Tuesday, August 30, 2011

Doctor's office settles with OSHA

A local doctor’s office has agreed to pay a $10,500 fine as part of a settlement with the Occupational Safety and Health Administration.

The Kirkland Family Practice also agreed to correct violations involving exposure of employees to needles and other sharp devices, infection control and employee training, according to a settlement signed Aug. 18 by Dr. Clem Kirkland.

In July, OSHA cited the office, 5928 Springboro Pike, with eight violations calling for a potential $32,000 fine.

In the settlement, OSHA withdrew citations involving steps taken after an employee suffered a needle-stick in June 2011 and annual employee training. OSHA reclassified and reduced the fines for other violations.

In addition to the fines, Kirkland agreed to rewrite its exposure control plan, including “annual consideration and implementation of safer needle devices” and “identification of the appropriate disinfectant to be used in decontaminating contaminated work surfaces.”

Kirkland also agreed to hire inspectors for annual job safety and health inspections for the next two years and to report “how each item was abated or corrected” to OSHA.

Kirkland did not return calls.

HITECH Act Changes Game For HIPAA Compliance VARs


These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had -- a potential windfall of business driven by federal mandates and backed up by government funding.

Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement powers through President Barack Obama's stimulus plan, spurring small doctors' offices and large hospitals alike to start conversations about becoming compliant and transferring sensitive patient data to Electronic Health Records (EHRs). And the channel is reaping the rewards.

The key factor driving these changes is recently enacted legislation -- the Health Information Technology for Economic and Clinical Health [HITECH] Act, which arms HIPAA with tough new enforcement capabilities as well as more funding.

“The main catalyst is in the HITECH Act, and the additional pressures that are being put on physician practices and their business associates to become compliant,” said HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider. “Up until HITECH came out in 2009, there were never any teeth in HIPAA enforcement. There wasn’t a lot of attention paid to the organizations that violated it.”

The federally mandated HIPAA emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information. However, it lacked enforcement, solution providers said.

HITECH contains incentives related to health-care IT designed to accelerate the adoption of EHR systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. Some of HITECH’s enforcement mechanisms include stiffer financial penalties and more varied and numerous fines affecting a wider swath of noncompliant organizations.

As HIPAA compliance gradually becomes hardened with enforcement mandates, medical facilities that range from small physician’s offices to major hospitals are starting to ask questions about how they can convert their sensitive patient data to EHRs and become compliant, partners said.

That reinvigorated enforcement as well as the mandated transition to EHRs have paved the way for HIPAA compliance as a burgeoning niche that is rapidly gaining traction for security solution providers.

“It [HIPAA compliance] needs the channel,” Dylewski added. “Unless they have an office staff with HIPAA background, [compliance is difficult], and I don’t find that nearly as frequently.”

David Altizer, vice president of sales and marketing for SOS Systems, a Memphis, Tenn.-based security solution provider, said that his company has experienced a huge uptick of HIPAA-related business since January as awareness about healthcare privacy laws has grown.

One big opportunity is in HIPAA-specific assessments and audits. Service providers rely on specialized tools, such as eGestalt’s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the areas of risk and makes them a priority for remediation.

Altizer said that he has been able to make inroads with medical organizations by conducting risk assessments to determine compliance vulnerabilities and then analyzing the data to show the organizations their weakest links in terms they would understand. He then gives the customers tangible steps they can take in order to become compliant.

“We identify where they’re vulnerable and where the highest risks are, and find opportunity to upsell with things like firewalls or servers with Active Directory, and implement policies and procedures in those operations,” Altizer said. “Whether it’s a doctor’s office or transferring service, they all have to provide this documentation.”

Other channel opportunities include maintaining and upgrading firewalls with a strong antivirus, as well as providing hosted e-mail solutions and e-mail encryption -- vital when physician’s offices are transferring sensitive medical information via e-mail.

Leo Bletnitsky, president of Las Vegas Med IT, a health-care security solution provider based in Las Vegas, Nev., said that of all his health-care customers, only one encrypted e-mail, representing a huge untapped opportunity in the near future. “That is a requirement not only for HIPAA, but Nevada state law,” he said. “But there’s a lot of opportunity potentially as budgets start getting freed up.”

Another area that is growing by leaps and bounds in health-care security is offsite backup and recovery services, also mandated by HIPAA. In addition, eDiscovery products and correlating consulting and analyzing services are increasingly necessary for digging up critical information required in the event of a lawsuit.

“If a practice or a business is ever audited, they have a single point of reference where all the documentation and proof exists,” Dylewski said.

The mounting opportunities translate into unprecedented profit growth for some solution providers. Altizer said that he has seen margins grow to anywhere between 40 and 50 percent, while in some cases rising to 60 percent with added consulting services.

“In all cases we try to sell some form of consulting on top of the assessment software. On top of that we’re helping them analyze these risks and determine where they are on compliance,” he said. “We’re uncovering some very profitable opportunities.”

Meanwhile, Dylewski said that his HIPAA compliance business has grown 120 percent over the last year and he expects that it will grow 100 percent a year over the next two years.

The opportunities also don’t stop at the doctor’s office or medical facility. HITECH also contains refinements that extend security not just for medical providers, but their contracted partners -- or business associates (BA’s) -- which also have access to private client health information.

Bletnitsky said that during the last year he’s seen more medical practices conducting HIPAA agreements -- non-disclosure agreements that promise to protect confidential health-care information -- with partnering vendors. “That’s something that no one really did three years ago,” he said.

That’s where some of the biggest opportunity exists, Dylewski said. While many medical providers are aware of the new security requirements and have already begun the process of implementing EMRs and data security protections, many of their business associates have not.

Altizer said that for every doctor’s office SOS Systems targets, they get anywhere from 10 to 15 referrals for business associates who are not compliant or need assistance in enhancing their compliance infrastructure. “That’s 10 or 15 calls we have to make,” Altizer said, adding that from there, SOS will then make sure they get a list of other partnering doctor’s offices that the business associates service. “It all mushrooms from there,” he said.

And in some cases, solution providers are benefitting from government programs that are providing doctors’ offices and medical organizations direct funding to implement upgraded and expanded security infrastructure in order to become HIPAA compliant.

Specifically, channel partners such as ATMP Solutions work in collaboration with organizations such as the Michigan Center for Effective IT Adoption (M-CEITA), one of about 60 federally funded regional IT centers that assist medical providers throughout the entire adoption process. Among other things, M-CEITA helps medical providers achieve “meaningful use” and access EHR incentive payments.

Those incentives come in the form of payments and reimbursements for doctors’ offices and medical facilities, which are then directed to the IT channel to acquire and implement EHRs, as well as security and privacy software, if the medical organizations can prove they have achieved a level of “meaningful use.”

The financial incentives translate into tens of thousands of dollars, distributed from various pools of money that include direct federal funds to reimburse the costs of EHRs, as well as other pools out of HITECH that are funneled into training and education programs for healthcare providers on IT.

Under HITECH, physicians can qualify for up to $44,000 in Medicare bonus incentives if they can demonstrate “meaningful use” of an EHR, while physicians that deal with a large volume of Medicaid patients can qualify for up to $65,000 in incentives.

Meanwhile, Bletnitsky anticipates an uptick of health-care security business in the next year due to raised awareness generated by other government organizations dedicated to disseminating information about the HIPAA mandates and conversion to EHRs, which he says could help drive health-care security from 50 percent to 75 percent of his overall business.

One such organization, Las Vegas, Nev.-based Health Insight, the Medicare Quality Improvement Organization (QIO), serves that very purpose for small medical practices. Among other things, the non-profit, community-based Health Insight provides low-cost consulting, information and enablement regarding EHRs, which include analysis of implementation, quality care analysis and work process redesign.

Bletnitsky said that he works regularly with Health Insight to find and funnel business opportunities their way. Thus far, less than 50 percent of his customer base has embarked on the process of EHR adoption. But recently he’s seen a groundswell of about 10 more medical facilities initiating the conversion process. And he anticipates further growth by January and February as more medical practices take advantage of Health Insight’s services or receive stimulus funds for the conversion.

Once the ball gets rolling, solution providers such as Las Vegas Med IT are on the front lines for implementation, assessment, monitoring and maintenance services, he said.

“In the long term it’s going to be beneficial. They’ll need more technical assistance to get up and running on the information exchange,” he said.

Meanwhile, more government organizations like M-CEITA are emerging around the country as HIPAA gains traction, with a mission to enable compliance that will ultimately spur IT business around data protection right to the channel.

And because HIPAA and HITECH are federal mandates, health-care security solution providers can often expand their customer base from anywhere in the country.

“Customers are going to say, ‘what do you mean I have to secure this?’ They’re not even aware of the breaches that can happen,” said SOS’s Altizer. “We just have to get the information to them.”

This article was originally posted at http://ping.fm/XEeT4

Saturday, August 20, 2011

What Is The Best/Cost Effective E-learning Technology

E-learning technology has been evolving for quite some time now; it certainly has evolved through its slow but steady start. It is now growing in use and acceptance. The adaptation of e-learning in normal business training operations is increasing and more companies are experiencing the advantages of the technology.

An ideal e-learning technology should start with these three basic components – Learning Management System (LMS), Learning Content Management System (LCMS) and Talent Management System (TMS). LMS technology is designed to manage the learners: from determining what one needs to learn to perform in a particular position or task, to what the employee needs to learn next to be more competent. On the other hand, LCMS technology manages the learning content, which works on how to create content to be delivered on different platforms. Lastly, the TMS technology manages the workforce: from finding the right candidates to how much an employee should be compensated. The interplay of these technologies is the key to a working and efficient e-learning system.

The best e-learning technology is relative and varies on a case-by-case basis. What works for company A may not work for company B, or vice versa. It depends on what goals have been established for the implementation of the e-learning technology. It is equally important to consider the capability of a company and how much budget it can allocate to adopting a new kind of technology. Choosing and maintaining an e-learning system for a company falls heavily on the shoulders of the learning and development team. It demands a lot of skills and competencies as e-learning covers wide areas

This article was originally posted at http://ping.fm/0xuEN

Friday, August 19, 2011

Backchannel Learning in an Organizational Setting

About 15 years ago I was in a training class at my previous employer, and the person next to me was responding to emails on his Blackberry. The trainer facilitating the session stopped her lecture mid-sentence and addressed my coworker. I distinctly remember the disdain in her voice as she said: "Please put your phone away, it's distracting you and the rest of the group from the learning."

My, how times have changed.

Today it is commonplace to see people in a learning environment actively using their mobile phones. The assumption can no longer be made that using the phone is linked to some sort of disengagement on the part of the learner; quite often it's exactly the opposite.

Social media tools are rapidly changing the "rules" that have historically been applied to learning environments. The transfer of knowledge and skills is no longer limited to the teacher/student conduit. Learners are now pulling learning on their own—exercising more control over what they learn, when they learn, and how they learn. The advancements in mobile phone technology have made it possible to have access to just about everyone and everything from a device that can fit into your pocket.

Many teachers, trainers, and presenters have been resisting the use of mobile devices during their sessions. To quote a famous Star Trek line, "Resistance is futile." The influx of smart phones is only going to continue, so resistance only delays the inevitable. It is also shortsighted, as the usage of mobile devices during sessions is not a risk at all; it is an opportunity.

Simply put, learners are now walking into your session carrying the ultimate engagement tool right in their pocket.

One of the first demonstrations of using mobile phones and social media to enhance learning came, appropriately, from the learners themselves. Learners in classes and at conferences started informally sharing their learning experiences while it was happening via Twitter. More and more learners began interacting and sharing with each other. People not attending the learning session could follow and learn from the postings of those in attendance. This ability to break through the walls of a traditional learning environment and interact with the public at large is commonly referred to as "The Backchannel."

Many stories of backchannel learning are focused on academia and the traditional classroom environment. However, there are a number of powerful ways in which corporate organizations can harness the power of the backchannel as well.

Conference Backchannels


One of the biggest arenas in which backchannels are in use is at conferences, which can be a huge resource to organizations. Conference attendees routinely post updates from sessions they are attending, sharing key learning points. Attendees also add to the overall learning by sharing their own opinions and experiences. Most conferences recognize the growing participation and value of the backchannel and have begun to include the suggested hashtag in the marketing materials of the event.

Budget constraints usually limit the number of team members that can participate in conferences. One or a few members of a team may be able to attend, and if the organization is lucky, they are able to bring some of what they learned back to share with their team.

The Backchannel changes that equation. Non-attendees can learn from attendees in real time. They can interact with their counterpart in attendance, asking questions that delve deeper into the content being shared by the attendee. Through these interactions, a bridge is built that carries some of the learning from the conference to those who are not in attendance.

The exciting part is that this opportunity of sharing between organizational employees in attendance and those back at the workplace is only the tip of the iceberg. Beneath the surface is the true power of the backchannel, which enhances and increases the learning potential for non-attendees exponentially.

In addition to the content shared by those organizational employees in attendance, non-attendees can also learn from the content shared by everyone else attending the conference. For larger conferences, there could be hundreds of people sharing their learning via the backchannel.

It is in this open sharing that the true power of the backchannel emerges. You can definitely get an understanding of the themes, trends, and concepts being shared at a conference by reviewing the postings of attendees shared through the backchannel.

Is it as good as sending an entire team to attend a conference in person? Probably not, but it does have the potential to have your entire team engaged in conference learning in ways that were impossible in the past.

Internal Backchannels


The backchannel can be leveraged internally at organizations as well. Consider a bank's new-hire teller training program. The overall curriculum for such a program will likely include an in-person workshop component. At first glance, a workshop consisting of only 10 or 20 participants may not seem like an appropriate scenario to encourage a backchannel. Such an assumption would ignore the non-attending tellers currently working in the company—of which there may be hundreds.

Incorporating a backchannel into a new hire teller training workshop has huge potential. There is an opportunity to tap into the knowledge and skills of the existing teller population, as well as sharing new information with that audience. Consider these examples:

  • During a section on the most important characteristics of a teller, the existing workforce is polled and engaged in the discussion.

  • Key learning and performance points are posted as updates, reinforcing their importance to both new and existing employees.

  • Banking rules and regulations are constantly changing. Backchannel posts are used to point out policies and regulations that have recently changed. This reinforces the new tellers' learning, and ensures that existing tellers are aware of important changes.


I can almost hear people's thoughts as they read these examples, with the overall theme of the concerns being "we can't share information like that publicly on Twitter." And if you're thinking that, you'd be very much correct.

Luckily, there are a number of solutions available that address the privacy and security concerns of social media tools. The most common of these tools is Yammer, which enables you to utilize the micro-blogging functionality of Twitter "behind the firewall" and within a closed group of individuals. Of course, firewall concerns are somewhat secondary, simply because no organizational firewall can block my ability to post an update to Twitter via my personal mobile device.

The backchannel isn't something an organization can fully control, even if it wanted to. It exists organically, created and shaped by its participants. What organizations can do is search for ways to reinforce and harness the learning that takes place through the sharing.

It's in that sharing that the backchannel becomes a great representation of social media being used as a tool to support social learning, which is a concept more and more organizations are placing focus on. For organizations that are looking to leverage technology to support their employees' social learning, a backchannel is an excellent resource to consider.

This article was originally posted at http://ping.fm/wLZKI

Wednesday, August 17, 2011

U.S. Files Complaint Against Education Management Corp. Alleging False Claims Act Violations


WASHINGTON – The United States has intervened and filed a complaint in a whistleblower suit pending under the False Claims Act against Education Management Corp. (EDMC) and several affiliated entities, the Justice Department announced today. In its complaint, the government alleges that EDMC falsely certified compliance with provisions of federal law that prohibit a university from paying incentive-based compensation to its admissions recruiters that is tied to the number of students they recruit. Congress enacted the incentive compensation prohibition to curtail the practice of paying bonuses and commissions to recruiters, which resulted in the enrollment of unqualified students, high student loan default rates and the waste of program funds.

“Colleges should not misuse federal education funds by paying improper incentives to admissions recruiters,” said Tony West, Assistant Attorney General for the Civil Division of the Department of Justice. “Working with the Department of Education, we will protect both students and taxpayers from arrangements that emphasize profits over education.”

“Federal tax dollars must be protected from abuse,” said David J. Hickton, U.S. Attorney for the Western District of Pennsylvania. “This action against EDMC seeks to recover a portion of the $11 billion in federal student aid which EDMC allegedly obtained through false statements and which enriched the company, its shareholders and executives at the expense of innocent individuals seeking a quality education.”

The False Claims Act allows for private citizens to file whistleblower suits to provide the government information about wrongdoing. The government then has a period of time to investigate and decide whether to take over the prosecution of the allegations or decline to pursue them and allow the whistleblower to proceed. If the United States proves that a defendant has knowingly submitted false claims, it is entitled to recover three times the damage that resulted and a penalty of $5,500 to $11,000 per claim. When the government intervenes, the whistleblower can collect a share of 15 to 25 percent of the United States’ recovery.

The suit was originally filed by Lynntoya Washington, a former EDMC admissions recruiter, who later filed an amended complaint, jointly with Michael T. Mahoney, a former director of training for EDMC’s Online Higher Education Division. The states of California, Florida, Illinois and Indiana have also intervened as plaintiffs.

The suit is United States ex rel. Washington et al. v. Education Management Corp. et al., Civil No. 07-461 (W.D. Pa.).

This matter was investigated by the Commercial Litigation Branch of the Justice Department’s Civil Division; the U.S. Attorney’s Office for the Western District of Pennsylvania; and the Department of Education, Office of Inspector General.

Wednesday, August 3, 2011

Learn More About HIPAA Compliance


HIPAA compliance simply means that entities and offices are effectively following the rules that Congress set forth through all three parts of the HIPAA legislation. The government states that each of the covered entities must meet the requirements which HIPAA has set forth.

The general principle of HIPAA compliance is simply to safeguard the Protected Health Information (PHI) of customers or patients. Each entity must choose a person to be the HIPAA Compliance Officer (who is sometimes referred to as the privacy officer). It is the compliance officer’s primary job to understand the laws and regulations of HIPAA as well as to be sure that the necessary actions and procedures are being put into practice so that an entity always remains compliant.

Staying within HIPAA guidelines became a bit more difficult with the addition of the Security Rule in 2006. Information was now required to be held in secured and locked areas to help prevent security breaches in the event of a burglary.

This was the first time that security of electronic information had been addressed in relation to Protected Health Information. HIPAA compliance now required password-guarded software and other extra measures to keep that information safe.

The HITECH Act in 2009 increased these requirements even more by requiring that action be taken in the event of a breach of security. Basically, what this is saying is that the entities must inform patients or anyone who may have been affected by the security breach. It doesn’t matter if the breach in security was due to negligence on the part of the employees or if it was actually a wrongful act from the outside. All entities are required to have HIPAA Compliance procedures in place just in case regular procedures fail.