Friday, August 28, 2015

Episode 16: Seven Steps for Nurturing a Culture of Compliance


"Culture of compliance" is the phrase OCR uses when describing what it looks for in an audit or investigation; "robust compliance program" is used the same way. Following these seven steps is a good way to make sure your organization is following OCR's lead.

Links

ComplyAssistant Compliance Management Solution 

Spher EHR Access Monitoring Solution

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:

  1. Designate a Compliance (Privacy & Security) Officer
    First, the law requires you do this. But, if no one is in charge then nothing will happen, we all know that to be the case. Or, in a vacuum of leadership someone else will take charge and handle things the way they think they should be done without the support of management. 

  2. Train and educate your staff and BA partners
    Constantly restating the same information over and over in a variety of ways may be annoying to some but that means they have heard it! Also, don't forget to work with your BA partners to confirm they actually understand what HIPAA compliance requires in their organizations.

  3. Implement an ongoing Compliance maintenance solution
    This is what we talk about when we mention tools such as ComplyAssistant, Spher, and professional MSP monitoring and management applications. Either use the tools or develop manual internal controls and processes to accomplish those same documentation and audit tasks on a regular basis.

  4. Conduct regular and complete audits and monitoring of all ePHI systems
    If you are ignoring it then so will everyone else in your organization.

  5. Monitor and respond to Incidents in a timely manner (State & Federal regulations)
    We all freak out together as soon as we know something could have happened to our PHI.

  6. Adhere to a strict breach remediation protocol
    Define your breach plan and use it every time. After any case that it was used, then review it to make sure you don't need to change or add things in the plan.

  7. Create an open line of communication for management and staff
    The law requires you to never retaliate towards any person who files a complaint or reports a problem including a breach. If you don't make it clear that you fully support that rule and all workforce members are free to ask any question, file any complaint, and report any concern then you will likely be missing things just because someone was afraid to tell.

Check out the latest episode!

Friday, August 21, 2015

Episode 15: It's not just about HIPAA anymore


In 2014 NIST introduced the National Cybersecurity Framework (CSF). It is designed for all businesses, large and small, to know things they should be doing to protect their businesses, data, customers, and more. Just how does it compare to HIPAA?

Notes

NIST Cybersecurity Framework

DHS Getting Started for Small and Midsize Businesses (SMB)

US Chamber of Commerce: Internet Security Essentials for Business 2.0

C3 Voluntary Program: Begin the Conversation: Understand the Threat Environment

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

It's not just HIPAA. All the different guides spell out the same basic concepts.
For example:

  • NIST - Cybersecurity Framework
  • US Chamber of Commerce: Internet Security Essentials for Business 2.0
    • STRONG SECURITY IS SMART FOR BUSINESS AND THE NATION
    • COMMON THREATS TO BUSINESS INFORMATION
      • Hacking and Malware
      • Lost or Stolen Physical Storage Media
      • Insider Threat and Human Error
      • Accidents and Natural Disasters
    • CYBERCRIME ON THE RISE
    • INTERNET SAFETY AND SECURITY FUNDAMENTALS
      • Set Up a Secure System
      • Protect Business Data
      • Train Your Workforce
      • Be Prepared
    • ADD BUSINESS VALUE THROUGH INFORMATION SECURITY
    • NATIONAL AND PRIVATE SECTOR PERSPECTIVES

Cyber Essentials to Protect Your Business: Managing Cyber Risks in a Time of State and Non-State Threats to Business Security and Resilience - Hosted by US Chamber of Commerce

  • FBI - Deputy Director
  • DHS - Undersecretary for Cybersecurity
  • Secret Service - Atlanta Office Cybersecurity Team
  • Army Lt Col - Cybersecurity Command


Friday, August 14, 2015

Episode 14: HIPAA Log Audits with AMS Spher


An interview with Ray Ribble discussing the AMS Spher product.  We learn how Spher can automatically "learn" what access patterns are normal and ask you when something isn't right. Your HIPAA compliance requirement to audit access logs may be solved with this tool.  Your very own HIPAA Breach Detection Service!

Links

The AMS SPHER™ Solution

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Who is AMS and Ray Ribble?

Tell us about The AMS SPHER™ Solution.

Spher Workflow

Behavioral Analytics

SPHER leverages pattern recognition algorithms to determine if there was suspicious behavior on the EHR. It does this by comparing past behaviors to behaviors in the audit log file SPHER is currently reviewing. For example, SPHER may have learned over the past months that an EHR user named John is typically active between 8 AM and 4 PM. In the current audit log file, SPHER notices that John was active on the EHR from 4 PM to 12 midnight which causes SPHER to send you an unusual time of access alert.

It Learns!

You know that John’s shift recently changed from 8 PM to 4 AM. Going through the SPHER incident resolution process, you indicate that this behavior is Normal and Permitted. Based on this feedback, SPHER has now learned that this is normal EHR behavior for John and will not send an alert the next time it sees EHR activity for John during this new time span. As normal behavior on your EHR changes, SPHER learns and does not send false alerts for behaviors you’ve already indicated are normal.
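As an added illustration of the learn-alert-feedback loop described above (example code written for these notes, not AMS/SPHER code): the baseline learns each user's usual hours from past audit-log lines, flags accesses outside them as "unusual time of access", and an operator's "Normal and Permitted" resolution widens that user's baseline so the same activity no longer alerts. The log format, user names, timestamps and the hour-of-day model are all constructed assumptions.

```python
# Added example (not AMS/SPHER code): a toy "unusual time of access" learner
# mirroring the behaviour described in the show notes. Log format, users,
# timestamps and the hour-of-day model are constructed assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log lines: "ISO-8601 timestamp,user,action".
# "Past months" history: John works roughly 8 AM to 4 PM.
HISTORICAL_LOG = """\
2015-06-01T08:12:00,john,VIEW_CHART
2015-06-01T11:40:00,john,UPDATE_CHART
2015-06-01T15:55:00,john,VIEW_CHART
2015-06-02T09:05:00,john,VIEW_CHART
2015-06-02T13:30:00,john,VIEW_CHART
2015-06-01T07:30:00,mary,VIEW_CHART
2015-06-01T18:45:00,mary,VIEW_CHART
"""

# The audit log file currently under review: John is now active from 4 PM to midnight.
CURRENT_LOG = """\
2015-08-10T10:00:00,john,VIEW_CHART
2015-08-10T16:20:00,john,VIEW_CHART
2015-08-10T23:45:00,john,VIEW_CHART
2015-08-10T12:00:00,mary,VIEW_CHART
"""


def parse_log(text):
    """Parse the constructed CSV-style log into (timestamp, user, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action))
    return events


class AccessTimeBaseline:
    """Per-user set of hours of the day in which EHR activity is considered normal."""

    def __init__(self):
        self.normal_hours = defaultdict(set)

    def learn(self, events):
        """Learn each user's normal window from history.

        Assumption: a user's activity on one day forms a single contiguous shift,
        so every hour between that day's first and last access is treated as normal.
        """
        by_user_day = defaultdict(list)
        for ts, user, _ in events:
            by_user_day[(user, ts.date())].append(ts.hour)
        for (user, _), hours in by_user_day.items():
            self.normal_hours[user].update(range(min(hours), max(hours) + 1))

    def mark_normal(self, user, start_hour, end_hour):
        """Incident-resolution feedback: the half-open window [start, end) is
        'Normal and Permitted' for this user. Wraps past midnight (e.g. 20 -> 4)."""
        h = start_hour % 24
        end_hour %= 24
        while h != end_hour:
            self.normal_hours[user].add(h)
            h = (h + 1) % 24

    def review(self, events):
        """Return an 'unusual time of access' alert for every event outside the
        user's learned hours. A user with no history alerts on every access."""
        alerts = []
        for ts, user, action in events:
            if ts.hour not in self.normal_hours[user]:
                alerts.append({"user": user, "time": ts.isoformat(),
                               "action": action, "reason": "unusual time of access"})
        return alerts


def run_demo():
    """Learn from history, review the current log, apply feedback, review again.
    Returns the alert lists before and after the operator's feedback."""
    baseline = AccessTimeBaseline()
    baseline.learn(parse_log(HISTORICAL_LOG))
    current = parse_log(CURRENT_LOG)
    before = baseline.review(current)        # John's 4 PM and 11 PM accesses alert
    baseline.mark_normal("john", 16, 0)      # operator resolves: 4 PM to midnight is permitted
    after = baseline.review(current)         # same log file, no alerts now
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for alert in before:
        print("ALERT:", alert)
    print("alerts after feedback:", len(after))
```

The wrap-around in `mark_normal` is what lets an operator record a shift such as 8 PM to 4 AM in one step. A user with no history alerts on every access by design, so a brand-new account is reviewed rather than silently accepted as normal; a real product would model more than hour of day, but the feedback loop is the same: resolutions feed the baseline, and the baseline decides what alerts next time.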


Friday, August 7, 2015

Episode 13: What is a HIPAA Risk Analysis


Description

What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.

Glossary

CReMaT'ed - Create, Receive, Maintain, Transmit

CIA - Confidentiality, Integrity, Availability

Links

JPP Medical Record

OCR Guidance on Risk Analysis

Training Documentation for this episode

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Not a simple checklist: it requires a lot of thought, data collection, and analysis.

The analysis part

  • Define where e-PHI is CReMaT'ed in your organization.
    • Not just the server that holds the EMR.  
    • Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers
    • Practice Management system and data analysis tools
    • Don't forget to include downloads folders and temp folders on all PCs.
  • Do you need to worry about vendors or consultants, the BAs that may move data around your network, systems, etc.?
    • If they handle it for you, do you even know where it is going?
  • What are the threats to the CIA of the PHI that you have located and identified above?
    • Human
    • Natural
    • Environmental
  • What would be the impact to your business if the threat did act against your PHI?
    • Would it be a bump in the road or a sinkhole?
  • What is the likelihood this threat will actually act against your PHI?
    • Very likely down to not likely at all
  • With all this considered, what level of risk do you think this threat creates to your PHI?
    • High, Medium, or Low
  • Based on everything you know, decide what you are going to do about the threat and the risk it presents:
    • Accept the risk as just part of doing business
    • Address the risk with some type of safeguards in your organization
    • Outsource the risk by hiring another company to handle managing it for you

The assessment part

  • At this point, you review the plan you have just made to address risks against what you are actually doing
    • Are you doing everything you can to protect the PHI and meet your obligations under HIPAA laws from all those threats?
    • If you are outsourcing threat management, have you made sure your BAAs are in order?
    • If you are handling it internally, do you have all the written policies and procedures?
    • Is your staff trained to respond accordingly?
  • Once you complete that process you draw up your final report on what was determined during your analysis and assessment.
    • What actions need to take place to address those threats and what priority should be applied to them?

This is your full analysis and assessment report that you will use to inform your decision making process for your security policies and procedures.

It is also the report you will review and update on a regular basis. Sometimes minor updates are needed but other times you will need to do most of the whole thing over if there is a major change in your business.


Tuesday, August 4, 2015

Episode A2: HIPAA Answers - BA question from a listener


We have a listener who called in with an example situation to find out what we thought.  Is the company a Business Associate?  Listen to Donna's answer in Episode A2.

These short "answer episodes" are released weekly on Tuesday mornings when we have them come in.

Send us your questions and we will publish them with our thoughts and the best answers we can muster!  

Use the Website form or Speakpipe voicemail. You can also find all our social media contact information at HelpMeWithHIPAA.com.
