Frequently Asked Questions
If you're having a problem, others may have too. Here are some of the problems we solve with ease every day.
- Navigate to https://login.hipaaone.com —> Click “forgot?”
- Enter your email address and Captcha phrase on the Account Recovery page
- Click on the secured link (i.e. only works once) to navigate to the Change Password entry page for access into HIPAA One
- The secured link can only be used once. If you still have issues, make sure your firewall allows hipaaone.com (your IT person will know what to do). If you see an error screen instead of the Change Password page when you click the email link, the link is no longer valid (it only works once); repeat the above process to request a new secured email and link
- Once the risk analysis is completed and the final report has been signed, the main Sponsor must add any participants back to the report as a “Reviewer” before they can access the Action Plan and work on risk items
- Click on the completed assessment from the main menu. Three buttons will appear for the Sponsor; click the “Reviewers” option
- Click “Add Reviewer”
- Enter each participant's name and email address and click “Add Reviewers” for every participant who needs to access the report. The Sponsor may also delete participants here
- The participant will receive an email with an invitation link; check the junk folder if the email does not appear in the inbox. The link in the email expires after 14 days
- Update the organization's reply-to email address by following these steps:
- Click on the globe icon while in Organizations
- Enter the desired email address in the Proposed Value field, then click “Update Organization”
- Once the email address has been added successfully, the screen shows a three-column grid with a variety of fields (Admin Name, Legal Name, Address, etc.)
- Use this guide to decide when to refer to the employee handbook and when to cite formal policies, as required by the questionnaire when completing the security risk analysis:
- Employee Handbook – The handbook is written with employees as the intended audience. As such, it has a straightforward layout for easy referencing of company policies and procedures. It is also a vehicle for familiarizing employees with basic company policies and benefit programs, as well as the general expectations of the company, including acceptable and unacceptable behavior and disciplinary measures.
- Company Policies and Procedures – Different from the employee handbook, P&Ps are more comprehensive and include details on every aspect of how the company conducts business with respect to standards and regulations. Some procedures go into detail on how to follow a policy and on the documentation needed to complete each process. A P&P manual is essentially a reference tool for managers and supervisors, not for employees at large. It is much more detailed than the employee handbook and should be used as back-up when more information is needed to explain a policy or when a deeper understanding of a process is required. As an added benefit for management, the manual can reference the federal and state laws that correspond to each policy, so that managers and supervisors have the rationale for each policy at hand when enforcing it. It may also include forms, checklists, and sample documents showing administrators and managers how to handle specific workplace policies and situations.
- Question: When conducting a HIPAA Security Risk Analysis (SRA) for a Limited Access Death Master File (LADMF) submission to the National Technical Information Service (NTIS), do I need to remediate all risks found during the SRA before requesting access to the LADMF?
- Answer: You do not need to remediate during the SRA; however, on completion the HIPAA One SRA lists the risks found together with detailed remediation steps (how, who, and when to fix them). The LADMF is the database, managed by NTIS, containing the authoritative records of deceased individuals. Payers typically use this information to ensure that health care claims are not fraudulent. HIPAA One, through its array of internationally recognized professional designations, is an Accredited Conformity Assessment Body (ACAB) and may submit the form attesting that the applicant is who they say they are (i.e. not someone trying to access the LADMF to commit fraud).
- The steps are listed below for reference; see our blog at https://www.hipaaone.com/ladmf/ for more information.
- In our experience, NTIS typically responds within 48 hours, either accepting the application and granting the applicant LADMF database access or rejecting it with an explanation. Note that the HIPAA SRA must be completed before NTIS will accept the application.
- Pay the Fee – There is an annual fee of $1,575.00 for processing the LADMF Subscriber Certification Form; payment can be made here: https://classic.ntis.gov/Search/Home/titleDetail?abbr=DMFCERT0002. In addition, a processing fee of $525.00 is required every three years for the LADMF ACAB Systems Safeguards Attestation Form.
- Complete the Subscriber Form – After the payment has been accepted, complete and submit the LADMF Subscriber Certification Form at https://dmfcert.ntis.gov. Certification must be renewed each year.
- Order Number Assigned – Each organization is assigned a specific order number, which is used on the ACAB Systems Safeguards Attestation Form.
- Form Completed – HIPAA One fills out the ACAB form free of charge.
- Form Submitted – HIPAA One submits the form on behalf of the client.
- The difference between a penetration test and a vulnerability scan can be difficult to understand. Although both are valuable in building a strong threat and vulnerability management program, the two are often confused and the terms used interchangeably.
- Penetration Test – A penetration test simulates the actions of an external or internal attacker. The tester (an ethical hacker) strives to breach the organization's information security: put simply, a person trying to bypass application controls and “break into” a network or system to take data or gain further access to other internal systems and databases. The work is largely manual, and an ethical hacker can use many different tools and techniques to exploit critical systems and reach sensitive data. By conducting penetration tests, organizations can identify gaps between possible threats and existing controls.
- Vulnerability Scan – Unlike the manual practice of a penetration test, a vulnerability scan is an automated check performed by a software tool that inspects the potential points of exploit on a computer or network to identify security holes. By checking internet-facing devices against known Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify weaknesses in computers, networks, and communications equipment. Scans are configured as safe checks, meaning the scan only identifies known, unpatched vulnerabilities on the external IP addresses provided and does not attempt exploitation or cause a denial of service (DoS). A free example of a narrowly focused scan is the SSL Server Test at www.ssllabs.com, which checks a site's TLS encryption settings and certificate exchange.
- There are many software options for vulnerability scanning, and certain tools are specific to particular types of computing infrastructure. It is important to understand that a scanning tool is only as good as the CVE dictionary behind it: it cannot report a weakness it has no entry for, so one tool may not be all an organization needs. It is fairly common for attackers to run anywhere from 6 to 10 different scanners to speed up the process of finding easy ways to bypass application and infrastructure security controls.
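As an added illustration of how a vulnerability scanner classifies what it sees, and of why it is only as good as its vulnerability dictionary, here is a small Python example written for this page. It is not HIPAA One's software and not a real scanner: the hosts, service banners, version numbers and vulnerability IDs (EXAMPLE-000x, deliberately not real CVE numbers) are all constructed so that the logic runs offline. It fingerprints each banner, compares the version against the dictionary, and shows that a product the dictionary does not know produces no finding at all.

```python
"""Toy version-matching vulnerability scanner (added example, not HIPAA One code).

A real scanner probes hosts over the network; here the banners are constructed
inline so the logic runs offline. The vulnerability entries use placeholder IDs
(EXAMPLE-000x), not real CVE numbers, and the hosts are TEST-NET-3 addresses.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    fixed_in: tuple  # first version that carries the fix
    severity: str


# Constructed "CVE dictionary": the scanner can only ever report what is in here.
VULN_DB = [
    Vuln("EXAMPLE-0001", "OpenSSH", (8, 5), "high"),
    Vuln("EXAMPLE-0002", "Apache", (2, 4, 50), "critical"),
    Vuln("EXAMPLE-0003", "Apache", (2, 4, 52), "medium"),
]

# Banner fingerprints for the products the scanner knows how to recognise.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "Apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "nginx": re.compile(r"nginx/(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner):
    """Return (product, version) from a service banner, or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def scan(hosts):
    """hosts maps (ip, port) -> banner string. Returns one finding dict per service.

    status is one of:
      vulnerable - version is below the fixed-in version of at least one entry
      clean      - product recognised, but no dictionary entry applies
      unknown    - product not fingerprinted; the scan can say nothing about it
    Caveat: banner matching cannot see vendor backports, so a 'vulnerable'
    result still needs confirmation (or a real pentest) before it is treated as fact.
    """
    findings = []
    for (ip, port), banner in sorted(hosts.items()):
        finding = {"host": ip, "port": port, "product": None, "version": None,
                   "vulns": [], "severity": None, "status": "unknown"}
        fp = fingerprint(banner)
        if fp is not None:
            product, version = fp
            finding["product"] = product
            finding["version"] = ".".join(str(n) for n in version)
            hits = [v for v in VULN_DB if v.product == product and version < v.fixed_in]
            finding["vulns"] = [v.vuln_id for v in hits]
            if hits:
                finding["status"] = "vulnerable"
                finding["severity"] = max((v.severity for v in hits), key=SEVERITY_RANK.get)
            else:
                finding["status"] = "clean"
        findings.append(finding)
    return findings


# Constructed sample banners (TEST-NET-3 addresses, not real hosts).
SAMPLE_HOSTS = {
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_8.4",
    ("203.0.113.10", 80): "Server: Apache/2.4.49 (Unix)",
    ("203.0.113.11", 443): "Server: nginx/1.25.3",
    ("203.0.113.12", 8080): "Server: CustomHTTPd/3.1",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HOSTS):
        print(f"{f['host']}:{f['port']:<5} {f['status']:<10} "
              f"{f['product'] or '-'} {f['version'] or ''} {','.join(f['vulns'])}")
```

Running it lists the two OpenSSH and Apache services as vulnerable, nginx as clean, and the custom server as unknown. The last two lines are the point of the passage above: nginx is only "clean" relative to this dictionary, and the unrecognised server gets no finding at all, which is exactly the gap a penetration tester, or a second scanner with different signatures, is there to cover.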
- If the Main Menu bar on the left portion of the screen does not appear, click the “Door” icon in the top-right corner of the screen. Next, select the “My Profile” icon to open your profile information
- Change the email address(es) associated with this user account by clicking the “Email Address(es)” link
- To add an email address, click the “Add Address” link. Enter your email address twice to verify the spelling
- After you click the “Save” button, the system sends an email containing a verification code to the newly entered email address
- Enter the code from that email in your HIPAA One profile to verify the address
- Now make the new email address the default for the HIPAA One system; all subsequent emails will be sent to the default address
- Optional: You may delete the previous email address, for example if you no longer want to reference it (departed employee, voluntary change, etc.). Note that clicking the delete link removes the address immediately, without a confirmation prompt
- To change the user account used to log in to HIPAA One, click the “Security Settings” link
- When you click the change username link, a dialog pops up in which you may choose an existing email address (recommended) or create your own username that is not an email address
- Recommended: Change the password associated with this login account. Use the change password link to enter, confirm and save your new password
- HIPAA One Self Assessment Kickoff Instructional Video Step 1 of 3 (Detailed): https://youtu.be/ky7DRrm3ji4
- HIPAA One Onsite and Remote PRA SRA Kickoff Instructions: https://youtu.be/i3Mxhv1cLFU
- HIPAA One Self Remote Onsite Instructional Video Steps 2-3 of 3 (Detailed): https://youtu.be/_roR_NI6m_Y
- HIPAA One OrgAdmin Initial Release Intro: https://youtu.be/xx7DIDiHVYc
- HIPAA One Audit Alert-How to add Reviewers to update past risks found: https://youtu.be/6N5PWaEOA-E
- HIPAA One’s New Software Tool: BAA Software: https://youtu.be/aBTGytG9v10
- Buyer Beware: Not all HIPAA Risk Analysis Solutions are Created Equal: https://youtu.be/yyVZEP3d4G0
Let HIPAA One do the heavy lifting for your company when it comes to compliance. Make us part of your team to stay up-to-date, stay automatically compliant, and most importantly, protect your client's information.