HIPAA One 2.0 Security Risk Analysis Update Delayed

Although the HIPAA One 2.0 update delay may be disappointing, the story is reassuring. Steven Marco, President of Modern Compliance Solutions, Inc., today announced, “Our simplified HIPAA Security Risk Analysis solution has been geared towards small clinics and Critical Access Hospitals and could not scale up. Our “Turbo-Tax”-like, step-by-step solution is designed to handle organizations’ complex political and GRC relationships like HITRUST or Archer. We will release HIPAA One after completing testing of all the new features and utilities requested by our satisfied client base – which have responded to OCR audits, and most have responded to Meaningful Use Compliance Audits in the past 3 months – all successfully. Our new target release date is Valentine’s Day, February 14, 2014.”

Send any questions about how HIPAA One®’s distilled workflow matches NIST SP 800-30 – the only “suggested” methodology of the Office for Civil Rights Guidance on HIPAA Security – for HIPAA enforcement – to, call 801-770-1199.

HIPAA One 2.0 Security Risk Analysis Solution Software Update Announcement – More Simple, Automated and Affordable Than Ever

HIPAA One unveiled an update to its popular HIPAA Security Risk Analysis solution on Tuesday at the company’s headquarters in Lindon, UT.

HIPAA One announced today the release of HIPAA One 2.0, the simple, automated and affordable alternative to the complex and time-consuming HIPAA Security Risk Analysis tools and spreadsheets on the market today, usable by people with or without a security background. To address anxiety in dealing with HIPAA requirements, HIPAA One 2.0 provides a “Turbo-Tax”-like, guided step-by-step process that makes the analysis simpler and easier. Some small clinics are reporting completing their HIPAA Security Risk Analysis and Assessment in as little as one day using HIPAA One. Hospitals are reporting success in measuring compliance on a per-location basis for clinics and affiliates.

Steven Marco, President of HIPAA One, states, “We have had excellent adoption of our HIPAA One Security Risk Analysis solution in 2013, and are reinvesting our successes into features for our users, the healthcare industry, to offer peace of mind they are doing the right thing when it comes to securing their patients’ identities. We guarantee compliance with Meaningful Use to protect CEHRT data requirements when using HIPAA One.”

New features of HIPAA One 2.0 include:

  1. Executive dashboards for tracking remediation progress.
  2. Added subjective “Risk Remediated” check-box for remediation plan updates.
  3. Parent-Child relationship for regional and affiliated Clinic and Hospital organizations.
  4. Import/convert historical HIPAA One® Risk Analysis data for simple Risk Analysis updates.
  5. ePHI System Administrator role added to better handle multi-ePHI system environments.
  6. Can marry ePHI System to existing or new location – avoiding redundant questions.
  7. Improved workflow for cloud or hosted systems.
  8. Compliant with Meaningful Use Stage 2 (CM 7/9 for EH/EP)
  9. Added ASTM_E2147-01, and 45 CFR 170.314(d)(4), (d)(2), (d)(3), (d)(7), (d)(1), (d)(5), (d)(6), (d)(8), & (d)(9).
  10. Automated Shopping cart functionality for customized product quotes.

Original release found on PRWeb.

New HIPAA Rules Go Into Effect On Monday – What You NEED To Know

The new HIPAA rules that will go into effect September 23rd, 2013 have changes that affect any company that deals with PHI. That means doctors, dentists, nurse practitioners, hospitals, nursing facilities, assisted living facilities, health care insurance companies, medical billing companies, and licensed coding contractors. All of these and others will need to take a careful look at how they are protecting PHI both physically and digitally in order to ensure they escape the hefty fines and penalties. Some of the notable changes are:

  • Patient notifications of breaches
  • Restriction of Disclosure to Insurance Companies
  • Marketing Restrictions
  • Broadened Definition of Responsible Persons
  • Clarification of Fine and Penalty Tiers

Although these have many ramifications for nearly everyone working in the health care industry, three stand out as more urgent:

  1. Patient Notifications of Breaches
  2. Broadened Definition of Responsible Persons
  3. Clarification of Fine and Penalty Tiers

First, patient notifications of breaches are a serious topic, especially in the wake of so many penalized breaches since 2009. The largest change to the rule is that all breaches are now considered mandatorily reportable unless the breach is determined to have not compromised PHI. This determination is made by using four factors that assess the risk to the PHI.

Second, a broadened definition of responsible persons is an expanded view of who is a business associate. Rather than simply holding a patient’s caregiver and their employees responsible for protecting PHI, the new rules require anyone who is tasked with transmitting, storing, receiving, converting, copying, selling, using, or even viewing PHI to take the same measures to protect it.

Lastly, the fine and penalty tiers have been simplified and explained. The first tier comprises breaches in which the physician or facility administration could not have reasonably known of the breach. The second tier is made up of cases in which the doctor or facility admin knew of the breach, or would have known if exercising due diligence, but did not act negligently. The last and most heavily penalized tier covers those cases and circumstances where willful neglect has been proven.

These are only a few things to be aware of with the new changes to the HIPAA law going into effect on September 23rd, 2013. You may want to look into hiring a HIPAA security expert to learn more and help ensure you are compliant.

Ready or Not, Here Come HIPAA Audits!

After running a successful pilot program in 2012, the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch a national HIPAA compliance audit program by the end of this year to ensure that all health care providers and business associates are compliant with HIPAA privacy and HIPAA security rules and regulations.

This announcement is causing panic among many health IT leaders, as data security and privacy have become such a complex undertaking and many know that holes still exist but can’t pinpoint where they are. What’s really troublesome is that the feds have proven, through their Recovery Audit Contractors (RAC) program, that they do not hesitate to use a take-no-prisoners approach, especially when there’s a lot of money on the line.

To read more about this program, check out this press release.

OCR gives an important 2013 update on their HIPAA Security and Privacy Enforcement status

The resumption of the HIPAA compliance audit program is on hold while regulators analyze pilot audit project results and implement the HIPAA Omnibus Rule, says Susan McAndrew of the HHS Office for Civil Rights.

HIPAA Privacy Audits begin – 20 “initial” audits to 150 audits by end of 2012

Is attestation a means to hold providers accountable for the expenditure of public funds and to protect against fraud and abuse?

The Office for Civil Rights has engaged KPMG, using $9M of their $52M budget for this year, for enforcing HIPAA compliance and investigating breaches for the CMS. The covered entities in scope for KPMG audits are those that have received CMS Incentives under Meaningful Use; they can expect a process of at least 30 business days, including 3-10 days of on-site visit.

As you register and attest for Meaningful Use funds, be aware that the risks associated with protecting ePHI are elevated in terms of IMPACT to your hospital.

For press release, click here. For the HHS press release, click here.

I have worked for Deloitte & Touche ERS and understand the big accounting firm audit strategies with legal implications. If you would like to discuss how to mitigate your clinic’s risks with attestation and be fully prepared for an OCR Audit, please do not hesitate to contact me anytime.

Stanford University Hospital breach – UPDATE – From $250K fine to $2.1M

Earlier, in September 2011, Stanford University Hospital was fined $250K under HIPAA by the State of California. As Stanford U.H. filed an appeal, they were served papers with a $20M lawsuit. That is 20,000 (ePHI records) times $1,000 per record, which equals $20,000,000.

Per the article, “The lawsuit, seeking a $1,000 award for each affected patient, alleges violation of state law that requires providers to safeguard patient information and prohibits disclosure without written consent, the Mercury News reports.”

CMS to Again Explain Medicare/Medicaid Meaningful Use Programs

Very useful information for Medical Practice Offices and Eligible Providers looking to achieve Meaningful Use and get their first payment for Stage 1:

They should also discuss Stage 2 set for release this week.

Are you Aware of the Registration Deadlines for the EHR Incentive Programs?

The CMS wants to remind all eligible professionals, eligible hospitals, and critical access hospitals of the registration dates for the EHR (electronic health record) incentive programs. They also want to help them successfully register and start their path to payment for 2011.

Registration Dates to Remember

  • November 30, 2011 – Last day for eligible hospitals and critical access hospitals to register.
  • February 29, 2012 – Last day for eligible professionals to register.

Important Updates on Registration for the EHR Incentive Programs

Changes to HIPAA Rules: OCR Increasing Financial Penalties

Just a quick update that the OCR is looking at the possibility of increasing civil money penalties for violations of requirements to ensure that protected health information stays private and is secure. Those who are found in violation may face fines of up to $1.5 million in a single calendar year.

You can read more about this here.