Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI"). In this article, we describe aspects of what may be considered "good training" and what kind of training we make available so that you can compare across vendors.
You need answers! In our view, if you do not succeed in establishing compliance literacy in your workforce, you are likely going to have an occasional bad day, not to mention being out of compliance with the HIPAA regulations for training and associated documentation. As expressly stated in HHS' Audit Protocol, policies and procedures that have been adopted and activated by covered entities and business associates to meet selected standards are reviewed to determine an organization's implementation specifications of the Privacy, Security, and Breach Notification Rules. Training, by the way, is one of the Privacy Rule Regulations.
If you are audited, one of the things that will be reviewed is your training documentation. Yes, this seems like a small item compared to your Risk Assessment and other Compliance efforts. However, Covered Entities ("CE") and Business Associates ("BA") must train all members of their workforce regarding PHI as it applies and as necessary to perform their jobs. Compliance with Privacy Rule regulation 164.530(b) requires policies and procedures for training and documentation of which staff member was trained on what topic and when.
From a practical standpoint, it is not enough for training to convey an understanding of the regulations; training should also build the ability to evaluate and respond to a variety of situations where PHI may be at risk. Training that presents hypothetical risk situations related to the HIPAA regulations, aimed at preventing incidents or breaches, and/or a Quiz on the knowledge obtained, is a component of quality education.
But is HIPAA a top priority for a CEO's average day? Probably not, unless there is an Incident or a Breach. The same is likely true for other executives in your organization. Aside from the regulation requirement, this is a VERY good reason why a named Compliance Officer should be in each Covered Entity and Business Associate's organization. A Compliance Officer has the responsibility to ensure that policies and procedures are being followed by the workforce to avoid non-compliance. And yes, the Compliance Officer ensures policies for training and the visible, demonstrable evidence for same.
So, how much training is really needed? For the purpose of this article, we will use the HIPAA Training Products contained within our Subscription Plan as training recommendation topics for different categories of workforce members. Again, remember our principal premise is that all workforce members need to become HIPAA literate since you have the 800-pound gorilla of Breach Notification staring you in the face.
Training for Clinicians
Not all staff members need to attend or be educated for every HIPAA training module. We recommend three (3) training sessions for clinicians as listed below:
Privacy Rule Training for Clinicians (coming soon!)
Breach Notification Training for Clinicians (coming soon!)
Why do we recommend specific training for clinicians? Well, I can say as a Registered Nurse, clinicians do not need to understand every aspect of the regulations. What they need to know is how to respond to various threats to PHI or situations where compliance action is required. They need an awareness and a basic understanding of Security, Privacy, and Breach Notification regulations that will enable prevention of risks while managing situations when HIPAA rules are tested.
A particular item of importance is knowing WHO to call when a situation arises. The same is true for Business Associates. You might be surprised at the number of times I have randomly asked clinicians the name of their HIPAA Compliance Officer and they did not know. That's a recipe for a bad day! Try this yourself next time you visit your doctor. Ask the receptionist or the nurse, or any other clinician or workforce member you encounter if they know the name of their Compliance Officer. By the way, this is generally true of organizations both large and small, even those that regularly train their employees.
Foundational Training for Other Staff
The following list of training modules is recommended for other workforce members, including the executive management team.
I have been asked if there is a HIPAA LITE for Business Associates, and the answer is No! Business Associates need to be as aware of the regulations as Covered Entities if they are "touching PHI." That said, we also provide specialized training for Business Associates in situations where their needs differ from Covered Entities (see below).
In addition to the training above, compliance officers should consider taking the following training classes to obtain their certification. We offer a HIPAA Certified Professional ("HCP") certification after taking an exam that covers material from the training modules listed below.
We also recommend that Compliance Officers take advantage of our pre-recorded four-part training series entitled: "Surviving a HIPAA Audit." Subscribers may log in to the Compliance Hub Member website to:
For some, the amount of information may be overwhelming, but just like HIPAA, you bite off a piece of the elephant one at a time.
Specialty Workforce Training
Finally, we recommend that staff who are responsible for items in the list below, and Compliance Officers and/or Executive Officers become knowledgeable on the following topics:
Training for workforce members that are designated as "point persons" for the Patient's Bill of Rights; these are sections 164.520 through 164.528 of the Privacy Rule.
The regulations require that individuals "sign off" on certain processes pertaining to providing access to a patient's PHI;
Helping a patient amend their PHI;
Distributing the notice of privacy practices, etc.
Training for individuals that handle Privacy Rule requests for authorizations, restrictions, etc.
Training for personnel assigned the responsibility of tracking security incidents.
Training for information technology personnel that are required to audit information systems containing PHI.
Training for personnel that are assigned the responsibility for disposing of PHI.
This is not an exhaustive list. The "final" list of training will depend on your operational environment, the size and complexity of your organization, the resources you have available, etc. One thing is certain: look for training that provides answers, not just a description of the problems.
HOW TO COMPLY WITH HIPAA
At 3Lions Publishing, Inc. our mission is to provide clients with:
Premium Compliance Products,
Education,
Free Monthly Webinars,
Newsletter Articles on HIPAA and regulatory topics, as well as
"High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
We do NOT charge extra for compliance support like many of our competitors; the cost of your LIVE assistance is included in your Subscription purchase.
A full 360-degree circle of Risk Assessment and Remediation products is provided in 3Lions Publishing Inc.'s
The Subscription Plan includes Expresso®, the Risk Assessment "SaaS" based software, over 30 compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment!
Questions? Please call or write using the contact information below.
This Webinar will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a mission critical Implementation Specification of the HIPAA Security Rule.
The product below is now available on the HSG Store!
Digital Download $179.95
OmnibusRuleReady™
HIPAA Risk Assessment Training – Our HIPAA Risk Assessment Training Module gets you up to speed on the mandatory HIPAA Security Rule's Risk Assessment implementation specification. A Risk Assessment is required to comply with the HIPAA Security Rule and also to comply with Meaningful Use Stage I's Core Objective 15 and attestation. A Risk Assessment is foundational to your HIPAA Security Rule compliance initiative and your Organization is likely to be found in "willful neglect" if you ignore this requirement.
We walk you through our best practices based Risk Assessment methodology while at the same time clarifying the often confusing Risk Assessment lexicon of threats, vulnerabilities and risks. We teach you how to implement a repeatable process that can be used any time a Risk Assessment is triggered such as when significant changes occur within your operational environment or when there are material changes to applicable law.
PACKAGE CONTENTS: You get a training video, presentation, and a Risk Assessment Quiz (with answer key) that can be used to verify attendance at your Risk Assessment training class. The training video is well suited for group and/or individual training.
QUICK and EASY CUSTOMIZATION – You could spend thousands of dollars developing training in house or pay consultants more to do the same. This Risk Assessment Training Module provides your organization with our files in native format so that you can customize the training to your organizational requirements or use it as is right out-of-the-box.
REUSE IT – Reuse our training materials over and over as you add new members to your workforce.
Our Mobile Devices under HITECH Training Module is now available in the HSG Store. Our Subscribers get this product, like all our new products and updates, as part of their Subscription Plan.
Mobile Devices Under HITECH – Our Mobile Devices Under HITECH Training Module gets you up to speed on how Mobile Devices have impacted the HIPAA Rules including: 1) the HIPAA Security Rule; 2) the HIPAA Privacy Rule; and 3) the Breach Notification Rule. We walk you through Mobile Device (phones, pads, laptops, etc.) challenges created by locally stored PHI, asset management, bring your own device ("BYOD"), wireless networks and audits, as well as the best practices that help you meet these challenges. In short, we present an overview of what your mobile compliance initiative ("MDI") should consist of, keeping in mind that most PHI data breaches occur as a result of Mobile Devices.
It is well known that most breaches occur due to rogue (lost, stolen, or hacked) devices. HHS just launched a website to educate healthcare stakeholders on Mobile compliance challenges.
Register for this webinar to gain an understanding of Mobile Device compliance risks, challenges and best practices, and the foundation you need to protect your organization from the inevitable ‘oops’ or malicious attacks.
• Mobile Device Governance: people, process and platform.
• Asset Management: you can’t manage what you don’t inventory & track.
• Bring-Your-Own-Device (BYOD): not your Daddy’s computing environment any more.
Date: Tuesday, February 5th
Time: 3:30pm-4:30pm EDT
Our HIPAA Cloud, Social Media, and Mobile Checklist ("CSMM") under HITECH ("Checklist") is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that allow you to make sense of this new and quickly evolving terrain. The healthcare industry is adopting Cloud, Social Media, and Mobile technologies at an unprecedented rate. Although these enabling technologies collectively help drive the point-of-care-anywhere vision and productivity, they also present unique and unanticipated compliance challenges. Our Checklist is intended as a knowledge transfer vehicle that allows you to derive the CSMM compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant sections of the CSMM, highlighting the policies, processes and tracking mechanisms required at a granular level.
Our Checklist is comprised of Checklist Items that have the following components:
1) a policy statement that reflects an organization's intentions: the what;
2) a definition of a process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.
What is a Policy?
The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.
Our Checklist contains the following policies: Cloud, Social Media and Mobile; each of which can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.
What is a Process?
A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your CSMM Compliance initiative.
What is a Tracking Mechanism?
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements.
What other components are included in our Checklist?
Component: Description
Model Cloud Policy: Comprised of the Cloud policy statements included in the individual Checklist Items, with some global clauses added.
Model Social Media Policy: Comprised of the Social Media policy statements included in the individual Checklist Items, with some global clauses added.
Model Mobile Policy: Comprised of the Mobile policy statements included in the individual Checklist Items, with some global clauses added.
H2 Compliance Scorecard: H2 Compliance Scorecard for the Checklist. The Scorecard can be used as an internal tracking system to log an organization’s CSMM compliance improvement initiative over time.
Customize It!
Our CSMM Checklist under HITECH was developed in a manner that lends itself readily to customization in order to meet the unique requirements of Your Organization.
What would you do in the event of a data breach? Are you equipped to assess the level of breach and send the appropriate notifications in a timely manner to avoid fines and protect your organization?
November 13 3:30pm-4:30pm EST
Join Axway and Carlos Leyva, author of the HIPAA Survival Guide, to learn how to assess a data breach and take the appropriate steps to notify patients. Mr. Leyva will also discuss the value of risk assessments to mitigating risk, how to educate your team about the data breach response process, and much more.
This webinar explores the same subject matter as this month's news article. The next several HIPAA Survival Guide Radio Shows will do likewise. Obviously this is a topic that has gotten the attention of the industry. Our objective is to demystify what you can expect from an audit by clearly exposing what a HITECH / HIPAA audit must be based on, according to the relevant statutes and regulations.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?
Under Section 13411 of the HITECH Act, the Secretary "shall provide for periodic audits" to ensure compliance with the Act. It is the Office of Civil Rights ("OCR") that has the actual authority (under the Secretary) for HIPAA audits and enforcement actions. In 2011, OCR contracted with KPMG to develop an audit methodology and to conduct 150 audits. These audits are well underway. This article discusses what you should expect from an OCR audit.
You can subscribe to our FREE HITECH / HIPAA Compliance Newsletter here.