Friday, June 26, 2015

Episode 7: HIPAA Myths Part 1


 

In this episode we discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.

Glossary
A myth is a widely held but false belief or idea.

Links

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes

  1. Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Providers can share:

    With anyone the patient identifies as a caregiver

    When the information is directly relevant to the involvement of a spouse, family member, friends, or caregivers (Ebola, for example)

    When necessary to notify a caregiver about a change in the condition or location of a patient (as long as the patient doesn't object)

    When it is in the best interest of the patient, regardless of whether the patient is able to object

  2. The security risk analysis is optional for small providers and business associates. False. Everyone is required to abide by the Security Rule, which specifically requires a security risk analysis.

  3. A checklist will suffice for the risk analysis requirement. False. Checklists are tools for doing the analysis and gathering your data, but they aren't enough to meet the risk analysis requirement. A Security Risk Analysis must include three main elements (according to OCR guidance):

A. Identification of all PHI sources
B. Human, electronic and environmental threats to the PHI
C. Review of current security measures to protect the PHI from those threats


Check out the latest episode!

Friday, June 19, 2015

Episode 6 - HIPAA Compliant IT


In this episode we discuss technology support requirements under HIPAA and why professional, HIPAA compliant IT services are an important part of managing your security compliance.

The Security Rule has so many specific technical requirements to consider that it really takes professional technology services to handle it properly. We discuss why that is needed and what to expect from a HIPAA Compliant IT company.

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Friday, June 12, 2015

Without Documentation It Didn't Happen


In this episode we discuss the importance of documentation for your HIPAA compliance program. You can be doing everything right, but without documentation there is no way for you to show anyone else that this is the case. If you can't prove it, then you aren't doing it as far as OCR is concerned.

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

FindHealthcareIT

HIPAAforMSPS.com

KardonCompliance.com

ComplyAssistant.com

Notes

  • OCR says "don't just tell me you are compliant, show me you are"
  • What do you need to document?
    • Policies and Procedures, including archive history
    • Risk Analysis and Risk Assessment
    • Training for workforce (who, what, where, when)
    • Risk Mitigation project plans
    • Issue/Incident details
    • BAAs and BA Due Diligence
    • Activity monitoring reports and logs
    • Audit plans and results
    • Assessment plans and results
    • Inventories of software, hardware, etc.
    • Breach response plans and documentation
  • Spreadsheets and documents in folders or document management tools
  • Compliance Management tools


Friday, June 5, 2015

How Do You Eat An Elephant?


In this episode we discuss how to take the first steps to building a "culture of compliance" in your organization. Every project has to start somewhere, but where do you start with something as big and complicated as HIPAA? Well... just like the joke goes: "How do you eat an elephant?" "One bite at a time."

How do you break HIPAA compliance into bite-sized pieces and get your project moving? We have some tips for you.

Glossary

A culture of compliance is when an organization establishes standards, rules, and policies that aren't simply distributed to the workforce. The organization as a whole takes its compliance seriously at a personal level. Each person agrees to abide by the standards, rules, and policies set forth and holds themselves accountable to each other for doing so. This culture can only be accomplished if it is built from the CEO all the way down the organization to the volunteers and/or temporary employees.

Links

Posts From Donna's Blog SmallProviderHIPAA.com

How do you create a culture of HIPAA compliance?

HIPAA Documentation AKA Telling Your Compliance Story

How long will it take to get HIPAA compliant?

Simple HIPAA Checklist – Well Sort of

5 Tips to Just Get Your Risk Analysis Done

Please, Just Do My HIPAA For Me!

Notes

  • What is a culture of compliance?
  • What are the parts I need to build a culture of compliance?
    • Established and supported by Senior Mgmt
    • Integrated into all training and education done for the workforce
    • Programs are designed to reward compliance
    • Sanctions are applied equally to all levels for failure to comply
    • All technology is reviewed and managed with compliance in mind
    • Every decision, project, addition, and subtraction to the business includes considerations for compliance
  • How can you really break HIPAA into small bites?
    • Documentation management plan
    • Business Associates
    • Privacy
    • Security
    • Breach
  • How do I motivate myself to take the first bite of the elephant?
    • Every single week, start with one task that must be completed
      • Policy or procedure reviewed
      • BA evaluated and audited
      • Procedure audited
      • Training class attended
    • Allocate time to complete a task each week
      • It isn't something you do last; it should be as important as completing your accounting reports, payroll, accounts receivable management, etc.
      • Build the habit, or assign it to someone who has the time to apply to getting it done.
    • Build on what you started
      • HIPAA compliance is never "done"


Wednesday, June 3, 2015

Business Associates


In this episode we discuss the definition of a Business Associate. How do you find your Business Associates, and what should your process for managing them include?

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Notice of Privacy Practices (NPP) is the document covered entities (CEs) provide to patients when they begin treatment or coverage. It is the document that defines the CE's Privacy, Security, and Breach Rule commitments to the patient.

 

Links

WEDI BA Decision Tree

WEDI Business Associates & HITECH Deep Dive

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

1. Anyone that CReMaTs (Creates, Receives, Maintains, or Transmits) PHI on behalf of a CE or another BA

    Another way to think of it: Produced, Received, Saved, Transferred

2. Upstream and Downstream BAs

3. BAAs and what they really mean

4. What are BAs supposed to do?

  • Security Rule
  • Breach Plan
  • Portions of the Privacy Rule
  • OCR: do what CEs are required to do

5. BA Due Diligence

6. Finding them in your organization.

  • 1099s
  • subcontractors
  • software vendors

7. Don't go crazy making everyone a BA - incidental exposure applies to electricians and others.

