Chat with us, powered by LiveChat

HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and how much our clients appreciated the simplicity and automation provided by the product. We have been committed to expanding our solutions and add products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments.   Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs of not only the large practices, but also the small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, the OCR is accelerating the frequency and number of audits, with HIPAA One solutions, you are guaranteed to pass.

LEARN MORE

HIPAA Security for Meaningful Use : Myths and Facts

fact-vs-myth

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials).  They go in to the organization interviewing, collecting some documentation, running scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art, content, and most-importantly; it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks.” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely-adopted to tackle this), HIPAA One® will allow a full-import of last-year’s HIPAA Security Risk Analysis (SRA) allowing a review of each question to see what has changed.  Ongoing tracking is built-in after the SRA is over and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

False.  It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third-party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts are expensive however, year 2 should be roughly 50% of what year 1 is as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps to conduct the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor; using automation vs any manual-based risk analysis while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button and HIPAA One® allows you to insource, instead of outsource.

Org Info Import

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

HIPAA One partners with athenahealth

athenahealth

Lindon, UT – August 28, 2015 HIPAA One, a provider of HIPAA Security and Privacy Compliance software, today announced that it has partnered with athenahealth, Inc. through athenahealth’s More Disruption Please (MDP) program, making HIPAA One part of the athenahealth Marketplace offerings. Together, the companies will work to link athenahealth’s growing network of more than 67,000 healthcare providers with the capabilities of HIPAA One to make healthcare providers more successful, profitable, and responsive to patient needs.

“HIPAA one delivers a powerful tool for Covered Entities and Business Associates,” said Steven Marco, President of HIPAA One. “We have disrupted the HIPAA Audit space by automating 78% of the mundane, labor-intensive and error-prone activities of the risk analysis and documentation.  Thousands of sites are already using HIPAA One.  Through our partnership with athenahealth, we can leverage our experience in HIPAA compliance and help athenahealth clients more easily identify real risk to their organizations, reduce costs and make the sometimes intimidating process of responding to an audit as simple as clicking the “download report” button. We guarantee HIPAA compliance with the Security Rule when using HIPAA One and will be offering discounted pricing for athenahealth providers.”

athenahealth is a cloud-based services company with a vision to build an information backbone to help make health care work as it should. Through the MDP program, athenahealth is accelerating high-value innovation via the cloud, offering new services to help providers thrive in the face of industry change and pressure.  MDP partners with innovators, entrepreneurs, companies, and individuals who are passionate about disrupting established approaches in health care that simply aren’t working, aren’t good enough, or aren’t advancing the industry.

To learn more about athenahealth’s MDP program and partnership opportunities please visit www.athenahealth.com/disruption.

About HIPAA One

We work tirelessly to provide the best HIPAA compliance software and professional services in the industry.  Owned and professional services provided by Modern Compliance Solutions, HIPAA One® was designed from the ground-up to be the most simple, automated and affordable solution.

Our goal is to establish long-term relationships with our clients and partners to be “everything HIPAA” under one roof.  To be the resource for seasoned audit professionals looking for 3rd party assurances and those who seek a solid foundation in HIPAA Compliance for their organizations.

To learn more about HIPAA One, please visit https://www.hipaaone.com.

Contact Info

Bobby Seegmiller

HIPAA One

bobby@hipaaone.com

801.770.1199

Become HIPAA Compliant In A Flash!

With government rules constantly changing in regards to HIPAA compliance, making sure your office is HIPAA compliant can seem like the most complicated, time-consuming task. But you know it’s a task you must complete so your office avoids the severe penalties resulting from a privacy or security breach.

Becoming HIPAA compliant doesn’t have to be a stressful situation though. With the right tools and resources, you can become HIPAA compliant in no time, making it an easier, less strenuous process for you.

Note on starting a real compliance effort: the first year of any compliance program will be an investment. Take comfort in knowing the investment is heaviest in the first year, with a diminishing and stable investment over time. The following graph illustrates this concept:

Security and Compliance Investment

Use these tools and become HIPAA compliant in a flash!

HIPAA One® Compliance Software

HIPAA One is one of the most affordable, easy-to-use HIPAA compliance software solutions out on the market. It was designed to be simple, automated and the most comprehensive software in the healthcare industry.

Using HIPAA One’s web-based platform, you can perform a security risk analysis and a compliance gap assessment on your own, or you can opt for an upgrade to receive onsite help from their qualified professionals. This compliance software allows you to quickly find any vulnerabilities or gaps in compliance and formulate action plans to rectify them, saving you time and resources so your time can be better spent serving your patients.

In a nutshell, here’s why HIPAA One is a valuable compliance tool:

  • Affordable
  • Easy to understand and use
  • Saves time
  • Automates reporting and documentation
  • Allows you to track your compliance process
  • Ensures proper documentation for audits
  • Protects ePHI
  • Provides a HIPAA security and compliance checklists
  • Compliant with Meaningful Use Stage 1 and 2

Security Risk Assessment Tool

The SRA Tool was developed by the ONC, in collaboration with the OCR and OGC, as a means to help health providers and professionals when they perform a risk assessment of their office. You can download and run this informational guide on various devices, or you can receive a paper-based version if that’s what you prefer.

Once downloaded, the SRA Tool takes you through every HIPAA requirement and presents you with yes or no questions about your office’s activities. This HIPAA security risk assessment tool isn’t required nor does it guarantee HIPAA compliance. It’s purpose is to be an informational tool helping you assess where your office stands with compliance.

Here are some more benefits of the SRA Tool:

  • Includes resources with each question
  • Lets you document your answers, comments and risk correction plans into the tool
  • Your data doesn’t leave the tool
  • Allows you to pause and see your results during any part of the risk assessment

AIS Health Website

Atlantic Information Services, Inc. is a publishing and information company that develops news, data, strategic information and products for those in the healthcare industry. Their products include websites, webinars, newsletters, books, looseleaf services, databases, directories and strategic reports.

On the AIS Health website, there is a very handy, informative compliance tab. This section is a great go-to resource that provides useful tools, verified tactics and timely news for those wanting to better understand all they need to know about becoming HIPAA compliant.

Here’s why you should bookmark the AIS Health website:

  • One-stop educational compliance resource
  • MarketPlace tab lists their products by type and subject matter
  • Keeps you up to date on healthcare and compliance news
  • Brings insightful healthcare industry managers and advisers right into your office through their webinars 

Non-compliance is not an option. To protect yourself and your office from costly consequences, use these tools and resources to quickly and efficiently become HIPAA compliant.

Please contact us at info@hipaaone.com, or via phone at 801-770-1199 should you have any questions or comments.

Weren’t Business Associates Already Subject to HIPAA Before September 2013?

Before September 23rd, 2013, business associates were subject to upholding the provisions in the contracts by which they were governed. That meant that the contracts controlled the type, amount, and use of protected information a business associate was able to handle. Now through the new HIPAA policy changes, covered entities no longer determine the liability of a business associate.

Business associates, through the new policies enforced in September 2013, are now held accountable for all the actions they take that affect protected health information. That means that apart from entering into a contract that is compliant with the new HIPAA policies, a covered entity has no liability when it comes to what a business associate does with protected health information in the course of fulfilling their contractual obligations.

This is good news and bad news for covered entities. It means that covered entities don’t need to monitor or dictate a business associate’s every move. This makes for a much less labor intensive management of business associates.

It also means that there is greater responsibility placed on the covered entity for the violations and breaches of security that are discovered by covered entities. A covered entity can be charged with neglect if they discover or find evidence suggesting a violation or breach and do not take the appropriate steps in reporting it.

The largest change that both business associates and covered entities must be aware of is that business associates are now liable for being compliant in all their actions with protected health information.

If you don’t know where to start, we suggest learning more about our HIPAA compliance software which will help you conduct a HIPAA Security Risk Analysis and is the cornerstone of a good HIPAA Risk Management plan. This effort should identify gaps in compliance, identify vulnerabilities and provide reasonable suggestions to remedy any remediation items.  This is the expectation for Business Associates in addition to signing appropriate agreements with their healthcare clients.

Can A Business Associate Self-Certify or Be Certified By A Third Party As HIPAA Compliant?

Too often there are misconceptions about new laws or policies because there has been too little effort to educate or to elaborate on details concerning the changes that the new laws or policies will effect.

That is the case with the new HIPAA laws that have been in effect since September 2013. Evidence of this is the overwhelming number of people who are asking for clarification on many of the details of the new changes and restrictions applicable to their organizations.

The question that serves as the title of this post is an example of the many questions that have been surfacing ever since the initiation of the enforcement of the new policies regarding the new HIPAA laws. To answer that question it is a simple response in the negative. No, a business associate cannot self-certify or be certified by a third party as HIPAA compliant.

The reason behind this is the business associate has a responsibility towards the covered entity while performing their paid duties to be subject to exactly the same restrictions and laws that the entity is. Therefore it is required that the business associate be under contract in order to be HIPAA compliant.

So, what must the contract include in order to be compliant under the new HIPAA law?

The contract must make them accountable for the proper use of protected medical information. It must also restrict the business associate to how it uses said information. Additionally, it must make available any health information to the parties to whom it belongs as well as the covered entity.

Apart from these there are several other details that a covered entity should research and abide by for protection and comply with the new HIPAA laws.

New HIPAA Rules Go Into Effect On Monday – What You NEED To Know

The new HIPAA rules that will go into effect September 23rd, 2013 have changes that affect any company that deals with PHI. That means doctors, dentists, nurse practitioners, hospitals, nursing facilities, assisted living facilities, health care insurance companies, medical billing companies, and licensed coding contractors. All of these and others will need to take a careful look at how they are protecting PHI both physically and digitally in order to ensure they escape the hefty fines and penalties. Some of the notable changes are:

  • Patient notifications of breaches
  • Restriction of Disclosure to Insurance Companies
  • Marketing Restrictions
  • Broadened Definition of Responsible Persons
  • Clarification of Fine and Penalty Tiers

Although these have many ramifications for nearly every one working in the health care industry there are three that stand out more urgently:

  1. Patient Notifications of Breaches
  2. Broadened Definition of Responsible Persons
  3. Clarification of Fine and Penalty Tiers

First, patient notifications of breaches are a serious topic especially in the wake of so many penalized breaches since 2009. The largest change to the rule is that all breaches are now considered obligatory reportable unless the breach is determined to have not compromised PHI. This determination is made by using four factors assessing the risk to the PHI.

Second, a broadened definition of responsible persons is an expanded view of who is a business associate. Rather than simply holding a patient’s caregiver and their employees responsible of protecting PHI the new rules expand this to anyone who is tasked with transmitting, storing, receiving, converting, copying, selling, using, or even viewing PHI to take the same measures to protect PHI.

Lastly, the fine and penalty tiers have been simplified and explained. The first tier comprises of breaches in which the physician or facility administration could not have reasonably known of the breach. The second tier is made up of cases in which the doctor or facility admin knew of the breach, or would have known, if exercising due diligence but did not employ negligence. The last and most heavily penalized tier is those cases and circumstances where willful neglect has been proven.

These are only a few things to be aware of with the new changes to the HIPAA law going into effect on September 23rd, 2013. You may want to look into hiring a HIPAA security expert to learn more and help ensure you are compliant.

OCR gives an important 2013 update on their HIPAA Security and Privacy Enforcement status

The resumption of the HIPAA compliance audit program is on hold while regulators analyze pilot audit project results and implement the HIPAA Omnibus Rule, says Susan McAndrew of the HHS Office for Civil Rights.

HIPAA Privacy Audits begin – 20 “initial” audits to 150 audits by end of 2012

Is attestation means to hold providers accountable for expenditure of public funds and protect against fraud and abuse?

The Office for Civil Rights has engaged KPMG using $9M of their $52M budget for this year enforcing HIPAA compliance and investigating breaches for the CMS.  The covered entities in scope for KPMG audits are those that have received CMS Incentives under Meaningful Use and can expect a minimum of 30 business day process with 3-10 days of on site visit.

As you register and attest for Meaningful Use funds, be aware the risks associated with protecting ePHI are elevated in terms of IMPACT to your hospital.

For press release, click here.  For the HHS press release, click here.

I have worked for Deloitte & Touche ERS and understand the big accounting firm audit strategies with legal implications.  If you would like to discuss how to mitigate your clinic’s risks with attestation and be fully prepared for an OCR Audit, please do not hesitate to contact me anytime.

ePHI Patient Data Posted Online in Major Breach of Privacy at Stanford University Hospital

Failure to comply with HIPAA-compliance includes detection and notification procedures in the event of a breach.

This is a nightmare scenario and illustrates the consequences of not having a comprehensive risk-management initiative.

Read all about it on this New York Times article: http://www.nytimes.com/2011/09/09/us/09breach.html?_r=1&hp

No one is immune from breaches – could the legal, financial and privacy risks have been mitigated by enforcing acceptable use contractors for vendors? I like to think so. It is item 14 on our HIPAA Compliance checklist…