Laureen shows you her proprietary “Bubbling and Highlighting Technique”
Download your Free copy of my "Medical Coding From Home Ebook" at the top right corner of this page
A heartfelt thank you to all of the officers and chapters who have participated in either on-site or virtual officer training this year. Many positive comments have been received from the officers who have participated, and renewed enthusiasm has been generated which is clearly seen by the activity on the officer Facebook page. 76 of our chapters […]
The post Message from AAPCCA Leadership appeared first on AAPC Knowledge Center.
Again this year we will be offering the local chapters the opportunity to do a poster board display. Show us how your chapter shines! Highlighting your chapters achievements and accomplishments gives other chapters the opportunity to see your successes. Feel free to bring any photographs and/or templates that youd like to incorporate into the design of your board. Everything you bring should be flat, light-weight and small enough to easily fit in your luggage. The majority of your display should be planned out ahead of time to fit these dimensions.
The AAPCCA Board of Directors will supply the following items:
Tri-fold display 36tall X 48 wide
Tape
Scissors
Markers
Construction paper
Supplies will be available for pick up immediately after the Officer Leadership Session. Please see either Lynda Wetter or Gina Piccirilli. Exceptions will be considered only for only those arriving after the leadership session on the 27th and should be coordinated with Lynda by e-mailing her directly.
RSVP is necessary and required to ensure we have the materials needed for everyone.
Please designate one of your officers or members as the point person and to RSVP by March 27th to [email protected] with the following information:
Name of Attendee:
Contact e-mail:
Cell Phone Number:
Chapter Name/State:
Arrival Date:
Display boards will be dropped off at a location to be determined. Additional information will be available when picking up your materials and will be added to the event on the Facebook page.
We all look forward to seeing you at HealthCon!
AAPC Chapter Association Board of Directors
New Options For Chapter Officers Want a greater variety of educational events at your chapter meetings? The AAPC Chapter Association Board of Directors has some exciting news to share with you. Officers are now approved to offer up to two virtual meetings through their local chapters. These meetings will open the doors to a variety […]
The post Message from AAPCCA Leadership appeared first on AAPC Knowledge Center.
HEALTHCON 2019 is fast approaching! This is one of my favorite times of the year. It is a time I get to see friends and colleagues that I do not get to see often. It is also a time where I meet new friends and grow my network. These past two years HEALTHCON has been […]
The post Message from AAPCCA Leadership appeared first on AAPC Knowledge Center.
Welcome to all new officers as well as to those who are returning to serve another year. Our local chapters need you all in order to thrive. Did you know that there are two AAPCCA Board of Directors representatives for each region of the country? You can find our names and contact information on the […]
The post Message from AAPCCA Leadership appeared first on AAPC Knowledge Center.
The leaves are changing, the air is becoming crisp, and we are entering a new season. Fall is a great time to recommit to goals, overcoming challenges, and continuing your education. What better way to do this than by attending a regional conference. In September, the regional conference will be held in Anaheim. With a […]
AAPC Knowledge Center
You’re working at a hospital during an emergency (e.g., a hurricane). But the person who’s supposed to take the lead is out sick or on vacation, or is distracted from duty because a family member is in danger. Do you know who’s supposed to take that person’s place?
Culture of compliance
Communicating with leadership
Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can’t happen if privacy and security officers aren’t being heard by the board and senior leaders.
In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU’s security risks remained unaddressed until it was too late. Failure to address these risks came with a $ 2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that’s difficult to put a positive spin on.
Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.
Reaching for the top
Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.
"I think that the danger is that there was a time when privacy and security were viewed as a very specialized and somewhat insignificant compliance area," Reece Hirsch, Esq., partner at Morgan Lewis in San Francisco, says. "But now that you have hospitals that are being hit by ransomware attacks and major security breaches, I think that boards are starting to get the message and they’re receptive to having more direct contact and input from the privacy and security officers."
Privacy and security officers will want to strike while the iron is hot but this isn’t always simple, even with ransomware and multi-million dollar HIPAA settlement fines in the news. If privacy and security haven’t been on the board’s radar, the privacy or security officer might not have the experience and connections that will help him or her successfully make the case, Hirsch says.
"Sometimes, admittedly, it is a little difficult, if the board hasn’t yet engaged in the subject, for someone like a privacy or security officer to by themselves drive change in the organization," he says.
Privacy or security officers can partner with the compliance officer or general counsel, he suggests. These roles will know how to speak the language the board is used to hearing and can address privacy and security issues in a broader risk and compliance management context.
Sending the message
Privacy and security risks may be neglected by the board and senior leaders simply because they may not fully understand them, Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of Wipfli, LLP, in Eau Claire, Wisconsin, says. They may assume these are primarily IT issues that don’t require their involvement.
"This doesn’t mean they don’t care, it just means they don’t understand the scope of security and privacy or the importance of a successful program and how it’s contributing to the success of the business," he says.
Privacy officers typically have a clearer identity and importance, he says. That role often has a longer history at an organization and a clearer, recognized place in the risk and compliance equation. In contrast, the security officer often reports to the chief information officer or IT manager. In some cases, one person may be both the security officer and the IT manager, which only promotes the misconception that security is purely an IT concern, Ensenbach says.
"Security needs to be separated from IT and reporting outside of the IT department," he says. "In my opinion, the privacy and security officers should be reporting to the same person because both pertain to the handling and safeguarding of information, regardless of the format it takes."
IT and security may seem like a logical fit, but combining the roles may cause security to suffer, Ensenbach warns. "When security officers are also the person in charge of IT, the primary demand is what is perceived as being the most important by the person," he says. "It has been my experience that in these situations, IT issues will always take precedence over security."
Both are also full-time positions and will be extremely difficult for one person to manage effectively, he adds. Senior leaders should take these factors into account when organizing departments.
Smaller organizations that need to consolidate roles may be better off combining privacy and security rather than IT and security, Ensenbach suggests. The role of a dual privacy and security officer can fall in the compliance department. Compliance, privacy, and security have a natural synergy and are well-equipped to support each other.
If privacy and security are different roles handled by different members of staff, each should make an effort to work closely together, Hirsch says. Presenting a united front will help both areas and best protect PHI.
Speaking the language
Members of the board will likely have a different perspective on the organization. Privacy and security are vital issues, but nevertheless demands that must be balanced with many others.
Members of the board may often have questions about privacy and security best practices and industry standards, Hirsch says. They will often be interested in making improvements but will most likely look to make reasonable changes with an eye on the budget. Privacy and security officers should go into meetings with senior leaders with realistic expectations and try to see how their areas fit into the organization’s overall risk management efforts.
Security officers should be wary of using overly technical jargon and explanations, Ensenbach says. Information should be correct and have the appropriate level of detail but should be delivered in a way the audience can understand.
"Never, ever speak in technical terms and write like you talk," he says. "Always present yourself in a professional manner and explain problems in business terms that they can relate to."
Have at least two or three solutions to a problem under discussion and explain each in terms of risk mitigation and return on investment, he adds.
Some security officers may find resources elusive if they can’t tie programs or improvements to specific compliance points, Kurt Hagerman, chief information security officer of Armor in Richardson, Texas, says. Simply explaining a particular security method will reduce a risk won’t mean anything if the board or senior leaders don’t understand what the risk is to begin with. Although it’s incumbent upon senior leaders to learn about regulations the organization must follow, it may be difficult for individuals without a background in information security to make the connection between regulations and security upgrades. Security officers often struggle to make those connections clear, Hagerman says.
"They typically don’t understand how to convey their ideas and their needs in a way that the executives can understand and has an impact to the organization," he says.
If a security officer doesn’t understand what information leaders need to make decisions, it’s unlikely improvements will be made, he says. Some security officers may simply say an investment should be made in a new security method because it provides better security, but that doesn’t offer any context.
"Quantify that. What does better security mean? You have to start talking in terms of risk and risk reduction," Hagerman says. "Start talking about it in terms of insurance. Insurance is a conversation that executives understand."
An unaddressed security vulnerability may put an organization at risk for a certain dollar amount, but addressing the vulnerability may considerably shrink that cost. If security officers can learn to translate what they ask for into stories executives can understand, resources will be easier to come by.
However, privacy and security officers must keep in mind that organizations have many competing demands. Even if a privacy or security officer has built an excellent rapport with senior leaders and the board, not all requests will be granted. "Privacy and security officers need to accept leadership’s decisions as final and not to take decisions personally," Ensenbach says. "Accept the fact that they are paid to make the hard decisions that impact the business, not the security and privacy officers."
Setting an example
Setting the tone at the top may be a buzz phrase, but it has real value. The message that privacy and security are fundamental to all aspects of the organization, from financial to patient care, must go out from the top, Hirsch says. Staff members look to leadership for guidance on what their priorities should be. If an organization’s leaders don’t have privacy and security on their radar, it will be difficult to convince other staff that these are serious concerns.