Help Me With Hipaa

Information:

Synopsis

HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder Donna Grindle and HIPAAforMSPs.com founder David Sims. Our mission is to share our Privacy and Security knowledge with those who are required to understand, implement, and manage the complex Privacy and Security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner without using too much legalese or geek speak. As the podcast program progresses, we will cover topics that include sorting through the requirements as well as real-world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!

Episodes

  • On-boarding and Termination Checklists - Ep 125

    13/10/2017 Duration: 48min

    The onboarding and termination processes are where many of the mistakes are made that lead to security incidents and even reportable breaches. Today we discuss why these checklists are important and the kinds of things you should consider having in yours. For more information: HelpMeWithHIPAA.com/125

  • Talk To The Boss About HIPAA - Ep 124

    06/10/2017 Duration: 44min

    How do you talk to the boss about HIPAA? That is a regular question we get around here. The staff responsible for compliance get trained and understand what needs to be done, but they don't get leadership support. Over the years we have had to have those conversations many times. It is never easy, but there are some key pointers to gaining ground with your argument and turning the tide toward supporting your efforts. Today we cover a few of our ideas on how to broach the subject effectively when you need to talk to your boss about HIPAA. More details at HelpMeWithHIPAA.com/124

  • OCR Audit Updates Phase 2 - Ep 123

    29/09/2017 Duration: 35min

    At the NIST OCR HIPAA Security Conference we covered in the last two episodes, there was also a session on OCR audit updates. OCR gave an update on the information gleaned so far from the compliance desk audits that were started in 2016. Their presentation included some interesting details. Today we cover the information they shared so you can compare and contrast those details against your own program. For more details: HelpMeWithHIPAA.com/123

  • NIST and OCR Security Conference Part Deux – Ep 122

    22/09/2017 Duration: 56min

    This is the second episode covering the things David has to share from the Safeguarding Health Information conference. There are many great points he picked up. As we review them, we keep coming back to the reminder that HIPAA is about patient care now. Join us as we discuss everything from ransomware requirements to security for a small practice on this episode. More info at HelpMeWithHIPAA.com/122

  • NIST and OCR Security Conference - Ep 121

    19/09/2017 Duration: 48min

    The annual NIST and OCR security conference has come around again. This year, David attended the conference via webcast and shares his notes on the first day of the conference. Before the conference discussion, we have to touch on the announcement from Equifax about their HUGE data breach. For more information go to HelpMeWithHIPAA.com/121

  • Disaster Recovery Preparations - Ep 120

    08/09/2017 Duration: 42min

    We recorded this episode on the day that Harvey was hitting Houston and had no idea just how bad that disaster would eventually become for those on the Gulf Coast. On the day we publish this episode, we are both personally involved in the evacuations and preparations in advance of Irma. She is forecast to hit Florida, Georgia, and the Carolinas in the next few days. The timing for this discussion could not be more appropriate from a news perspective, but this planning should have already taken place prior to this date for those in the paths of these deadly storms. As you listen to this episode, know that we had no idea just how bad things were about to become for the millions of people under the stress of these major natural disasters. Take care in your planning now: if you haven't been in these areas, your turn may be next, and there is no way you want to be dealing with anything similar without a plan. What do you have in your disaster recovery plans? For more info: HelpMeWithHIPAA.com/120 Email us at cont

  • Should I use a local, data center, or cloud server? - Ep 119

    01/09/2017 Duration: 53min

    Every time we discuss server security issues, it opens a debate about where the best place is to keep your servers. There are three options, and we are going to discuss them today: local hosting vs. data center hosting vs. cloud servers under HIPAA. For more details: HelpMeWithHIPAA.com/119 Email us: contact@helpmewithhipaa.com

  • What is reasonable and appropriate? Ep 118

    25/08/2017 Duration: 42min

    What is reasonable and appropriate? The HIPAA legal reference and guidance mention "reasonable and appropriate" all over the place. Many times that concept creates confusion. How do you determine what is reasonable or appropriate for any environment? More at HelpMeWithHIPAA.com/118

  • Alexa Plus HIPAA Plus Other Questions - Ep 117

    18/08/2017 Duration: 46min

    Can a doctor have Alexa in the OR to play music? Is it a HIPAA violation for staff to look at their own records, or is it an internal policy violation? I am a small-company BA; do I really have to do all of the HIPAA compliance requirements? If I know my upstream BA or CE isn't following their HIPAA compliance obligations, what am I legally obligated to do? Why would you make daily copies of your visitor logs? More info at HelpMeWithHIPAA.com/117

  • Security Incident Investigations Find More Than Expected - Ep 116

    11/08/2017 Duration: 43min

    Sometimes following the news lets you find things like security incident investigations with interesting details. But these cases were different from most. Even better than that, we learned how a fish tank can help hackers! There were just too many parts of these stories that got my attention to pass them up. When something occurs and the investigation uncovers way more to the story than you normally see, we should all learn from it. More details at HelpMeWithHIPAA.com/116

  • Incident Response Plans V2 - Ep 115

    04/08/2017 Duration: 45min

    Incident response plans have been a topic of our show several times. But these days we just can't get enough of a good thing! Actually, there is a reason we are covering it in this episode. I was reviewing a Business Associate due diligence questionnaire from a software provider. In the questionnaire, we always ask if you have a written incident response plan and a trained incident response team. They responded Yes, with a comment of "we have an engineering department". More info at HelpMeWithHIPAA.com/115

  • Compliance Officer Personal Liability? - Ep 114

    28/07/2017 Duration: 37min

    There has always been a concern from many people we work with about compliance officer personal liability. Specifically, is a compliance officer personally liable for the compliance of the company? The recent settlement agreement between the FTC and the Chief Compliance Officer of MoneyGram has created interesting conversations in compliance circles. In this case, the Chief Compliance Officer of MoneyGram was able to reach a settlement in the liability case against him, but it included a $250,000 penalty payment and a 3-year restriction on working in that industry. Yep, that is enough to make you sit up and take notice. More details at HelpMeWithHIPAA.com/114

  • OCR Mic Drop For Cloud Providers - Ep 113

    21/07/2017 Duration: 50min

    The monthly OCR Cyber Newsletter for June had some interesting points. The fact that OCR mentions multiple times, and in multiple ways, that they do not endorse, certify, or recommend specific technology or products should serve as their "OCR mic drop moment" on this discussion. We can dream, can't we! Today we are going to review that newsletter and how they have pointed these things out once again. Before we close out the episode, we are also covering some questions and comments from listeners. Hang around for those just after the 30-minute mark. More info at HelpMeWithHIPAA.com/113

  • NotPetya, Windows, and Ransomware - Ep 112

    14/07/2017 Duration: 40min

    This is not another episode about preventing and responding to the NotPetya ransomware. There are countless articles about those topics. We are discussing the bigger picture today. In this episode, NotPetya, Windows, and Ransomware, we discuss what happened in the case but also what all of this really means in the big picture of cyber attacks. If you don't stay proactive in evaluating what the criminals may do next, then you don't have a chance of being anything but reactive. In light of these recent global attacks, we have many questions. Are we experiencing a shift in the criminals' intentions, or are they just bumbling around with new toys? If it is no longer just about taking our money, then what is it really about? If you haven't cared about protecting your data so far, how about protecting your data from becoming a pawn in the latest cyberwarfare battle? For more information go to HelpMeWithHIPAA.com/112

  • Breach reporting costs and decisions for 2017 - Ep 111

    14/07/2017 Duration: 48min

    In June, the NY State Attorney General announced a settlement with CoPilot, a healthcare services company that illegally deferred notice of a breach of more than 220,000 patient records. Another annual report was also just released with the latest numbers: the 2017 Cost of a Data Breach Study from Ponemon Institute and IBM. Today, we are going to discuss how the two of them can help us all make better decisions where potential breaches of PHI are concerned. Breach reporting costs and decisions in 2017 are proving to be something you should understand before a crisis, not after one hits. For more info: HelpMeWithHIPAA.com/111

  • What is MDM and why do I want it? - Ep 110

    30/06/2017 Duration: 45min

    Mobile devices are susceptible to malware attacks, phishing, and other security vulnerabilities just the same as laptops and desktops. The systems most of us have in place, however, are directed at managing the security of laptops and desktops. It is important to expand your security controls to address the growing threat that mobile devices introduce to your network and systems. In most cases, it is important to have a "home base" tool that can talk to and monitor the mobile devices. That is where MDM comes into play. For most people that brings us to the question: What is MDM and why do I want it? For more: HelpMeWithHIPAA.com/110

  • eCW Whistleblower Made The Difference - Ep 109

    23/06/2017 Duration: 46min

    There are countless times we have covered the "my EHR vendor handles HIPAA for me" misconception. The recent $155 million whistleblower lawsuit settlement between eClinicalWorks (eCW) and the government really brings home how wrong you can be about EHR vendors. Meaningful Use attestations relied heavily on the vendors supplying proper information. eCW set up thousands of organizations to take a major hit, based on the details in this case and its settlement, especially when you take into account that eCW is one of the biggest EHR vendors out there. The CIA (confidentiality, integrity, availability) of PHI is the objective of the entire Security Rule under HIPAA. Unreliable data created by an application is clearly a data integrity issue. If you can't trust the data, can you trust the system at all? If you have knowledge of this kind of thing going on somewhere, you should review it closely. The settlement includes civil payments by developers and project managers, not just the C-suite folks involved. For more information: HelpMeWithHIPAA.com/109

  • 5 Stages Of Grief During A Cyber Attack - Ep 108

    16/06/2017 Duration: 51min

    The 5 stages of grief during a cyber attack really do follow the process of dealing with grief in those familiar 5 stages. Many don't realize that ransomware attacks aren't always just the result of someone clicking in an email and running a program. As Erie County Medical Center found out recently, ransomware attacks can come from a hacker being active in your network too. Those 5 stages of grief during a cyber attack, for them and for others we have seen, are what we will be discussing today. We have a special guest with us for today's discussion too: David Benton with Altep is joining us. David is a super IT forensics dude, the CSI of the nerds, so to speak. He is helping us review this topic. More information at HelpMeWithHIPAA.com/108

  • 10 Ways HIPAA Should Have Stopped Rodeo Drive Breach - Ep 107

    09/06/2017 Duration: 48min

    A major breach of PHI was announced by a Beverly Hills plastic surgeon's office on June 1. There are so many things about this case, from the fact that it involved a malicious insider to how many different ways proper HIPAA policies and procedures would have stopped it, if not prevented it completely. Celebrity patients' records breached in this case may make it hit home with a lot of folks who haven't worried too much about those protections until now. We have talked about insiders as a major vulnerability a lot lately, and this one really makes it big news: 15,000 files with medical and personal information. Added to that are pictures, including those of celebrity patients whose records were breached without them even knowing the pictures existed! More info at HelpMeWithHIPAA.com/107

  • Disclosure of PHI in May OCR settlements - Ep 106

    02/06/2017 Duration: 43min

    OCR continued their enforcement trend for 2017 with 2 more settlements announced in May. These stand out on their own because the focus is specific disclosures of PHI instead of major breaches. A total of three patients were involved in these large settlements. This week we review what transpired and what OCR found as violations of privacy for these three patients. For more information go to HelpMeWithHIPAA.com/106

Page 18 of 24