proactive program involving security and privacy reminders. When was the last time you engaged your workforce in serious HIPAA privacy and/or security discussion?
  3. Due Diligence, including transaction monitoring – in HIPAA-HITECH compliance land, this means ongoing vigilance in the form of information system activity reviews and documented incident response and reporting. Is your C-suite engaged and supportive of due care and due diligence efforts around privacy and security?

And, here’s the punch line from the Press Release:

“After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.”

How would OCR and/or DOJ find your “system of internal controls” as it relates to HIPAA-HITECH compliance?

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.