After 20 years in the training business, you know you can count on Merit Career Development for fresh and relevant content, engaging program activities, and proven-effective delivery methods that best help training “stick.” We assure you that our programs will have immediate application to your workplace, producing an immediate ROI. It’s a modest investment for a smashing return!

New courses in response to marketplace demand include:

Project Leadership	Communicating using DISC
Project Change Management	Negotiating and Influencing
Problem Solving with Root Cause Analysis	Identifying and Managing Risks
Preventing Harassment in the Workplace	Agile Project Management

New and aspiring leaders will benefit from our Handling Employee Performance Problems and Termination, Business Communications and Team Performance (which is also offered for experienced managers.) Visit a complete list of courses or download the catalog here. Our annual training needs survey (again) demonstrated the highest interest in courses that increase proficiency in leadership, strategy and management – even among Project Managers. We have a robust selection of these courses from Fundamentals of Leadership to advanced topics, such as 360-Degree Leadership.

Our project management courses have been updated to align with the 6^th edition of the Project Management Body of Knowledge (PMBOK®) guide. Every course description in the catalog includes a listing of the number of credits by organization. See inset for example of accreditations per course.

Need help bringing training to your organization?

Thousands of studies have been conducted that validate the connection between investing in employee training and development and the increase in loyalty, morale, and retention. Lower turnover reduces costs and prevents unanticipated gaps in performance. Most important, high morale and a loyal staff translates into more satisfied customers and a better bottom line. And after all, aren’t satisfied customers what keeps your organization in the black?!

Our facilitators are expert at tailoring course(s) to the needs and experience levels of your staff. Find out how, by contacting Jim Wynne, for a no obligation discussion at jwynne@meritcd.com or 610-225-0449.

FREE Tips

Check out our LinkedIn Friday Facts. These nuggets are excerpts from our courses that people enjoy sharing with their friends and colleagues. It will be worth your time.

Previously, we wrote about how resolving conflict often has the side benefit of building a cooperative bond — even loyalty — between the factions. As each side gains a deeper understanding of the others’ viewpoints, respect builds and morale improves. Cooperative, low stress interactions, create a fertile environment for productive brainstorming, ultimately boosting the health of your organization.

Being respectful to others, being open to hearing their perspective, and taking the time to understand their objective are very important, but you’ll need more knowledge in your toolkit to dispel conflict when the conflict gets tough. So, let’s dig deeper today.

How can you demonstrate that you are being respectful and open and trying to understand the other’s perspective?

Here are the top 5 proven techniques you can add to your toolkit:

1. Ask questions about the other person’s recommendations or point of view in a sincere, non-judgmental manner. Drill down to make sure you totally understand all of their objectives, concerns, and potential obstacles that you may both face.
2. Replay or paraphrase their points back to show your understanding, and ask for confirmation that you “got it.”
3. Make sure your body language is open and consistent with your words. If they’re not, people instinctively believe your non-verbal message over the spoken word.
4. Even if you don’t agree, be sure to acknowledge that you hear and understand the other person’s points.
5. It wouldn’t hurt (and yes, it could really help) to verbalize some of your “opponents” points that you think are good, smart and, or useful. A sincere compliment, or statement of approval and recognition will go a long way towards resolving conflict.

In Part 3 of this series, we’ll examine the five conflict styles that help people understand their own responses as well as diffuse conflict with others. Specifically, we’ll look at the five conflict styles that Kenneth W. Thomas and Ralph H. Kilmann identified and can be assessed in the Thomas-Kilmann Conflict Mode Instrument (TKI), a globally accepted, widely used diagnostic assessment for resolving conflict.

Understanding the subtleties of conflict and personality styles goes a long way towards elevating an organization’s harmony and effectiveness. At Merit, we frequently facilitate multiple Conflict Management training sessions for our clients where we adjust the level of detail to group (i.e., customer service reps, new managers, and the senior team.) For more information, please contact Jim Wynne at jwynne@meritcd.com or call 610-225-0449.

One of the biggest challenges in risk management is risk identification. Humans are naturally optimistic; therefore, we do not like to recognize or discuss risks. We need to incorporate processes such as scenario planning and the pre-mortem technique into our forecasting practices. These techniques help us overcome our aversion to recognizing and discussing risks. Only after we have identified risks can we implement tactics to reduce their probability.

Merit is frequently asked to help businesses, federal agencies and membership organizations reduce or mitigate risk – regardless of their size and business type. Often their project teams collaborate and discuss methods for improving their risk status but have proven to be flawed. The most common flaw that sets them back is their goal to have all risk plans drive their risk probability and impact to zero, in which case it would not be a risk.

Standard risk responses include Avoidance, Mitigation, Transference, and Acceptance (passive/active). At Merit, we developed a reporting process that would show that the risk factors were decreasing as the project progressed. Supplemented with suitable risk responses, the true reduction of risk probability occurs over time.

The added value that we incorporated into the risk management process was two-fold. First, because of the desire to drive the risk to as low as possible, the use of multiple risk responses could be utilized. The second process improvement would be not only to subsequently reassess the risk, but also to re-evaluate the risk probability and impact matrix after the implementation of the risk response over time.

The Probability and Impact Matrix is one of the tools that we recommend in a risk management strategy. It is superimposed with risks that are labeled or numbered as in the above example. “Red” area risks were uniquely documented on a trending month-to-month basis such that it could be seen “driving” toward zero.

The implementation of a risk response would then “reclassify” the risk event for the next reporting period. However, the biggest impact on reducing risk is time. Time because we are progressively refining our process as our project develops, and because the physical window (amount of time available) for a risk event is reduced.

We invite you to learn about our modified process template so you too can incorporate it into your project plans. For more information, to learn other advanced risk monitoring, reporting, and controlling techniques or to schedule a risk management training customized for your team, contact Jim Wynne at jwynne@meritcd.com or by calling (610) 225-0449.

During my research on how to make better decisions I came across the pre-mortem in the writings of Nobel Prize winner Daniel Kahneman. He notes in his book, Thinking, Fast and Slow (2011), that the pre-mortem technique is valuable in the decision-making process because it has two main advantages.

First, it overcomes “groupthink” that affects many teams once a decision appears to be made. When groupthink is in effect, the wisdom of a plan or decision is gradually suppressed and eventually come to be treated as evidence of disloyalty. The collective suppression of doubt contributes to the group’s overconfidence, which is often a tragic flaw.

Second, it unleashes the imagination of knowledgeable individuals in a much needed direction—the opposite direction of the decision. The principal advantage of the pre-mortem technique is that it legitimizes doubts and encourages everyone, even supporters of the decision, to search for possible threats not considered in the decision-making process. I immediately recognized it as an excellent technique for decision-making, risk management and general leadership.

Because this has proven to be of great value, I would like to share this excellent technique with you. The pre-mortem is easy to implement once the team reaches a decision or finalizes a course of action. Here’s what you need to do:

Step back and state the following: “Imagine that we are one year into the future. We implemented (the decision and plan) exactly as decided here today. The outcome was a total complete disaster. Take 5 to 10 minutes to write a brief history of that disaster.” If someone asks: “What do you mean by a total disaster?” Reply: “In any and every way imaginable it was a total failure.”

Then, explore all the possible reasons that the decision or plan failed. By taking this opposite approach to brainstorming the ideas, your team will likely realize that there are more points that need to be thought through before the plan is implemented.

Merit Career Development incorporates this technique into our leadership, strategic decision-making, risk management and project management classes and it is very well received. In one recent class the participants clutched the flip charts from the group discussion. I saw this and asked what were they going to do with them? I was told that they were going to present the findings to upper management; they had never participated in such a rewarding experience.

Merit can help guide your team through various tools and techniques to optimize your team’s knowledge, skills and ability with techniques and tools such as pre-mortem and many others. Please contact Jim Wynne at jwynne@meritcd.com or call him at 610-225-0449 to schedule training to learn this and other valuable decision-making techniques.

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients^[i]. This is HHS’ highest financial sanction issued to date as a part of breach settlement agreements, confirming its commitment to enforce HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI) including status, vital signs, medications, and laboratory results of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint report of the complaint to HHS dated September 27, 2010 resulting in an investigation by HHS’ Office of Civil Rights (OCR).

OCR’s investigation found that NYP and CU have a joint healthcare services arrangement wherein CU faculty members work as attending physicians at NYP. To support the services, NYP and CU operate a shared data network including firewalls administered by employees of both entities with shared links to NYP patient information systems.

OCR identified the breach to have occurred when a CU physician employed to develop applications for both entities attempted to de-activate a networked server containing NYP patient ePHI. Due to a lack of technical safeguards in place on the network, the de-activation attempt resulted in NYP ePHI becoming accessible to internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or contained software protections prior to the breach. OCR found an additional lack of administrative safeguards, specifically that neither entity had conducted a risk analysis to identify all systems with access to NYP’s ePHI or had a risk management plan in place to address potential hazards or threats to the security of its ePHI.

Finally, OCR found that NYP failed to implement its own technical safeguards including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and to monitor compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, not just completes rote training programs, and recognizes the impact that non-compliance - from even one employee - can have on an organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from its own workforce. The safeguards must be regularly monitored through risk analysis as a part of a comprehensive risk management program.

[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html

Managing risk to confidential patient health information (PHI) is not only a critical component of healthcare today; it is also a mandate of the HIPAA Omnibus Rule (HIPAA).

HIPAA mandates that organizations conduct a regular risk analysis to identify and mitigate risks to patient records and the PHI they manage in their electronic health records systems (EHRs). Failure to secure PHI and mitigate the threats and vulnerabilities identified in a risk analysis can result in investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies. These agencies have authority to impose millions of dollars in penalties and fines as well as extended regulatory oversight, and can do so simultaneously for the same offense.

The Situation

According to the HIPAA Omnibus Rule (HIPAA Omnibus Rule)¹, Failing to protect patient records and prevent disclosure of PHI can damage patients’ financial status, job prospects, and reputation, far exceeding the impact of their medical conditions.

The HIPAA Omnibus Rule requires Covered Entities and Business Associates to conduct regular risk analyses² to identify and address threats and vulnerabilities to the confidentiality, integrity and availability of patient records and the PHI they manage and maintain in electronic health information systems.

Millions of dollars in penalties and fines as well as extended regulatory oversight can result from these failures, levied after investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies.

Nearly 30 million patient records have been reported to HHS as compromised in breaches since 2009, according to surveys conducted by healthcare IT security consultants as recently as February 2014[3]. The report states that “(i)n 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.” These statistics do not include breaches that have not been reported to HHS.

Furthermore, HIPAA requires notification of HHS and the patients whose PHI has been breached. Such notification can negatively impact patients’ confidence in as well as the reputation of the service provider. The flip side is that patients build trust in and strengthen their loyalty for their healthcare providers when their PHI is securely managed. A reputation for private and secure management of health information can also serve as a marketing tool for the provider.

In the early roll-out of HIPAA, HHS’ history of lax oversight and few consequences for non-compliance resulted in minimal implementation of the privacy and security standards. Covered Entities lacked comprehensive compliance planning, allocating responsibility over multiple departments to provide workforce training and accountability programs and taking the position that electronic health records systems (EHRs) successfully producing electronic records and bills was sufficient to demonstrate HIPAA and HITECH compliance.

Meanwhile, reports of patient complaints and breaches poured into HHS by the millions. Eighty-three per cent of all large HIPAA privacy and security breaches are the result of theft, according to surveys from HHS sources reported by Healthcare IT News. More specifically, the surveys report that approximately 22% of breaches since 2009 were due to unauthorized access to PHI, 35% were attributed to theft or loss of unencrypted devices containing PHI, and 6% were due to hacking¹.

The results of HITECH’s pilot audit program demonstrated that covered entities lacked understanding of the actual privacy and security standards as well as grounding in the specific implementation requirements the standards impose on internal systems, operations and resources necessary to meet HIPAA compliance requirements.

The HIPAA Omnibus Rule amendments confirm that anything short of a comprehensive, documented and implemented risk management process will not meet HIPAA compliance requirements today. It also requires that risk management program incorporate the results of a comprehensive complaint and breach investigation procedure focused on identifying and addressing workforce errors and patient complaints within the organization. Finally, the HIPAA Omnibus Rule extends these compliance requirements to Business Associates performing services or functions for or on behalf of covered entities.

The Solution

Risk management begins with an organization-wide risk analysis- i.e. an accurate and thorough assessment and mapping out of actual use and disclosure procedures in place for PHI in all formats throughout the whole organization. This includes satellite and multi-state offices, subsidiaries, patient portals, remote access to its PHI/ePHI, and PHI/ePHI disclosed to its Business Associates.

A key component of the assessment involves identifying and planning for mitigation of reasonably anticipated human, natural and environmental threats and vulnerabilities to the organization’s internal and external processes and systems. To be most effective, a risk analysis should be conducted regularly and at key intervals when changes, upgrades and/or mergers take place. The findings from the risk analysis should be incorporated into a document comprehensive and regularly updated risk management strategy for the organization. This documentation is what the OCR will likely request during investigations or audits to evaluate the organization’s compliance efforts.

The next round of OCR audits is scheduled to begin in October 2014. Covered Entities’ and Business Associates’ compliance with the HIPAA security standard’s risk analysis and risk management standard is in the OCR’s cross hairs. Failure to take affirmative steps towards compliance before the OCR comes a’knocking can add additional sanctions for willful neglect to corrective action plans and/or settlement agreements.

Whether the OCR is knocking on your door or not, the private and secure management of the Covered Entity’s or Business Associate’s health information is a critical aspect of quality healthcare services today. Leaders in the industry have this as a critical core value for their organizations, making compliance with the HIPAA Omnibus Rule just par for the course. The availability of secure and reliable healthcare information and data to support quality treatment and services requires the practice of good IT governance and due diligence². Continue reading "Risk Analysis: Prepare Now or Pay Later"