
HHS SRA Tool Version 3.0 – The Good, Bad and Ugly

We at HIPAA One have been following the development of this toolkit since its inception as the HSR toolkit in 2011 and reviewed the 2014 v2.0 version here https://www.hipaaone.com/quick-review-hhss-new-hipaa-security-risk-assessment-tool/.


Earlier this month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT) found on the HealthIT.gov website. Each time a new version is released, we circle up with a few trusted industry partners and review the changes/updates so that we may accurately counsel healthcare Providers, Payers and Business Associates on the pros and cons of utilizing this free, government-issued application.

Before diving into our review of V3.0, it is important to remember that HHS in NO way states that by using SRAT, healthcare providers can be assured that they are compliant with the Security Risk Analysis requirement under HIPAA. Per the HealthIT.gov website: “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals in training or a guideline for Certified Auditors.  Despite being a time-consuming process that takes more effort year-over-year, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security risk analysis and there is certainly value in that knowledge. Healthcare professionals should merely be warned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.

ONC/HHS Report Screen

The Good

In short, the newly updated Security Risk Assessment Tool (SRAT) has made improvements mainly related to user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. For example, although mostly a file repository, a new bulk asset upload feature has been added along with a multi-location option for larger entities. Additionally, organizations seeking assistance with Business Associate Agreement management will find that HHS has added a BAA-type function; however, it is important to note that this does not actually produce a BAA agreement.

Additionally, the ability to enter asset type and status and the different stages of the ePHI systems is great; however, without the ability to track or assign these questions, the inexperienced end user will not be able to identify where some of the gaps come from.

As users work through the tool they will find that questions now map back to the HIPAA citations (similar to our software) and there is a little more guidance in the way of tips that have been added throughout. Probably the most significant update is related to the production of a Final Report, which is arguably the most crucial component in completing a risk analysis and what you walk away with. Much like the rest of the tool, the newly created Final Report does come with a caveat, as the results of this report are fairly arbitrary, with a large margin of error based on how the user responds to the risk calculation.

The Bad

At HIPAA One, we frequently use the term “Free like a puppy” and that’s exactly what SRAT is. Although it is free to use (albeit funded by our taxpayer dollars) and updates have been made to create a better user experience, SRAT still has a long way to go when comparing it to other software or solutions in the marketplace today, or even spreadsheets. Aside from being labor-intensive, mundane and error-prone, each measure results in multiple questions that need to be individually answered by someone who knows how to estimate impact and likelihood year-over-year.

SRAT takes a single-user approach, meaning there is no way to collaborate on the assessment with others in the organization. This approach can result in the need for additional committee meetings to oversee remediation of identified risks. For example, there is no option to delegate survey questions to employees in different roles, so it would be entirely possible to have someone in IT trying to answer HR-related questions. Also, should users desire to go back to previous sections or revise a past answer while in the middle of the assessment, navigation is really difficult. Past sections are merely available through <BACK> and <NEXT>.

Because SRAT does not save any historical data related to previous assessments, organizations that have completed risk assessments in past years are unable to import their old assessments and simply make updates reflecting the past year. Healthcare providers focused on creating a sustainable, long-lasting HIPAA-compliant office should seek out a tool that allows previous-year imports to greatly decrease the amount of administrative work in completing your risk analysis year over year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a Certified Auditor or compliance professional in training to ensure the assessment is accurate.

Some of the large issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced Auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the gaps generated by SRAT are not correlated to, and do not identify, the HIPAA control requirement that those policies need to address.
  • No Remediation Planning or Guidance – One critical component to completing a risk analysis is addressing and remediating the deficiencies and findings after the fact. The remediation planning process gives providers a framework for next steps and continued compliance.
  • The final report
    • does not include an executive high-level overview
    • gives no way to see whether you have at least partially met a requirement, or whether a policy needs minor or major edits
    • offers no prescriptive recommendations on how to address any of the risks
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In summary

2018 HIPAA SRAT v3.0 tool vs v2.0:

Pros:

  • Bulk Asset upload (although it is just a repository for the file)
  • Multiple location option, although we didn’t see additional questions for the additional location.
  • Adds a basic Business Associate Agreement (BAA) utility
  • Questions map to HIPAA citation
  • Provides a little guidance with tips
  • Final report (although the results are arbitrary with large margin of error based on how the user responds to the risk calculation)
  • User guide

Cons:

  • No Roles. This is a big one. One unqualified person is left to answer questions from IT to HR.
  • No auto calculation of risk. This is another big one. Without a certified auditor, there is no one qualified to answer and assess risk for each of the questions.
  • Does not provide an actual Business Associate Agreement. Not sure what the value there is (need to research more).
  • Navigation is difficult. Sections are not available except through <BACK NEXT>. So if you want to review a question in the middle of the assessment, good luck!
  • Lots of Clicks
  • No remediation planning or guidance
  • No review by an auditor keeping you honest. No ongoing updates
  • No policies and procedures provided or review of the providers policies. Could be older than 3 years.
  • No Vulnerability Scan for free that links back to software
  • Useless graphs near the end that are not updatable
  • No importing of last year’s assessment
  • Use of the SRAT tool will not guarantee you will pass an audit

Bottom line, it’s a good solution for compliance-in-training individuals or those who have the time but no funding to run a stand-alone SRA solution. There are some efficiencies over spreadsheets; however, spreadsheets sometimes allow more flexibility than the SRAT tool.

If your workplace is considering using the SRAT tool for your 2018 risk analysis, we encourage you to take a look at our industry-leading automated software before doing so. At HIPAA One, our software scales seamlessly based on your role and the size of the organization. And with tiered pricing accessible for even single-doc physician practices, HIPAA One is the only choice for a guarantee to pass an audit using a simple, automated and affordable approach to conducting the annual HIPAA assessment. What are your thoughts on the SRAT tool? Feel free to enter your comments below or contact us anytime for a free consultation.

Cloud Email Phishing Attacks: A Practical Guide

Attention CIOs, CISOs and IT Administrators: look at the HHS Breaches over 500 website – it’s getting pretty grim. The number of breaches affecting over 500 individuals is trending upward and the culprit is clear: Hacking/IT incident. With or without a HIPAA Security Risk Analysis, this translates into email phishing attacks. Fraudsters and criminals are exploiting vast databases of compromised user credentials to make payroll. These accounts are publicly available for lookup, and the credentials can be had for as little as $45 per 1,000 account/password pairs.

According to a recent Proofpoint study, 72% of all cloud users have been targeted and of those, 44% of attacks were successful. That’s right, almost 1-in-2 targeted attacks were successful including those organizations using Multi-Factor Authentication (MFA).

Why? IMAP is a legacy email protocol which is turned on by default when email is enabled for users and is not integrated with MFA. So hackers test email address and password combinations via IMAP to see if they can log in, “bypassing” MFA. Once they are in, they can use that same login ID and password to connect via VPN and gain full access to the network, in addition to forging emails and downloading email attachments. Here are a couple of quick hits to maximize your organization’s protection from this MFA bypass vulnerability.

For those who are new to IT, IMAP stands for Internet Message Access Protocol. It was designed when the intent was innocent: give people a way to connect via electronic mail. In today’s Office365, IMAP is turned on by default (for backward compatibility) and, unless it is needed, must be turned off if you want your MFA to be of any use.

Three Steps to control email phishing attacks

First, turn off IMAP and POP3 in Office365 by:

  1. Launching Exchange Administrator Console
  2. Opening User Mailboxes
  3. In each user’s mailbox, go to Mail Features, scroll down and disable IMAP and POP3

Second, turn on Multi-Factor Authentication.

Go to Multi-Factor Authentication Controls: https://account.activedirectory.windowsazure.com -> Use prompts, guides or just highlight users and turn on MFA for multiple users.

Third, set passwords to never expire while forcing everyone to create a longer, easy-to-remember but hard-to-guess passphrase. Get each user to install KeePass or another encrypted password manager to securely store this new password, and all their other passwords, in one place.
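Clicking through every mailbox in the admin center does not scale, and it is easy to miss one. As an added example that is not part of the original post, the PowerShell script below does the first step from the Exchange Online PowerShell side: it lists every mailbox that still accepts IMAP or POP3, turns both protocols off, and also turns them off in the mailbox plan so new mailboxes start that way. It assumes the ExchangeOnlineManagement module is installed and that you sign in with an Exchange administrator account; the `-ReportOnly` switch is my own addition for a dry run.

```powershell
# Added example (not HIPAA One's or Microsoft's code): audit and disable IMAP/POP3
# on every Exchange Online mailbox. Run with -ReportOnly first to see what would change.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
param(
    [switch]$ReportOnly
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Find mailboxes that still accept IMAP or POP3 (the MFA-bypass path the post describes).
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Identity, PrimarySmtpAddress, ImapEnabled, PopEnabled

Write-Host ("{0} mailbox(es) still have IMAP or POP3 enabled" -f @($exposed).Count)
$exposed | Format-Table -AutoSize

if (-not $ReportOnly) {
    # 2. Turn both protocols off for each exposed mailbox.
    foreach ($mbx in $exposed) {
        Set-CASMailbox -Identity $mbx.Identity -ImapEnabled $false -PopEnabled $false
        Write-Host ("Disabled IMAP/POP3 for {0}" -f $mbx.PrimarySmtpAddress)
    }

    # 3. Change the mailbox plan(s) so newly created mailboxes start with IMAP/POP3 off.
    Get-CASMailboxPlan | ForEach-Object {
        Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
    }
}

# 4. Re-check; this should report zero once the change has propagated.
$remaining = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
Write-Host ("Remaining mailboxes with IMAP or POP3 enabled: {0}" -f $remaining.Count)

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the report output with your risk analysis evidence: it documents the control for §164.308(a)(3)(i) and gives you a baseline to re-run after each new hire. If a few mailboxes genuinely need IMAP (a scanner or a legacy application, for example), leave them enabled but note each as an accepted risk, and consider an Exchange Online authentication policy (`Set-AuthenticationPolicy` with `-AllowBasicAuthImap:$false` and `-AllowBasicAuthPop:$false`) so that even those mailboxes refuse password-only logins over the legacy protocols.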

Implementing the above housekeeping HIPAA Security changes will help you comply with §164.308(a)(3)(i) (Implement P&P to ensure appropriate ePHI access) and §164.312(a)(2)(i) (Assign unique IDs to support tracking) while blocking hackers from bypassing Multi-Factor Authentication. Capitalize on your Office 365 and Exchange investments: turn off IMAP and POP3 today.

Conducting a HIPAA Security Risk Analysis (SRA) with HIPAA One using our Remote or Onsite Consulting option engages our certified Audit Support Team to help with other regulatory compliance via Office 365. The SRA also covers the 72 HIPAA Audit Protocol and is constantly updated with State and Federal updates. Contact us at the link below for more details or if you have any questions. Happy computing!

GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft.

On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR regulation has been characterized as the most sweeping and impactful change to privacy and data protection regulations in history. GDPR goes into effect on May 25, 2018 with broad reaching implications for EU-based organizations and multinationals around the globe. It is critical to note that GDPR imposes new rules on organizations that offer goods and services to people in the EU or those that collect and analyze data tied to EU residents, no matter where they are located.  This means that US based healthcare covered entities and organizations defined as controllers or processors of an EU citizen’s or resident’s healthcare data will be directly affected by GDPR and must be prepared to meet these regulatory requirements.

The General Data Protection Regulation (GDPR) sets a new bar for privacy rights, security, and compliance, which will be enforced through heavy penalties. Microsoft has made the commitment that all its online services will be GDPR compliant and backed by contract, providing assurance that personal information is protected and handled in compliance. With Privacy-by-design as a core guiding principle, Microsoft provides a comprehensive set of software services to enable customers to meet their GDPR requirements. Microsoft recognizes that end-to-end compliance is required and must be implemented as a holistic process across the organization including (and beginning with) the protection of endpoints. Windows 10 enables organizations to begin their GDPR compliance journey.

GDPR Focus: Data Protection and Security – Not Technology

Like the HIPAA regulations, GDPR makes no direct reference to technical or technology requisites. However, GDPR does require organizations to build a holistic & structured approach to data protection and overall security.

More specifically, GDPR states the following:

(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary,

(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller,

(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Microsoft GDPR Readiness and Assessment Tool

Microsoft Windows 10 enables an organization’s GDPR security and privacy requirements with its cloud-enabled security stack that includes device protection, identity protection & management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Edition, Microsoft includes the Windows Information Protection (WIP) component that provides integrated protection against accidental data leaks.

With WIP Windows 10 can:

  • Protect data at rest locally and on removable storage
  • Enable corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
  • Provide a common experience across all Windows 10 devices and prevent unauthorized apps from accessing business data and users from leaking data with copy and paste protection
  • Enable seamless integration into the Microsoft cloud platform

Quality Reporting: A Drain on Practice Resources, New Study Shows

As featured in EMR & HIPAA, Powered by HeathScene.

If time is money, medical practices are sure losing a lot of both based on the findings in a new study published in Health Affairs. The key takeaway: practices spend an average of 785 hours per physician and $15.4 billion per year reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By embracing technology to manage labor-intensive, error-prone and mundane tasks; practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by embracing cloud-based software solutions.

This overwhelming administrative bloat and financial burden can be addressed by implementing software tools and solutions designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting your annual risk analysis through spreadsheets and other manual methods, it is time to embrace automation and a Security Risk Analysis software solution. Designed to control costs, a cloud based Security Risk Analysis solution automates 78% of the manual labor needed to calculate risk for organizations of all size.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

Fighting Ransomware: A Success Story

When the HHS Office for Civil Rights released the HIPAA guidance on ransomware in the summer of 2016, collectively the health care community sat up and took notice. The guidance (found here) outlines various activities required by HIPAA that assist organizations in the prevention and detection of threats. One of the key activities listed in the guidance is completing an annual Security Risk Analysis.

As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  By utilizing the HIPAA One® Security Risk Analysis (SRA) tool, I am able to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site with one of our clients, which I will call “Care Health” to preserve their confidentiality, working on organization-wide identity protection. Care Health utilizes our SRA to safeguard their critical data and provide security and protection from Ransomware, malware and the proverbial “sophisticated malware attacks”.

While at the Care Health office, two staff members in the Billing department were utilizing shared files in a network-mapped drive (e.g. N: drive). One of the staff members noticed new files were being spontaneously created and the file icons in the network folder were changing. By watching the changing file names, the staff member noticed one showed up as ransom.txt.

Acting quickly, she contacted the IT Helpdesk for assistance. The Helpdesk had been trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). Upon being notified of the issue, the HSO logged-into the N: shared drive and found their files were slowly being encrypted!

How do you stop a Ransomware attack?

Promptly, the HSO ran Bitdefender full-scans on the Billing department computers and found nothing. He then installed and ran Microsoft’s built-in Windows Defender, which has the most current malicious software removal utilities on Server 2012 and found Tescrypt. Installing Windows Defender on the two desktops not only detected the encryption, but also removed it.

This specific Ransomware variant had somehow infected the system and was systematically encrypting these files.  Thankfully, the quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before any patient data was compromised. Following the incident, backups were used to restore the few-dozen encrypted files on the network-drive. Due to appropriate safeguards and training, the Care Health team was ready and a crisis was averted.

Upon a configuration review of Care Health’s security appliances, WebSense was configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page. This forced website visitors to download the executable virus from the banner-ad and unknowingly install the Ransomware on their local computer. Once downloaded, the Ransomware would begin encrypting files in high-lettered network-drives.
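The two signs the Billing staff happened to spot by eye, a ransom note appearing on the share and a burst of files being rewritten with an unfamiliar extension, are cheap to check for automatically. As an added example that is not part of the original post, the PowerShell function below applies those two heuristics to a list of file-change events. The events here are constructed sample data (the file names, the `.locked` extension and the thresholds are my assumptions); in production they would come from a FileSystemWatcher on the mapped drive or from file-server audit logs.

```powershell
# Added example (not HIPAA One's code): flag ransomware indicators in file-change events.
# Each event is an object with Time (DateTime), Path (string) and Change ('Created'/'Renamed'/...).
function Test-RansomwareActivity {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowSeconds   = 60,   # look-back window for the burst test (assumed)
        [int]$BurstThreshold  = 20,   # files with unknown extensions inside the window (assumed)
        [string[]]$NotePatterns = @('ransom*.txt', '*decrypt*', '*how_to_*'),   # assumed note names
        [string[]]$KnownExtensions = @('.docx', '.xlsx', '.pdf', '.txt', '.csv', '.jpg', '.png')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Sign 1: a ransom note dropped anywhere on the share.
    foreach ($e in $Events) {
        $name = [System.IO.Path]::GetFileName($e.Path)
        foreach ($pattern in $NotePatterns) {
            if ($name -like $pattern) {
                $findings.Add("Ransom note candidate '$($e.Path)' written at $($e.Time.ToString('HH:mm:ss'))")
                break
            }
        }
    }

    # Sign 2: many files created or renamed with an unfamiliar extension inside a short window.
    $suspect = @($Events | Where-Object {
        ($_.Change -in 'Created', 'Renamed') -and
        ([System.IO.Path]::GetExtension($_.Path).ToLower() -notin $KnownExtensions)
    } | Sort-Object Time)

    for ($i = 0; $i -lt $suspect.Count; $i++) {
        $windowStart = $suspect[$i].Time.AddSeconds(-$WindowSeconds)
        $inWindow = @($suspect[0..$i] | Where-Object { $_.Time -ge $windowStart })
        if ($inWindow.Count -ge $BurstThreshold) {
            $findings.Add("$($inWindow.Count) files rewritten with unknown extensions within $WindowSeconds s, ending with '$($suspect[$i].Path)'")
            break
        }
    }
    return $findings
}

# Constructed sample: 24 claim files renamed in 24 seconds, then a note, then one benign save.
$t0 = Get-Date '2016-08-15 09:30:00'
$sample = @()
foreach ($i in 1..24) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i); Path = ("N:\Billing\Claims\claim_{0:d3}.docx.locked" -f $i); Change = 'Renamed' }
}
$sample += [pscustomobject]@{ Time = $t0.AddSeconds(25); Path = 'N:\Billing\Claims\ransom.txt';  Change = 'Created' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(5);  Path = 'N:\Billing\Reports\summary.xlsx'; Change = 'Created' }

# Expect two findings: the ransom note and the 20-file burst.
Test-RansomwareActivity -Events $sample | ForEach-Object { Write-Warning $_ }
```

Note that `ransom.txt` trips the note check but not the burst check, because `.txt` is a known extension; the two signals are deliberately independent so that either one alone pages the HIPAA Security Officer, mirroring the triage rule the Care Health helpdesk followed. Tune the extension list to the file types your share actually holds, and treat a hit as a cue to disconnect the workstation that has the share open and pull the backups, not as a cue to investigate at leisure.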

Next steps…

Unfortunately, Ransomware is here to stay and the number of attacks is rising. Now more than ever, it is critical that health care organizations have updated policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program. Let the Care Health incident be a reminder that a well-trained employee is an organization’s best defense against Ransomware, Phishing and sophisticated malware attacks.

The HIPAA One® software suite offers an automated approach to implementing and maturing your organization’s HIPAA Security Compliance Program. To learn more, visit us at  https://www.hipaaone.com/contact/

OCR’s Updated HIPAA Audit Program – What you need to know

With the pinnacle of patient breaches hopefully behind us (e.g. Anthem/WellPoint breach, Premera, Blue Cross, and others in 2015), it is clear the industry has struggled with proper security of our electronic health information (ePHI). As such, the federal government has stepped in to ensure measures are in place to secure ePHI, abide by privacy rules granting all of us access to our health information, and making it illegal to discover a breach and not take appropriate steps to notify those affected.

The Office for Civil Rights (OCR) is a division of Health and Human Services with the responsibility to ensure industry compliance with an individual’s rights to Privacy, safeguards to electronic PHI and to investigate an organization’s diligence when breaches occur.  Part of the OCR’s focus is also to develop audit rules in its activities ensuring the industry is adopting compliance efforts, reducing risk of breaches and improving health care.  This is called the HIPAA Audit Program, and leverages the instructions, called the Audit Protocol, to test compliance.

Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol.  To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.

The HIPAA Audit Protocol is something the Healthcare Information Technology compliance and audit communities have been asking for for a long time: more guidance on HIPAA regulations. In addition to NIST-based risk analysis methodologies, this new set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around electronic protected health information, or ePHI), privacy (rights and restrictions to PHI) and breach notification requirements (what to do when a breach of PHI happens). This graphic shows the number of top-level HIPAA citations covered under the OCR’s checklist, color-coded by discipline:

HIPAA Audit Protocol 2016

To summarize the changes between Phase 1 and Phase 2 of the Audit Program:

What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and endorsed the OCR‘s Audit Program.
  2. Contained 169 total protocols.
  3. Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit)
  2. Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
  3. 180 Enhanced protocols (groups of instructions) which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

With so many recent changes, it is clear that checklists, spreadsheets, the ONC’s SRA tool, HITRUST and most commercial compliance software companies are now out of date with the new HIPAA Audit Protocol. As we get to the end of the Meaningful Use incentive program, we risk having a high number of covered entities potentially using outdated software tools for modern HIPAA compliance requirements.

Regarding the HIPAA Audit Protocol’s compliance date, says Brad Trudell of MetaStar, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements.  If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”

In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).

Specific steps to take in light of the new HIPAA Audit Protocol:
  1. Check your “Clutter”, “Junk” or “Spam” folders to ensure that an email sent from OSOCRAudit@hhs.gov (OCR office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Example of the email is here.
  2. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach notification assessments since these are often overlooked.
  3. Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
  4. Address risks found in previous risk analysis efforts. This requires documented progress of gaps in compliance and associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures).  This also includes having supporting documentation tracking these updates.
  5. Identify who your business associates (BA) are (or subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March, 2013), and collect proof (e.g. reasonable assurances) that the BA or Subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
  6. Ensure any software tools used are updated with the new release of the OCR’s updated HIPAA Audit Protocol (e.g. as part of OCR’s Phase 2 of their Audit Program); therefore, your risk management and compliance program will become compliant today (not months from now).

Why invest in yesterday’s Audit Protocol?  HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program.  To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies contact us or email info@hipaaone.com.


Demystifying HIPAA Security Risk Analysis

Steven Marco

As a business owner, my professional conversations with physicians run the gamut, from how my business services can solve their problems, to exchanging ideas and best practices, and offering support in starting and growing a business. I get the feeling that physicians running a medical practice often feel like they have a target on their back because staffing, management, regulations, documentation, and reimbursement have become such big parts of medicine.

Building a business requires tremendous time, money and effort in order to become profitable.  The compliance landscape shifts and evolves.  Today, a HIPAA Security Risk Analysis has become paramount for almost any medical practice to collect state and federal reimbursements.  An often overlooked benefit, however, is the Security Risk Analysis, which can improve the efficiency and professionalism of these same practices.

But how does complying with HIPAA help?

First, HIPAA Security is greatly misunderstood. HIPAA was originally conceived because patients were not able to access their own health information. Today, HIPAA enforcement is the main driver to ensure we don’t mishandle or otherwise treat patients’ protected health information (PHI) with neglect—willful or not.

Many practices believe that if they complete a quick checklist or perform a risk assessment with an auditor on the phone and get a final report, they are done and have “checked the box.”    Like doing a fast tax-return, this quick approach diminishes the value of HIPAA. If embraced, HIPAA’s Security Risk Analysis checklist of best practices provides ongoing benefits, such as:

Staff morale:

  • Policies and Procedures establish a code of conduct on how staff should represent the clinic in day-to-day interactions with patients.
  • Guidance on handling patients, staff, processes and technology provides operational clarity.
  • Assurance that the IT department makes Electronic Medical Records available (e.g. performance, backups and recovery), complete, accurate and confidential.
  • A clear baseline on how to handle all aspects of patient releases, authorizations, business associates and internal operations.

Technology:

  • One aggregated place for information about patient visits can contribute to population health research and disease management.
  • Encryption of laptops, desktops, smartphones and all portable media can reduce the risk of having to report a breach by up to 68% (according to OCR breach data for theft, loss and improper disposal).
  • Meaningful Use provides incentives and ongoing reimbursements (soon to become MACRA).

Clinic appearance:

  • Staff attire, name badges and a proper patient waiting area separate from the clinic complies with HIPAA and improves the professional look and feel of the clinic.
  • Training and employee awareness reinforce policies and procedures, which drives improved morale and reduces risk to the clinic.

The Bottom Line:

Conducting a HIPAA Security Risk Analysis covers Administrative, Technical and Physical (PAT) safeguards and provides a snapshot of where the clinic is performing well and where improvements are needed.  If a HIPAA Security Risk Analysis is the snapshot, then the “moving picture” is the ongoing process of closing gaps in compliance, not only to reduce the chances of a security breach but also to improve the efficiency of the health care organization.   For a quick 5-minute assessment, take our high-level HIPAA Security Assessment quiz and see how your practice measures up against the top 13 HIPAA items typically missed.  Contact us today to learn how to get more of a return on investment in HIPAA than simply “checking the box”.

HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and how much our clients appreciated the simplicity and automation it provided. We have been committed to expanding our solutions and adding products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments.   Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs of not only the large practices, but also the small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, the OCR is accelerating the frequency and number of audits; with HIPAA One solutions, you are guaranteed to pass.

Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn't Going Away

Good news – with the mixed bag of recent news from CMS, the boat has not yet left the dock!  If you conducted a “last-minute” spreadsheet or checklist to meet the December 2015 deadline, the odds of passing an audit are not good.  Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs.  In spite of the recent proclamation from CMS that MU will end in 2016, any Eligible Provider (EP) or Eligible Hospital (EH) must still file for 2015.  The specific requirements to “Protect Electronic Health Information” are described by CMS as listed in the following table:

[Table image: table1]

The filing period for Meaningful Use Attestation and reporting is from January 4 through February 29, 2016.  This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015, there is still time!  The SRA will need to be for 2015 and cannot be used for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process, using a cloud-based, step-by-step approach (see quick video here:  https://youtu.be/9G_B7U_pnuo).  As such, you will be able to comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

[Table image: table2]

A “new program” is slated to be announced by CMS on or about March 25, 2016 that will replace (some think “augment”) the current MU program.  It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement.  There will also be special attention paid to APIs and interoperability.  That said, data security will still be of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance

Prevent HIPAA Violations
Get Started by Contacting Us Today

HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment for 164.308(a)(1)(ii)(A), so you can be assured you are compliant.

HIPAA Security for Meaningful Use : Myths and Facts

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment that others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and the requirement to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see the paragraph above on basic credentials).  They go into the organization, interview staff, collect some documentation, run scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world has moved on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art and content, and most importantly, it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS guidance: “False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…”

HIPAA One® take:  Things change on a constant basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely adopted to tackle this), HIPAA One® allows a full import of last year’s HIPAA Security Risk Analysis (SRA), allowing a review of each question to see what has changed.  Ongoing tracking is built in after the SRA is over, and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

HHS Privacy and Security Guide of Health Information, page 6: “False.  It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third party come in during the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts is expensive; however, year 2 should be roughly 50% of year 1 as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps of conducting the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor, using automation instead of a manual risk analysis, while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button, and HIPAA One® allows you to insource instead of outsource.

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information