Archive for category: Articles

Business Owners Need Help in Communicating 401k Advantages

Categories: Articles

New research from Nationwide finds employers understand the value of offering 401k plans, but need help to better communicate their benefits to employees

by Brian Anderson, November 13, 2019

in 401k Client Acquisition, Education and Enrollment, Retention, Your 401k News

Advisors can help business owners communicate 401k benefits to employees

 

It won’t come as a surprise that business owners view 401ks as advantageous both for their business and their employees. Yet, despite business owners seeing the advantages and value of 401ks, a gap exists in understanding how to effectively communicate 401k benefits to employees, according to a new survey from Nationwide.

And with the Bureau of Labor Statistics reporting 71% of all U.S. workers have access to retirement benefits (which include defined benefit and defined contribution plans), offering a 401k to employees has become necessary in order to competitively attract and retain talent in today’s strong, steady labor market.

Nationwide’s latest research, which surveyed 400 U.S. business owners with 11-500 employees that offer 401ks, finds business owners agree 401ks offer key benefits including attracting and recruiting top talent (88%); tax advantages for both one’s business and employees (88%); improving employee retention (86%); and employees viewing a 401k as a necessary benefit (84%).

The survey data also found that although nearly nine in 10 business owners report their retirement plan provider offers tools and resources to them to help encourage employees to participate, over half of business owners (53%) still struggle with communicating the benefits and encouraging participation among their employees.

This number increases to 60% when looking at female business owners and 65% for younger business owners (aged 18-34 years old). What’s more, 68% of business owners acknowledge it’s their role/responsibility to encourage employees to participate in a 401k offering.

“Our latest survey shows employers are struggling to communicate the benefits of a 401k and encourage participation among their employees, ultimately putting their business and their employees at a disadvantage,” said Eric Stevenson, president of Nationwide Retirement Plans. “This data illustrates that the industry has an opportunity to help business owners bridge this gap and make a meaningful difference in the retirement security of their employees.”

Business owners agree 401k benefits outweigh challenges

While 401k plans have become a standard of sorts as a retirement benefit, business owners still report the following challenges in offering a 401k to employees:

  • Financial cost: 45%
  • Encouraging and managing employee participation: 41%
  • Administrative headaches (i.e. paperwork for plan administration): 37%
  • Lack of knowledge around starting or maintaining a plan: 27%

Even with the challenges associated with offering a 401k, an overwhelming majority of business owners (92%) agree that the benefits of offering a 401k plan to employees outweigh the challenges. Business owners ages 35-54 years-old are most likely to agree with this perspective, with nearly all in this age group (99%) agreeing. Interestingly, over three in 10 business owners aged 55+ years-old say they don’t believe there are any challenges in offering a 401k plan.

Helping business owners encourage participation

Nationwide’s data shows nearly two-thirds (64%) of business owners feel it is their role/responsibility to provide details on the benefits of participating in a plan with employees, as well as share information on how to enroll (62%).

In order to cut through the jargon and effectively communicate the benefits of participating in a 401k with employees, business owners can look to their plan provider and advisor for additional guidance.

“A workplace retirement plan, such as a 401k, is among the most valuable employment benefits and a top gauge of retirement preparedness,” Stevenson said. “As such, it’s integral that employers feel equipped to effectively have these conversations with their employees. Talking to a financial advisor is a good first step to not only discuss the resources and benefits available to business owners from plan providers, but to also gain insight into how to thoughtfully distribute this information and material to employees.”

More from the research

Beyond details about helping employers communicate the benefits of a 401k to employees, the Nationwide survey of 400 business owners (with 11-500 employees and who offer a 401k plan) contained some additional noteworthy data regarding the SECURE Act and 401k matching contribution rates. From the study:

  • 59% of business owners surveyed believe the SECURE Act would make it easier to offer a 401k plan to employees
  • 77% of business owners think passage of the SECURE Act would allow them to offer a 401k plan that rivals those offered at large corporations

401k Contribution Matching:

  • 8% of business owners don’t match employee contributions at all
  • 31% match 1-3% of contributions
  • 43% match 4-6% of contributions
  • 19% match 7% or more of contributions

Article submitted by Joshua C. Harper, CFP®, ChFC®, CLU®, RICP®

Why Are Healthcare Organizations Struggling with Infrastructure?


Healthcare organizations are starting to hop on the technology train moving into the 21st century, which is excellent! Information technology and the healthcare industry have been growing more intertwined over the past 20 years. Advances that include Electronic Health Records (EHRs), Electronic Medical Records (EMRs), Cloud Storage, and Telemedicine have been widely adopted to help enhance the quality of care for many patients. This increase in quality of care has also provided more funding for healthcare organizations through the MACRA and MIPS programs. All of this sounds great, but “What’s the catch?” you may ask. The answer is infrastructure.

A loose definition of information technology infrastructure in the healthcare industry is the hardware, software, networks, and facilities used to support, monitor, and service information technologies. You may think that your Managed Service Provider (MSP) should be able to handle the security, support, and growth of these systems. For the most part, you would be correct, but with the acceptance and integration of mobile devices as viable platforms for healthcare services, support and security of these devices become more difficult for even the largest of MSPs. According to a set of two surveys done by Spok, one in 2011 and the other in 2019, mobile device use for nurses grew from 53% to 79%. Today in 2019, 90% of doctors use mobile devices to perform health-related activities. Most of these activities involve communicating with care team members, receiving actionable information, and delivering real-time clinical data.

We can see that mobile devices are not just used for casual phone calls in the healthcare atmosphere. More and more, these devices are being used to communicate critical time-sensitive information that can have a significant impact on the quality of care of patients. That being said, mobile devices are notorious for their lack of security protection, and the fact that they use Wi-Fi makes them more vulnerable. Pair this with a lack of importance put on mobile device policies, and you have a perfect storm that cybercriminals will exploit when given a chance.

So, what can you do? The use of mobile devices is inevitably going to grow. So the best thing you can do for your practice is to ensure you have a robust and secure infrastructure in place to help support these devices.

Here at Medicus IT, we specialize in creating IT solutions for healthcare organizations and understand the stringent security standards that are required for HIPAA compliance.  If you have concerns about the infrastructure of your healthcare organization, contact us today. We can perform a free network assessment to determine any security and compliance gaps your practice may have.

You Treat Patients. We Treat You.

By: Mike Jann
Medicus IT
www.MedicusIT.com
678-495-5908

MJann@medicusit.com

 

 

 

Meet Your Customer’s Changing Payment Needs


The true measure of success for a thriving business is their customers.  Therefore, it’s important to be in tune with your customers to offer the right products, services, location, and yes, payment options.  Customers may want your product, but they are more apt to buy it on their terms.  Meeting them at this point increases the likelihood of the sale and increases the sale amount.

Physical Terminal:

Do you have a physical terminal with the latest technology?  The traditional consumer has their credit card ready to pull out to swipe or ‘dip the chip’.  Younger generations are more likely to pay using their mobile wallet.  The physical terminal should have the capability for EMV chip processing as well as NFC (near field communication) such as Apple Pay, Android Pay, or Google Wallet. These features not only allow convenience but also speed and PCI (payment card industry) compliance to limit fraud.

Recurring and/or Installment Payments:

Larger purchases require more flexible payment solutions.  Today’s consumers want to buy now and pay later.  By allowing the customer the instant gratification they desire, merchants meet their customer’s desire and make the sale.  Setting up recurring or installment payments through a virtual terminal is a simple process to capture the sale.  Virtual terminals offer flexible options to collect payments weekly, bi-weekly, monthly, quarterly, and more.  So, payments can be captured after customers are paid or in-between other bill periods.

Through recurring processing or installment payments, merchants can also extend their relationship. Customers don’t visit just once, they return and build loyalty. Using a subscription model for services, such as monthly lawn service or unlimited treatments for a monthly fee, merchants can collect payment before providing their services.  It creates a predictable cash flow and higher customer retention. Additionally, merchants reduce late payments or chasing down outstanding balances.

Electronic Invoicing and Web Payments:

Electronic invoicing is a hassle-free way for merchants to collect outstanding payments. The merchant sends an invoice via email or text; the customer simply clicks, enters their card information on a secure server, and the payment is complete. It’s convenient for your customers and means faster payments for the merchant. No more sending paper statements every 30 days and waiting for the customer to send in their payment. Customers can click and pay when they first see the invoice, whether that be 9am or 2am. The merchant can receive an email when payment is complete or review reports.

Similar to electronic invoicing, the merchant can have a ‘Make Payment’ button on their website to collect payments from customers.  The button brings the customer to a secure payment server hosted by the processor gateway to ensure proper encryption.  The customer enters their payment amount, invoice number or other custom fields, and card information to complete the payment.

Mobile Processing:

If your business takes you away from the office, you can collect payments on your smartphone or tablet. An app from the payment processor provides easy-to-use and secure payment collection on the go. Bluetooth devices can be added to utilize EMV, swipe, and/or NFC payments similar to the physical terminal. Being ready to take payments when away from the office helps to secure the sale as well as meet the customer where they are.

By utilizing a suite of payment options, your business will be ready for the various types of customers.

 

Jennifer Autian is the founder of TCA Business Solutions and an independent representative of merchant services.  To learn more about expanding your payment processing options, connect with her at 678-523-8760 or by email at Jennifer@tcabiz.com.

What’s Your Threshold?


Thresholds, what are they and why do they matter to practices?

If you said, “thresholds are a strip of wood, metal or stone forming the bottom of a doorway”, well…. you’d technically be right, but I’m not talking about that kind of threshold.

No, I’m talking about time (or count) thresholds as they relate to inbound calls in your practice. These are pre-planned values that are used as part of key performance indicators (KPIs) to benchmark against internally, and ideally to trigger operational processes or employment of resources to positively influence the overall delivery of patient experience.

Why it Matters

These threshold levels can be very important in assessing a practice’s service level. At the most basic level, we all know what happens when calls take too long to be answered, right? They hang up. Thresholds in this example can be set up around your longest wait time in queue for your current interaction to help ensure a minimal number of calls/patient interactions go unanswered before a predetermined amount of time passes, and they are abandoned.

When used properly, thresholds can be a fairly accurate early indicator of when calls are likely to be abandoned. The key is having the tools to analyze, continually, if your thresholds continue to make sense. Is it a threshold that is helping to keep abandoned calls to a minimum? Reporting & Analytics software can help you leverage your data to determine when thresholds should be set and adjusted to make sure calls are answered before the average call is abandoned.

What About the Patient

Another way to think about thresholds is from the perspective of your patient: thresholds are great when used as a KPI (Key Performance Indicator), but ultimately, they are there to ensure a better experience for your patients. They should be used to trigger interventions within your practice to minimize wait time, ensure the right skilled resources are available for your call volume to certain skilled queues, etc. Remember, if a call waits too long it likely means something worse than an increment against your Abandoned Calls %… it more than likely translates to a lost appointment or the loss of a future mutually beneficial relationship with that patient.

How About an Example?

You’re a practice manager. It’s been a busy Monday morning and you are constantly putting out fires. You look away from your dashboards to answer some emails or talk to a coworker. Your team is busy, and the calls are coming in faster than they can be answered; we’ve all been there. You’re quickly approaching your configured threshold limits and there’s a chance you miss the visual warnings and alerts that are telling you something is wrong. Fortunately, with proper tools like Brightmetrics software you’re able to configure audio alerts in addition to the visual alerts that tell you when calls are approaching your threshold. This will allow you and your team to proactively manage and redistribute workloads to get the calls answered before you exceed your service levels.

But Wait, There’s More!

And if you’re a Real Time Dashboard user, thresholds can play a pivotal role in how you provide top notch patient service. If you’re trying to deliver the best experience for your patients, it’s likely that your dashboards are the first thing you look at in the morning and the last thing you see before you leave; your eyes are always on them.

And because we know you’re busy and want your data easily digestible, thresholds can be configured to be highlighted in On-Demand Reports in a visual format so you can quickly see the calls that exceeded the predetermined threshold and why it might have happened.

For questions on how your practice can take advantage of these types of Reporting and Analytics tools, contact Paul Mancini with Clear Choice Telephones at 678-387-3200 or paul@clearchoiceinc.com

 

 

Assessing Telehealth ROI


Telehealth has been a buzzword lately in the healthcare industry. With all this talk about how telehealth can help improve the quality of care and overall revenue for your practice, there comes the point when it merits serious consideration. The real question is, “How do you track your Return On Investment (ROI) from implementing telehealth systems?”

Unfortunately, calculating ROI for telehealth systems is different from practice to practice. Luckily, Manatt Health Strategies has been working on a solution. Manatt did a case study on one rural healthcare organization and one more urban healthcare organization to determine which factors should be included to define the ROI from a new telehealth system. They identified four different institution types that each have unique considerations to take into account. (Table 1)

Along with these clearly defined institution types and unique considerations, there are seven general considerations that every healthcare organization should look at when deciding how to determine their ROI. Each of these general considerations has a vital aspect they test, but you have to think critically and ask the right questions to see their value. First, Patient Acuity Mix, Cost Savings, and Reimbursement or Contract Revenue all have to do with the revenue stream of your healthcare practice. By analyzing the changes in these three considerations, you can determine how your telehealth system has impacted your revenue. Next, New-Patient Volume and Patient Retention reflect how your patients are responding to your telehealth system, potentially how telehealth is enhancing the quality of their care. Last, Technology, Program and Program Management, and Staffing help define costs and staffing requirements of your telehealth system. These directly impact the overhead of your practice. Comparing these three segments to one another can give you a clear view of the ROI for the telehealth system and where you need to think about improvements.

Keep in mind that these are just two case studies from one healthcare strategy group, and as telehealth becomes more widespread, more refined systems to calculate the ROI of your telehealth system will begin to show up. Don’t get lost in the data and remember that the ROI of your telehealth system should always be defined by unique considerations for your specific practice. Only you and your patients can determine if telehealth is helping or hurting your practice.

By: Mike Jann
Medicus IT
www.MedicusIT.com
678-495-5908

MJann@medicusit.com

A US airport is the latest place to ban plastic water bottles


It’s just the beginning of fixing the airline waste problem.

By Terry Nguyen (terry.nguyen@voxmedia.com), Aug 21, 2019, 4:40pm EDT

Since the advent of air travel, airlines and airports have provided passengers plastic-wrapped items to be used once and tossed away. Rather than make the switch to sustainable goods and packaging, which tend to be heavier than plastic, the aviation industry has kept at this — and annually generates millions of tons of plastic waste.

In recent years, however, sustainability has grown into a larger talking (and selling) point for customers, who care about green travel options. On August 20, 2019, the San Francisco International Airport (SFO) started banning plastic water bottles smaller than one liter from being sold at concession stands, lounges, restaurants, or vending machines. It’s the first major airport in the US to issue such a policy, a step toward its goal to be a zero-waste hub by 2021.

Each guest that comes through the airport produces roughly half a pound of trash, an airport spokesperson told CBS News, and around 10,000 bottles of water used to be sold daily. San Francisco International already requires vendors to provide certified compostable utensils, food service accessories, and reusable cups.

As progressive as that sounds, there is a caveat: The plastic bottle policy only applies to water (not other beverages like seltzers, juices, or sodas), and doesn’t affect how airlines independently serve passengers. Airport vendors will still be able to sell water in presumably single-use aluminum and glass containers, which are arguably not much better for the environment.

Plastic water bottles have a notorious reputation in our waste-obsessed world: They’re flimsy, disposable, and most likely won’t be recycled, since research shows that only 9 percent of plastic waste ever generated are reused. They’re also manufactured from petroleum, which is extracted by oil drilling.

While glass and aluminum certainly seem more sustainable (both can be recycled again and again), manufacturing cans and bottles out of these materials, not to mention shipping them, requires lots of fuel, according to Grist’s Umbra Fisk. Completely banning single-use disposables — or even all plastic bottles, in this instance — would be a radical step for the airport, but could lead to a number of problems. It could cause confusion for passengers not aware of the policies, and according to SFO’s spokesperson, there are not enough non-plastic alternatives for teas, juices, or sodas.

In comparison, San Francisco International’s push to completely ban plastic water bottles seems positioned to actually reduce waste. (Now if only it could do the same for plastic Coca-Cola bottles or aluminum La Croix cans!) But conscious change, especially in a space thousands of transient people pass through daily, happens slowly.



Added by article submitter:

First it was plastic straws, now it’s plastic water bottles. It might be time to start thinking how we can all do our part. There are tons of options when it comes to re-usable tumblers, simple plastic ones and stainless versions with vacuum sealed interiors to keep liquids either hot or cold. All can be imprinted with a company logo. Now that we know for sure passengers will be carrying something other than plastic bottles through the airports, it might as well be some sort of device with YOUR logo on it.

Sheila Fox-Lovell

Shandy Creative Solutions

Shandycreative.com

sheila@shandycreative.com

Is Your Company at Risk for Occupational Fraud?


As a business owner or Managing Partner with a large corporation, you want to trust your employees, and this includes upper management, as well. You interviewed, tested, and helped train the best candidate available who eventually became a part of your business. After roughly 16 months, you find yourself looking at a case of Occupational Fraud. How did this happen? Oversight. Weak internal security accounts for almost half of the fraud instances.

According to the “Report to The Nations: 2018 Global Study on Occupational Fraud and Abuse” publication, 2,690 real cases of occupational fraud were reported from 125 countries in 23 industry categories with $7 billion total losses. Small businesses generally suffer the brunt of monetary losses in an approximate period of 16 months per case. Employers need internal controls and a trained resource for prevention. An internal audit is generally a good place to start and this can be done by an independent third-party source such as Stellaris Group Human Resources in Roswell, Georgia, by a CPA firm, or by management.

It’s difficult to know where to begin when it comes to preventing occupational fraud in the workplace, but with a few steps you can help keep your company safe:

  • Have a system in place where employees can anonymously report or tip you off that someone in the company may be stealing from you in one form or another. Internal tips are the number one method of detecting occupational fraud over other methods and account for approximately 40% of the cases reported.
  • An Internal Audit is another way to detect someone who may be cooking the books or outright stealing from you. Some signs might include an employee showing up at work all of a sudden with an expensive new car or wearing designer clothes that you are certain are outside of their salary range. Or maybe they are having financial problems such as too much debt or a gambling problem. The reasons are endless.
  • Conduct a Management Review and delegate. Prevent any one person from managing all of the accounting responsibilities, such as payroll, accounts payable, receivables, bank reconciliations, financial statements, etc. These responsibilities should be shared among several employees in order to prevent the temptation of occupational fraud.

Overall, implement a Hot Line for employees, vendors, and competitors to tip you off if they suspect fraud. Have a good anti-fraud plan in place. Small businesses suffer greater losses because they sometimes lack the resources larger corporations have in place. If you do not have a Human Resources department, hire one to independently review your current anti-fraud plan for recommendations or guidance.

Dawn Stastny, SPHR, SHRM-SCP is the Managing Partner and Founder of Stellaris Group, LLC. To learn more about Human Resources Outsourcing and Consulting, connect with her at 678-935-6001 or by email at Dawn.Stastny@Stellaris.Co

References:

https://s3-us-west-2.amazonaws.com/acfepublic/2018-report-to-the-nations.pdf

 

‘Ban the Box’ is Most Likely Coming Soon to an Employer Near You


According to the National Employment Law Project (NELP), three-fourths of the U.S. population lives in a community that has banned the box. This leads to the question of “Can you legally ask an applicant if he or she has ever been convicted of a crime or involved in any illegal criminal activity,” during a job interview?

The answer is both “yes,” and “no.” It’s complicated. Can you legally include this question on a job application where an applicant has to click the box regarding having a criminal background? Currently you can—in *some states and municipalities, based on private or public entities.

**On the Public Level, over 150 counties and cities and 35 states (at the time of this writing) have initiated the “ban the box” movement in an effort to allow job candidates a fair chance of becoming employed. Depending on the state, county, or municipality’s laws, the candidate may not be questioned about his or her criminal background until later in the hiring process, generally after a firm offer has been made, or sometimes after a second interview where the question may be asked or a criminal background check may or may not be performed (again, this depends on your state or local laws).

**In the Private Sector, 18 counties and cities and 12 states (at the time of this writing) have extended the fair-chance laws to ban the box among them. This is all in an effort to give a potential employee a chance to prove to the employer that he or she is qualified for the position. In the past, most employers would look at the check mark in the box, and make a snap judgement based solely on that and move on to the next applicant before a fair chance was given.

So, what does happen when a potential employee applies for a position and you are genuinely interested in them, only to discover during a criminal background check that he or she has a criminal record? This is up to you. According to a *“SHRM” article dated November 12, 2018, “The dilemma for HR and hiring managers lies in finding the balance between giving applicants with a criminal history a chance to be evaluated on their qualifications and being liable for negligent hiring.”

As the ban the box movement progresses, and it is, things can get even more complicated for employers and the hiring process. It’s a little-known fact that this movement has been around for the past 20 years, but it is gaining momentum as time goes by. These days, more than ever, Human Resources has their work cut out for them, and if you don’t currently have an HR department or someone certified in HR at your disposal, it is imperative that you seek out a reputable HR company like Stellaris Group in Roswell, Georgia.

Stellaris Group is well-versed about Government Compliances, Recruiting and Hiring, Employee and Labor Relations, and day-to-day HR management. If you need to know what you can or can’t do as a business owner or an employer, you can count on Stellaris Group to keep you in the know.

Dawn Stastny, SPHR, SHRM-SCP is the Managing Partner and Founder of Stellaris Group, LLC. To learn more about Human Resources Outsourcing and Consulting, connect with her at 678-935-6001 or by email at Dawn.Stastny@Stellaris.Co

*https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/xperthr/pages/ban-the-box-laws-by-state-and-municipality-.aspx

**https://www.nelp.org/publication/ban-the-box-fair-chance-hiring-state-and-local-guide/#Chart_of_Local_Fair_Chance_Policies

CMS and The Office of Civil Rights take another step in enforcing HIPAA activities by launching “ASETT”


The new program is called ASETT (Administration Simplification Enforcement and Testing Tool).

This web-based platform is for individuals or organizations to file complaints for potential non-compliance with the non-Privacy/Security provisions of HIPAA. CMS is making an effort to make the “whistle blowing” process easier for the general public. It is a streamlined process that allows patients to report what they feel is a violation or misstep with their PHI and the like.

The ASETT system securely captures demographic information about the complainant and the filed-against entity, as well as details of the alleged violation, and any supporting documentation provided by the complainant and the filed-against entity. When filing a complaint, the complainant has the option to remain anonymous to the filed-against entity.

Complainants are urged to provide as much detail as possible to justify and support the allegations, and to ensure that accurate contact information is provided for the filed-against entity (full names, titles, phone numbers, and email addresses). Each complaint is reviewed for validity and completeness to ensure that it can be processed. The site offers Tips to assist the accuser in documenting their complaint (i.e., Add Supporting Attachments to support your complaint; Test Transactions to support Transaction violations).

Once the contact information for the complainant and the filed-against entity is verified and validated, CMS will officially open a complaint. CMS will contact the filed-against entity by phone/email to notify them of the allegations and to advise them that a letter will be sent with complaint details and a request for follow-up. This exchange permits the filed-against entity to evaluate the information, conduct an internal investigation, and either dispute the allegations or develop a response indicating how the issue will be corrected.

The correction can be done either immediately by their staff, or through a process outlined by a formal Corrective Action Plan (CAP).

The CAP is created out of performing a Security Risk Assessment and documenting those items that need to be addressed/mitigated. A CAP is considered a “working or live” document since it should be referred to and updated throughout the year. Just about any audit that a covered entity will be faced with will include the delivery of a current Corrective Action Plan.

One of our services includes examining a covered entity’s current CAP (and Risk Assessment), to help them better understand how to mitigate those specific risks, and help them prioritize with a plan forward. If you need additional information, feel free to contact us at www.gsgcompliance.com or 877-270-8306.

You can find more information about the ASETT web-based tool at the link below.

https://asett.cms.gov/ASETT_HomePage

Healthcare’s number one financial issue is cybersecurity


The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity and reputation.

Tuesday July 30, 2019

By: Susan Morse, Senior Editor, Healthcare Finance

 

Cyber attacks affect the finances of every hospital and insurer like no other.

“I’ve seen estimates of over $5 billion in costs to the healthcare industry annually,” said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. “That’s enormous and is not going away.”

Beyond the cost to find a solution to fix breaches and to settle any civil complaints are fines from the Department of Health and Human Services Office of Civil Rights. In 2018, OCR issued 10 resolutions that totaled $28 million.

The HHS Office of Civil Rights is stepping up breach enforcement of private health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor handling civil and criminal investigations for the Department of Justice.

What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.

“There is no perfect cybersecurity,” Rivera said. “They say it’s not perfection, it’s reasonable efforts. That’s going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents.”

Also, hospital finance professionals who are relying more on contractors for revenue cycle management and analytics should take note of the security issues involved in sharing this information.

“Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information,” Rivera said. “It’s more valuable on the dark web.”

It’s also not easily fixed.

If an individual’s credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.

THE IMPACT

Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.

Hospitals are behind because first, it’s a challenge to keep up with the move to more information being in electronic form.

“There’s no hospital that doesn’t have mobile EHR information,” Rivera said. “Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks.”

Also, the focus of healthcare has always been patient care. The population health explosion also involves the sharing of information.

And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.

RECOMMENDATIONS

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

Hospitals should be able to determine where certain data goes off the rail, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.

“You don’t want to learn about a data breach because the FBI saw it on the dark web,” Rivera said. And some hospitals have.

It’s a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It’s like locking down doors and windows.

The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.

Prices for other cybersecurity measures vary from a software purchase that could be in the millions, to having vendor monitoring.

But the cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation and the service disruption.

Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.

THE LARGER TREND

OCR enforcement activity during 2018 demonstrates the agency’s continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.

Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise; implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing private health information is security compliant.

The OCR concluded 2018 with an all-time record year for HIPAA enforcement activity. The OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016.

In addition, OCR also achieved the single largest individual HIPAA settlement of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.

Article provided by Stephen Bradley
