Cybersecurity Pink Panther Style!

Remember the Pink Panther movies?  Peter Sellers’ character, Inspector Clouseau, hired “Cato” to randomly attack him.  He thought unexpected ninja attacks would keep him every vigilant.  While the over the top comedy is ridiculous, it does remind me of how to approach cybersecurity.  You do not need to hire someone with a kendo stick to beat your staff into compliance, but frequent “reminders” do promote vigilance.

Most practices provide cybersecurity training when an employee is first hired, and annually after that. While certainly this method will check the box for “security training” it is highly ineffective for maintaining good cybersecurity habits.

Cybersecurity training is not a “once you learn it, you know how to do it” type of training.  It is not like riding a bicycle.  In fact, it’s just the opposite. For staff to maintain the awareness required to spot phishing emails and other cyber security scams, they must be continually reminded that there’s a threat.

Annual HIPAA training is not enough. Effective cyber security training is delivered in shorter sessions, more frequently, with ongoing reminders.

Here are six ways your practice can do this on the cheap:

  1. Send periodic emails with cyber security reminders and tips. Mark your calendar every six weeks with a reminder to send these out. In the morning is most effective. Pull tips directly from your security policies and procedures.
  2. Email a 3-question quiz just prior to a staff meeting. Present and discuss the answers in the staff meeting. Have everyone who got all three questions correct put their names in a hat and draw one for a gift certificate.
  3. Print posters and flyers. One practice I worked with created colorful “Watch Out for Phishing” posters, and hung them on bathroom staff doors, break rooms, and bulletin boards.
  4. Put reminders in Company Communications. If your practice sends a monthly newsletter to employees, include a story about security in several issues a year.
  5. Monitor employee password strength twice a year. Knowbe4 has a free tool for this: Weak Password Test (WPT). WPT checks your Active Directory for several different types of weak password related threats, providing insight to the effectiveness of your password policies and any fails, so that you can take action.
  6. Administer a verbal “cyber awareness quiz” at several staff meetings each year. This can be informal. Simply ask a few questions during the meeting (don’t put this on the agenda), and ask the team for verbal answers. For example:
    1. “Name two common human error reasons that cyber-attacks or breaches occur in healthcare?”
    2. “What are two clues that an email may be a phishing email?”
    3. “What is ransomware and how does it work.”

Choosing even two or three of the ideas presented here can improve staff retention of important security concepts. The key is keeping employees on alert for potential security threats all year long. Doing so can keep cyber security at the top of every physician and staff person’s mind – so they think twice about clicking.

If this fails, you can always bring in Cato for more “aggressive” cybersecurity compliance.

Do We Have to Return Plan Overpayments?

The short answer is, yes. Did your mother teach you nothing? Of course, you must return money that isn’t yours. In fact, to be compliant with Medicare and most commercial payers, once you discover an overpayment, you’ve got to refund it within 60 days.

Sadly, I still speak with physicians who believe it’s okay to keep the money in the bank until the payer requests a refund. One large practice I work with told me they hadn’t run the credit balance report in nearly a year. When I suggested they do so, the Medicare credit balances alone totaled more than $300,000.

This is not the time to invoke “finders keepers, losers weepers.” Much as you might like to keep the cash as a way to balance out years of reduced reimbursement, when you don’t refund overpayments in a timely manner you expose the practice to collection and other risks. Plus, credit balances offset the accounts receivable report, making it appear as if the practice is owed more money than is truly the case.

Here’s how to keep your credit balances, and your practice, in the clear.

 

  1. Understand and follow CMS rules.

Failing to refund Medicare and other Federal program overpayments puts your practice at risk for non-compliance. Let’s review the basics of Medicare’s rules. Review CMS’ Fact Sheet for more detail.

The CMS rule is that, once identified, Medicare overpayments must be refunded within 60 days. This rule applies to overpayments that occur for a variety of reasons – insufficient documentation, medical necessity errors, duplicate payments, and administrative and processing errors among them.

Further, Medicare’s look-back period is six years. The client that identified $300,000+ in Medicare overpayments a had to mobilize quickly to review and prepare refunds for overpayments that dated back six years. It wasn’t pretty.

These days, CMS’s processes are qyite proactive. When the payer identifies a Medicare overpayment of $25 or more, the Medicare Administrative Contractor (MAC) will initiate a recovery process by sending an initial demand for repayment. The MAC letter will explain:

  • the reason for the overpayment
  • that interest will accrue if overpayment in full is not received within 30 days
  • options to request immediate recoupment
  • options to request an extended repayment schedule
  • your rebuttal and appeal rights

In response, a practice may either make immediate payment, request immediate recoupment, submit a rebuttal, or request a redetermination to appeal the overpayment. With immediate recoupment, Medicare recovers the overpayment by offsetting future payments for other services. As any billing staff will tell you, this is a huge pain in the you-know-what when it comes to properly posting the amounts.

If the overpayment is not repaid in full, you will receive an Intent to Refer letter 60 to 90 days after the initial demand letter. This document advises that unless payment is made or a plan is established for repayment, the MAC will refer the overpayment to the U.S. Treasury for collection.

 

  1. Understand private and third-party payer requirements.

Must practices refund overpayments to private payers even if they don’t request the money? Again, the short answer is yes. Once your team discovers an overpayment, your practice must refund it, even if the payer does not request it.

Most managed care contracts include a clause that requires this, along with a specified time period during which the practice must make the refund. And whereas CMS requires repayment within 60 days, commercial carriers can have their own timeframe. In fact, some of them want repayment within 30 days. Others may try to recover the overpayment through remittance adjustment on future claims or other recovery actions.

Read your contracts to understand what you’ve agreed to.

Once you know the timeframe, gather the payback procedures from the plans your practice is contracted with. Most make this easy by supplying the rules and processes on their Web sites. For example, Anthem Blue Cross provides these Refund/Recoup Reminders and Tips. Aetna also provides clear instructions on its web site. In most cases, a simple Google search will get you to the correct page on each payer’s web site.

 

  1. Develop a refund policy and procedure.

Generally speaking, the policy should state that your practice processes overpayment refunds within 30 days of identification, and follow the guidelines for repayment established by the payer. Once you understand the compliance requirements from CMS and have completed research for plan overpayment guidelines, your team will have the details needed to develop a procedure they can follow systematically.

Procedures vary by practice but essentially you should validate that the overpayment amount is accurate and put a refund request into the accounts payable queue to be paid in the next check run or electronic payables cycle.

 

  1. Run the credit report regularly.

Even with best efforts to process refunds as they are identified, people get busy and things fall through the cracks. Running the credit report provides a list of any oustanding balances for the team to process. How frequently you generate this report will depend on your policy, but I recommend it be done at least quarterly and in large practices, monthly. Ideally, the balance should be $0, or close to it.

If, like my client, you haven’t generated this report in a while, you might find the amounts total more than $0. If that’s the case, consult an attorney for assistance on how to address the overpayments – especially if you have some that are more than 60 days old. Those refunds may put your practice risk because they don’t comply with CMS guidelines, and most likely other payor rules as well. Check with legal counsel before you being mailing refund checks.

The bottomline is that overpayments are not “found money” for the practice. They are monies due to payors who overpaid for services. Develop a refund repayment policy that includes processing refunds regularly, generate the credit balance report monthly or quarterly to identify overpayments that may have gotten overlooked, and seek guidance from your attorney if you believe your practice is out of compliance with federal and commercial payer overpayment compliance guidelines.

Test Your Knowledge About Passwords

Did you know that more than 60% of all confirmed data breaches involve the leveraging of weak, stolen, or default passwords?

One of your practice’s frontline defenses for avoiding the phishing  attacks and other cybercriminal schemes is effective password management. How well are you managing yours? Take this short (and fun) quiz to find out.

  1.  Strong passwords are too complicated to remember. It’s fine to use passwords that are short and easy.

           True or False?

 Answer: False

Easy passwords are easy to crack. Believe it or not, the most popular passwords in the United States are still “password” and “12345.” These weak passwords offer little security and are simply dangerous. Instruct your team to create strong passwords that contain a mix of letters, cases, and symbols. If you’re concerned about not remembering passwords, uses a password-management program like LastPass, which saves passwords securely and provides access to them on any device.

Another option to use a passphrase, using a combination of letters and symbols. For example, “Fido” is an insecure password and easy to guess if it’s your pet’s name. But My1$tPetWasFid0 follows strong password guidelines and is more secure.

2.   Putting a sticky note on your computer or desk as a reminder of your password:

             A. Is a really bad idea.

             B. Is essential to getting any work done if you are over 40.

             C. Is a nice way to help new employees get to know you.

 Answer: A

I still see sticky notes regularly in the practices I visit. And there is always at least one staff member’s desk with multiple, colored, sticky notes containing his or her password in plain sight. This is not good cyber hygiene. Conduct a walk around the office and remove all sticky notes and other evidence of passwords in plain sight. Do it today; we’ll both sleep better tonight.

3.   Sharing passwords is ok because:

    A. Sharing is caring.

    B. If you forget the password, your coworker can remind you.

    C. It’s never ok to share passwords.

 Answer: C

When it comes to data security, sharing is never ok. A practice in the East used only passwords for the entire team: “doctor” and “nurse.” Although this is an extreme case, passwords are shared with some regularity in many practices. Beyond the cybersecurity concerns, sharing passwords has professional liability issues because they render electronic medical record (EMR) audit trails useless. It’s impossible to identify the person who reviewed or entered information if passwords are shared.

Compliance issues are also triggered by password sharing. There’s no sure way to determine whether patient privacy is maintained if it’s unclear which user is accessing them.

The bottom line is  passwords are like underwear…don’t share them and change them often. Anyone caught sharing passwords should be disciplined.

4.  When should a practice disable the passwords of employees who leave?

   A. By the end of the week after the employee is gone.

   B. When my kid is home from college; he handles stuff like that in our computer system.

   C. Immediately after you have terminated the employee, or the employee has left the premises on good terms.

   D. We’re supposed to disable passwords?

 Answer: C

Staff turnover is a given. So have a plan for terminating user IDs and passwords in all systems immediately after the employee leaves. Often, this step is delayed or forgotten, leaving passwords active for potential access. Put credential disabling at the top of your employee-departure checklist.

5.  If you aren’t using a password manager, the best way way to remember a complicated strong password is to use the same one for multiple accounts.

True or False?

Answer: False

Humans are creatures of habit. According to a survey by LastPass and Lab42, 59% of us “mostly” or “always” use the same password for everything.

And only 55% said they would change their password if their account was hacked. Startling, but true.

Make sure you and your team are not part of the 55%. Insist on strong passwords. Store them in a password manager. And don’t use the same password for every account.

7 Social Media Policy Must-Haves

You’ve undoubtedly heard the national news stories of hospital employees posting photographs of anesthetized celebrities to their own personal Facebook pages. Or, the surgeon who enjoyed taking photographs of patients’ genitalia in the O.R., and sending them to staff.  This takes the concept of “sharing is caring” a bit too far.

Common sense and decency lead most people not to behave this way. But alas, your practice must prepare for employees who have all kinds of backgrounds and  predilections. Which is why it’s important that every practice have an up to date, written, social media policy for employees.

Here are the must-have components to include:

  1. Extent of policy.

This clause lets employees know that you are not trying to apply the long arm of the law to their personal lives. It explains that the policy only covers social media and Internet activities that are associated with the practice; not activities that are purely personal in nature. Like posts of the employee hiking the Continental Divide with a friend. Or giving the dog a bubble bath.

  1. Covered technology.

Given that technology is constantly changing, it’s tough to create a policy that names every technology, or platforms that don’t even exist yet. (The latter is particularly challenging.) Instead, explain that the policy applies to a list of common sites and list them, as well as other platforms that include social networking sites and sites with user generated content.

The examples you might list in the policy could include: 1) Twitter 2) Facebook 3) YouTube 4) Yelp.com 5) RateMDs.com.

  1. Professional and personal behavior.

This is the meat and potatoes of the policy. Here’s where you spell out what you expect. For instance, the policy should say that employees are prohibited from posting any patient’s PHI or image on a social media site. Or, that they are not allowed to provide medical advice or medical commentary that in any way references their employment with your practice. Or that they cannot impersonate someone else – for example, they can’t answer patient medical questions as if they were a physician. 

  1. Violation of laws.

Simply put, this clause explains that if an employee violates any local, state, or international law or regulation by uploading, posting, e-mailing or otherwise putting content online that is unlawful, threatening, profane, racist, etc. – the employee is violating the law and the practice is not responsible.

  1. Violation of the social media policy.

Makes employees aware that violations will have consequences, and defines the scope of those consequences. This section should also include language that indemnifies the practice against liabilities for actions in violation of the policy. It should explain that violation of any portion of the social media policy may result in disciplinary action up to and including termination of employment. As well as what employees should do if they notice that someone has violated the policy.

  1. Claim disputes.

Explain that any disputes relating to the employees inappropriate or illegal posting of content on a social media platform or blog will be addressed in accordance with the laws of the State. The employee must agree to be bound and subject to the exclusive jurisdiction of a local, State or Federal Courts.

  1. Date and Signature.

Execute the policy for each employee, asking him or her to date and sign it. Put in the employee’s personnel file.

A good policy also typically includes an indemnification clause, statements about amendments to the policy, and the term of the policy. With regard to term, the signed policy should be effective immediately and in force up until date of termination or the employee’s last day, if leaving voluntarily.

 

Parties, Promos, and Press Releases

It’s that time of the year again. December is the month where daylight hours and alcohol consumption are inversely related.

 

Every holiday season I get calls and emails with this question:

 

“Our practice is hosting a holiday party/open house event for patients and potential patients. We’d like to hire a professional photographer to take photos for social media and our web site. Do we need to ask guests to sign something in order to use their photo?”

 

The answer is, yes. You must have each individual’s permission to take his or her photograph at your event and upload it to your practice’s web site, Facebook page, or social media sites.

 

And, keep in mind that this release is different than the privacy law/HIPAA release you may already have on file for the patient.

 

I realize that the photographs of smiling, happy party goers in a public setting may seem benign compared to clinical photos of unconscious patients being prepped for surgery or those sporting enhanced body parts . Nonetheless, in order to legally use the photographs you snap at holiday fetes and other events, you must have a signed general photo release, not a patient/HIPAA release, from each individual that can be seen in the photograph taken at your special event.

 

A general photo release secures permission to publish images of people attending the event. The photo release used for before-and-after photos, research, or other clinical use covers you for compliance issues related to patient privacy/HIPAA regulations. Even if you’ve already got one of these signed releases on file, it’s not sufficient to cover you for social media, web site, or emails. You’ve got to have attendees sign a general photo release that is specific to the special event.

 

This release does not need to be long or complicated. You don’t want to overwhelm partygoers with lengthy fine print when their primary goal is to find the bar. A one page document should simply explain that the individual’s image may be taken while at the event, and they are giving their consent to your practice to use that image as it your practice sees fit.

 

If anyone under the age of 18 is attending your event, the release must be signed by a parent or guardian on their behalf. Generally, the wording is roughly the same as those for adults, with the addition of the release being signed on behalf of the minor by the parent or guardian.

 

Finally, if you are taking video clips instead of photographs, the release needs to give permission not only for the use of the image but also for the audio component. Otherwise, the video release is essentially the same as the still photograph document.

 

I’m often asked whether having a large sign or easel board stating something like, “By entering this area you agree to having your image taken and used in our social media, web site, and other promotional messaging for this event.” Nice try, but the answer is no. You must obtain individual, signed releases from each guest used in your promotion.

 

I hope that you and your practice have a peaceful holiday season. Enjoy the parties. March forward with the entertainment. I simply caution you to be careful when the cameras come out.

 

Cheers!