Marti Arvin

About Marti Arvin

Marti Arvin brings more than three decades of operational and executive leadership experience in the fields of compliance, research and regulatory oversight in academic medical and traditional hospital care settings to her position at CynergisTek. She was most recently the Vice President and Chief Ethics and Compliance Officer for Regional Care Hospital System and before that Vice President and Chief Compliance Officer at UCLA Health System and the David Geffen School of Medicine.

Mobile Devices in the Healthcare Academic Medical Center: Why Are They So Difficult to Control?

In today’s healthcare environment, mobile devices are everywhere. Controlling what data is stored on these devices, and how, is not easy in any industry, and mobile devices in the healthcare environment present a unique challenge. What makes securing mobile devices particularly difficult in healthcare, and even more difficult in the academic medical center (AMC)? It helps first to understand the environment.

The Academic Medical Center

The old saying is that if you have seen one AMC, you

January 10th, 2019

User Access Monitoring: Convincing Your Governing Body that You Need to do This

User access monitoring is a requirement under the HIPAA Security Rule. However, the specifics of what must be done remain somewhat unclear. The regulations state, “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information” (45 C.F.R. §164.312(b)). The rule also requires that covered entities “implement policies and procedures to prevent, detect, contain, and correct security violations” and “implement procedures to regularly review records of information

September 27th, 2018

When is data collected for research PHI covered by HIPAA and when is it not?

On June 1, 2018, an HHS Administrative Law Judge (ALJ) decision upheld civil monetary penalties, sought by OCR, against the University of Texas MD Anderson Cancer Center for data that was on two lost thumb drives and a stolen laptop. MD Anderson had challenged OCR’s original determination that the data was improperly accessed, used or disclosed. They also appear to have argued that the data was research information and therefore not subject to HIPAA. The ALJ’s decision indicated the information

June 25th, 2018

Building and Maintaining an Effective Compliance Program with Limited Resources

It is often said that an effective compliance program is difficult to measure, but experienced compliance professionals “know it when they see it”. This is not much comfort to many compliance professionals, since the key expectation placed on a compliance program is precisely that it be effective. It is even less comfort to those with limited resources for their compliance program. But even with limited resources, there are still ways to demonstrate effectiveness. It just requires more creativity and leveraging of

June 11th, 2018

What Can Be Done About Drug Diversion?

A Growing Problem for Healthcare Organizations

The opioid crisis and drug addiction are not confined to criminals. The problem is growing across all segments of the population, including healthcare workers, and it is multi-faceted: there are patient safety issues, fraud and abuse issues, and regulatory compliance issues, to name just a few. Healthcare facilities are expected to have controls in place to help ensure drug diversion is not occurring and to identify and resolve instances when it does

February 22nd, 2018

Guide to Proactive Access Monitoring and Auditing Under the HIPAA Security Rule

In many organizations, monitoring and auditing of access to protected health information is prompted only by a patient complaint or some other event that triggers an investigation. This is reactive, or for-cause, access monitoring and auditing. It is necessary, but organizations should also be doing proactive, not-for-cause auditing and monitoring. Under the HIPAA Security Rule, covered entities and business associates have an obligation to have policies and procedures in place to prevent, detect, contain and correct security violations (45 CFR 164.308(a)(1)(i)).

December 6th, 2017

Printer and Multi-Function Device Security: Why Compliance and Privacy Officers Should Care

Security of an organization’s printers and multi-function devices, and of the data stored on them, is handled by the IT department, right? While this might be true, compliance and privacy officials should still care about what is happening with these devices. It is not uncommon for them to have significant internal storage, as much as 320 GB. Imagine how many records such a device could hold, and consider that a healthcare organization will have hundreds if not thousands of such devices. Think about what gets printed in a busy clinical area or by the staff in finance or patient quality. These business units often work with large files that include the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records that get printed by the staff in one of these areas?

October 11th, 2017

Business Associates, Ransomware and Breach Notifications: Why Covered Entities Must be Diligent

The increase in ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CEs) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when an attack was reported against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.

August 3rd, 2017

What would a Petya attack on your organization or your BA mean?

Petya, or NotPetya as some call it, has shown itself to be either very poorly thought out ransomware or, more likely, a fully destructive malware attack thinly veiled as ransomware. A “traditional” ransomware threat encrypts specific important file types and shows the user a ransom note telling them to pay or lose their data. In the last week of June we saw something stranger. On the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, whose entire purpose is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (which was promptly shut down) and a single Bitcoin wallet, meaning there was virtually no way for the criminals to know who had paid, or which key might be the right one to unlock the data.

July 28th, 2017

Using the OIG/HCCA Compliance Effectiveness Resource Guide

Compliance officers everywhere want to believe the compliance program they oversee is effective. Some believe it is effective, some hope it will be found effective, and some know the program is not effective because of significant gaps in one or more of the seven elements of an effective compliance program. If you are a believer, ask yourself, “What methods have I established to demonstrate effectiveness?” If you are filled with hope, remember that hope is not a strategy. If you know your program has gaps, what are you doing to address them? An additional resource now exists to help evaluate effectiveness. The OIG/HCCA Measuring Compliance Program Effectiveness: A Resource Guide, released March 27, 2017, provides recommendations on what to measure and how to measure it under each of the seven elements.

May 5th, 2017