Help Me With HIPAA
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 394:24:01
Synopsis
HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder Donna Grindle and HIPAAforMSPs.com founder David Sims. Our mission is to share our Privacy and Security knowledge with those who are required to understand, implement, and manage the complex Privacy and Security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner, without using too much legalese or geek speak. As the podcast progresses we will cover topics that include sorting through the requirements as well as real world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!
Episodes
- Episode 22: So you think you're covered by cybersecurity insurance. Well...
  09/10/2015, Duration: 28min
  Cybersecurity coverage being challenged in court raises some important points that all businesses should consider.
  Links: FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance, Help Me With HIPAA
  Notes: COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM. A data breach occurred. The breach announcement said that between October 8, 2013 and December 2, 2013, the PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet. The hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online. Records of patients seen Sept. 29, 2009 to Dec. 2, 2013 included names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved. Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet-facing server on or about Oct. 8, 2013. The change allowed ePHI to become available to the public via Google's internet search engine. The server was taken offline immediately on Dec
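The exposure in the Cottage Health notes came down to one setting: anonymous FTP access left enabled on an internet-facing server. The check below is an added example, not code from the podcast, Kardon Compliance or HIPAAforMSPs. It attempts an anonymous login against an FTP service and reports whether the service is open, denies anonymous users, or is unreachable. Since no live FTP host can be assumed here, the block also carries a constructed toy FTP control-channel server (just enough of the protocol for USER, PASS and QUIT) so the check can be exercised against a misconfigured and a hardened instance on loopback; the contact address and ports are placeholders.

```python
"""Test an FTP service for anonymous login (added example).

check_anonymous_ftp() is the audit check; everything below it is a constructed
toy FTP server so the demo runs offline. Against real systems, point the check
only at hosts you are authorised to test.
"""
import ftplib
import socketserver
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return "open", "denied" or "unreachable".

    "open" means USER anonymous / PASS <email> was accepted, so every file the
    service exposes is readable by anyone on the internet (and, once a link to
    it exists anywhere, indexable by a search engine).
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:            # includes OSError: refused, timeout, DNS
        return "unreachable"
    try:
        ftp.login("anonymous", "audit@example.org")   # placeholder contact address
        return "open"
    except ftplib.error_perm:            # 5xx reply to USER or PASS
        return "denied"
    except ftplib.all_errors:            # session dropped mid-login
        return "unreachable"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass


class _ToyFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control channel: greets, answers USER/PASS/QUIT, nothing else.
    Whether anonymous logins succeed is decided by server.allow_anonymous."""

    def handle(self):
        self.wfile.write(b"220 toy-ftp ready\r\n")
        user = ""
        while True:
            line = self.rfile.readline()
            if not line:                     # client closed the connection
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.strip().lower()
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if user in ("anonymous", "ftp") and self.server.allow_anonymous:
                    self.wfile.write(b"230 Anonymous login ok\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_toy_ftp(allow_anonymous):
    """Start the toy server on a free loopback port and return the server object."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ToyFtpHandler)
    srv.daemon_threads = True
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the check against a misconfigured and a hardened toy server."""
    results = {}
    for label, allow in (("misconfigured", True), ("hardened", False)):
        srv = start_toy_ftp(allow)
        try:
            results[label] = check_anonymous_ftp("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())   # {'misconfigured': 'open', 'hardened': 'denied'}
```

A "denied" result only says the control channel rejects anonymous users; it says nothing about the files a valid account can reach, and it does not cover FTPS/SFTP services on other ports, so run the check as part of a scheduled review of every internet-facing host rather than once.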
- Episode 21: Where does your fruit hang?
  02/10/2015, Duration: 38min
  Show Notes:
  - If they were shocked that no one was actually watching for security holes at Ashley Madison, you can bet they will be shocked that you haven't been looking, because healthcare is supposed to be private. (Ashley Madison: Nobody was watching; Top 10 Tech Companies with Ashley Madison Accounts)
  - What kinds of things do you need to do to actually be considered as looking for them, though? (HIPAA Compliant IT)
  - A router / firewall test showed a 600% increase in unique vulnerabilities discovered last year (OCR / NIST conference). Within hours or days of a software (firmware) release, vulnerabilities will be identified. Keep firmware up-to-date.
  - UTM - what is a UTM? Not just a router off the shelf at Best Buy: IPS, antivirus, support subscription!
  - Reporting each month - look at what is going on. If you have IT they can do it, but you should be asking them for reports.
  - Printers / copiers are easy for hackers to get to first. Smart TVs.
  - Patching helps, since hackers start with "low hanging fruit". Beginning hackers look for
- Episode 20: It's The People, People
  25/09/2015, Duration: 35min
  Show Notes: When it comes to securing anything, the weakest link in the chain is always people. People are the ones who make mistakes, over-share, and are also the criminals. This episode talks about what people can manage to do, so you have to think of all kinds of things outside the norm.
  - University of Pittsburgh MC BA breach, after being hacked the year before: an employee of the billing service call center copied personal information from the billing system. Information on 2,259 patients was then passed on to a third party. Notification that it happened came from the FBI. Last year UPMC was hacked and employee information was taken for all 62,000 employees. Over 800 employees reported ID theft.
  - Oakwood Healthcare worker fired for HIPAA-violating Facebook comments: terminated after posting disparaging comments about a patient on her Facebook page. She worked at a hospital that had to treat a suspect in a police shooting. Her posts were pointing out her disgust at having to treat him. It is still a violation.
  - Roanoke, Va. Carilion Clinic - 1
- Episode 19: I am vulnerable, too, said your smartphone
  18/09/2015, Duration: 42min
  Mobile devices are vulnerable just like your network, servers, laptops, and desktops. Your risk analysis should include checking on any types of messages, pictures, or access to your data that can be done on your smartphones. Even if you don't put PHI on them, they may be able to be used against you in some way to crack your network and your PHI.
  - Patches: Android updates, and know your version of Android. A wipe leaves some data behind on old Android versions. iOS updates, and know your version. Windows has a small market share, but we mention it.
  - Encryption: Android has the option to encrypt the device, and a lock screen setting to wipe the device after X failed logins. iOS data protection turns on once a passcode is set; set it to wipe after X failed logins.
  - MDM - Mobile Device Management: what is it, and what can you do with it?
  - BYOD - Bring Your Own Device: set rules to follow, do checks for software updates, don't let kids play with the phone. MDM?
  - Backup: If you lose the phone or it dies, will you lose important things? Figure out a ba
- Episode 18: Email isn't secure, really, it isn't
  11/09/2015, Duration: 49min
  Let's review email systems and how they can be secured for ePHI and other sensitive data.
  Links: Find Healthcare IT, HIPAA For MSPs, Kardon Compliance, Alston Article on Email Security
  Notes: Leigh from Florida sent us an email asking us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2, which mentioned it, but she had specific questions about how email can be secured. This couldn't be covered in a quick 5 minute HIPAA Answers episode, so we are doing a whole episode.
  - How does email work, explained for "real people": compare it to the post office, since that is the way it was originally modeled. Why that isn't secure at all, really: http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack (article on an email account that was hacked and had patient info in it). Open transmissions across many different servers.
  - Misconceptions: I use a password so it is secure. I use https so it is secure. I use TLS so it is secure. I use updated Outlook with Hosted Exchange so
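The "many different servers" point, and the "I use TLS so it is secure" misconception, can both be seen in a message's own Received: headers: every relay that handles the message prepends one, and notes whether the session it received the message over was TLS-protected. The block below is an added example, not from the podcast; it walks those headers in delivery order and lists the hops that were received in cleartext. The message is constructed, and the host names and addresses are documentation placeholders.

```python
"""Trace the relays an email passed through and whether each hop used TLS.

Added example, not from the podcast. The message below is constructed; the
host names and IP addresses are documentation placeholders.
"""
import email
import re

# Constructed sample: three Received: lines as three relays would add them,
# newest on top. Only the middle hop (relay -> mx2) negotiated TLS.
RAW_MESSAGE = """\
Received: from mx2.recipient-clinic.example (mx2.recipient-clinic.example [203.0.113.8])
\tby mail.recipient-clinic.example with ESMTP id k17; Thu, 10 Sep 2015 09:14:02 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.5])
\tby mx2.recipient-clinic.example with ESMTPS (TLSv1.2) id j42; Thu, 10 Sep 2015 09:14:01 -0400
Received: from webmail.sender-practice.example ([192.0.2.10])
\tby relay.isp.example with ESMTP id a91; Thu, 10 Sep 2015 09:13:59 -0400
From: frontdesk@sender-practice.example
To: records@recipient-clinic.example
Subject: Records for your patient
Content-Type: text/plain

Lab results attached.
"""

# "from <host> ... by <host> ... with <protocol>" as written by most MTAs.
_HOP = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)", re.S
)


def trace_hops(raw_message):
    """Return the hops in chronological order as dicts with from/by/with/tls."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are prepended, so the bottom Received: line is the first hop.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())     # unfold continuation lines
        m = _HOP.search(text)
        if not m:
            continue                        # non-standard line from some relay; skip it
        protocol = m.group("with").upper()
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "with": protocol,
            # RFC 3848: ESMTPS / ESMTPSA (and the UTF8SMTPS variants) mean the
            # receiving relay got the message over a TLS session.
            "tls": protocol.endswith(("SMTPS", "SMTPSA")),
        })
    return hops


def unprotected_hops(hops):
    """Relays that received the message over a cleartext session."""
    return [h["by"] for h in hops if not h["tls"]]


if __name__ == "__main__":
    hops = trace_hops(RAW_MESSAGE)
    for h in hops:
        print(f"{h['from']:<36} -> {h['by']:<30} {h['with']:<8} tls={h['tls']}")
    print("cleartext hops:", unprotected_hops(hops))
```

Two caveats when reading the result on a real message: each Received: line is written by the relay that added it, so the earliest ones can be forged by a sender, and the keyword only says whether that one session used TLS, not how the message was stored at each relay. That is the practical meaning of "TLS on my server" not being the same as the message being secured end to end.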
- Episode 17: Compliance Management with ComplyAssistant
  04/09/2015, Duration: 40min
  Links: ComplyAssistant, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
  Notes:
  - Who is Gerry Blass? Been in healthcare for the long ride; a consultant for years; now a consultant and software company.
  - ComplyAssistant - when did you start development and what was your vision for it?
  - What kinds and sizes of clients do you have? Hospitals, practices, BAs and CEs of all types.
  - ComplyAssistant features: due diligence for BAs, contract management, incident management, project management, and documentation, documentation, documentation management.
  - The importance of having a documentation and management system of some sort in place.
  - Why ComplyAssistant instead of using a spreadsheet / folder approach?
- Episode 16: Seven Steps for Nurturing a Culture of Compliance
  28/08/2015, Duration: 36min
  "Culture of compliance" is the phrase OCR uses when defining what they are looking for in an audit or investigation. They also use the phrase "robust compliance program" in the same manner. Using these steps is a great way to make sure your organization is following their lead.
  Links: ComplyAssistant Compliance Management Solution, Spher EHR Access Monitoring Solution, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
  Notes: 7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:
  - Designate a Compliance (Privacy & Security) Officer. First, the law requires you to do this. But if no one is in charge then nothing will happen; we all know that to be the case. Or, in a vacuum of leadership, someone else will take charge and handle things the way they think they should be done, without the support of management.
  - Train and educate your staff and BA partners. Constantly restating the same information over and over in a variety of ways may be annoying to some, but tha
- Episode 15: It's not just about HIPAA anymore
  21/08/2015, Duration: 33min
  In 2014 NIST introduced the Cybersecurity Framework (CSF). It is designed for all businesses, large and small, to know the things they should be doing to protect their businesses, data, customers, and more. Just how does it compare to HIPAA?
  Links: NIST Cybersecurity Framework; DHS Getting Started for Small and Midsize Businesses (SMB); US Chamber of Commerce: Internet Security Essentials for Business 2.0; C3 Voluntary Program: Begin the Conversation: Understand the Threat Environment; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance
  Notes: It's not just HIPAA. All the different guides spell out the same basic concepts. For example, the NIST Cybersecurity Framework and the US Chamber of Commerce's Internet Security Essentials for Business 2.0 (STRONG SECURITY IS SMART FOR BUSINESS AND THE NATION; COMMON THREATS TO BUSINESS INFORMATION: hacking and malware, lost or stolen physical storage media, insider threat and human error, accidents and natural disasters; CYBERCRIME ON THE RISE; INTERNET SAFETY AND SECURITY FUNDAMENTALS; Se
- Episode 14: HIPAA Log Audits with AMS Spher
  14/08/2015, Duration: 45min
  An interview with Ray Ribble discussing the AMS Spher product. We learn how Spher can automatically "learn" what access patterns are normal and ask you when something isn't right. Your HIPAA compliance requirement to audit access logs may be solved with this tool. Your very own HIPAA breach detection service!
  Links: The AMS SPHER™ Solution, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
  Notes: Who are AMS and Ray Ribble? Tell us about The AMS SPHER™ Solution. Behavioral analytics: SPHER leverages pattern recognition algorithms to determine whether there was suspicious behavior on the EHR. It does this by comparing past behaviors to the behaviors in the audit log file SPHER is currently reviewing. For example, SPHER may have learned over the past months that an EHR user named John is typically active between 8 AM and 4 PM. In the current audit log file, SPHER notices that John was active on the EHR from 4 PM to 12 midnight, which causes SPHER to send you an unusual time of access alert. It learns! You know that John
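The "unusual time of access" alert described above is the simplest form of this kind of analytics, and it is worth seeing how little it takes to run against your own EHR audit export. The block below is an added example, not SPHER's code or any real EHR log: it learns each user's working-hour window from a baseline log, then flags accesses in a newer log that fall outside that window, plus accesses by users with no history at all. The log format and every line in it are constructed.

```python
"""Learn each EHR user's normal working hours from past audit logs and flag
accesses outside them (added example, not SPHER's code or a real EHR log).

Log format (constructed): ISO timestamp, user, action, record id.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: "normal" activity for a day-shift and an evening-shift user.
BASELINE_LOG = """\
2015-07-06T08:05:12 john VIEW MRN-1001
2015-07-06T11:40:03 john VIEW MRN-1042
2015-07-06T15:55:49 john UPDATE MRN-1042
2015-07-07T09:12:30 john VIEW MRN-1003
2015-07-07T16:01:11 john VIEW MRN-1099
2015-07-06T19:30:00 maria VIEW MRN-1001
2015-07-06T23:10:00 maria VIEW MRN-1007
2015-07-07T20:02:15 maria VIEW MRN-1010
"""

# Constructed log under review: john is active near midnight, maria exports a
# record at 3 AM, and a user with no history at all shows up.
CURRENT_LOG = """\
2015-08-03T08:30:00 john VIEW MRN-1005
2015-08-03T17:45:10 john VIEW MRN-1050
2015-08-03T23:58:02 john VIEW MRN-1050
2015-08-03T21:00:00 maria VIEW MRN-1011
2015-08-04T03:15:00 maria EXPORT MRN-1011
2015-08-04T10:00:00 temp VIEW MRN-1005
"""


def parse_log(text):
    """Yield (timestamp, user, action, record) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, action, record = line.split()
            yield datetime.fromisoformat(ts), user, action, record


def learn_hours(baseline_text, slack=1):
    """Map user -> (earliest_hour, latest_hour) seen in the baseline, widened by
    `slack` hours each way so that 08:05 and 16:01 become a 7-17 window.
    Shifts that cross midnight would need a wrap-aware window; this version
    clamps to the 0-23 clock."""
    hours = defaultdict(list)
    for ts, user, _, _ in parse_log(baseline_text):
        hours[user].append(ts.hour)
    return {u: (max(0, min(h) - slack), min(23, max(h) + slack))
            for u, h in hours.items()}


def unusual_time_alerts(current_text, windows):
    """Every access outside the user's learned window, or by a user with no baseline."""
    alerts = []
    for ts, user, action, record in parse_log(current_text):
        window = windows.get(user)
        if window is None:
            reason = "no baseline for this user"
        elif not (window[0] <= ts.hour <= window[1]):
            reason = f"outside learned hours {window[0]:02d}:00-{window[1]:02d}:59"
        else:
            continue
        alerts.append({"time": ts, "user": user, "action": action,
                       "record": record, "reason": reason})
    return alerts


if __name__ == "__main__":
    windows = learn_hours(BASELINE_LOG)
    for a in unusual_time_alerts(CURRENT_LOG, windows):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['user']:<6} {a['action']:<7} "
              f"{a['record']}  {a['reason']}")
```

The baseline should cover enough history to include legitimate late days, and the alerts are the start of a review, not a finding: the point of the "It learns!" remark is that each confirmed-normal alert should widen that user's window rather than be dismissed.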
- Episode 13: What is a HIPAA Risk Analysis
  07/08/2015, Duration: 35min
  Description: What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.
  Glossary: CReMaT'ed - Create, Receive, Maintain, Transmit. CIA - Confidentiality, Integrity, Availability.
  Links: JPP Medical Record, OCR Guidance on Risk Analysis, Training Documentation for this episode, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
  Notes: Not a simple checklist; it requires a lot of thought, data collection, and analysis. The analysis part:
  - Define where ePHI is CReMaT'ed in your organization. Not just the server that holds the EMR: cloud apps used, messaging tools, mobile devices, USB storage devices, home computers, the practice management system and data analysis tools. Don't forget to include downloads folders and temp folders on all PCs.
  - Do you need to worry about vendors or consultants, your BAs that may move data around your network, systems, etc.? If they handle it for you, do you even know where it is going?
  - What are the threats to the CIA of the PHI that you have located an
- Episode A2: HIPAA Answers - BA question from a listener
  05/08/2015, Duration: 05min
  We have a listener who called in with an example situation to find out what we thought. Is the company a Business Associate? Listen to Donna's answer in Episode A2. These short "answer episodes" are released weekly on Tuesday mornings when we have questions come in. Send us your questions and we will publish them with our thoughts and the best answers we can muster! Use the website form or Speakpipe voicemail. You can also find all our social media contact information at HelpMeWithHIPAA.com.
- Episode 12: Breach Response Plans
  31/07/2015, Duration: 26min
  Description: A breach response plan has been a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.
  Glossary: NIST - National Institute of Standards and Technology
  Links: NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide; APDerm Resolution Agreement (see item 2(2)); FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance
  Notes: Establishing an incident response capability should include the following actions:
  - Creating an incident response policy and plan. A written plan is required; there has already been an OCR resolution agreement that cited not having one (APDerm - $150,000).
  - Developing procedures for performing incident handling and reporting. Who is your "go to" team for forensics?
  - Setting guidelines for communicating with outside parties regarding incidents. PR will be critical for reputation management.
  - Selecting a team structure and staffing model. Someone has to be in charge of the whole thing, and then others in charge of the parts. E
- Episode A1: HIPAA Answers - How do I get rid of my printers properly?
  28/07/2015, Duration: 04min
  How do I get rid of my printers properly? Find out in HIPAA Answers Episode A1. Thanks for the listener questions that are coming in! It took us a bit to work out the best way to get back to you, so sorry for the delay. Today we introduce HIPAA Answers episodes. These short "answer episodes" will be released weekly on Tuesday mornings. Send us your questions and we will get them answered. Lots of ways to contact us: the website form or Speakpipe voicemail, Twitter, LinkedIn, Facebook, Google+, or send us an email.
- Episode 11: Ponemon Study 2014 on Healthcare Breaches
  24/07/2015, Duration: 35min
  Description: A discussion of the findings in the recently released study concerning healthcare breaches in 2014.
  Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide on-going technology support to other organizations.
  Links: Fourth Annual Benchmark Study on Patient Privacy and Data Security; Criminal Attacks: The New Leading Cause of Data Breach in Healthcare; FindHealthcareIT; HIPAAforMSPS.com; Kardon Compliance
  Notes: Represented in this study are 90 CEs and 88 BAs. This year is the first time BAs were added to the study data; in the previous four years only CEs were included. A security incident is defined as a violation of an organization's security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory i
- Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process
  17/07/2015, Duration: 32min
  ONC recently published an updated Guide to Privacy and Security of Electronic Health Information. In this episode David and Donna discuss what that guide calls the Seven-Step Approach for Implementing a Security Management Process.
  Links: Guide to Privacy and Security of Electronic Health Information, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
  Notes: The 7 Steps
  - Step 1: Lead Your Culture, Select Your Team, and Learn. Assign your officers, make sure they are trained, and show that compliance is a top-down commitment.
  - Step 2: Document Your Process, Findings, and Actions. If you can't prove it, then it didn't happen. Document your decisions, plans and activity.
  - Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis). Review or perform your Security Risk Analysis and current security assessment.
  - Step 4: Develop an Action Plan. The plan needs to address all the things you identified in your assessments, policies, and procedures.
  - Step 5: Manage and Mitigate Risks. This is where your project management skills c
- Episode 9: HIPAA Myths Part 3
  10/07/2015, Duration: 26min
  We finish up our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.
  Glossary: A myth is a widely held but false belief or idea.
  Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information
  Notes: Myths 1 - 7 of 10 were covered in the two previous episodes.
  - HIPAA covers all PHI no matter who possesses the information. False. HIPAA applies to entities that are health plans, healthcare clearinghouses, and most healthcare providers, and to the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA.
  - A one hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires you to have an educated person in charge of privacy and security compliance. It does not define what that education should contain. I can't imagine h
- Episode 8: HIPAA Myths Part 2
  03/07/2015, Duration: 30min
  We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.
  Glossary: A myth is a widely held but false belief or idea.
  Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information
  Notes: Myths 1-3 were covered in the previous episode.
  - Communicating with patients via email, fax, or telephone violates HIPAA. Actually, not true. But... reasonable and appropriate safeguards must be in place.
  - HIPAA compliance is just like all the other compliance rules for other industries: you learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they ar
- Episode 7: HIPAA Myths Part 1
  26/06/2015, Duration: 23min
  We discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.
  Glossary: A myth is a widely held but false belief or idea.
  Links: HealthIT.gov Top 10 Myths of Security Risk Analysis; HealthIT.gov Guide to Privacy and Security of Electronic Health Information
  Notes:
  - Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Providers can share: with anyone the patient identifies as a caregiver; when the information is directly relevant to the involvement of a spouse, family member, friends, or caregivers (Ebola, for example); when necessary to notify a caregiver about a change in condition or location of a patient (as long as the patient doesn't object); and when in the best interest of the patient, regardless of their ability to object or not.
  - The security risk analysis is optional for small providers and business associates. False. Everyone is required to abide by the Security Rule, which specifically
- Episode 6: HIPAA Compliant IT
  19/06/2015, Duration: 35min
  In this episode we discuss technology support requirements under HIPAA and why professional, HIPAA compliant IT services are an important part of managing your security compliance. The Security Rule has so many specific technical things to consider that it really requires professional technology services to handle it properly. We discuss why that is needed and what to expect from a HIPAA Compliant IT company.
  Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide on-going technology support to other organizations.
  Links: FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance
- Episode 5: Without Documentation It Didn't Happen
  12/06/2015, Duration: 49min
  In this episode we discuss the importance of documentation for your HIPAA compliance program. You can be doing everything right, but without documentation there is no way for you to show anyone else that this is the case. If you can't prove it, then you aren't doing it as far as OCR is concerned.
  Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide on-going technology support to other organizations.
  Links: FindHealthcareIT, HIPAAforMSPS.com, KardonCompliance.com, ComplyAssistant.com
  Notes: OCR says "don't just tell me you are compliant, show me you are." What do you need to document?
  - Policies and procedures, including archive history
  - Risk analysis and risk assessment
  - Training for the workforce (who, what, where, when)
  - Risk mitigation project plans
  - Issue/incident details
  - BAAs and BA due diligence
  - Activity monitoring reports and logs
  - Audit plans and results
  - Assessment plans and results
  - Inventories of software, hardware, etc.
  - Breach response plans and