Help Me With HIPAA

Information:

Synopsis

HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder Donna Grindle and HIPAAforMSPs.com founder David Sims. Our mission is to share our Privacy and Security knowledge with those who are required to understand, implement, and manage the complex Privacy and Security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner without using too much legalese or geek speak. As the podcast programs progress we will cover topics that include sorting through the requirements as well as real world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!

Episodes

  • Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process

    17/07/2015 Duration: 32min

    ONC recently published an updated guide for Privacy and Security of Electronic Health Information. In this episode David and Donna discuss what that guide calls the Seven-Step Approach for Implementing a Security Management Process.

    Links: Guide to Privacy and Security of Electronic Health Information; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes: The 7 Steps
      • Step 1: Lead Your Culture, Select Your Team, and Learn. Assign your officers, make sure they are trained, and show that compliance is a top-down commitment.
      • Step 2: Document Your Process, Findings, and Actions. If you can't prove it then it didn't happen. Document your decisions, plans and activity.
      • Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis). Review or perform your Security Risk Analysis and current security assessment.
      • Step 4: Develop an Action Plan. The plan needs to address all the things you identified in your assessments, policies, and procedures.
      • Step 5: Manage and Mitigate Risks. This is where your project management skills c

  • Episode 9: HIPAA Myths Part 3

    10/07/2015 Duration: 26min

    We finish up our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: Myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

    Notes: Myths 1 - 7 of 10 were covered in two previous episodes.
      • Myth: HIPAA covers all PHI no matter who possesses the information. False. HIPAA law applies to entities that are health plans, healthcare clearinghouses, and most healthcare providers, and to the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA.
      • Myth: A one hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires you to have an educated person in charge of privacy and security compliance. It does not define what that education should contain. I can't imagine h

  • Episode 8: HIPAA Myths Part 2

    03/07/2015 Duration: 30min

    We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: Myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

    Notes: Myths 1-3 were covered in the previous episode.
      • Myth: Communicating with patients via email, fax, or telephone violates HIPAA. Actually, not true. But.... reasonable and appropriate safeguards must be in place.
      • Myth: HIPAA compliance is just like all the other compliance rules for other industries. You learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they ar

  • Episode 7: HIPAA Myths Part 1

    26/06/2015 Duration: 23min

    We discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.

    Glossary: Myth is a widely held but false belief or idea.

    Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

    Notes:
      • Myth: Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Providers can share:
          • With anyone the patient identifies as a caregiver
          • When the information is directly relevant to the involvement of a spouse, family member, friends, or caregivers (Ebola for example)
          • When necessary to notify a caregiver about a change in condition or location of a patient (as long as the patient doesn't object)
          • When in the best interest of the patient regardless of their ability to object or not
      • Myth: The security risk analysis is optional for small providers and business associates. False. Everyone is required to abide by the Security Rule which specifically

  • Episode 6 - HIPAA Compliant IT

    19/06/2015 Duration: 35min

    In this episode we discuss technology support requirements under HIPAA and why professional, HIPAA compliant IT services are an important part of managing your security compliance. The Security Rule has so many specific technical things to consider that it really requires professional technology services to handle it properly. We discuss why that is needed and what to expect from a HIPAA Compliant IT company.

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

    Links: FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

  • Episode 5: Without Documentation It Didn't Happen

    12/06/2015 Duration: 49min

    In this episode we discuss the importance of documentation for your HIPAA compliance program. You can be doing everything right, but without documentation there is no way for you to show anyone else that is the case. If you can't prove it then you aren't doing it as far as OCR is concerned.

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

    Links: FindHealthcareIT; HIPAAforMSPS.com; KardonCompliance.com; ComplyAssistant.com

    Notes: OCR says "don't just tell me you are compliant, show me you are." What do you need to document?
      • Policies and Procedures, including archive history
      • Risk Analysis and Risk Assessment
      • Training for workforce (who, what, where, when)
      • Risk Mitigation project plans
      • Issue/Incident details
      • BAAs and BA Due Diligence
      • Activity monitoring reports and logs
      • Audit plans and results
      • Assessment plans and results
      • Inventories of software, hardware, etc.
      • Breach response plans and

  • Episode 4: How Do You Eat An Elephant?

    05/06/2015 Duration: 36min

    In this episode we discuss how to take the first steps to building a "culture of compliance" in your organization. Every project has to start somewhere, but where do you start with something as big and complicated as HIPAA? Well.... Just like the joke goes: "How do you eat an elephant?" "One bite at a time." How do you break HIPAA compliance into bite-sized pieces and get your project moving? We have some tips for you.

    Glossary: A culture of compliance is when an organization establishes standards, rules, and policies that aren't simply distributed to the workforce. The organization as a whole takes its compliance seriously at a personal level. Each person agrees to abide by the standards, rules, and policies set forth and holds themselves accountable to each other for doing so. This culture can only be accomplished if it is done from the CEO all the way down the organization to the volunteers and/or temporary employees.

    Links: Posts from Donna's blog, SmallProviderHIPAA.com: How do you create a culture of HI

  • Episode 3: Let's Talk Encryption

    29/05/2015 Duration: 35min

    HIPAA requires encryption in transit and lists encryption at rest as addressable.  What does all that mean?

  • Episode 1 - Who & What is Help Me With HIPAA

    22/05/2015 Duration: 16min

    Help Me with HIPAA does have a point and a vision, even if it doesn't seem like it sometimes. Learn about your hosts and the plan for the show.

  • Episode 2: Business Associates

    21/05/2015 Duration: 30min

    In this episode we discuss the definition of a Business Associate. How do you find your Business Associates, and what should your process for managing them include?

    Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations. Notice of Privacy Practices (NPP) is the document CEs provide to patients when they begin treatment or coverage. It is the document that defines the CE's Privacy, Security, and Breach Rule commitments to the patient.

    Links: WEDI BA Decision Tree; WEDI Business Associates & HITECH Deep Dive; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance

    Notes:
      1. Anyone that CReMaTs (creates, receives, maintains, or transmits) PHI on behalf of a CE or another BA. Another way to think of it: Produced, Received, Saved, Transferred.
      2. Upstream and Downstream BAs
      3. BAAs and what they really mean
      4. What are BAs supposed to do? Security Rule, Breach Plan, portions of the Privacy Rule. OCR - do what CEs are
