August 21, 2018

HIPAA Survival Guide August 2018 Newsletter

 
 

  Register here for the FREE HIPAA Survival Guide Newsletter

  
 
Does your staff have sufficient HIPAA training?
 
 
Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI"). In this article, we describe aspects of what may be considered "good training" and what kind of training we make available so that you can compare across vendors.
 
You need answers! In our view, if you do not succeed in establishing compliance literacy in your workforce, you are likely going to have an occasional bad day, not to mention being out of compliance with the HIPAA regulations for training and associated documentation. As expressly stated in HHS' Audit Protocol, policies and procedures that have been adopted and activated by covered entities and business associates to meet selected standards are reviewed to determine an organization's implementation specifications of the Privacy, Security, and Breach Notification Rules. Training, by the way, is one of the Privacy Rule Regulations. 

If you are audited, one of the things that will be reviewed is your training documentation. Yes, seems this is a small item compared to your Risk Assessment and other Compliance efforts. However, Covered Entities ("CE") and Business Associates ("BA") must train all members of their workforce regarding PHI as it applies and as necessary to perform their jobs. Compliance with Privacy Rule regulation 164.530(b) requires policies and procedures for training and to document which staff member was trained on what topic and when.
 
From a practical standpoint, when it comes to training, it's not enough to have an understanding of the regulations, but also training should provide the ability to evaluate responses to a variety of situations where PHI may be at risk. Training that provides hypothetical risk situations related to HIPAA regulations that prevent incidents or breaches and/or a Quiz regarding knowledge obtained is a component of quality education.
 
But is HIPAA a top priority for a CEO's average day? Probably not, unless there is an Incident or a Breach. The same is likely true for other executives in your organization. Aside from the regulation requirement, this is a VERY good reason why a named Compliance Officer should be in each Covered Entity and Business Associate's organization. A Compliance Officer has the responsibility to ensure that policies and procedures are being followed by the workforce to avoid non-compliance. And yes, the Compliance Officer ensures policies for training and the visible, demonstrable evidence for same.
 
So, how much training is really needed? For the purpose of this article, we will use the HIPAA Training Products contained within our Subscription Plan as training recommendation topics for different categories of workforce members. Again, remember our principal premise is that all workforce members need to become HIPAA literate since you have the 800-pound gorilla of Breach Notification staring you in the face.
 
Training for Clinicians
Not all staff members need to attend or be educated for every HIPAA training module. We recommend three (3) training sessions for clinicians as listed below:
Why do we recommend specific training for clinicians? Well, I can say as a Registered Nurse, clinicians do not need to understand every aspect of the regulations. What they need to know is how to respond to various threats to PHI or situations where compliance action is required. They need an awareness and a basic understanding of Security, Privacy, and Breach Notification regulations that will enable prevention of risks while managing situations when HIPAA rules are tested. 
 
A particular item of importance is knowing WHO to call when a situation arises. The same is true for Business Associates. You might be surprised at the number of times I have randomly asked clinicians the name of their HIPAA Compliance Officer and they did not know. That's a recipe for a bad day! Try this yourself next time you visit your doctor. Ask the receptionist or the nurse, or any other clinician or workforce member you encounter if they know the name of their Compliance Officer. By the way, this is generally true of organizations both large and small, even those that regularly train their employees.
 
Foundational Training for Other Staff
The following list of training modules is recommended for other workforce members, including the executive management team. 
I have been asked if there is a HIPAA LITE for Business Associates, and the answer is No! Business Associates need to be as aware of the regulations as Covered Entities if they are "touching PHI." That said, we also provide specialized training for Business Associates in situations where their needs differ from Covered Entities (see below).
 
Specific Training for Compliance Officers
In addition to the training above, compliance officers should consider taking the following training classes to obtain their certification. We offer a HIPAA Certified Professional ("HCP") certification after taking an exam that covers material from the training modules listed below.
 
 
Certification Training Modules
3.    Audit
7.    Documentation* 
8.    HITECH Act
9.    Omnibus Rule
 
We also recommend that Compliance Officers take advantage of our pre-recorded four-part training series entitled: "Surviving a HIPAA Audit." Subscribers may log in to the Compliance Hub Member website to:
For some, the amount of information may be overwhelming, but just like HIPAA, you bite off a piece of the elephant one at a time.
 
Specialty Workforce Training
Finally, we recommend that staff who are responsible for items in the list below, and Compliance Officers and/or Executive Officers become knowledgeable on the following topics:
  1. Training for workforce members that are designated as "point persons" for the Patient's Bill of Rights; these are sections 164.520 through 164.528 of the Privacy Rule. 
    • The regulations require that individuals "sign off" on certain processes pertaining to providing access to a patient's PHI; 
    • Helping a patient amend their PHI; 
    • Distributing the notice of privacy practices, etc.
  2. Training for individuals that handle Privacy Rule requests for authorizations, restrictions, etc.
  3. Training for personnel assigned the responsibility of tracking security incidents.
  4. Training for information technology personnel that are required to audit information systems containing PHI.
  5. Training for personnel that are assigned the responsibility for disposing of PHI.
This is not an exhaustive list. The "final" list of training will depend on your operational environment, the size and complexity of your organization, and the resources you have available, etc. One thing is certain, look for training that provides answers, not just a description of the problems.
 
 
HOW TO COMPLY WITH HIPAA
 

At 3Lions Publishing, Inc. our mission is to provide clients with:

  • Premium Compliance Products,
  • Education,
  • Free Monthly Webinars
  • Newsletter Articles on HIPAA and regulatory topics, as well as 
  • "High Touch" LIVE assistance with Products for Risk Assessment and Remediation
We do NOT charge extra for compliance support like many of our competitors, the cost for your LIVE assistance is included in your Subscription purchase. 

A full 360-degree circle of Risk Assessment and Remediation products are provided in 3Lions Publishing Inc.'s 
 
The Subscription Plan includes  Expresso®the Risk Assessment "SaaS" based software, over 30+ compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
 
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
 
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance. 
 
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
 
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan! 
 
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment
 
 
Questions? Please call or write using the contact information below.
 
Email:     [email protected]
Phone:   (800) 516-7903    
 
 
HIPAA Help
 
 
What is the new LinkedIn GDPR Survival Guide?
What is the HIPAA Survival Guide® Subscription Plan and what does it include?
HIPAA Requirements for Cloud, Social Media, and Mobile including Policies and Procedures
HIPAA Requirements for Breach Notification including Policies and Procedures
HIPAA Requirements for a  Business Associate Agreement including the essential terms of the agreement
How to prepare for a HIPAA Security Rule Audit  
How to prepare for a HIPAA Privacy Rule Audit  
How to prepare for a HIPAA Breach Notification Audit  
How to prepare for a HIPAA Risk Assessment Audit  
 
For HIPAA Help send us an Email at [email protected]
 

 
Included in the HIPAA Survival Guide® Subscription Plan 
 
 
Protect Your Practice and Your Business
 
 
Click Here for HIPAA Survival Guide® Subscription Plan Testimonials

Take advantage of our Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide® Subscription Plan With Expresso®
 
 
 
 
 

Posted at 10:26 AM in HHS Omnibus Rule, HIPAA Breach Notificaiton, HIPAA Checklist, HIPAA Compliance, HIPAA Compliance Software, HIPAA Training, HITECH Act | | Comments (0)

August 06, 2018

HIPAA Education: How much training is enough?

Join us this month for a free webinar about HIPAA training.
 
Description: HIPAA Education: How much training is enough?
 
This webinar will describe How much and what type of HIPAA education is well suited for staff and other workforce members?
 
Date and Time, including Time Zone 
August 16, 2018 2:00 pm EST
 
 
Also, if you're interested in future webinars from the HIPAA Survival Guide register for free Newsletter

Posted at 08:34 PM in HIPAA Compliance, HIPAA Training, HITECH/HIPAA | | Comments (0)

November 25, 2013

Healthcare & Data Security: Still the "Red Headed" Step Child?

This article, based on a Ponemon Institute survey, fairly summarizes what many of us know through anecdotal evidence to be the state of privacy & security within the healthcare industry. Simply put, it remains dismal, almost five years after the HITECH Act.

Part of the reason is cultural. Healthcare has been, and remains, the most insular and myopic industry in the U.S., bar none. Based on a million and one false assumptions, the culture within healthcare has been "we are SO different than everyone else" and therefore the same rules don't apply. Those illusions (and delusions) are in the process of being significantly disrupted. However old ways of thinking die hard!

HSGLogoI once had a Chief Medical

Officer of a major hospital tell me that

he would rather retire and move to

Mexico than comply with the HITECH

Act...

We may literally have to wait for a generation of old docs (mostly men) to retire before we see real progress in healthcare, and not just regarding privacy & security. All the change that the healthcare industry is currently struggling with is destroying the "world view" of a generation that refuses to believe this kind of disruption is possible. Change is hard for everyone, BUT for a few that were once so privileged it may be devastating, and just too much to handle.

Posted at 06:47 AM in Health 2.0, HIPAA Compliance | | Comments (0)

July 22, 2013

HIPAA Security Rule Additional Definitions?

The Security Rule ("SR") is replete with technical terms. In addition, any description of how to comply with the SR will also necessitate the use of additional technical terms. Below we break down the technical jargon in a manner that is readily understood by the lay person.  The SR contains its own Definitions in 164.304. We do not duplicate those here.

Term

Definition

Adequate Security

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of ePHI .

 

Adversary

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

 

Asset

An Asset is a thing (tangible or intangible) that accesses, stores, maintains, or transmits ePHI. Examples include networks, PCs, servers, mobile devices, Information Systems, building, etc.

Attack

Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy Information System resources or the ePHI itself.

 

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an Information System.

Availability

Ensuring timely and reliable access to and use of ePHI.

 

Confidentiality

Preserving authorized restrictions on ePHI access and disclosure, including means for protecting personal privacy and proprietary ePHI.

 

Impact

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of ePHI, unauthorized modification of ePHI, unauthorized destruction of ePHI, or loss of ePHI or ePHI system availability.

 

Individual

Individual is synonymous with a workforce member.

Information Owner

Official with statutory or operational authority for specified ePHI and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.

 

Integrity

Guarding against improper ePHI modification or destruction, and includes ensuring ePHI non-repudiation and authenticity.

 

Likelihood

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given Vulnerability or a set of Vulnerabilities.

 

Operations

Business processes and workflows that interact with ePHI on a day-to-day basis and which would be negatively impacted should ePHI be corrupted, breached, or otherwise compromised.

Operational Controls

The security controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by people (as opposed to systems).

 

Operational Environment

The physical, technical, and organizational setting in which an Information System operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.

 

Risk

The net mission impact considering (1) the probability that a particular Threat will exercise (accidentally trigger or intentionally exploit) a particular Vulnerability and (2) the resulting impact if this should occur.

 

      Risks arise from legal liability or mission loss due to:

 

(1)   Unauthorized (malicious or accidental) disclosure, modification, or destruction of ePHI;

 

(2)  Unintentional errors and omissions;

 

(3)  IT disruptions due to natural or man-made disasters;

 

(4)  Failure to exercise due care and diligence in the implementation and operation of the IT system.

 

      A Risk is not a single factor or event, but rather it is a combination of factors or events (Threats and Vulnerabilities) that, if actualized, may have an adverse impact on the Organization.

 

Risk Analysis/Assessment

Risk Analysis is a process by which an Organization identifies the following:

 

(1)   Threats to the Organizations (i.e., Operations, Assets, or Individuals);

 

(2)  Vulnerabilities internal and external to the Organization;

 

(3)  The harm (i.e., adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and

 

(4)  The likelihood that harm will occur.

 

      The end result of a Risk Analysis is an overall determination of Risk for the Organization (i.e., typically a function of the degree of harm and likelihood of harm occurring).

 

      In order to be useful for an SR implementation, Risks must be aligned with more granular subcategories using Operations, Assets, or Individuals as high level categories that are subsequently further subdivided.

 

 

Risk Assessment Methodology

A risk assessment process, together with a risk model, assessment approach, and analysis approach.

 

Risk Management

Risk Management is a comprehensive global Organizational process that contains the following sub-processes:

 

(1)   framing risk-the purpose of the Risk framing component is to produce a Risk Management strategy that addresses how your Organization intends to assess Risk, respond to Risk, and monitor Risk;

 

(2)  assessing risk-See the definition of Risk Analysis;

 

(3)  responding to Risk-this component determines how your Organization responds to risk in accordance with your Risk management strategy by developing, evaluating, selecting, and implementing Risk responses; and

 

(4)  monitoring risk-this component determines how your Organization tracks risks over time by verifying that "reasonable and appropriate" risk responses have been implemented and determining ongoing effectiveness of these responses vis-à-vis a changing operational environment.

 

      The NIST definition of Risk Management incorporates the "analysis/assessment" process whereas the SR has separated Risk Analysis from Risk Management as two separate Implementation Specifications for the first Standard of the Administrative Safeguards.

 

      It should be noted that as part of Risk Management, further Risk Assessments can and will be required over time (e.g. when your Organization's operational environment changes). Also the NIST Special Publications are not HITECH / HIPAA specific; their scope is much broader and therefore don't always align with the SR.

 

Risk Mitigation

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls / countermeasures recommended from the Risk Analysis process. A subset of Risk Response.

 

Risk Monitoring

Maintaining ongoing awareness of an Organization's Risk environment, Risk Management program, and associated activities to support Risk decisions.

 

Risk Response

Accepting, avoiding, mitigating, sharing, or transferring Risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations.

 

Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an Information System to protect the confidentiality, integrity, and availability of the system and its ePHI.

 

Technical Controls

Security Controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by the Information System through mechanisms contained in the hardware, software, or firmware components of the system.

 

Threat

The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific Vulnerability.

 

      There are several types of Threats that may occur within an Information System or operating environment. Threats may be grouped into general categories such as natural, human, and environmental.

 

      Examples of common threats in each of these general categories:

 

(1)   natural threats may include floods, earthquakes, tornadoes, and landslides;

 

(2)  human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry deletion and inaccurate data entry) actions; and

 

(3)  environmental threats may include power failures, pollution, chemicals, and liquid leakage.

 

Vulnerability

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security Breach or a violation of the system's security policy.

 

      Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a Security Incident, such as an inappropriate use ordisclosure of ePHI.

 

      Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical Vulnerabilities may include: holes, flaws or weaknesses in the development of Information Systems; or incorrectly implemented and/or configured Information Systems.

 

Posted at 02:27 PM in HIPAA Compliance, HITECH/HIPAA |

April 17, 2013

Mobile Devices under HITECH Training Module Now Available

  Mobile_Devices_Cover Digital Download 

Omnibus Rule Ready

Our Mobile Devices under HITECH Training Module is now available in the HSG Store. Our Subscribers get this product, like all our new products and updates, as part of their Subscription Plan.

Mobile Devices Under HITECH – Our Mobile Devices Under HITECH Training Module gets you up to speed on how Mobile Devices have impacted the HIPAA Rules including: 1) the HIPAA Security Rule; 2) the HIPAA Privacy Rule; and 3) the Breach Notification Rule. We walk you through Mobile Device (phones, pads, laptops, etc.) challenges created by locally stored PHI, asset management, bring your own device ("BYOD"), wireless networks and audits, as well as the best practices that help you meet these challenges. It short, we present an overiew of what your mobile compliance initiative ("MDI") should consist of, keeping in mind that most PHI data breaches occur as a result of Mobile Devices.

Posted at 03:51 PM in HIPAA Compliance, HIPAA Training |

April 10, 2013

Excellent Summary of Patients' Access Rights Under HITECH/Omnibus Rule!

This article does an excellent job of summarizing the new and/or modified access rights that patients now have under HITECH as finalized by the Omnibus Rule.

As the articles suggests, almost universally CEs and BAs will need to retrain staff and implement processes that were "minimalist" or did not exist at all heretofor. For many reasons, but primarily because HIPAA was an unenforced paper tiger before HITECH, CEs and BAs that believed they were "mostly compliant" are in for a rude awakening.

Hopefully for these organizations it is not an HHS Audit or a lawsuit that awakens their slumber.

Posted at 08:38 AM in HHS Omnibus Rule, HIPAA Compliance, HITECH/HIPAA |

March 18, 2013

Announcement: Omnibus Rule Ready Subscription Plan & Products

We are pleased to announce Release 1.0 of our Subscription Service which is available for purchase in our New HIPAA Survival Guide Store along with our suite of Omnibus Rule Ready™ products. Our product suite has been updated to reflect Omnibus Rule modifications.

Our Subscription Service and products ("Products") provide policies, processes, and tracking mechanisms to help covered entities and business associates deliver visible, demonstrable evidence of HIPAA compliance. The HIPAA Rules tell you what is required in order to comply; our Products provide best practice step-by-step guidance that helps you meet your compliance objectives.

Posted at 08:03 AM in HHS Omnibus Rule, HIPAA Compliance, HITECH/HIPAA |

December 26, 2012

HITECH/HIPAA: 2013 will be the year of Mobile Compliance!

HHS has just launched a Mobile Device Compliance website. Watch the videos to get some basic insights regarding the compliance issues that mobile devices represent. Although HHS deserves kudos for providing an excellent information site, covered entities and business associate better understand that HHS is also sending an "enforcement message" through these nicely done videos.

Don't expect to become an expert by watching these videos and perusing this site. As with most things that HHS does with respect to HITECH/HIPAA compliance, the advice given is descriptive and not prescriptive. If you want the latter you will need to look elsewhere.

Posted at 04:22 PM in HIPAA Checklist, HIPAA Compliance, HITECH/HIPAA | | Comments (0) | TrackBack (0)

October 02, 2012

FREE WEBINAR: Business Associates: Compliance as Marketplace Differentiator

This webinar explores the same topic covered in this month's article. Business Associates struggling with this issue will learn about what others are doing in the space and can ask questions to thought leaders interacting with the HITECH / HIPAA marketplace daily.

Date: October 11, 2012. 

Time: 2:00 to 3:00 EST. 

To register Click Here

To read the article register for our FREE HIPAA / HITECH Newletter. Our archived newsletter articles can be found here.

 

Posted at 05:44 PM in Business Associates, HIPAA Compliance, HITECH Act, HITECH/HIPAA | | Comments (0)

September 27, 2012

Business Associates: Compliance as Marketplace Differentiator?

If a sigificant part of your operations has to do with transacting with a covered entity (CE) as a business associate(BA) then this article should bring to light (and confirm) what you may be seeing from a regulatory compliance perspective in the quickly evolving healthcare compliance landscape.

More and more covered entities are waking up to the fact that this is "Simply NOT your Daddy's HIPAA any more." Yes, we all know that the industry's "awakening" has been a long slow work in progress. We also realize that more than a few "Docs" have threatened to "retire instead of complying." However, by and large these comments are now correctly viewed  as fringe statements made by "grumpy old Docs" and/or those Docs that have been "banking" and can actually afford to retire (God Bless 'Em).

If you want to read the rest of the article the signup for our FREE HITECH / HIPAA Compliance Newsletter or read it in the archives here.

Posted at 12:49 PM in Business Associates, HIPAA Compliance, HITECH/HIPAA | | Comments (0)

Next »
My Photo

About

NEWSLETTER


  • ACO COMPLIANCE NEWSLETTER

    Join My ACO Mailing List

  • Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon
    Sign up for a FREE
    HITECH / HIPAA
    Compliance Newsletter

    Enter your email address

Categories

CC

Tools

  • Google Analytics

Essays and Such

  • HIPAA Survival Guide (PDF)
    Read the HSG in PDF format.
  • HIPAA Survival Guide (online)
    Practical advice for health care practitioners.

  • Search, KM & the Practice of Law

  • Silicon Stories eBook

  • Dirty Little Secret

  • Competitive Advantage

  • Process Patterns

  • Movie Making and Software Development

  • The Missing Factory

  • Architecture: Shack, House or Skyscraper?

  • The Talent Wars

  • Knowledge Management and Infotainment

  • What comes after what comes next?

February 2019

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28    

Archives

More...