Being Prepared for a HIPAA Audit

A HIPAA audit is very important for service providing organizations, because the penalties for violations can bring their business down. It is important to understand the nuances of a HIPAA audit if one has to be successful.

A HIPAA audit is, for many service providing organizations, a make or break situation. This is because HIPAA audits are considered stringent. Violations can attract huge penalties, which is why getting it right the first time is extremely important. An entry level HIPAA violation can cost the organization upwards of $200,000, and the highest can run into multiple seven-figure amounts. So, an organization has to ensure that it gets its HIPAA audit right.

Risk analysis is the heart of the matter

Insulating oneself from heavy HIPAA audit violations requires service providers to be compliant with HIPAA audit requirements. Conducting a comprehensive risk analysis is the perfect solution to a HIPAA audit. These may appear to be no-brainers, but at its core, a HIPAA audit looks for these critical areas, so it is all the wiser for organizations to ensure these basic requirements to get the audit of their Security Rule and Privacy Rule right.

A thorough and comprehensive risk analysis has to be done to offset HIPAA violations, since a HIPAA audit can happen across the broad for a large number of parameters. HIPAA expects the service providers it audits to not only have these; they should also demonstrate so.

What practices are necessary for passing a HIPAA audit?

While being compliant with the risk analysis requirements is at the core of being compliant with HIPAA audit requirements; other tips can go some way in helping organizations understand ways by which to deal with HIPAA audits:

Any plans relating to the service provider’s data management, security, training and notification should be documented
A secure access password policy has to be put in place
Although not a strict HIPAA requirement, encrypting Protected Health Information, irrespective of whether the PHI is in a database or in files on a remote server, is a good practice
Using SSL whenever there is web access of sensitive data is a good idea
Only some, select members of the organization should have knowledge of the techniques relating to encryption and the way they work
Scans and images should be encrypted and should contain no personally identifiable information
Avoid using public FTP
Only VPN access is best used for remote access
A disaster recovery plan should be documented

1 Comment Leave a comment

Carrying out a HIPAA and HITECH risk analysis

The importance of conducting a risk analysis updating it can be gauged from the fact that failure to conduct a written risk analysis qualifies as “willful neglect”, which carries the highest Civil Money Penalty (“CMP”). This cannot be waived by the DHHS unlike violations that happen due to a reasonable cause.

Since risk analysis is a required implementation specification under the Security Rule, failure to do one amounts to willful neglect. If the civil money penalties for not doing a risk analysis were high enough; consider the costs associated with remediation: Blue Cross Blue Shield of Tennessee not only had to pay the $1.5 million settlement, but also incurred $17 million in remediation costs-costs that might have been avoided had it done an updated risk analysis. Other seven-figure settlements involved failure to do the required initial risk analysis.

Risk analysis is at the core of HIPAA and HITECH

So, it needs to be understood that risk analysis is at the core of HIPAA & HITECH. MentorHealth, a leading provider of professional trainings for the healthcare industry, will be explaining the importance of risk analysis to HIPAA and HITECH at a webinar it is organizing. Jonathan P. Tomes, J.D., a health care attorney and partner in the law firm of Tomes & Dvorak, Chartered, will be the speaker at this webinar.

To gain understanding of how to carry out a risk analysis for HIPAA and HITECH, please register for this webinar by visiting http://www.mentorhealth.com/control/w_product/~product_id=800889LIVE/~sel=LIVE/~Jonathan_P.%20Tomes/~How_to_do_a_Risk_Analysis.

This webinar will teach participants the proper ways of performing a HIPAA & HITECH Act Risk Analysis. Jonathan will help participants understand the nature, scope and methodology behind risk analysis.

He will cover the following areas during this session:

What is risk analysis?
Why do you need to do one?
How to do one
Assemble a good team
Identify assets
Identify risks
Quantify risks
Select reasonable, appropriate, and cost effective security measures
Test and revise security measures
Particular areas to focus on (portable devices, social media, email, and the like)
Case study (will walk webinar attendees through the process)
Questions and answers

1 Comment Leave a comment

Understanding the myths and realities of HIPAA and BYOD

What can be and cannot be done with the use of personal devices under HIPAA is something practices and businesses that need to be compliant with the provisions of HIPAA need to be thoroughly aware of.

With changes expected in 2016 relating to personal devices as well as emailing and texting; staying compliant is extremely important to protect one’s practice or business. It is important to understand the new changes going on at Health and Human Services (HHS) as they relate to enforcement of HIPAA for both Covered Entities and Business Associates relating to portable devices, texting, and emailing of PHI.

Audit risk-proofing practices and business

Practices and businesses need to insulate themselves from becoming vulnerable to audit risk as well as being sued by individuals who have had their PHI wrongfully discloses due to bad IT practices.

The way of getting prepared for a HIPAA audit properly is the teaching of a webinar that is being organized by MentorHealth, a highly reputable provider of professional trainings for the healthcare industry.

Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), and Certified Business Resilience Auditor (CBRA) , who brings over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. Log on to http://www.mentorhealth.com/control/w_product/~product_id=800831LIVE/~sel=LIVE/~Brian_Tuttle/~HIPAA_and_BYOD:_Myths_vs_Realities to enroll for this highly valuable learning session, where the speaker will explain the facts and myths of HIPAA in the course of bringing the experience of having carried over 600 risk assessments as well as having directly dealt with the Office of Civil Rights HIPAA auditors.

Putting an effective HIPAA compliance program in place

Brian will explain what organizations need to do to put an affective HIPAA compliance program in place that takes into consideration the texting and emailing aspects, as well as updates for 2016. Brian will offer examples of real life audits conducted by the Federal government to explain the highest risks an organization faces for being fined. He will also explain the highest risk factors for being sued for wrongful disclosures of PHI and the manner in which patients are now using state laws to sue for wrongful disclosures.

Brian will cover the following areas at this webinar:

o Updates for 2016

o BYOD

o Portable devices

o Doctors and texting

o Practical solutions

o Business associates and the increased burden

o Emailing of PHI

o Texting of PHI

o Federal Audit Process.

1 Comment Leave a comment

Staying compliant with HIPAA’s fundraising requirements

Rules implementing The Health Insurance and Portability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2003 (HITECH) underwent changes as a result of amendments brought about by the US Department of Health and Human Services in 2013.

Fundraising is among the areas of change these rules covered. Important areas such as the methods and practice that hospitals, their institutionally related foundations, and other healthcare charities may or must exercise when using any patient or client information for fundraising amendments have been modified significantly.

Change in types of information to be used for fundraising

The new rules include specific operational requirements, some of which prohibit protocols that were required under the original HIPAA regulations. The types of information that may be used for fundraising have also changed significantly under these amendments. As a result, there are now numerous fundraising opportunities, as well as challenges on the use and storage of related information.

Joel Simon, an expert on the fundraising aspects of HIPAA and one of the nation’s leading experts on the fundraising aspects of HIPAA, will be the speaker at a webinar that MentorHealth, a leading provider of professional trainings for the healthcare industry, will be organizing to offer clarity on the fundraising aspects of HIPAA. To enroll for this webinar, register by logging on to http://www.mentorhealth.com/control/w_product/~product_id=800867LIVE/~sel=LIVE/~Joel_Simon/~Fundraising_Under_HIPAA:_What_You_Need_to_Know,_What_You_Need_to_Do.

Implementing compliant strategies

The import of the most important words mandated by HIPPA-related regulations changed in multiple areas. Joel will explain how to effectively implement the fundraising regulations in a manner that increases both opportunities for philanthropic support and stays compliant with the new mandates. The speaker will suggest ways by which to ensure that an organization is both legally compliant and operationally effective.

This learning is important for a number of reasons:

Fundraising institutions that have access to of HIPAA Protected Health Information need to be aware of opportunities to strategize their fundraising in order to maximize philanthropic revenue for their organizations;
Fundraising organizations that use telephone or e-mail solicitations need to learn how new specific provisions of HIPAA now govern their fundraising activity, as well as effective policies to put in place to implement these rules;
Health related institutions that go for fundraising must make sure their fundraising practices meet compliance requirements and minimize the compliance risks and satisfy mandates governing the use of patient/client information;
A healthcare professional who is affiliated with a fundraising institution should know how to remain both ethically and legally compliant with patient privacy, while assisting both her affiliated institution and her patient/client;
Institutions will need to learn about compliance requirements for donor database management, as well as how to implement effective and efficient strategies needed to maintain compliance.
Keeping fundraising communication and related policies compliant without impairing operational effectiveness is important.

Joel will cover the following areas at this webinar:

New types PHI that may be used for fundraising
New requirements for Notice of Privacy Practices
New requirements for protocols to allow patients to opt-out of using their PHI for fundraising.

0 Comments Leave a comment

Understanding the HIPAA’s requirements for safeguarding PHI

For an organization that needs to show HIPAA compliance; having the proper policies and procedures in place is as important as ensuring that it is providing the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI). It makes sense for an organization that is the subject of a compliance review or is being audited, to demonstrate to the government that it has both the documentation necessary for safeguarding patient PHI, as well as the ability to show how it is addressing all of the required security safeguards.

Required: A good understanding of the fundamentals

To do all this, a healthcare practice, business or organization needs to have a good grasp of the fundamentals of what it takes to protect PHI. It also needs to make sure that its current safeguards are sufficient to withstand government scrutiny. Another reason for the need for understanding what requirements need to be met to safeguard PHI is that there has been a substantial increase in HIPAA data breaches

The ways by which an organization can do all these will be the topic of a webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry. To enroll for this webinar, just log on to http://www.mentorhealth.com/control/w_product/~product_id=800871LIVE/~sel=LIVE/~Jay_Hodes/~HIPAA_Requirements_for_Safeguarding_Protected_Health_Information.

The speaker at this webinar is Jay Hodes, who is President and Founder, Colington Security Consulting, LLC. He will offer a thorough understanding of all the requirements that need to be put in place for protecting the health records that participants’ organizations maintain, create, transmit, or store. This course will offer a Covered Entity or Business Associate a solid understanding of what needs to be in place when it comes to complying with all of the HIPAA’s regulations.

Jay will cover the following areas at this discussion:

Why was HIPAA created?
Who Must Comply with HIPAA Requirements?
What are the HIPAA Security and Privacy Rules?
What is a HIPAA Risk Management Plan?
What is meant by “Required” and “Addressable” Implementation Specifications?
What are Administrative, Technical, and Physical Safeguards Requirements?
What is a HIPAA Risk Assessment?
What are HIPAA training requirements?
What is a HIPAA data breach and what happens if it occurs?
What are the penalties and fines for non-compliance and how to avoid them?
Creating a Culture of Compliance
Questions

0 Comments Leave a comment

The OCR’s Phase 2 Audit Program

Auditor sends file audited financial statements of the Company to executives.

The Office for Civil Rights (OCR) newly released the Phase 2 Audit Program. The audit process has started with the release of the rules and protocols. The need for a clear understanding of this new audit program by all Covered Entities (CE) and Business Associates (BA), or for that matter anyone who accesses, uses or discloses Protected Health Information (PHI) is acute. This is because the OCR has the power to review up to 180 different areas of the HIPAA privacy, security and breach rules.

Even if an organization is not selected for an OCR audit, it is important to be prepared, because any privacy or security complaint could trigger the same types of questions and requests for documentation as during the investigation.

A learning session on the program

A webinar that is being organized by MentorHealth, a leading provider of professional education for the healthcare industry, will review the detailed processes the OCR will use for the audits, and offer examples of the protocols. The speaker at this webinar, Kelly McLendon, a Health Information Management expert with over 36 years in the field, will show participants how to be prepared for an OCR audit.

All details of the OCR audit program

hand browsing through stack of magazines

Kelly will offer understanding of the various aspects of this topic, such as how the Phase 2 audit program builds upon the 2012 Pilot audit program, details about the sites to be selected for an audit, how to spot initial indicators that an audit may be eminent, timeframes for sites being audited, examples of privacy, security and breach audit protocols, continued analysis of the protocols to bring the audience the latest information about the questions and required documents OCR are using in the audits, and how to prepare a compliance program for an OCR audit or investigation by reducing overall privacy and security risk.

Kelly will cover the following areas at this webinar:

History of the OCR audit programs
The processes and rules surrounding the 2016 OCR audit program
Examples of privacy, security and breach audit protocols
Steps to take in preparation for an OCR audit

This session is highly useful to personnel such as Privacy Officers, Security Officers, Compliance Officers, HIM Managers, Practice Managers, CIO, General Counsel and Physicians.

0 Comments Leave a comment

Protecting a business from record breaches resulting from ransomware attacks

When HIPAA investigations relating to ransomware breaches find malpractices; it can be total jolt that can absolutely devastate the said practice or business. Discovery of this kind of breach during a HIPAA investigation can cause a major financial burden, apart of course, from severe embarrassment and ignominy.

This means that practices and businesses that are subject to a HIPAA investigation need to get a thorough understanding of whether their systems are at risk for ransomware or other very dangerous breaches, and of ways of dealing with them. The severity of a ransomware breach should never be underestimated, as it is the #1 risk for massive breach in the United States.

What needs to be done?

If a practice or business needs to insulate itself from appropriating of its electronic records, both foreign and domestic, it needs to take a few very important steps. What are these steps, and how does a practice or business do it? These constitute the learning a webinar from MentorHealth, a leading provider of professional trainings for all the areas of regulatory compliance, will be organizing.

Brian L Tuttle, who is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP) and Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. To gain the benefit of this learning, register by just logging on to http://www.mentorhealth.com/control/w_product/~product_id=800873LIVE/~sel=LIVE/~Brian_Tuttle/~Ransomware_and_HIPAA_Risks_-_BE_VERY_CAREFUL_HERE.

Brian will explain the practical and proven ways by which practices and businesses that are subject to HIPAA investigations can protect themselves from ransomware attacks and breaches.

Understanding the risk factors

He will also explain what the highest risk factors for being sued for wrongful disclosures of PHI are, and the manner in which patients are now using state laws to sue for wrongful disclosures. Brian will be quoting real life examples and will share his vast experience of dealing with situations that could cause a business or practice to go haywire.

Brian will offer specific information about multiple incidents, which will help practices and businesses understand what they did wrong that led to a bad situation. In addition to an explanation of the variables that need to be considered; he will also discuss specific questions the Office of Civil Rights investigators and FBI are likely ask and how best to answer. In all, this is a very valuable session at which the speaker will educate participants on the ways of preventing a breach altogether.

Brian will cover the following areas at this webinar:

What is ransomware?
What are risk factors?
What to do if hijacked
Audit Process
What can cause an audit
How to avoid these issues altogether
What to do in the event of an audit
How to speak and deal with Federal auditors
Risk Assessment
Best resources

0 Comments Leave a comment

Ensuring HIPAA Compliance and Avoiding Penalties

hipaa-compliance1

The combination of the implementation of new HIPAA regulations in the HIPAA Omnibus Update of 2013 and increased enforcement and audit activity has forced healthcare organizations to review their compliance and to ensure that they have the proper policies, procedures, and forms in place.

Because of this, HIPAA Privacy Officers have been renewing their compliance activities and reviewing their documentation to make sure they can meet the challenges of the new rules and avoid breaches and penalties for compliance violations. In addition, the department of Health and Human Services (HHS) has been issuing new guidance and new enforcement settlements, which provide extensive insights into what behavior is permissible by a Covered Entity and what is not.

Under HIPAA and the Clinical Laboratory Improvement Amendments (CLIA); patients also now have new rights to directly access test results from the laboratories that create the data. Labs that did not deal directly with patients before will now have to create patient-facing operations. The way in which they communicate sensitive results to patients will come under scrutiny.

A complete training session

hipaa_checklist_1-resized-600

In view of all these; it is necessary for professionals in the healthcare industry to understand the ways by which to comply with HIPAA. A learning session that will provide background on the guidance and enforcement activity and identifies key issues for HIPAA Privacy Officers to focus on is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC, will be the speaker at this session. Just visit Mentorhealth to enroll for this high-value webinar session.

Aimed at Covered Entities and Business Associates

All the aspects of importance to HIPAA Privacy Rule compliance, such as what is new in the regulations, what change one needs to implement in one’s organization, and what Covered Entities and Business Associates need to address for ensuring compliance are some of the issues Jim will cover at this session.

He will provide the background and details of the most important privacy issues that any healthcare information privacy officer needs to know, what needs to be done for HIPAA compliance, and what can happen when compliance is not adequate. He will explain audits and enforcement, and how Privacy regulations relate to Security and Breach regulations, apart from teaching how to respond to privacy and security breaches and ways of preventing them. Jim will offer many references to all these points.

The following areas will be covered at this webinar:

Overview of HIPAA Regulations
Responsibilities of the HIPAA Privacy Officer
HIPAA Privacy Rule Principles, Policies and Procedures
Recent Changes to the HIPAA Rules
Implementing the New HIPAA Omnibus Rules
HIPAA Security and Breach Notification Rule Principles
Documentation, Training, Drills and Self-Audits
HIPAA requirements for access and patient preferences, as well as the requirements to protect PHI
How HIPAA audit and enforcement activities are now being increased and what you need to do to survive a HIPAA audit.

0 Comments Leave a comment

Get a complete understanding of HIPAA Phase 2 audits

With HIPAA Phase 2 audits underway, practice and business managers are on tenterhooks on the implementation part of this requirement. The biggest area of concern for these professionals is understanding ways of carrying out Phase 2 audits with a grasp of what their highest risks are for being fined.

Before the audits happen; practice managers, business managers and compliance offers need to get their HIPAA house completely in order. This preparation requires professional guidance, as any error at some or another part could lead to serious consequences. It is this guidance that a webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry, will be offering.

Brian L Tuttle, who is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP) and Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. To gain complete understanding of what needs to be done to get the HIPAA Phase 2 audits right, register by just logging on to http://www.mentorhealth.com/control/w_product/~product_id=800830LIVE/~sel=LIVE/~Brian_Tuttle/~Phase_2_HIPAA_Audits:_What_to_Expect_and_How_to_Pass.

Changes under the Omnibus Rule

At this session, Brian will also address major changes under the Omnibus Rule as it relates to Covered Entities and Business Associates, and any other applicable updates for 2016. The goal of imparting this learning is to clear the air about the many myths and misconceptions that exist in relation to this law and the do’s and don’ts of HIPAA.

A very important aspect of the HIPAA audits is an understanding of the highest risk factors for being sued for wrongful disclosures of PHI and the manner in which patients are now using state laws to sue for wrongful disclosures. This area will be covered too, at this webinar.

This webinar will offer complete understanding of the changes taking place at Health and Human Services (HHS) with regard to enforcement of HIPAA and how to avoid audit risks as well as being sued by individuals who have had their PHI wrongfully disclosed due to bad IT or internal administrative practices.

Brian will cover the following areas at this session:

Updates for 2016

Requirements of Compliance Officers

Audit Process

What can cause an audit

How to avoid audit

What to do in the event of an audit

How to speak and deal with Federal auditors

Risk Assessment

Best resources

0 Comments Leave a comment

Texting and emailing as part of HIPAA 2016

All the major players in an organization that is required to carry out HIPAA audits, such as information technology managers, business managers and compliance officers, have to be conversant with all aspects of the HIPAA Security Rule as it relates to portable devices. They need to be thoroughly clear about all areas such as texting, email, encryption, medical messaging, voice data and risk factors as they relate to IT.

In addition, they also need to be aware of the major changes and any other applicable updates that relate to HIPAA for 2016. Texting, email, encryption, medical messaging, voice data and risk factors as they relate to IT are some of the grey areas of a HIPAA audit, and those in charge of an organization’s compliance need to be thoroughly knowledgeable about all these, or else they have a good chance of goofing up their HIPAA audit, the result of which is heavy penalty.

Get trained in this direction

The way of getting prepared for a HIPAA audit in a very right and comprehensive manner is the teaching of a webinar that is being organized by MentorHealth, a highly reputable provider of professional trainings for the healthcare industry.

Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), and Certified Business Resilience Auditor (CBRA) , who brings over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. Log on to http://www.mentorhealth.com/control/w_product/~product_id=800865LIVE/~sel=LIVE/~Brian_Tuttle/~HIPAA_2016_-Texting_and_Emailing to enroll for this highly educative session, where the speaker will bring the experience of having carried over 600 risk assessments as well as having directly dealt with the Office of Civil Rights HIPAA auditors.

A learning session about getting texting and emailing under HIPAA right

Brian will help organizations put an affective HIPAA compliance program that takes into consideration the texting and emailing aspects, as well as updates for 2016, in place. Brian will offer examples of real life audits conducted by the Federal government to explain the highest risks an organization faces for being fined. He will also explain the highest risk factors for being sued for wrongful disclosures of PHI and the manner in which patients are now using state laws to sue for wrongful disclosures.

Changes at HHS mean a lot to BA’s and CE’s

Brian will offer the very important understanding of the new changes taking place at the Health and Human Services (HHS) as it relates to enforcement of HIPAA for both Covered Entities and Business Associates with regard to portable devices, texting, and emailing of PHI. These entities need to know how to insulate themselves from an audit risk as well as being sued by individuals who have had their PHI wrongfully disclosed due to bad IT practices.

Brian will cover the following areas at this webinar:

o Updates for 2016

o BYOD

o Portable devices

o Business associates and the increased burden

o Emailing of PHI

o Texting of PHI

o Federal Audit Process.

Texting and emailing as part of HIPAA 2016

Get trained in this direction

Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), and Certified Business Resilience Auditor (CBRA) , who brings over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. Log on tohttp://www.mentorhealth.com/control/w_product/~product_id=800865LIVE/~sel=LIVE/~Brian_Tuttle/~HIPAA_2016_-Texting_and_Emailingto enroll for this highly educative session, where the speaker will bring the experience of having carried over 600 risk assessments as well as having directly dealt with the Office of Civil Rights HIPAA auditors.

A learning session about getting texting and emailing under HIPAA right

Changes at HHS mean a lot to BA’s and CE’s

Brian will cover the following areas at this webinar:

o Updates for 2016

o BYOD

o Portable devices

o Business associates and the increased burden

o Emailing of PHI

o Texting of PHI

o Federal Audit Process.

0 Comments Leave a comment

How do attorneys and law firms bring about HIPAA compliance?

Any firm that is covered under HIPAA and is privy to Protected Health Information (PHI) needs to be aware of the new burden placed on Business Associates under the Omnibus Rule. This is so because patients can receive remedies for HIPAA violations, and law firms that handle PHI, ipso facto they become Business Associates, must now comply directly with HIPAA Omnibus Rule as part of the major changes to HIPAA set forth by the Federal government.

State laws, which are now in place, are increasing the liability for patient remedies. The HIPAA Omnibus Rule, which was rarely enforced, has now become a very strongly enforced stringent law. In these circumstances, protecting a business or practice has become contingent upon the knowledge of all these aspects.

Learn the ropes of HIPAA compliance for attorneys and law firms

In order to help Business Associates and Covered Entities get a thorough understanding of the new changes that have taken place under the Omnibus Rule and other updates that come into effect from 2016 onwards and will be effective for a much later time; MentorHealth, a leading provider of professional trainings for the healthcare industry, will be organizing a webinar.

Covering all aspects of HIPAA compliance

Brian will explore the reasons for which the Federal government is keen to enforce this law after all these years. He will explain how law firms who work with PHI need to get their HIPAA compliance right in the light of added stringency.

Another important learning that Brian will offer at this session is the major changes under the Omnibus Rule and any other applicable updates for 2016 and beyond. There are several issues at stake and risks for Covered Entities and Business Associates these days as the new rule heavily impacts patients’ ability to sue and the Federal governments audit process.

Among the other issues that Brian will be taking up are:

Some of the changes taking place with the Health and Human Services (HHS) in regards to the enforcement of the HIPAA laws already on the books
Some of the new changes that will affect law firms dealing with PHI
The factors that might cause an unwanted visit or letter from the Office of Civil Rights (OCR) and how to prepare for the audit and deal with the Federal government

He will explain how patients are now able to get cash remedies for wrongful disclosures of private health information and will show how participants can limit risks to their firm by simply taking proactive steps and utilizing best practices.

The following areas will be covered at this webinar:

Updates for Omnibus
Patients suing – how does this work
Fines from HHS
Audit process
New patient legal remedies and how to lower risks
State laws and patient remedies
Portable devices
Emailing and texting
Business associates and the increased burden
Breach notification
Risk factors for being sued or audited

0 Comments Leave a comment

Practice Managers need to be thorough in their understanding of HIPAA requirements

Practice managers, business managers and compliance officers need to have all their points in order before a HIPAA audit. They need to be fully educated about the misconceptions and realities of a HIPAA audit, since there is a lot of misinformation about HIPAA that keeps doing the rounds most of the time. These professionals who deal with HIPAA audits for their organization need to know the exact dos and don’ts of a HIPAA audit.

In addition, they also need to be aware of the major changes under the Omnibus Rule and any other applicable updates for 2016. Texting, email, encryption, medical messaging, voice data and risk factors as they relate to IT are some of the grey areas of a HIPAA audit, and those in charge of an organization’s compliance need to be thoroughly knowledgeable about all these, or else they have a good chance of goofing up their HIPAA audit, the result of which is heavy penalty.

Get trained in this direction

Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), and Certified Business Resilience Auditor (CBRA) , who brings over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. Log on to http://www.mentorhealth.com/control/w_product/~product_id=800829LIVE/ to enroll for this highly educative session, where the speaker will bring the experience of having carried over 1000 risk assessments as well as having directly dealt with the Office of Civil Rights HIPAA auditors.

A learning session about getting HIPAA right

Brian will speak about real life audits conducted by the Federal government and point to the highest risks organizations face for being fined. Other areas such as being sued for wrongful disclosures of PHI and the manner in which patients are now using state laws to sue for wrongful disclosures will also be covered.

He will help organizations put an affective HIPAA compliance program in place. This learning is necessary in the wake of enactment of new laws and funding, which have increased the risk for both Business Associates and Covered Entities.

All areas of HIPAA

Other important areas covered in this session include HIPAA Omnibus and court cases that are changing the landscape of HIPAA and patient’s ability to sue. The speaker will also explain the new changes going on at Health and Human Services (HHS) as it relates to enforcement of HIPAA for both Covered Entities and Business Associates and how it relates to what participating organizations’ compliance officers need to do. In addition, Brian will also show how to avoid being sued by individuals who have had their PHI wrongfully disclosed due to bad IT or internal administrative practices.

Brian will cover the following areas at this webinar:

Updates for 2016
Do’s and Don’ts
Truth vs Myths about HIPAA
Requirements of Compliance Officers
BYOD
Portable devices
Business associates and the increased burden
Emailing of PHI
Texting of PHI
Federal Audit Process
Risk Assessment
Best resources

1 Comment Leave a comment

Understanding HIPAA Compliance Requirements

An organization that needs to be HIPAA compliant has to not only ensure that it provides the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI); it has to also have the proper policies and procedures in place. Any organization that is the subject of a compliance review or is being audited has to demonstrate to the government that it has both the documentation necessary for safeguarding patient PHI, as well as the ability to show how it is addressing all of the required security safeguards.

Steep increase in number of HIPAA data breaches

If an organization has to put all of the required documentation aspects together in place; it needs to have a very good understanding of the ways of putting in place a HIPAA compliance program with which to ensure that the current program is adequate and can withstand government scrutiny. They ways by which an organization can do all these will be the topic of a webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry. To enroll for this webinar, just log on to http://www.mentorhealth.com/control/w_product/~product_id=800869LIVE/.

Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be the speaker at this webinar. He will take participants through a full tour of the subtleties of HIPAA compliance that an organization needs to understand if it has to get through HIPAA compliance without hassles.

Jay will equip the participants with a thorough understanding of all the requirements needed for a comprehensive HIPAA compliance program and explain what steps need to be taken to mitigate risk. He will cover the following areas at this discussion:

Why was HIPAA created?
What are the HIPAA Security and Privacy Rules?
What is a HIPAA Risk Management Plan?
What is meant by “Required” and “Addressable” Implementation Specifications?
What are Administrative, Technical, and Physical Safeguards Requirements?
What is a HIPAA Risk Assessment?
What are HIPAA training requirements?
What is a HIPAA data breach and what happens if it occurs?
What are the penalties and fines for non-compliance and how to avoid them?
Preparing for a HIPAA Audit
Creating a Culture of Compliance
Questions

0 Comments Leave a comment

Know the ropes of social media in healthcare to avoid costly penalties from HIPAA

Any healthcare organization that is active on the social media is vulnerable to some or another kind of Protected Health Information (PHI) breach. Although a healthcare practice or business benefits greatly in terms of marketing and publicity from the judicious use of the social media for; data stored on Facebook, LinkedIn, YouTube or Instagram leaves it susceptible to data breaches.

HIPAA requires that the business or practice maintain utmost confidentiality, privacy and integrity of patient information, failing at which can invite huge penalties. With the HHS currently carrying out audits and imposing a minimum fine of $10,000, it is all the more imperative for Covered Entities and Business Associates to become compliant while at the same time engaging patients actively.

Get the procedures right to get social media practices right

So, for practices and businesses to ensure that they get these aspects right; it is important for them to understand how to get HIPAA-mandated procedures right.

It is this understanding that a highly valuable webinar from Compliance4All, a very well-known provider of professional trainings for all the areas of regulatory compliance will be offering.

At this webinar, the speaker, Paul Hales, an attorney at law whose practice includes specialization in the HIPAA Privacy and Security Rules right from the dates they became effective; will explain the ways by which participants can implement the right social media practices without violating the provisions laid out by HIPAA.

To enroll for this meaningful and educative webinar, please log on to http://www.mentorhealth.com/control/w_product/~product_id=800823LIVE/~sel=LIVE/~Paul_R.%20Hales/~HIPAA_Social_Media,_Marketing_&_Websites

Balancing patient engagement and the use of social media

At this session, Paul will discuss the policies and procedures that when implemented will help healthcare practices and businesses to ensure compliance with the usage of social media, marketing efforts and website development.

If a practice’s or business’ social media practices have to be free of the harmful effects of the misuse of the social media; their staff has to be aware of the marketing aspects, as well as the nature of the websites and the devices used to access these portals. Paul will drive home this point.

The learning that Paul will impart at this session will be an accurate, comprehensive and easy to implement way of patient engagement that will go far beyond the usual rituals like posting a notice or opt-out message. He will reference examples and recent breaches.

Paul will cover the following areas during this presentation:

Patient Engagement Tips: Protect Patients’ Privacy and PHI, Build the Relationship

Social Media: Reviews, Testimonials, and Likes

Marketing: Phone Calls, Emails, and Text Messages

Websites: What to Post and Not to Post

Portable Devices and Electronic Communications Network

0 Comments Leave a comment

Preparing for a HIPAA audit

Mobile app for health

Steep increase in number of HIPAA data breaches

A full understanding of the requirements of a compliance program has become all the more important in the background of an increase in HIPAA enforcement and with Phase 2 audits, about which Covered Entities and Business Associates that are going to get audited will be notified soon, getting underway. That the American Congress has taken serious note of the fact that a whopping 120 million individuals had their HIPAA data breached in 2015 points to the added urgency and importance of implementing a proper risk assessment plan that ensures sufficient safeguards for the data contained in the PHI.

Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be the Director at this seminar. He will take participants through a full tour of the subtleties of HIPAA compliance that an organization needs to understand if it has to get through HIPAA compliance without hassles.

Why was HIPAA created?
What are the HIPAA Security and Privacy Rules?
What is a HIPAA Risk Management Plan?
What is meant by “Required” and “Addressable” Implementation Specifications?
What are Administrative, Technical, and Physical Safeguards Requirements?
What is a HIPAA Risk Assessment?
What are HIPAA training requirements?
What is a HIPAA data breach and what happens if it occurs?
What are the penalties and fines for non-compliance and how to avoid them?
Preparing for a HIPAA Audit
Creating a Culture of Compliance
Questions

0 Comments Leave a comment

HIPAA’s position on use of mobile devices and maintaining privacy and security

HIPAA has regulations concerning the use of the mobile devices to access Protected Health Information PHI). Secure technologies for communications and storage of data should also be considered when using portable technologies. Due to these requirements, the use of portable devices by patients and staff can be complex. It requires careful consideration of the regulations, about how the devices will be used and secured, and what the patient desires.

At the same time, both HHS compliance audit activity and enforcement penalties have been increased, especially in instances of willful neglect of compliance. An organization that hasn’t adequately considered the impact of mobile devices on its compliance stands to get penalized. The use of mobile devices as a means of accessing patient information may be going up greatly, but these devices are prone to breaches of PHI. It thus becomes imperative and essential to consider these devices and how their use affects the privacy and security of PHI. Not doing so or not getting it right is sure to invite enforcement action by HHS.

Guidance is available

Those who use mobile devices to interact with medical records systems have guidance in the form of the NIST SP 1800-1, the draft guidance issued by The National Institute of Standards and Technology. This guidance concerns the use of, including recommendations on how to secure communications and how to vet HIPAA Business Associates providing communications.

So, when healthcare entities communicate with patients using portable devices, they have to consider the issues of privacy and security, as well as those of triaging incoming communications and documenting conversations. Only plain texting is not readily adaptable to the requirements of patient care and documentation, but secure, appropriate solutions are available.

Learn the ways of handling patient information using mobile devices

The ways of handling patient data using mobile devices while keeping all the guidance documents and regulatory requirements in mind will be the content of a webinar that MentorHealth, a leading provider of professional trainings for the healthcare industry, will be organizing. Professionals in the healthcare industry, who want to derive value out of this learning, can enroll for this webinar by visiting http://www.mentorhealth.com/control/w_product/~product_id=800801.

Jim Sheldon Dean, who is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm, will be the speaker at this webinar.

0 Comments Leave a comment

Understanding the final regulations for the new HIPAA Breach Notification Rule

The final regulations for the new HIPAA Breach Notification Rule place a far greater burden on Covered Entities and Business Associates than earlier. It is not enough for them to just notify individuals whose Protected Health Information (PHI) have been affected. For them to determine if a breach occurred, they must follow and document a very specific process. Their work does not end here. If no Breach occurred, then documentary evidence to this effect must be compiled and kept for six years. In the event of a Breach; CE’s and BA’s must undertake timely notifications and document this and other actions taken.

Huge number of breaches

That a breach and/or an incident can happen any time is attested by many experiences. From September, 2009 to May 31, 2015, over 173,000 separate breaches of PHI affecting less than 500 individuals and 1240 reports of PHI breaches affecting more than 500 individuals were reported to the U. S. Department of Health and Human Services (HHS).

The HHS has very stringent and often hairsplitting definitions of a breach. It considers an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule to be a Breach unless it falls within an exception or the Covered Entity or Business Associate can demonstrate a low probability that the PHI was compromised. Not every suspected breach may turn out to be a breach, but the CE or BA should have enough knowledge of the rules to assess each incident and prove it was not a breach in case it was not.

Other aspects of a breach notification

A CE or BA should notify prominent media outlets in the region whenever a breach affecting 500 or more individuals happens. At times, they would have to publicly announce that a breach did not occur. They should also guard against the huge black market for PHI. It is a fact that phishers, hackers and burglars are constantly making attempts to get PHI. The FBI reported in 2014 that medical identity information commands $50 on the black market, while a credit card or Social Security Number sells for $1.

A learning session to help unravel the complexities of the Rule

To understand how to make sense of the final regulations for the new HIPAA Breach Notification Rule; a webinar is being organized by MentorHealth, a highly reputable provider of professional trainings for the healthcare industry. Paul R. Hales J.D, who is an attorney at law and specializes in the HIPAA Privacy and Security Rules, will be the speaker at this webinar. To enroll for this webinar, log on to http://bit.ly/Regulations-HIPAA-Breach-Notification-Rule

This session will offer clear understanding of how to understand the new HIPAA Breach Notification Rule and how CE’s and BA’s can protect patient information, which will help them to prevent a breach. At this webinar, Paul will explain the following:

What Covered Entities and Business Associates must do to comply with the Breach Notification Rule
What is and is not a Breach
Who must be notified in case of a Breach
When notifications must be provided
What information must be contained in each notification
Other requirements in case of a Breach
- Investigate
- Mitigate harm to affected individuals
- Protect against further Breaches
- Document everything
Planning and preparation for the worst – public relations and mitigation strategies to limit damage to the organization’s reputation and financial well-being

0 Comments Leave a comment

Getting the OCR, HHS HIPAA and HITECH Audits right

hipaa-audit-w-wordle1

The US Health and Human Services (HHS) conducts periodic audits of providers and Business Associates to ensure their compliance with the HIPAA Security and Privacy Rule, and to make sure they are in accordance with breach notification standards. This is mandated in Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To implement this mandate, the OCR has partnered with KPMG and conducted HIPAA/HITECH audit program of 115 health care organizations to assess their privacy and security compliance. The lessons imparted by this program are considered best practices for this audit.

Imparting best practices

MentorHealth, an esteemed provider of professional trainings for the healthcare industry, will make these lessons and best practices available for participants through a webinar it is going to organize. To enroll for this webinar; just log on to http://www.mentorhealth.com/control/w_product/~product_id=800852LIVE/

This aim of this webinar is to teach participants the ways of implementation and tracking of HIPAA audit best practices in a healthcare setup that prepares for the federal audit using published Office of Civil Rights (OCR) audit protocols.

The speaker at this webinar is Srini Kolathur, HITPro, CISSP, CISA, CISM, MBA; who has several years of experience in helping companies effectively meet and exceed regulatory compliance requirements including SOX, PCI, HIPAA, etc. by using best practices. Srini will help participants get a thorough idea of how to understand the core elements of this program. He will take participants through the ways of implementing and tracking of HIPAA audit best practices in a healthcare setup that needs to prepare for the federal audit using published OCR audit protocols.

Getting all processes right

All the nuances of the audit program, such as audit process, documentation requirements, and implementation specifications of the HIPAA privacy, security and breach rules will be explained and made easy to understanding.

Participants at this webinar will be able to not only prepare for the federal HIPAA audit but also improve the security posture of their organizations by adopting to changing technology (mobile, social media, Health Information Exchange(HIE), cloud services, etc.) and threat landscape perspective as well.

During the course of this webinar, Srini will also share the best practices used for HIPAA security implementation and continuous risk assessment, to which auditors for the HIPAA security compliance program have given the collective name “due diligence”.

This webinar will cover the following areas:

Healthcare Technology Adoption/Trends
Healthcare Regulatory (HIPAA/HITECH) and OCR/HHS Audit Overview
Differences between HIPAA and HITECH Regulations
Confidentiality, Integrity and Availability (CIA) &ePHI Data Elements
HIPAA/HITECH Security, Privacy and Breach Requirements
OCR Audit Protocol
Patient Data Privacy, Security and Breach Procedures
Step-by-step guide preparation techniques
Sample policies
Risk Assessment questionnaire for protecting electronic health information
Checklist

0 Comments Leave a comment

HIPAA Compliance and Patient Care

Incidental disclosures form the crux of HIPAA compliance and patient care. HIPAA has elaborate rules on how to maintain these and in what situations.

Health Insurance Portability and Accountability Act (HIPAA), a landmark set of federal regulations, is aimed at protecting patient privacy regulations. Yet, it is understood that some information has to necessarily be shared. HIPAA compliance and patient care is centered on the inevitable disclosures that have to be made, or what are called incidental disclosures. Initially, there was some ambiguity about incidental disclosures, resulting in some kind of haziness about HIPAA compliance and patient care. With these cleared, much of HIPAA compliance and patient care hinges on this principle.

Incidental disclosures determine patient care compliance with HIPAA

Incidental disclosures are what are termed secondary use, i.e., it is the unavoidable or inevitable disclosure of Protected Health Information. It is understood that incidental disclosures, being a byproduct of the course or nature of the treatment; are inescapable, given the condition and situation of the patient.

Guiding factors for HIPAA compliance with patient care

The aim of HIPAA’s Privacy Rule is to ensure that healthcare providers have to use professional judgment guided by ethical guidelines at the time of making incidental disclosures. The following bases were propounded for adherence with HIPAA compliance and patient care:

Whenever there is an unavoidable breach in confidentiality, the breach should be proportionate to the potential benefit the patient’s gets from care
When a patient is not present in the healthcare setting or is incapacitated, information about the patient can be shared with the family, friends or whoever else is involved in the patient’s care. This protocol need not be documented.
In relation to the above, a requirement of HIPAA compliance for patient care is that when the patient has a condition that is not related to the present treatment, such information should be withheld
However, the healthcare provider can discuss the patient’s condition with family or friends over phone or through an interpreter. The patient’s health reports such as blood tests or X-ray or prescriptions can be issued to a person known or related to the patient if it is in the best interests of the patient
Healthcare professionals in charge of the patient should ask the patient which individuals she wants present in the room during treatment/examination. This has to be strictly adhered to, and anyone that the patient does not want present should be sent out
The professional’s best judgment has to be used when treating the patient in an emergency room, ensuring the maximum privacy to the best extent possible
Even while sending out appointment reminders or phone calls to the patients; HIPAA compliance and patient care requires that the patient’s privacy should not be put at risk inadvertently
The healthcare professional should avoid patient sign logs or calling out the patient’s name in the waiting area. Posting patient schedules, in which the patient is named, should be avoided.
When consultation or help is required from another specialist about a patient’s condition or ailment, the physician can do so without obtaining patient authorization specific to this request.
Yet, if a physician, who is not directly involved with the patient, has to be consulted, privacy of the patient name has to be preserved as part of HIPAA compliance and patient care. Identifiers can be used in such situations.

This link http://bit.ly/1PJAuFo has more on this topic for your reference

0 Comments Leave a comment

Making use of portable technologies in healthcare comes with challenges

Portable technologies have gone on to take center stage in many industries. Healthcare is one of the prime areas that use portable technologies, the notable examples of which are smartphones and other PDA’s. They are remarkably useful to this industry for not only the ease and comfort of access they offer, but also for the lightning speed with which they facilitate the flow of information, something that is of critical importance to healthcare.

One breach, and everything goes awry

All the benefits portable technologies bring into the healthcare sector notwithstanding; these technologies, like any other science based development, have their set of drawbacks. These shortcomings are real and not something that can be wished away or done away with easily. Many a time, they have the potential to neutralize the advantages accruing out of such technologies.

What are these drawbacks of portable technologies? Healthcare organizations that use these technologies are highly susceptible to data breaches, something that can send the whole data system into a tailspin. Data breaches carry not only a huge financial cost; they come with an even more expensive tag: The healthcare organization’s loss of name. This is why making sure that health data is secure and has integrity is crucial for healthcare organizations. In addition, guaranteeing data security is also a regulatory requirement, because it is set out in HIPAA.

Get a thorough understanding of how to prevent and deal with data breaches

A proper understanding of the ways by which healthcare organizations can protect their data from breaches and deliver the best in accordance with regulatory requirements as set out in a number of regulations is thus of paramount importance to healthcare organizations. It is exactly this learning that a seminar from MentorHealth, a reputable provider of professional trainings for the healthcare industry, will deliver.

Dr. Sheldon Dean, Director of Compliance Services, Lewis Creek Systems, LLC will be the Director of this seminar. Dr. Sheldon, as the old saying goes, needs no introduction to the world of healthcare informatics. At this two-day seminar, he will focus on the sensitivities and issues that healthcare organizations have to be aware of and take into consideration in order to prevent data breach and data loss. Apart from exploring the describing the compliance issues associated with the use of handheld devices, especially in relation to email and texting, he will also look into how to manage BYOD.

Just log on to http://bit.ly/1Uoh4J6 to enroll for this valuable learning session.

0 Comments Leave a comment