Communicating with Regulators and Enforcement Representatives

On Friday, September 28, 2018, the first session of the HCCA Indianapolis Regional Conference featured Steve Long, CEO of Hancock Regional Hospital, who discussed key lessons from Hancock Health's ransomware attack in January of this year. One of the key lessons: trust the FBI; they are after the bad guy, not the organization.

Below are some of the topics/questions that an organization should be prepared for:

  • Details regarding the organization's existing/documented risk response;

  • Who will be calling and in what order;

  • A request to not turn off all computers, as it can take a long time to get computers back up.

Steve reaffirmed that the FBI will not say that you should pay a ransom in the event of a ransomware attack; however, the FBI understands if private entities make decisions regarding ransom payoffs.

Later, James Rough (CHC, CFE, CCEP), President and Founder of SunHawk Consulting, moderated a panel discussion on best practices for organizations engaging with regulators and enforcement professionals.

The participating panelists included:

  • Lamont Pugh, Special Agent in Charge, HHS, Office of Inspector General

  • Matthew Whitmire, Director, Medicaid Fraud Control Unit, Office of the Attorney General Curtis Hill

  • David Fuchs, Senior Counsel, Office of Counsel to Inspector General, U.S. Department of Health & Human Services

  • Cindy Cho, Assistant United States Attorney, Southern District of Indiana – DOJ

The main theme of this panel was, and remains, the importance of clear, respectful, culturally competent communication.

Takeaways: Management is fully aware that receiving regulatory inquiries can have a negative impact on their organization’s reputation, bottom line, and company time.

Nonetheless, it is key for Management as well as individual departments in charge of compliance to develop functional, working relationships with agency representatives. The best approach at all times for organizations subject to compliance rulings is to prioritize accurate, voluntary, timely, and complete self-disclosure when reporting breaches, theft, losses, or fraud.