Help Me With HIPAA

Information:

Synopsis

HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder Donna Grindle and HIPAAforMSPs.com founder David Sims. Our mission is to share our privacy and security knowledge with those who are required to understand, implement, and manage the complex privacy and security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner, without too much legalese or geek speak. As the podcast progresses we will cover topics that include sorting through the requirements as well as real-world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!

Episodes

  • Episode 14: HIPAA Log Audits with AMS SPHER

    14/08/2015 Duration: 45min

    An interview with Ray Ribble discussing the AMS SPHER product. We learn how SPHER can automatically "learn" what access patterns are normal and ask you when something isn't right. Your HIPAA compliance requirement to audit access logs may be solved with this tool. Your very own HIPAA breach detection service!

    Links: The AMS SPHER™ Solution; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: Who is AMS and Ray Ribble? Tell us about The AMS SPHER™ Solution. Behavioral analytics: SPHER leverages pattern-recognition algorithms to determine whether there was suspicious behavior on the EHR. It does this by comparing past behaviors to the behaviors in the audit log file SPHER is currently reviewing. For example, SPHER may have learned over the past months that an EHR user named John is typically active between 8 AM and 4 PM. In the current audit log file, SPHER notices that John was active on the EHR from 4 PM to 12 midnight, which causes SPHER to send you an unusual-time-of-access alert. It learns! You know that John
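    The "John is normally active 8 AM to 4 PM" scenario above, worked through as an added example. This is not SPHER's code and the page does not describe SPHER's algorithm beyond that scenario; it is a minimal per-user time-of-day baseline learned from a history of audit-log lines and then applied to a newer log file. The comma-separated log format, the user names and the MRN record IDs are all constructed for the example.

```python
"""Toy behavioral baseline for EHR audit logs (added example, not SPHER).

Learns, per user, the hours of day in which that user is routinely active
from a history of audit-log lines, then flags events in a newer log that
fall outside those hours or come from users with no history at all.
The log format (timestamp,user,action,record) and every line below are
constructed for this example; they are not real EHR data.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: john works roughly 08:00-16:00, maria 14:00-23:00.
BASELINE_LOG = """\
2015-07-06T08:12:00,john,view,MRN-1001
2015-07-06T09:40:00,john,update,MRN-1002
2015-07-06T11:05:00,john,view,MRN-1003
2015-07-06T13:30:00,john,view,MRN-1004
2015-07-06T15:50:00,john,print,MRN-1001
2015-07-07T08:03:00,john,view,MRN-1005
2015-07-07T09:15:00,john,view,MRN-1002
2015-07-07T11:45:00,john,update,MRN-1006
2015-07-07T13:10:00,john,view,MRN-1003
2015-07-07T15:20:00,john,view,MRN-1007
2015-07-06T14:05:00,maria,view,MRN-2001
2015-07-06T17:30:00,maria,update,MRN-2002
2015-07-06T20:15:00,maria,view,MRN-2003
2015-07-06T22:40:00,maria,view,MRN-2001
2015-07-07T14:20:00,maria,view,MRN-2004
2015-07-07T17:55:00,maria,view,MRN-2002
2015-07-07T20:30:00,maria,update,MRN-2005
2015-07-07T22:10:00,maria,view,MRN-2003
"""

# Constructed "current" audit log under review: john at 19:30 and 23:45 is
# outside his learned hours; maria at 20:05 is normal for her; temp_user
# has no history at all.
CURRENT_LOG = """\
2015-08-10T09:02:00,john,view,MRN-1002
2015-08-10T19:30:00,john,view,MRN-1008
2015-08-10T23:45:00,john,print,MRN-1009
2015-08-10T20:05:00,maria,view,MRN-2006
2015-08-10T10:00:00,temp_user,view,MRN-1001
"""


def parse_log(text):
    """Parse 'ISO-timestamp,user,action,record' lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def learn_baseline(events, min_events=2):
    """Per user, the set of hours (0-23) seen at least min_events times.

    The threshold keeps a single odd-hour login in the history from
    silently becoming "normal" when the baseline is rebuilt.
    """
    hour_counts = defaultdict(Counter)
    for ts, user, _action, _record in events:
        hour_counts[user][ts.hour] += 1
    return {
        user: {hour for hour, n in counts.items() if n >= min_events}
        for user, counts in hour_counts.items()
    }


def detect_unusual_access(events, baseline):
    """Return (alert_type, user, timestamp, record) for suspicious events."""
    alerts = []
    for ts, user, _action, record in events:
        normal_hours = baseline.get(user)
        if normal_hours is None:
            # No history to compare against: a human reviewer must decide.
            alerts.append(("unknown_user", user, ts.isoformat(), record))
        elif ts.hour not in normal_hours:
            alerts.append(("unusual_time", user, ts.isoformat(), record))
    return alerts


def run_example():
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return detect_unusual_access(parse_log(CURRENT_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

    Running it produces two unusual-time alerts for john and one unknown-user alert for temp_user, while maria's evening access is left alone because her baseline is different from john's. A real tool would baseline more than hour of day (day of week, volume, which patients a role normally touches), and a stolen credential used inside the owner's normal hours would pass this check entirely. Whatever the tool, the alerts still have to be reviewed and that review documented: the Security Rule's information system activity review requirement is met by the review, not by the tool.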

  • Episode 13: What is a HIPAA Risk Analysis

    07/08/2015 Duration: 35min

    Description: What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.

    Glossary: CReMaT'ed - Create, Receive, Maintain, Transmit. CIA - Confidentiality, Integrity, Availability.

    Links: JPP Medical Record; OCR Guidance on Risk Analysis; Training Documentation for this episode; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: Not a simple checklist; it requires a lot of thought, data collection, and analysis. The analysis part: define where e-PHI is CReMaT'ed in your organization, not just the server that holds the EMR. Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers, practice management systems and data analysis tools. Don't forget to include the downloads folders and temp folders on all PCs. Do you need to worry about vendors or consultants, your BAs that may move data around your network, systems, etc.? If they handle it for you, do you even know where it is going? What are the threats to the CIA of the PHI that you have located an

  • Episode A2: HIPAA Answers - BA question from a listener

    05/08/2015 Duration: 05min

    We have a listener who called in with an example situation to find out what we thought. Is the company a Business Associate? Listen to Donna's answer in Episode A2. These short "answer episodes" are released weekly on Tuesday mornings when we have them come in. Send us your questions and we will publish them with our thoughts and the best answers we can muster! Use the website form or the Speakpipe voicemail. You can also find all our social media contact information at HelpMeWithHIPAA.com.

  • Episode 12: Breach Response Plans

    31/07/2015 Duration: 26min

    Description: A breach response plan has been a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.

    Glossary: NIST - National Institute of Standards and Technology.

    Links: NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide; APDerm Resolution Agreement (see item 2(2)); FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: Establishing an incident response capability should include the following actions. Creating an incident response policy and plan: a written plan is required, and OCR has already issued a resolution agreement that cited not having one (APDerm, $150,000). Developing procedures for performing incident handling and reporting: who is your "go to" team for forensics? Setting guidelines for communicating with outside parties regarding incidents: PR will be critical for reputation management. Selecting a team structure and staffing model: someone has to be in charge of the whole thing, and then others in charge of the parts. E

  • Episode A1: HIPAA Answers - How do I get rid of my printers properly?

    28/07/2015 Duration: 04min

    How do I get rid of my printers properly? Find out in HIPAA Answers Episode A1. Thanks for the listener questions that are coming in! It took us a bit to work out the best way to get back to you, so sorry for the delay. Today we introduce HIPAA Answers episodes. These short "answer episodes" will be released weekly on Tuesday mornings. Send us your questions and we will get them answered. Lots of ways to contact us: website form or Speakpipe voicemail, Twitter, LinkedIn, Facebook, Google+, or send us an email.

  • Episode 11: Ponemon Study 2014 on Healthcare Breaches

    24/07/2015 Duration: 35min

    Description: A discussion of the findings in the recently released study concerning healthcare breaches in 2014.

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations.

    Links: Fourth Annual Benchmark Study on Patient Privacy and Data Security; Criminal Attacks: The New Leading Cause of Data Breach in Healthcare; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: Represented in this study are 90 CEs and 88 BAs. This year is the first time BAs were added to the study data; the previous four years included only CEs. A security incident is defined as a violation of an organization's security or privacy policies involving protected information such as Social Security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory i

  • Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process

    17/07/2015 Duration: 32min

    ONC recently published an updated guide to the privacy and security of electronic health information. In this episode David and Donna discuss what that guide calls the Seven-Step Approach for Implementing a Security Management Process.

    Links: Guide to Privacy and Security of Electronic Health Information; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: The 7 steps. Step 1: Lead Your Culture, Select Your Team, and Learn. Assign your officers, make sure they are trained, and show that compliance is a top-down commitment. Step 2: Document Your Process, Findings, and Actions. If you can't prove it, then it didn't happen; document your decisions, plans, and activity. Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis). Review or perform your security risk analysis and current security assessment. Step 4: Develop an Action Plan. The plan needs to address all the things you identified in your assessments, policies, and procedures. Step 5: Manage and Mitigate Risks. This is where your project management skills c

  • Episode 9: HIPAA Myths Part 3

    10/07/2015 Duration: 26min

    We finish up our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: A myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information

    Analysis Notes: Myths 1-7 of 10 were covered in the two previous episodes. Myth: HIPAA covers all PHI no matter who possesses the information. False. HIPAA applies to entities that are health plans, healthcare clearinghouses, and most healthcare providers, and to the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA. Myth: A one-hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires that you have an educated person in charge of privacy and security compliance; it does not define what that education should contain. I can't imagine h

  • Episode 8: HIPAA Myths Part 2

    03/07/2015 Duration: 30min

    We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: A myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information

    Analysis Notes: Myths 1-3 were covered in the previous episode. Myth: Communicating with patients via email, fax, or telephone violates HIPAA. Actually, not true. But... reasonable and appropriate safeguards must be in place. Myth: HIPAA compliance is just like all the other compliance rules for other industries; you learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they ar

  • Episode 7: HIPAA Myths Part 1

    26/06/2015 Duration: 23min

    We discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: A myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information

    Analysis Notes: Myth: Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Providers can share: with anyone the patient identifies as a caregiver; when the information is directly relevant to the involvement of a spouse, family member, friend, or caregiver (Ebola, for example); when necessary to notify a caregiver about a change in the condition or location of a patient (as long as the patient doesn't object); when in the best interest of the patient, regardless of their ability to object or not. Myth: The security risk analysis is optional for small providers and business associates. False. Everyone is required to abide by the Security Rule, which specifically

  • Episode 6 - HIPAA Compliant IT

    19/06/2015 Duration: 35min

    In this episode we discuss technology support requirements under HIPAA and why professional, HIPAA-compliant IT services are an important part of managing your security compliance. The Security Rule has so many specific technical things to consider that it really requires professional technology services to handle it properly. We discuss why that is needed and what to expect from a HIPAA-compliant IT company.

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations.

    Links: FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

  • Episode 5: Without Documentation It Didn't Happen

    12/06/2015 Duration: 49min

    In this episode we discuss the importance of documentation for your HIPAA compliance program. You can be doing everything right, but without documentation there is no way for you to show anyone else that this is the case. If you can't prove it, then you aren't doing it as far as OCR is concerned.

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations.

    Links: FindHealthcareIT; HIPAAforMSPS.com; KardonCompliance.com; ComplyAssistant.com

    Notes: OCR says "don't just tell me you are compliant, show me you are." What do you need to document? Policies and procedures, including archive history; risk analysis and risk assessment; training for the workforce (who, what, where, when); risk mitigation project plans; issue/incident details; BAAs and BA due diligence; activity monitoring reports and logs; audit plans and results; assessment plans and results; inventories of software, hardware, etc.; breach response plans and

  • Episode 4: How Do You Eat An Elephant?

    05/06/2015 Duration: 36min

    In this episode we discuss how to take the first steps to building a "culture of compliance" in your organization. Every project has to start somewhere, but where do you start with something as big and complicated as HIPAA? Well... just like the joke goes: "How do you eat an elephant?" "One bite at a time." How do you break HIPAA compliance into bite-sized pieces and get your project moving? We have some tips for you.

    Glossary: A culture of compliance is when an organization establishes standards, rules, and policies that aren't simply distributed to the workforce. The organization as a whole takes its compliance seriously at a personal level. Each person agrees to abide by the standards, rules, and policies set forth and holds themselves accountable to each other for doing so. This culture can only be accomplished if it is done from the CEO all the way down the organization to the volunteers and/or temporary employees.

    Links: Posts from Donna's blog, SmallProviderHIPAA.com: How do you create a culture of HI

  • Episode 3: Let's Talk Encryption

    29/05/2015 Duration: 35min

    The HIPAA Security Rule lists encryption of ePHI, both in transit and at rest, as an "addressable" implementation specification rather than a flat requirement. What does all that mean?

  • Episode 1 - Who & What is Help Me With HIPAA

    22/05/2015 Duration: 16min

    Help Me With HIPAA does have a point and a vision, even if it doesn't seem like it sometimes. Learn about your hosts and the plan for the show.

  • Episode 2: Business Associates

    21/05/2015 Duration: 30min

    In this episode we discuss the definition of a Business Associate: how do you find your Business Associates, and what should your process for managing them include?

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations. A Notice of Privacy Practices (NPP) is the document CEs provide to patients when they begin treatment or coverage. It is the document that defines the CE's Privacy, Security, and Breach Rule commitments to the patient.

    Links: WEDI BA Decision Tree; WEDI Business Associates & HITECH Deep Dive; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: 1. Anyone that CReMaTs PHI on behalf of a CE or another BA (another way to think of it: Produced, Received, Saved, Transferred). 2. Upstream and downstream BAs. 3. BAAs and what they really mean. 4. What are BAs supposed to do? The Security Rule, a breach plan, and portions of the Privacy Rule. OCR - do what CEs are

Page 20 of 20