1st Talk Compliance

[https://1sthcc.com/wp-content/uploads/2025/06/1st-Talk_False-Claims-Podcast.png]https://1sthcc.com/mitigating-false-claims-act-podcast/1st-talk_false-claims-podcast/ In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss the False Claims Act in detail. The FCA, one of five federal laws built to combat fraud, waste, and abuse, is the government’s primary fraud fighting tool, with the healthcare industry paying the largest contributor in recoveries for over a decade. Learn not only about how to avoid running afoul of this law, but also some details of cases in which it was violated, and the repercussions those who did so faced. In addition, find out how a proper compliance program can protect your practice in various ways, including staying up to date on cybersecurity training. Kevin Chmura Rachel, welcome to the podcast. Thanks for joining us.   Rachel V. Rose Thank you, Kevin, for having me back for another round of a very major healthcare compliance topic.   Kevin Chmura It very much is, yeah. This one generates some revenue for the government. So this is one that I think especially in today’s environment, people should be paying a lot of attention to. So as I said in the intro, we’re here to talk about the False Claims Act. It’s one of the most important fraud, waste and abuse laws that applies to physicians and health care practitioners of all kinds. The healthcare industry has consistently been one of the, if not the highest contributor to funds received under the False Claims Act. And it’s essential to be familiar with the law and maintain compliance programs to mitigate that risk. Rachel, I know you spend a fair amount of time in your practice in and around the False Claims Act defending and representing customers and providers. So you’re perfect to cover this topic for us. Wondering, though, if you could give us a brief synopsis of the False Claims Act and why is it unique?   Rachel V. Rose Absolutely. So as you mentioned, my practice focuses a lot on the False Claims Act, and I am fortunate to do a lot of compliance work not only around the False Claims Act, but HHS. OIG has identified five important federal fraud, waste and abuse laws. The False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Authorities, and the Civil Monetary Penalties. And Kevin, as you mentioned, the False Claims Act is really the federal government’s primary fraud fighting tool. And in 2024, there were more than $2.9 billion in recoveries and, moreso healthcare represented over two thirds of that amount. That healthcare trend, as you mentioned, being the largest contributor, has gone on for at least the last decade. And what the False Claims Act does that makes it unique are really, I would say, five main things. But first, the False Claims Act goes back to 1863, and it is also known as the Lincoln Law. Its primary purpose, even back during the Civil War, was to root out fraud that was being perpetrated on the government. So how would that be done? Congress thought about it and said, well, the government could do it on its own if they caught wind of something, or they could insert a provision which gave an individual known as a relator, also known as a whistleblower, the potential to bring fraud to the government’s attention and receive a portion of the recovery. It’s very important to note that a relator and I represented several relators successfully, sometimes with co-counsel, sometimes with not, so I get to see the False Claims Act from the whistleblower standpoint as well. But this notion of being able to represent a whistleblower is the first distinguishing factor. And that’s because most other civil cases, a person can represent themselves on a pro say basis, meaning they don’t need a lawyer. There was a provision in the False Claims Act which in fact requires an individual to be represented by a lawyer. So unless the relator is a lawyer, then the individual needs to obtain counsel in order to file a False Claims Act case. That’s the first thing. Secondly, only the government can choose to open a criminal investigation. So even though certain laws like the federal Anti-Kickback Statute can have criminal penalties or civil penalties associated with them, only the federal government, or if a state has a similar type of law, the state can actually move and bring a parallel criminal investigation in potential proceeding. So that notion that only the government can bring in a criminal case is not unique to the False Claims Act. But what is unique is that a private party can bring a type of case, and that’s how the government learns of something to then potentially open a parallel criminal action. The process for the relator’s counsel is also very different. Normally, if I want to file a lawsuit in federal district court, I have to make sure that either a federal question is involved under 1331, or I need to meet the amount in controversy and diversity of the party’s requirement under 1332. While first, the False Claims Act is a federal statute, so it falls under 1331. So that’s the same. What is not the same is that before I even file a case under seal in a United States District Court, I have to provide a disclosure in evidence to the local United States attorney where I’m going to file the case, as well as providing that same information to Main Justice in Washington, D.C.. Another area that is relevant that I just mentioned is the seal. So that’s the third item. And initially, the statute itself provides for 60 days that the case is filed under seal, meaning no one knows about it but the relator, the lawyers, the judge, and whatever the court staff are, and that’s the way it has to stay. Now, the government may request what are known as deal extensions in this type of case. And another provision relates to the breaching of the seal. In the 2016 Supreme Court case, Rigsby versus State Farm, is the case that outlined different fact orders, which first stated A. Just because there may be a seal breached doesn’t mean that the case is automatically dismissed. But the court said we get to apply these factors and make that determination. I will say that even if the court says no, this case doesn’t need to be dismissed and the Government agrees with that, that the government on the back end, when we start to get to the fee issue where the relator can recover, they, the government, has the right to drop the recovery. If there has been a breach of the seal below what the typical statutory threshold is, and I’ll get to that in a moment. The other distinguishing factor in a False Claims, that case is once I filed the case, it’s really in the government’s hands until they make a decision. And there are three ways a case can go. The government can intervene in the case and intervention can occur at different times. I’ve had cases that have settled under seal and then the intervention decision is made and the seal is lifted by the court, so the government has taken the case through settlement, even though there has not been any action in court, so to speak. The second way to intervene is that if the defendant won’t settle while the case is under seal, the government can say, Hey, all right, relator, we like the case, we have adequate resources. And I don’t necessarily mean monetary resources. I made the specific notion of adequate human resources, right? Because the government only employs so many people and so many assistant U.S. attorneys to work on these cases. So the Georgia Tech case is an excellent example where the government intervened and they’re the ones who are leading trial. So in that instance, the relator’s counsel and the relator just sit back, and if the government needs help with something, then they’ll ask. Declining to intervene means that the government is not going to intervene, but they say to myself or other relator’s counsel, if you would like to move forward with the case and prosecuted, you’re able to. And so I’ve had that scenario as well. And then lastly, they can dismiss the case under C two way, and that’s always the government’s discretion. And the Supreme Court case, the Polansky case is a case from 2023 that actually addressed that very issue. Now, penalties and damages, damages can be trebled under these circumstances. Penalties up until 2016 ranged from $1500 to approximately, not  $1500, $5500 to approximately $11,000 per violation. So that was per healthcare claim. Now the absolute minimum is over $11,500, and the upper end of that penalty range per claim is closer to $25,000. Oftentimes we don’t see penalties assessed unless a case goes all the way through to verdict in a trial. But it can still be costly for damages being trebled depending on the type of case. The relator’s recovery, if the government intervenes in the case, is between 15 to 25% of the total recovery. If the government declines, then the relator is entitled to 25 to 30% in the event of a successful recovery. And it’s important to note that the False Claims Act is not an intent based statute.   Kevin Chmura So. Well, wow that was great, that’s so, it’s dense, right. And there’s, yeah there’s a lot there, and expensive for those that find themselves on the wrong end of this, and so super important. And you touched on I think a few of them but I wonder if you could zero in a little bit on what healthcare laws are often included in False Claims Act cases.   Rachel V. Rose Several laws that are included, Kevin, include the Stark Law and the Toomey case, which was brought several years ago and to date is still one of the largest False Claims Act cases involving the Stark Law. It went up to the Fourth Circuit and that had to do with, in essence, paying kickbacks to physicians where a Stark exception was not met and they were getting remuneration outside of what met fair market value in order to refer patients for designated health services. Now, designated health services is a term of art within the Stark Law. We don’t see that term in the Anti-Kickback Statute, which is another term. One main difference, aside from the designated health services being the only areas that apply to Stark Law, is that Stark is a civil statute, and more importantly, it’s a strict liability. So it’s like speeding. If you go over the speed limit, you can get a ticket the same as the Stark Law. By way of contrast, the Anti-Kickback Statute, which actually predates Stark Law by at least 17 years, is a criminal statute. It applies to every single federal healthcare program, with the exception of the federal employee health benefits program, and it applies to any type of remuneration, whether in cash or in-kind, for referrals to, or utilization of, goods or services related to the provision of health care to a Medicare beneficiary, Medicaid beneficiary, TRICARE or beneficiary, etc.. And there are safe harbors.   Kevin Chmura That’s good stuff. I know from my now a few decades in healthcare and all of the compliance and other training that you are really required to do, I spent a fair amount of time being educated on particularly Anti-Kickback, and I wonder if it would be helpful. Maybe if you could highlight a few recent cases involving AKS violations. I think it is kind of where the rubber meets the road on these. It can be very, very informative for folks.   Rachel V. Rose Absolutely. And one unique aspect of the False Claims Act that I did not address earlier, because I highlighted more of the procedure associated with the False Claims Act. But one of the more unique or interesting items, especially as it relates to the Anti-Kickback Statute, is the idea that first there’s a different see/enter requirement or knowledge requirement. So knowledge under the False Claims Act is defined as actual knowledge, deliberate disregard for truth or falsity of the information, or reckless disregard for truth or falsity of the information. Now, the Anti-Kickback Statute is intent based. Remember, the False Claims Act is not. So intent must be proven and it must meet that statute’s definite kind of knowing or willful. But a nice thing occurred in 2010 for relator’s counsel, and that was that Congress said, if you can substantiate and clear the hurdle of an AKS violation, then the False Claims Act violation really comes along for the ride, which makes sense because it’s a higher level of see/enter. And as I mentioned before, the AKS itself is criminal. So when we think about the types of cases where we see a lot of AKS violations, one great case is from 2021 is the settlement date on that. And that was United States Ex Rel Goodman versus Areva medical. And that was a case out of the middle District of Tennessee. That case settled for $160 million after the relator’s counsel, it was a decline case and the relator’s counsel move forward, responded to the defendant’s motion to dismiss. The judge denied the motion to dismiss, and the case settled. At issue was a type of kickback, which some people may not be as familiar with, but it has to do with the carte blanche waiver of co-pays and deductibles. And so a co-pay is able to be waived if there’s documentation that an individual had a financial need, but only for that individual. So you can’t just say, I’m going to waive all co-pays or deductibles without having individual documentation substantiating it. So that case is really telling in terms of that area, and that’s an area too, Kevin, as you can imagine, that a lot of providers could really sidestep and eventually end up in hot water for not appreciating that type of risk. Another case that involved the Anti-Kickback Statute was actually a case that I had that the government intervened in and settled while it was under seal in May of 2024. So just about a year ago, and that was in the Northern District of Texas, and there the medical device company had physician owners and there is a safe harbor in the Anti-Kickback Statute known as the 4060 Rule, or the small business safe harbor, where if you, an individual physician or a group of physicians, own a certain amount of a company, then the revenues that they generate cannot be a certain amount. And so, a certain percentage of total revenues. And that’s what happened here. They didn’t meet the framework. And for anyone who looks at compliance of fraud, waste and abuse laws, it’s very important to note that you have to fit within the four corners of the safe harbor in order for it to be applicable. A couple of other really big cases that have been around lately. One is one of my favorite cases. It’s called the Sayid case, and it went up to the Seventh Circuit. And the Seventh Circuit issued an opinion on May 2nd of 2024. And in this instance, a creative entrepreneur, I will say, started coloring outside the lines. And instead of being satisfied with the existing relationship he had with the Healthcare Consortium of Illinois, which really had a primary purpose of coordinating healthcare for lower income seniors in the state, he created a third entity and entered into a managed services agreement to pay this consortium $5000 a month for allegedly providing management services. But in practice, what he was doing was accessing the patient data, using that patient data to solicit business, and that in turn was billed to Medicare. And as you hear the term PHI, your HIPAA flare should be going off, too. And that’s exactly what the judges both at the district court level and at the appellate court level said. And one of the things that caught their attention and this is, this is pretty rich, which is why it always stands out in my mind. But Sayid testified that he had spent over three decades in the healthcare industry and knew that buying protected health information was illegal. And as we know, HIPAA has a criminal provision as well. And so what the appellate court says was, you know, the district court was right. They did not err in finding that the defendant knowingly and willfully violated both the Anti-Kickback Statute and HIPAA, and also that this type of personal service or management contract did not qualify under that particular safe harbor for the AKS. And then very recently, Kevin, we have a few cases. One was against Omnicare, CVS, we had Controlled Substances Act violations which were very significant. And then there was a case that was actually filed in 2012 and that was United States and various states Ex Relator Panelo versus Janssen products. And as I mentioned, that case has been ongoing since 2012. The original firm that filed the lawsuit brought in really good trial counsel, who I’ve been fortunate to co-counsel with, and it went to a jury trial. The jury did not focus on the Anti-Kickback claims, but what they did focus on was the illegal promotion of an HIV drug. And the judge entered a final judgment of $1.6 billion.   Kevin Chmura Wow, that is a very large number. You know, and so, you know, there is the big is why it’s helpful to look at actual cases, right. Where these, like I said before, where’s the rubber meeting the road in terms of actions being brought in settlements being a tell you what, you know, there are bad actors out there and some people that are knowingly skirting. So it’s, I think when you tell the story about the co-pay waiving it’s really, it really highlights why it’s so important to understand the False Claims Act, particularly in AKS, you know, that you could really just be in a situation where you think you’re doing something kind or nice for an individual or group of individuals and not even realize that you’re in violation of this. And it just speaks to the criticality of the understanding of what your obligations are. So that was super helpful. I wonder if we could pivot for just a just a few minutes, because you can’t really talk about healthcare today without also covering cybersecurity. There’s been such a huge push to digitizing everything over the last several decades, and we were digitizing things faster than we could keep up with. Those people that wanted to get at those digital records. And I wonder if you could highlight a few recent cybersecurity case settlements.   Rachel V. Rose Yeah, absolutely. So in terms of False Claims Act cases, I was fortunate, along with my co-counsel, to represent the whistleblower who brought the first case that settled under the DOJ’s Civil Cyber Fraud Initiative, and that announcement was made in March of 2022. At issue, there was a government contract with the State Department and some of our armed services. And in essence, there was a requirement to safeguard the information. There was an additional requirement to ensure that the HIPAA information was being secured in a way that HIPAA information should be secured. So in that instance, the government intervened and that was the first case. So I’d seen it, cybersecurity violations from the whistleblower side, I have actually conducted HIPAA audits for well over a decade and I’ve also represented people post-breach on the enforcement side, some more recent cybersecurity-related cases are, one of my favorite ones is actually the Jelly Bean case that came out of the middle district of Florida that was not a whistleblower case. The government brought that on its own. And it’s unfortunate because there was a breach of over 500,000 minors’ information. And what the government said about this company, Jelly Bean, and their owner was, hey, we contracted with you to provide services to keep this information secure. And it was an item that came about because of the breach, but what they found upon doing due diligence was that the common patches that should be done with software weren’t done for over a decade. They were using non-supported software, data was not encrypted, there were password issues, you name it, in this company had it. So they actually brought a False Claim that case because as we learned right out of the gate, the government can bring that too. So that was the Jelly Bean case. We’ve also seen it more recently, again with government contracts, That’s the morse case MORSE, that’s it, one that’s important. Penn State University settled a case. A colleague of mine brought that case that was brought in the Eastern District of Pennsylvania. And I will say this because in my experience, the whistleblowers in cyber cases are very sophisticated. They’re typically Chief Information Officers or highly educated people who understand what regulations are supposed to be met and what’s not being met. So I would say that if I am any type of company, whether it’s a business associate or a covered entity, I would ensure that I have my items in a row in terms of HIPAA compliance, because that’s one of the greatest areas of potential risk. And this area of the law is only going to be a focus of the DOJ, per their January of this year statement, that cybersecurity is going to continue to be an area that they focus on.   Kevin Chmura Yeah, totally. And really in healthcare today, you should have an orientation towards data security, cybersecurity training, all safeguards, and many of them are just good business practices to begin with, right? Certain things can be more complicated than others. But the, really to just run a business in healthcare, which we all do, it’s not really that complicated to stay to stay in good stead, but it’s something you were touching on there, and I think it’s maybe a good way to close. And that’s really, you know, how do we mitigate all of these risks really through, I guess, an effective compliance program? I mean, if you’re up on compliance, if you take it seriously, these things should fall into order. But I wonder if you could give our listeners maybe some advice and guidance in that direction.   Rachel V. Rose Absolutely. So there are five main areas that I would focus on. The first is make sure, to your point, Kevin, that your HIPAA compliance is where it needs to be in terms of the Security Rule, the Privacy Rule, the Breach Notification Rule, as well as information blocking, which was part of the 21st Century Cures Act. And as you and I talked about in another podcast episode, the HIPAA Reproductive Rules. So that’s one area that’s key. Cybersecurity also dovetails into a case in Stark Law, because of the December 2nd, 2020 Final Rules. Those are the, quote, “New Stark and AKS Final Rules,” but they updated their safe harbors related to what types of cybersecurity services or goods could be provided and what needs to be done. So you need to have an agreement in place. You need to make sure it’s not based on volume or value, and it needs to be for fair market value. So those are some areas to look at when you’re considering the intersection of cybersecurity as well as fraud, waste and abuse laws. In terms of fraud, waste and abuse, 42 C.F.R. Section 483.85 requires a mandatory compliance program, and this specific provision was highlighted in the November 2023 HHS OIG guidance. And although guidance is not binding in that sense, it provides a great roadmap. But the laws and the regulations that it references are binding. So it’s a great item to look at right out of the gate. So the seven elements, I call them the dirty seven, that are required for fraud, waste and abuse laws are: written policies and procedures, compliance and leadership, and oversight training, effective lines of communication, with a compliance point person in forcing the standards, having consequences, and incentives. Those should be documented both in an employee handbook as well as your regular policies and procedures. There should also be a non-retaliation provision for concerns that are brought in good faith. And I added that term good faith because I actually represented a client where they had a rogue former employee file, literally, a false claim with the government agency that they were not compliant. And so, it came back after I defended them that, yeah, they were compliant with everything that they had, and the individual did not bring that concern either to the company. He didn’t bring it to the company first, but he went externally and just filed it completely invalid and factually false complaint with a government agency. So that’s why if it’s in good faith, then people should listen. And I, on the flip side of that, a positive situation I had with another client was that they had someone who was in billing bring a coding issue to their attention. And lo and behold, there was a glitch in the EHR system. So it was applying the wrong code. They were able to get the EHR company involved, address that, and then resubmit the claims right away to government and private insurers. And that isn’t a great example of a good faith concern that was brought. It was investigated, and it really ended up helping the organization. And so that’s the benefit of looking like that instead of just retaliating against someone. Last two items are a risk assessment. And for audit, that’s a great way to have a third party come in and do an audit assessment and then responded to detected offenses as well. So the last part is just to review your contracts and make sure that if persons are receiving money that there is a contract that is in place and that it’s legal.   Kevin Chmura Wow. So a lot, but a very important topic because you can see it intersects with day to day life in healthcare myriad ways. So that’s great. Maybe a quick summary. I mean, if organizations are proactively investing in a compliance program, living it, taking it seriously, and it’s not just a binder on the shelf, it’s going to mitigate risk through from the False Claims Act, potentially reduce penalties, and avoid legal repercussions that can just, that can linger for quite some time. So Rachel, this has been great. Appreciate you as always. Your knowledge in this space is unbound and we’re really glad that you choose to share it with us, and I’ll reserve the right to bring you back for future episodes. Maybe catch up on some other things that are happening relative to this very important topic. So with that, I’ll say thank you, Rachel.   Rachel V. Rose Thank you, Kevin. And thank you, Panacea and First Healthcare Compliance for having me again as a guest.   Kevin Chmura We’ll have you back soon. Thanks.   Rachel V. Rose Thanks.

[https://1sthcc.com/wp-content/uploads/2025/05/HIPAA-Privacy-Rule-Graphics.png] In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, to discuss the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, passed in 2024. With the reproductive healthcare landscape being very dynamic, this new rule has already passed one compliance date, with a second important date coming in February 2026. Tune in to learn about this new rule, and what it means in terms of reproductive health, patient privacy, and the legality between different states. In addition, learn some best practices for implementing the requirements of this rule into your practice. On June 18, 2025, The U.S. District Court for the Northern District of Texas – Amarillo Division (Carmen Purl, et al v. United States Department of Health and Human Services, et al., Case No. 2:24-cv-228-Z (N.D. Tex.)), issued an order vacating the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, published on April 26, 2024, which amended the HIPAA Privacy Rule (Reproductive Health Rule). The decision left intact amendments to the HIPAA rule regarding certain Notice of Privacy Practice provisions pertaining to substance use disorder regulations, which need to be adhered to by early 2026.   Kevin Chmura Rachel, thank you for joining us. Appreciate you joining us and looking forward to a timely discussion.   Rachel V. Rose Thank you, Kevin, for having me, as well as to Panacea and First Healthcare Compliance, it’s always my pleasure to coordinate and converse with you on our favorite healthcare compliance topics.   Kevin Chmura And it’s always great having you helping us with this and your expertise is invaluable. And you helped us and were the contributor, really writer, of an e-book on this particular subject that will be released very soon. Really this podcast is somewhat of a companion piece to that. And so what we’re talking about today is the HIPAA privacy rule to support reproductive health care privacy, passed in 2024. Reproductive health is a prominent and evolving topic within the healthcare policy landscape. It really, major changes have come down in recent years, and so there’s just a ton. So we thought it would be great to publish a book to get everybody up to speed and, but moreover, this podcast is an opportunity for people to hear directly from the person who helped us develop that. And that is Rachel. So, Rachel, I wonder, can you just start off by giving us a synopsis of the 2024 Final Rule, maybe some key terms we should be thinking about?   Rachel V. Rose Sure. As you mentioned, Kevin, the reproductive healthcare landscape is very dynamic and the rule itself was issued on April 22nd of 2024 with an effective date of June 25th of 2024. And basically what an effective date does is to start the clock running as to when certain requirements need to be implemented. In this particular rule, which I will refer to as the HIPAA Reproductive Rule, has two prongs of compliance dates. The first already passed and that had to be done by December 23rd, 2024. And for your clients who were with First Healthcare Compliance or Panacea at the time, they were able to access FAQs. And the first prong of the requirements really addressed every applicable item that I’ll run through, with the exception of the notice of privacy practices. Now, for anyone who’s been in the healthcare sector for a long time, and for anyone who goes to the doctor, a dentist or even a pharmacy to pick something up, we all know we have to sign the HIPAA authorization form, and then covered entities are required to post their notice of privacy practices. So the updated privacy practices, which need to include some of the reproductive health requirements among other items, does not need to be done until February 16 of 2026. So this is similar to the staggering of the compliance dates which we saw with the Final OmnibusRrule, which was published in the Federal Register, it’s hard to believe, but going on over 12 years ago and that was January 25th of 2013. Now specifically, the HIPAA reproductive rule really prohibits the disclosure of protected health information related to in these terms I need you to focus on: lawful reproductive health care in certain circumstances. And the reason it’s important is because legal means that whatever service or good is being sought, it has to be legal within the jurisdiction where the individual is receiving that care or that good, so to speak. And so if we want to take certain types of surgeries or certain types of procedures that in a viable fetus’s life, then you need to be in a jurisdiction or a state where that is permissible. So the terms are the meaning of a person. What is a person? If you read the Final Rule, it means a natural person, meaning a human being that is born alive, a trust or estate, a partnership, corporation, professional association or corporation, or other entity, public or private. And this definition is common. It was adopted by the U.S. Supreme Court several years ago. So when someone says a person, it can mean either an individual human being or one of the other more business-oriented items. Now, public health is also a term. And for this Final Rule, it’s used in terms of public health surveillance, public health investigation and public health intervention, and this means population level activities to prevent disease in, or promote the health of, populations. For those who are familiar with HIPAA, there has always been what’s known as the public health exception, and that has limited applicability. But one of the exceptions is to report a positive test for a communicable disease. We saw this during COVID. It is required for sexually transmitted diseases and other kinds of diseases. We’re seeing it now with all of the media attention on measles and those types of conditions. What’s important to note about public health is that those activities, which include identifying, monitoring, preventing or mitigating ongoing or prospective threats to health or safety, do not include any of the three following purposes, and that’s: to conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating health care. Secondly, to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating health care. And lastly, to identify any person for the activities that I just described. And I’m often asked, well, Rachel, what do you mean? If I’m seeking and what do you mean about going to a different jurisdiction? And for those who are familiar with the old school drinking age laws, for example, in Louisiana, the age used to be eighteen. So if you were eighteen, even though you were a Texas resident and went over the border to drink in Louisiana, it was legal and there was nothing that Texas could do as you were coming across the border. Now, intoxication while driving is a separate animal. But just because a person went over the border to drink in a jurisdiction or a state where it was legal doesn’t mean that Texas had any recourse against that person so long as they were sober coming back over the border. Right. A similar situation with reproductive health care. And that’s what the focus of this privacy is, if a person goes to a state to seek certain types of care, and the two areas that seem to be at issue particularly are surgical abortions or transgender care, especially as it relates to minors. So the other key term that everyone needs to be familiar with, and that should be in policies and procedures as well as training, is the term reproductive healthcare, and that means healthcare that’s been defined in this particular section, that affects the health of an individual and all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth the standard of care or regulate what constitutes clinically appropriate reproductive healthcare. So what HHS, OCR said here is we are not looking to step into the shoes of the physician and determine what is appropriate under certain circumstances. We are not involved in the practice of medicine. We are just giving a roadmap of what is particular. And everything I just read really comports with the July 2022 opinion in Dobbs versus Jackson Women’s Health Organization, which overturned Roe v Wade. And what’s important about that opinion is actually Justice Kavanaugh’s concurrence. And it’s important because just as I mentioned, going across state lines to receive care or use the purchase and consumption of alcohol situation, by way of analogy. Justice Kavanaugh expressly stated that nothing in this opinion is meant to contradict or inhibit any other part of the Constitution, and interstate commerce is expressly stated in our Constitution. So really everything is aligned with Dobbs as well as the opinions in the case.   Kevin Chmura Yeah, it’s a great, great rundown. It’s impossible to talk about reproductive health in any context over the last several years in America without intersecting with Dobbs some way or another, right? That’s the seismic shift and I’m glad you touched on that. I think that’s a real critical area. And so, you know, the Final Rule is in concert with, or interacts is I guess a better way of saying it, considers Dobbs in the rule itself in all of the areas of Dobbs, correct?   Rachel V. Rose That’s absolutely correct, Kevin. And it goes back to that legally attainable reproductive health care, right? So if you’re in a jurisdiction where it’s not permissible or it’s not legal, then this rule is not going to help you on that front, right? It’s meant for individuals who are seeking care in a jurisdiction where it’s legal and nothing in this final rule tries to interfere with that. But it does make clear that just because someone goes across to seek care in another jurisdiction when they come back to their home state, the home state really has no recourse against them.   Kevin Chmura By the way, I’m just old enough to remember my oldest brother driving over the border from New Jersey to New York for the 18-year-old drinking age. I was not so lucky. But, so that’s a great analogy and it’s a great way of looking at it. So are there any other compliance items or dates that are critical that we should be thinking about?   Rachel V. Rose Well, as we mentioned from the outset, individuals and covered entities, etc. should have had the attestations which are now under 45 CFR Section 164.509. This is new as part as of the reproductive HIPAA rules and here regulated entities are required to obtain an attestation when it receives a request for PHI potentially related to reproductive health care. So what they need to do is first, create the attestation. Second, obtain the attestation from the requester that the use or disclosure is not for a prohibited purpose, and a prohibited purpose would be for health oversight activities, law enforcement purposes, and disclosures to coroners and medical examiners. So from these three bullet points, I would recommend A. Training the people who actually handle the medical records for your organization and making sure that they understand that if one of these requests are made and if you’re working in an OBGYN practice, it’s probably pretty easy, right? To make this a normal part of the processes. For other types of specialties, it might not be as common, but still training needs to occur. There is already a law enforcement exception under HIPAA and that’s found at CFR 164.512. But as we know, even with that law enforcement exception, it safeguards our due process, right? So really, this serves as a further safeguard so that law enforcement is not trying to get around the normal processes such as going to court, getting a warrant, getting a subpoena. I would recommend having an outside legal counsel review the requests, especially for the first few of them, snd also, if something just doesn’t seem appropriate. So that’s what I would recommend doing. And then we have a little bit of time left until February 16th of 2026, and that’s when covered entities are going to be required to update their notice of privacy practices to reflect changes to both the HIPAA Privacy Rule by including this reproductive component, as well as 42 CFR Part Two, which is more relevant to substance abuse and mental health disorders. And that relates more to SAMHSA, the Substance Abuse and Mental Health Services Administration.   Kevin Chmura That’s great. So throughout there you touched on Ithink a number of best practices necessary, but also best practices. Wonder for the listeners, maybe we wrap with as much advice as you’re willing to give to folks on how best to comply, what they should be thinking about immediately.   Rachel V. Rose Sure. So I think one thing to think about, if you haven’t already implemented what should have been implemented in December of 2024, I would jump on that. Secondly, what is your electronic health record doing? Are you working with your organization’s IT and provider to have a tab in the individual’s medical record, which requires a separate audit log and log in for sensitive information related to reproductive healthcare items? Psychotherapy note should already be in there if it’s that type of practice or the 42 CFR Part Two, so the substance use disorder item. So that’s one area to focus on there. Another area is the revised notices and there should be a separate provision that documents the Part Two changes. And then lastly, as part of the annual HIPAA risk analysis, I would absolutely recommend having the auditor include these facets of the HIPAA Reproductive Rule into the risk analyses so that you can ensure that it is covered.   Kevin Chmura That’s great and auditors are always looking for one more thing to audit for. So I’m sure that the audit community is happy to hear that. So Rachel, I think this has been great. I, we really appreciate it. This is a timely topic, probably one that’s worth revisiting as we move through February Compliance dates, and then into the future to probably talk about enforcement and other things that are happening all around this, because this is a topic that’s evolving and we’re coming into the middle of. So I would like to thank you for joining us and providing us so much information. Thank you.   Rachel V. Rose Oh, you’re most welcome, Kevin. And as always, thank you for having me as your guest.   Kevin Chmura And we look forward to bringing you back to continue the discussion on this. Thank you.   Rachel V. Rose Thank you.

[https://1sthcc.com/wp-content/uploads/2023/03/1746169_1stTalkImageResize_100923-300x188.jpg]https://1sthcc.com/wp-content/uploads/2023/03/1746169_1stTalkImageResize_100923.jpg 1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats. Catherine Short: Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup vulnerabilities and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats. So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on. Raymond Ribble Thank you for having me today. It’s great.   Catherine Short Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they worry often about external risks such as hackers. Would you say that this is the right focus?   Raymond Ribble  2:15 For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data knowing that now that they’ve done that, that they’re probably going to come back and do it again. Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization more so today in 2022, than say 20 years ago, or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught and so therefore, hackers are more prominent because we use that word as a catch all for everything from phishing, to ransomware to XYZ. Does that make sense?   Catherine Short It does. So all the time in the news and media and everything we hear about ransomware, ransomware there’s a cyber attack. So if you were talking about ransomware and cyber attacks, versus insider snooping, which is one of the topics here and employees snooping, what would you say then? Could you expand on that just a little bit more?   Raymond Ribble I’m more worried about the insider threat personally, I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads, and click on them to go see if that shirt from China is really interesting, and I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that. On the other hand, if I have people in my office, who are snooping or worse, in a malicious sense, stealing the credentials, and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach, it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective, is significant. The reason we have that feeling, Catherine is because what articles we typically see out there in the press, whether it’s online or in print are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization that a lot of people think well is really causing the damage?   Catherine Short So right. Can you give me some examples of what you’re talking about? When you mentioned insider threats or employee snooping?   Raymond Ribble Yeah, the worst one that we’ve had with our organization where we work with a client, was an incident where they were brand new to our technology, we implemented the system for them. And maybe a little bit of background. It is a rural hospital. You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping that what’s happening in my community, viz a viz their healthcare and what they’re coming in, what type of ailments they have. This organization went live with SPHER and in the first month of using the system, they had 1800 snooping alerts. 1800.   Catherine Short   7:50 Wow, that was from one organization   Raymond Ribble That was for one place, it was the hospital and when we sat down with that team, and investigated the 1800s, they were all legitimate. There was no false positives, everything was legitimate. They were they had a very, very bad problem in this hospital.   Catherine Short That was in a month?   Raymond Ribble That was in one month.   Catherine Short Oh, my gosh, there must be a lot of gossiping going on there.   Raymond Ribble  8:22 Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now though, this is one that we probably would all agree upon. We sat down with them and this is where once they understood this was real, then they said, Okay, how are we going to solve this problem? And it really came down to the CIO. In this case, the CISO, saying, Okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out since it was everybody and saying, Okay, this is going to change immediately. We’ve implemented the system to monitor so I’m looking at you, just know that from today. Within two months, the snooping dropped from 1800 to five, five incidents, and those five incidents she told us, could all be explained. So you know, in essence, she said, Yeah, they did look, but here’s the reason they looked and she could accept that so basically, zero. Once people knew that somebody was looking at them looking at other people’s data, they stopped. Maybe they found a new way to do it, but they weren’t using the EHR system or the EMR system as their main source of Office gossip. How’s that?   Catherine Short Wow. So when you have an incident where someone is looking at someone’s medical records, say like an ex spouse or the ex spouses new wife or something like that, what do you do?   Raymond Ribble So we have to be very careful. I think I mentioned this to many people. At SPHER, we’re not the HIPAA police. My tool that I make available to my clients, the SPHER dashboard and the alerts that you get, that’s where you start. We do the hard job of identifying areas that might be worthy of an investigation, you’re then looking at that data and determine is this meaningful information that SPHER is giving me and should I take action on it? Yes, or no. If it’s a normal action, you tell the system it’s normal and you won’t see that again. That becomes part of that person’s profile. However, in many instances, when people do identify and do the investigation, they’ve called us to say, hey, look, I just saw something here, I did an investigation, can you look at it with me, we have their permission to do so. And then we’re just looking with them to make sure that they’re interpreting the data correctly. Final decision is theirs, not ours. And as I say, whenever I speak, this is where they want to reach out to an organization like yours, Catherine, and have a conversation with somebody who’s like a HIPAA consultant, or like Rachel Rose, somebody who is a HIPAA law attorney, and have a discussion about how should I handle this going forward? We’ve had incidents where physicians have gone into the system and taken data that was so random that it showed up in the alert, and they were giving that data it turns out, to somebody else that used it, as part of your example, in a divorce proceeding for custody of the children. And the only way that that data could have been gotten on the wife in this instance, was through the medical record, because it was very private. How did he get it? Of course, somebody else took it out of the system, gave it to him, and he used it in a court of law. That was a no, no, and they should have thought about that before they did it but they did it anyways and so they got busted for that. I mean, think about the ramifications of a doctor in that in court. So we do see real instances of people at very high levels going in and snooping or maliciously exfiltrating data for the purposes of something that might be legal in nature or monetary in nature. And we see that more often than you’d like to believe.   Catherine Short  If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media. I have a question then. How do you recommend to administrators and managers for balancing and creating a culture of compliance and then balancing this with the feeling for employees? When a new system is implemented, that they might feel like they’re being micromanaged.   Raymond Ribble They’re very concerned, the administrators and the senior managers CISOs that we work with, they’re really concerned about that question that you’re asking. I want to do this but I don’t want to send a negative message to my employees. I don’t want to tell them I don’t trust them. I don’t want them to think that. Oh, you know, we’re watching everything they did – we are. How do I do this proactively? And so we’ve had some really creative organizations that have shared with us what they did do. That’s how I’ll answer your question, by sharing with you what I heard people do that I thought was very innovative So they have a regular lunch, or they have a regular session that’s scheduled every month or every couple of months in the organization. They take some of the analytics that they’ve learned from SPHER and integrate that into the learning process. They talk about, hey, we’ve noticed over the last couple of years in the United States, that the threat vector in terms of breaches through phishing, and hackers and even insider threats, is increasing and as an organization, we want to do what we can to protect ourselves, protect our patients. So it’s a bit of a manipulation of the words, but they come up with a very creative way of saying, We’re doing this to protect the people who come in here in order to get healthy and you know, this is a team effort. It’s not a me looking at you effort. It’s us looking at what’s happening effort in order to make sure that we’re protecting our patients from any external threat. The byproduct is the internal threat gets addressed as well.   So they take it from a negative message to a positive message and they use different vehicles like team training, or the company lunch or some type of a newsletter that they have in the organization to start making that a regular part of the presentation, and maybe introducing incidents that happened in the past and the corrective action that the organization took. It sends a secondary message of, hey, I am looking and we are aware of these things, and if that happens to you, you might be the person or at least the incident’s going to be highlighted in the next newsletter or the next company meeting. So let’s watch our P’s and Q’s let’s be better at how we access data and what we share.   Catherine Short   15:44 I think that’s very helpful for everyone.   Raymond Ribble You know, we always talk about penalties, we never talk about rewards. So if employees were to come to us with ideas on how we could improve our security posture, maybe there should be reward for them doing that versus penalties for somebody who does something wrong.   Catherine Short Right, everyone likes to be rewarded. No one likes to feel like they’re a bad dog, you know, with a smack with a newspaper or worse, obviously   Raymond Ribble I think it gets viewed by the team, the employees in a much more positive light, if this is something we’re doing together. Hey, and if you have an idea on how we can improve it, I’d love to hear it. We sat down with the doctors and I’m thinking about who we work with a lot of clinics that are somewhere in the range of say 100 to maybe 1000 employees. So they’re always looking for creative ways to incentivize everybody doing better, it’s performance based. So security becomes a performance metrics as well and providing better security and doing a better job of creating that culture should be something that can be rewarded within the organization.   Catherine Short True. I have a question again about audit. So what’s the probability that someone would get audited? What are your thoughts on that?   Raymond Ribble Yeah, broad question. I’m going to attack it based on just what I’ve seen. I live in California, Catherine. So last year, I think was last year, I lose track now, we passed the California Consumer Privacy Act. My understanding is within the next two years, if not all, almost all of the 50 states and territories will have some type of Consumer Privacy Act in place. In many instances, like in California, some of that law supersedes HIPAA, in terms of reporting, in terms of having to grant access to patient data to the consumer, to the patient, and that could result in punitive actions and or investigation. So when we think about audit, you and I, we probably focus more on OCR related,  health and human services related activities. I think what’s happened is the landscape has changed. It’s gone from a Federal HHS issue, to include state level, privacy and security laws that now in many instances, again, can supersede what we have in terms of accountability, record keeping, documenting, and being able to prove that somebody did or didn’t do something within an organization. I think the probability of an audit today is much higher than the probability of an audit, say, two years ago or five years ago. It’s not a real number for you. That’s what people are faced with today. So I can’t give you a specific number. I don’t know one. But I know that that threat vector for us as organizations is increasing, not decreasing, because now we have federal and state that impact us. Does that make sense to you in the way that I’m stating that?   Catherine Short   18:45 Absolutely, actually, yes. And I’m glad you mentioned California, because California I know, I always think of being kind of like Europe with the GDPR and having more stringent laws, than federal   Raymond Ribble A lot of other states flew into Sacramento and sat down with the state of California to see how they put that consumer privacy act together and in many instances, the other states, it’s a derivative of the California Privacy Act.   Catherine Short Right. I have another question concerning security. What are your thoughts on the security of automatic logins on the computer like if it asks you if you want to save the password, and then you can just log in automatically next time? And then following up on that isn’t a problem when it asks you show your password? I always feel like I’m suspicious that someone out there might be capturing my screen. I might be extra paranoid, but at that, I think maybe not. I don’t think so. I feel like somebody’s watching   Raymond Ribble Good question. I hate passwords. I bet you hate passwords too passwords. I’m a big advocate for at some point, I think we are going to move away from them, I think we’re going to move more towards biometrics, which I think is a better way to secure the data anyways, then whether it’s a fingerprint or a voiceprint, or an eyeball, whatever the case may be, I think they’re coming up with some really innovative solutions that we can incorporate. And I think we’re gonna see the MacBooks in the  Microsoft workstations out there start to incorporate that technology in the years to come. That will allow us to move away from passwords. So your question is about having those passwords saved? Because I know that in a Microsoft and in an Apple world, you find online they will say, Oh, do you want to save this password? and it gives you the username and the password and boom, it’s sitting there. So if somebody were to break into your PC, they can go find that file, it’ll tell them every application that you have access to and what the login and password is. So is that dangerous? Yes, it is.   I guess if you’re really smart, you know what you’re using? Don’t do it. Your question, you kind of answered your question in the way that you asked it, don’t do it. Is it a risk? Yes, it’s a risk. I would start by saying, make sure your PC is encrypted, make sure you actually have a sophisticated login process to get into your PC itself. Because there’s only a few barriers of deterrent between your PC and all that data that we’re talking about. So please make sure you have a real stringent password in place that you can remember, that’s not written down, by the way that one doesn’t get saved into that file, and you’re gonna have to remember that, right? otherwise, you’d have to do a jailbreak to get into your own machine. So you know, you’ve probably had those instances, and they’re like, well,  you don’t know the password and we’ve got to break into it, kind of a thing. So that’s a real problem.   The first part of my answer is, yeah, I think that is a risk. I know I have some there, I tried to think about which ones I want to have saved on there versus the ones that do. So I don’t want my bank information on there. I don’t want access to any sensitive materials on there. I don’t even want my Amazon account on there because God forbid somebody gets on Amazon and my cards already loaded into Amazon and they go on a shopping spree right? It might seem innocuous, but it actually can be very damaging to you. If you if you can avoid doing it, please do. And your applications on whether you’re using Chrome or whatever says, hey, do you want to store it? And you’re like, sure why not? That way, one more, I don’t have to remember. The problem is, the bad guys know how to find that file probably faster than you and I could.   Catherine Short Right. That’s why I’m asking   Raymond Ribble But the reality is, no, you don’t want to use it. If you can avoid using it, you want to create sophisticated passwords, which I think is the solution to that. Your username is usually your email, I mean, it’s almost 90% of the bar. And then sophisticated passwords, I always use the example and is just an example. I like the Boston Red Sox count that out in terms of the number of characters, anything longer than 12 characters, is really sufficient at defeating the algorithms that the hackers or a malicious insider might use in order to run against your machine to break the password code and get in. Most of the algorithms that they use are looking for an eight character based password. Once you move from eight to nine, nine to ten, ten to twelve, twelve to whatever, the time it takes for it to break into your machine grows exponentially. We’ll come back to why it’s taking too long, I don’t want to get into it. Now if they’re really hell bent on breaking into your PC or into your server, they’re going to do it because they’re happy to sit there hours, days, weeks to break into your PC will, you’re dead in the water. But most incidents are not that way. Another thing I might throw in here, just as a side note, Catherine, don’t use your PC at Starbucks or the local coffee shop because there are too many unscrupulous people out there using very simple $20 devices that can hack into your machine while you’re logged in. So, you know, if you’re on your phone, be careful what you’re looking at. Don’t do that kind of work, and don’t access those applications when you’re out in public. Keep that to your house and again, make sure you encrypt your PC and to the extent that you can avoid putting those passwords on your PC. There’s a long answer to an easy question, but sorry.   Catherine Short Okay, very sound advice. I very much appreciate that. Well, I think that we are just about out of time here. Have you thought of any words of advice that you wanted to leave with our listeners?   Raymond Ribble No, I don’t think so. I think what I try to do in my presentations, Catherine is the salient points that I’m trying to get across. I think for me, it’s upgrading your systems and making sure that the patches are properly up to date. It’s talking to your teams about security, I think it’s that simple. If they know that you’re thinking about it, they’ll think about it. If you don’t talk about it, they’re not going to be worried about it, talk about security, start talking about what can we do to improve security and work with my IT team to make sure that we have systems in place that allows us to regularly and properly monitor what’s happening within our system, not about trusting or not trusting your employees, we don’t know who’s surrounding them, we don’t know what’s happened in their life in terms of some life changing incident, that may move them from being the regular employee to be willing to do something that we might judge as malicious. And it could be again, for that personal gain but more importantly, it could be a reason for financial gain. If somebody is in a situation where they need to get money really fast, and the wrong person approaches them and tells them that, hey, some of those medical records would be worth thousands of dollars to me, you go from a very good employee to a very bad employee and sadly, it happens a lot. I’ve sat down with the FBI, I’ve sat down with OCR investigators, and they’ve heard enough stories about those types of situations, to know that it’s very real, that it’s that one incident that’s kind of broke the camel’s back and allowed or encouraged somebody to go do something that for many, many years they’ve never done before. So yeah, we trust our employees. I think we all do I do, I trust all the employees in my office, but having some type of regular and appropriate system that’s documented, that I can demonstrate to an outside party, defense lawyer during an audit or during a deposition that, hey, we do these things to protect our office and therefore, it’s not about not trusting my employees, it’s just making sure that we’ve done everything to protect our patients, I tend to look at it that way, Catherine   We had an organization who, using our technology, identified a user who had been with them for 17 years, who is going in and modifying records after the fact during lunch. Now, they were new to SPHER so they caught this with SPHERE. They radically looked at it, they started going back in the records, and they found that she’d been doing it for 10 years. Why? for financial gain. She was taking a little bit off the top and when we sat down with the doctor as part of the investigation, they indicated that Oh, wow, every year, we always seem to be coming up short in different areas and we thought it was really bad. We even changed our organization that did our collections for us a couple of times thinking that they were the ones doing it wrong. We never once considered there might have been somebody internally that was doing this.   Catherine Short Oh, wow! that’s actually very sad. You never know.   Raymond Ribble You never you never know. I don’t think you should feel bad about monitoring your end users. We’re just protecting our business from some event that could be catastrophic in terms of everybody losing their jobs because of a breach. With SPHER, we look at 100% of all the activity of all the users every day because you couldn’t possibly do that. Our users can read easily, and intuitively say oh, yeah, that’s a problem. I can see why SPHER flag that and let me investigate that. Bam. Make sense?   Catherine Short  28:22 Yes. Okay. Well, I think we’re about ready to wrap up our presentation then. So I wanted to thank you again, so much for sharing your time with us and your expertise. So thank you for being with us today.   Raymond Ribble Thank you for having me today. It’s always a pleasure and good luck to everybody out there.   Catherine Short  And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.

[https://1sthcc.com/wp-content/uploads/2023/11/1st-Talk-Image_11.8.23-300x188.jpg] In this episode of 1st Talk Compliance, we dive into an increasingly crucial topic in healthcare: price transparency and its ever-growing impact on the industry. Kevin Chmura, CEO at Panacea Healthcare Solutions, joins us to share expert insights on strategic pricing and compliance, emphasizing the transformative benefits for healthcare providers. Learn how to proactively engage with CMS regulations and set your organization apart as an ethical leader in the realm of price transparency.

[https://1sthcc.com/wp-content/uploads/2023/11/1st-Talk-Image_11.8.23.jpg] Grace Walsh speaks with Kevin Chmura, CEO at Panacea Healthcare Solutions, to explore an extremely timely topic: price transparency and its far-reaching impact on how healthcare providers interact with consumers, with each other, and with the market at large. Tune in as Kevin shares some important insights about how price transparency has opened the door to a whole new world of data analysis and strategic business strategies for healthcare providers, and covers what we might expect to see for the future of price transparency. We’ll also include some key resources for listeners hoping to boost their knowledge of CMS price transparency regulations and learn how they can leverage price transparency data to empower their own strategic initiatives.