Compliance Helper

Insurance Broker HIPAA HITECH Breach

Mon, 15 Mar 2010 17:46:57 GMT

Beecher Carlson a large insurance broker in Atlanta reported the theft of two laptops containing PHI. The laptops contained names and Social Security numbers for employees of Beecher Carlson’s clients, including 1,012 people who live in Massachusetts.

This will end up costing them millions in fines and the cost of breach notification, not to mention the damage to their reputation. Denial is simply not the proper response to the new HIPAA HITECH Act standards.

Covered entities (CE) and business associates (BA) must put proper documented policies, and procedures in place, train their employees and protect the data entrusted to them.

Get compliant, stay compliant, prove compliance with the Compliance Meter^tm and you can avoid the pain and embaressment being experienced by Beecher Carlson.

The Blind Side of HITECH compliance; Business Associates

Tue, 09 Mar 2010 18:24:50 GMT

A recent survey by HC Pro had over 600 respondents mostly HIPAA privacy officers and HIM directors, and had the following quote "BA requirements under HITECH have changed drastically. Most survey respondents said they feel their BAs are ready, but the scary part is 45% said they are not confident in their BAs’ readiness." Based on my observations and conversations with BAs I think the 55% are over confident.

The key question is have the BAs done a true risk anlysis such as the NIST 800-30 and shared that information with their CE? Risk assessment is a requirement for those wanting stimulus funds. CEs may also require a risk assessment of their BAs if the cost is reasonable. (NIST 800-66)

Don't get blindsided by a breach by one of your BA's with your PHI. Do your own risk assessment and require your BAs to do it also and when you find problems like missing or inappropriate policies and procedures make sure that these problems are fixed. The cost for these services is now reasonable through the use of automation and cloud computing. Take a look at www.acr2solutions.com and www.compliancehelper.com

ACR2 Solutions, Compliance Helper and Rebecca Herold announce strategic partnership

Sat, 06 Mar 2010 18:45:27 GMT

Press Release:

ACR 2 Solutions, Compliance Helper, and Rebecca Herold and Associates announce a strategic partnership to provide HIPAA HITECH solutions
Get Compliant, Stay Compliant, Prove Compliance
March 5, 2010 –As part of a combined HIPAA HITECH solution, ACR 2 Solutions, the technology leader in automated risk assessment software, will help medical organizations identify the privacy and information security risks in their current information systems. Compliance Helper (CH) will then provide turn-key solutions for those needing policies and procedures based on content developed by Rebecca Herold and Associates. The combination of the ACR 2 Gap reportand the CH Prepare and Care solution creates a simple and organized process for organizations to become fully HIPAA
HITECH compliant. ACR 2 customers who have identified a non-compliance risk may select the CH Prepare solution which helps them get compliant, the Care solution which helps them stay compliant, and the Compliance Metertm which allows them to prove their compliance. Similarly, CH customers may choose the Risk Assessment option and begin to integrate their risk
assessments with their policy and procedure safeguards.
Jack Kolk, CEO of ACR2 Solutions, said "We are delighted to find a policy compliance solution for our clients which tiesinto our risk assessment solution so elegantly.”
Jack Anderson, CEO of Compliance Helper, said, “Risk assessment is the first step in the process of risk management. We share a market vision and philosophy with ACR2 Solutions that dovetails nicely with our technology and methodology. ”
Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, stated in her article in the February 2010 issue of Compliance Today magazine, “Covered entities (CE) are now accountable for more active validation of business associate (BA) security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions.”
Under NIST guidelines for HIPAA Security Rule Compliance, Covered Entities “May consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate.” (NIST 800-66, rev 1, p48). With packages starting at less than $1,000 a year, the ACR 2 Risk Assessment program for BA information security is more than reasonable. Linking BA scores to the ACR 2 Enterprise console allowsCEs to prove BA compliance in real time

ACR 2 Solutions (ACR2) is a leading developer and innovator of information security and regulatory compliance solutions. We specialize in software solutions that meet the needs of companies trying to keep up with rapidly expanding information security and compliance laws. Our products focus on automated risk assessment and risk management for regulatory compliance with federal mandates including GLBA, HIPAA, FISMA as well as industry regulations such as the PCI DSS.
Compliance Helper provides a safe, effective, and cost efficient method for healthcare organizations to comply with privacy and information security standards. Compliance Helper ‘s cloud computing technology delivers templates of policies, procedure, and forms developed by Rebecca Herold and Associates, a step by step process, and a personal Helperto guide and advise the customer.
Rebecca Herold, "The Privacy Professor"(R), is an information privacy, security and compliance consultant, author, instructor and management tool creator with her own company, Rebecca Herold & Associates, LLC. Rebecca also provides a wide range of information security and privacy training and awareness products and services that CEs and BAs can also use to round out their compliance requirements program. Rebecca has provided information security, privacy
and compliance services to organizations in a wide range of industries throughout the world for over two decades.

What is Hiding on Your Copier: PHI?

Fri, 05 Mar 2010 19:02:52 GMT

I recently had lunch with the folks from Digital Copier Security and what they had to say was eye opening for me and probably will be for you also. What they pointed out is that since 2002 copiers, and other devices such as fax machines and printers, have all had hard drives installed. They are storing images for everything that passes through them. What is really alarming is the fact that most of these devices are on lease and when they go off lease are returned to the dealer, with all the PHI still sitting there unprotected. Many of these older machines are store in unsecured warehouses until they are shipped to their new home. Frequently their new home is in another country.

Go to www.copiersecurity.com for more information and tell them Jack sent you. ( I have always wanted to use that phrase)

HIPAA HITECH and the Five Stages of Grief

Thu, 25 Feb 2010 16:56:12 GMT

In my many conversations and reading of blogs and comments about HIPAA HITECH, I have encountered all the five stages of grief:

1. Denial; HIPAA HITECH does not apply to me.

2.Anger; Why is Congress, Obama, HHS, OCR etc picking on me?

3.Bargaining; I am going to have my congressman get me an exclusion

4.Depression; I am going to quit and retire early.

5.Acceptance; What do I have to do to get compliant?

I might add that it does no good at all to try and point this out to the afflicted parties. All we can do is wait for them to get to acceptance and then provide a solution. Get compliant, stay compliant, and prove compliance.

HIPAA HITECH Breaches Posted by OCR

Tue, 23 Feb 2010 17:54:06 GMT

HIPAA HITECH breaches of over 500 patients are note posted in the OCR website. So not only are there financial penalties but also public relations penalties. Putting privacy and information security policies and procedures in place, training your staff, and maintaining your awareness is critical to you business. You literally can't afford a breach in more ways than one. Take a look at the site and see if there is someone you know.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

HIPAA HITECH Compliance:Trust but Verify

Tue, 16 Feb 2010 16:44:28 GMT

The prevailing practice seems to be to try and shift the responsibility to the business associate (BA)by means of a business associate agreement (BAA). The fact that the BA accepted or signed the BAA is not a reasonable assurance that they have indeed complied. They may not even know what they need to do to be in compliance. All the recent surveys reveal a huge information gap between the covered entities and the business associates.

At a minimum, it seems to me, the CE must set standards for the BA that include some method of demonstrating their compliance. In the accreditation world sometimes this means having the BA send copies of P&P or of course CMS or the accrediting agency doing an on-site survey. This would be difficult at best for most CE. Clearly, a connection between the CE and the BA would be best, allowing them a window into the compliance level of the BA. We have solved this with our Compliance Meter^tm, but there are other solutions out there. We have been talking with the folks at ACR2 Solutions Inc. who have an elegant solution for the CE. It is able to see the gaps in security including insufficient P&P at the BA level. We are talking about working with them to solve this by helping the BA get compliant.

The goal is still get compliant, stay compliant, prove compliance. Trust but verify.

HIPAA HITECH "Indemnification and Assurance"

Mon, 15 Feb 2010 15:22:17 GMT

"Business associates are responsible for updating business associate contracts for compliance with the HITECH Act, but covered entities (e.g., group health plans) should also review their existing agreements to clarify or enhance indemnification rights, to obtain reasonable assurances that business associates have appropriate security measures in place and to clarify parties' responsibilities if the privacy breach notification requirements are triggered." Calfee Halter & Griswold LLP

This is an interesting quote because they seem to be be trying to cover all their bases. I am not a lawyer but I don't think the business associate (BA) can really indemnify the covered entity (CE). I would also ask how they would "obtain reasonable assurances". I would suggest that BAs are signing anything sent to them by the CE in order to keep their business. And, I believe the law has already clarified parties responsibilities.

I think the solution is for the CE to work with the BA to help them get compliant, stay compliant, and prove compliance.

Covered Entities need Active program for managing business associates

Tue, 09 Feb 2010 17:59:12 GMT

Rebecca Herold's article in the February issue of Compliance Today is a must read for covered entities. Relying on an amended business associate agreement could open them to charges of willful neglect.

She states "It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions. Simply depending upon a security questionnaire answered once a year (or even less often), with no validation that the information provided is even accurate, is not effective. CEs must take a more proactive approach to ensuring BAs have effective and compliant programs in place."

You need to help your business associates get compliant, stay compliant, and prove their compliance or pay a hefty penalty.

Come and hear her talk in tomorrow's webinar at 11:00 EST. https://www2.gotomeeting.com/register/207314795

David Blumenthal Emphasizes Privacy and Security in HITECH Act

Sat, 06 Feb 2010 17:27:50 GMT

As healthcare ponders "meaningful use" they need to also remember "willful neglect". David Blumenthal's article in the New England Journal of Medicine provides an important reminder that privacy and security are key elements ot the ARRA Stimulus Bill and the HITECH Act.

"Health information exchange, however, will never reach its potential unless patients and providers are confident that patients' data are private and secure — both when stored in EHRs or other repositories and when flowing through the health care system. The HITECH Act greatly strengthened existing privacy protections under the Health Insurance Portability and Accountability Act. In addition, the ONC has asked one of its advisory committees to study additional measures for increasing the privacy and security of health information without compromising its availability for such critical purposes as patient care and research."Launching HITECH,David Blumenthal, M.D., M.P.P, NEJM, Volume 362:382-385 February 4, 2010 Number 5

As you make plans for EHR keep in mind that you must be in compliance with the HITECH Act and HIPAA or risk penalties much higher than the potential stimulus funds you will receive.

HITECH Act Webinar February 10th

Thu, 04 Feb 2010 16:50:43 GMT

Compliance Helper is proud to be a cosponsor with the Argosy Group of this important webinar. Rebecca is the privacy and information security expert who has partnered with us to develop our HIPAA HITECH solutions. Amy has provided Argosy Group with legal advice on accreditation and compliance. Together they thoroughly cover the topic of the HITECH Act.

Rebecca is an information privacy, security and compliance consultant, author, instructor and management tools creator with her own company, Rebecca Herold & Associates, LLC. Rebecca has provided information security, privacy and compliance services to organizations in a wide range of industriesthroughout the world for over 17 years. In October 2007 Rebecca was named one of the “Best Privacy Advisers”in two of three categories by Computerworld magazine. Rebecca was also named one of the "Top 59 Influencers in IT Security" for 2007 by IT Security magazine. Rebecca is also an Adjunct Professor for the Norwich University Master of Science in Information Assurance (MSIA)
program.

Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award. Rebecca assists organizations of all sizes within all industries with their information privacy, security and regulatory compliance programs, content development, and strategy development and implementation. Over the past decade Rebecca has developed and has been delivering two-day information security and privacy workshop, and another two-day workshop helping organizations learn how to effectively manage their information security, privacy and legal areas to work together to most effectively assure privacy and regulatory compliance while efficiently implementing security controls. Rebecca has created customized 1- and 2-day training for the specific needs of many different organizations. Rebecca is the creator and editor of the “Protecting Information” multi-media quarterly security and awareness journal (http://www.privacyguidance.com/piqa-journal.html) and also provides online information security and privacy training modules.

Amy is a valued business advisor in corporate matters involving health care and information technology law. She provides trusted counsel to health care providers, entrepreneurs, and service providers on licensing, payment, regulatory compliance, privacy and technology issues. As a former hospital executive, Amy has in-depth knowledge from over twenty years in the health care industry as vice president in both academic medical center and community hospital settings and an internship in the U.S. Department of Justice Antitrust Division. She also teaches advanced courses on transactions for health care organizations as an Adjunct Professor at the Case Western Reserve Law School, where she was editor-in-chief of "Health Matrix: Journal of Law-Medicine" and worked on NIH grant projects. Amy has been selected by her peers for inclusion in the "Best Lawyers in America.

Amy has a special interest in technology development and licensing and privacy and security issues. Amy leads the HIMSS Legal Aspects of the Enterprise Task Force and is Vice Chair of the AHLA Health Information Technology Practice Group. She served on the Certification Commission for Health Information Technology (CCHIT) Health Information Exchange (HIE) Certification Work Group to develop standards for health information exchanges.

https://www2.gotomeeting.com/register/207314795

HIPAA HITECH Compliance is an Ongoing Process

Fri, 29 Jan 2010 16:13:35 GMT

In our previous business, Accreditation Helper, we helped small healthcare organizations prepare for an on-site survey by The Joint Commission. The old model was for a consultant to tuck a policy and procedure manual under their arm, get on an airplane and go visit the client a number of times trying to educate them. There were a number of problems with this model. It was expensive, the travel was hard on the consultant, and it was a difficult way to teach. When we contemplated automating this process we decided that we needed to keep the "human touch" but we needed a better learning process. We used a task centered process that lead the client through reviewing, editing, and submitting policies, procedures, and forms to their Helper for approval. The Helper was always available to answer their questions and to check their work. So the client absorbed the content and started understanding how their business processes might need to change to become accredited. The idea was to teach them to fish, rather than giving them a fish.

Business associates need to understand that compliance is a long term commitment that could, and probably should, change some of the internal processes. The end result will be a better, safer, more efficient workplace that protects patients' information. Just buying a policy and procedure manual and putting it on the shelf will not provide you with a "safe harbor". Use HITECH compliance as a way to improve your business process and you will win in more ways than just satisfying the new HITECH regulations.

There's No Such Thing as a HITECH compliant tool.

Wed, 27 Jan 2010 17:52:47 GMT

ONC writes in its interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology":

"While the capabilities provided by Certified EHR Technology may assist … in improving … technical safeguards in order to meet some or all of the HIPAA security rule's requirements or influence … the use of Certified EHR Technology alone does not equate to compliance with the HIPAA privacy or security rules."
Compliance requires a process that encompasses establishing policies and procedures, training staff, and maintaining these standards over time. There is no such thing as a HITECH certified software tool. You compliance is based on your actions and you need to be able to prove that you took appropriate actions to prevent breach.

Get compliant, stay compliant, and prove compliance with the Compliance Meter(tm)

Hacker Attacks Against Healthcare Organizations Increase

Tue, 26 Jan 2010 17:55:33 GMT

Data breaches can happen in a lot of different ways, misplaced smart phone, stolen laptop, lost thumbdrive, but hackers are a huge threat also. Here is a report on hacker attacks.

Hacker Attacks Targeting Healthcare Organizations Doubled in the 4th Quarter of 2009 According to SecureWorks' Data
ATLANTA, Jan. 26 /PRNewswire/ -- SecureWorks®, Inc., a leading global provider of information security services protecting 2,700 clients worldwide, reported today that attempted hacker attacks launched at its healthcare clients doubled in the fourth quarter of 2009. Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009. Attempted attacks against other types of organizations, protected by SecureWorks, did not increase in the fourth quarter.

Privacy and information security are a major part of the HITECH Act. Get compliant, stay compliant, and prove compliance with the Compliance Meter(tm)

HITECH Pain for Small Business Associate

Thu, 21 Jan 2010 16:55:56 GMT

I came across this letter on www.congress.org , Phil Roe is a congressman from Tennessee.

"Subject:
HITECH Act

To:
Rep. Phil Roe

January 6, 2010

My daughter does some transcription work out of her home for some doctors. She's been doing this for several years.
Now, she has heard about some HITECH Act which Obama signed into law and it has her scared to death. Evidently she falls into the "business associates" class of this act that accords very stiff fines and penalties for breaching this law. She has paid some company over 300 dollars to give her some kind of training and certification for this. She is just a person trying to make a living, not some big corporation. Shame on lawmakers who allow this to happen to individuals.

Kingsport , TN"

There are literally hundreds of thousands of these small business associates out there. They do have access to PHI and they probably have few if any safeguards in place. While we have sympathy for their plight, we will be hearing more about data breaches from them.

90 % Not Ready For HIPAA HITECH

Wed, 20 Jan 2010 18:49:00 GMT

I ran across this article in my endless searching for information on HIPAA HITECH

"More than 90 percent of health care companies are not ready to comply with the privacy and security provision of the Health Information Technology for Economic and Clinical Health Act, according to a survey conducted by the Ponemon Institute and sponsored by Crowe Horwath. . . . “It is disappointing, though not surprising, to learn that a majority of companies do not believe they are prepared for the latest in health care information security regulations,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Our research consistently finds that a lack of budgetary and moral support from the executive suite is a common barrier to proper data security and management programs, even with the specter of regulatory enforcement looming.”

[Source: EWeek.com]

This absoultely fits my view of the state of readiness. Fiddling with business associate agreements seems to be the primary focus, as if somehow all of the responsibility can be foisted off on the beleagered BA.

Get compliant, stay compliant, prove compliance with the Compliance Meter(tm).

HIPAA HITECH for Insurance Brokers

Tue, 19 Jan 2010 22:29:40 GMT

I discovered John Nail through his website, www.theindustryradar.com and he has the same passion to educate insurance brokers as I have for the healthcare industry. It turns out that the level of awareness of the HITECH Act is even lower among insurance brokers than in healthcare, as hard as that is to believe. Through John I met Steve Irons and Michael Lawrence from ZIX Corporation who supply secure email for HIPAA HITECH.

Rebecca Herold from Compliance Helper and Steve Irons from Zix Corporation will be the presenters at this webinar on January 28th at 11:00 AM EST. See more details at www.theindustryradar.com www.zixcorp.com or www.compliancehelper.com

HIPAA HITECH Compliance Meter(tm)

Mon, 18 Jan 2010 17:20:05 GMT

This came across on Google Alerts this morning:

The problem of securing health data that is everywhere | TalkBack ...
New tools utilizing cloud computing offer hope and help, including our toolset at www.compliancehelper.com which include the new Compliance
Meter(tm) a ...
<http://talkback.zdnet.com/5208-13593-0.html?forumID=1&threadID=74040&messageID=1433468>

As the covered entity learns that they are indeed their brother's (the business associate) keeper, they need to have a means of measuring their compliance. The Compliance Meter(tm) shows the up to the minute level of compliance with policies, procedures, forms, and maintenance tasks. The process requires the BA to review and edit templates developed by Rebecca Herold and Associates and delivered on the Compliance Helper platform. These edits are then reviewed by the personal Helper who is also trained and supported by Rebecca Herold and Associate. Once approved the go into the electronic policy and procedure manual and forms library. Once they move to maintenance they get a monthly task list and the system gives them a score based on their accomplishing these tasks. They also receive new templates or revised templates to reflect changes in the standards which then go through the same review, edit, approval cycle.

With approval of the BA the CE may drill down to look at the actual policies, procedures, and forms as well as a history of the tasks completed. This transparency allows the CE to be assured that their BAs are staying in compliance and can prove it.

Get compliant, stay compliant, prove compliance with the Compliance Meter(tm)

It's Not The Size That Counts - HIPAA Security Breach

Sun, 17 Jan 2010 16:25:48 GMT

I read with interest and concern about a breach of 1.2 million patient records but my attitidue about a breach of 15,500 by my own healthcare provider riveted my attention.

I was having lunch with a local family physician and his staff when I heard that Kaiser Permanente in Northern California, my provider had a breach of 15,500 patient records which easily could have included mine. The physician remarked that if a small practice such as his in a small town such as ours had a significant breach it would probably destroy his practice. Yet he is still weighing the risk versus the amount of work it would take to get in compliance with HIPAA HITECH. This is a decision that will become easier when he hears about a practice just like his having a breach. A large covered entity 3,000 miles away is an abstract. The closer it gets to home the more real it becomes.

Rebecca Herold states in her artice "It's not the size that counts", an article which you can see in our resource section, that they are the most likely to breach and the least likely to report the breach. They hope that somehow being small will keep them under the radar.

There was an old sunday school song that had the line "When his eye is on the sparrow, you know he's watching you". Get compliant, stay compliant, prove compliance with the Compliance Meter(tm).

Son of HIPAA

Fri, 15 Jan 2010 15:03:22 GMT

I have quoted extensively from David Harlow's blog because he states my case perfectly. You have to have an active and ongoing program of assuring that your business associates, get compliant, stay compliant, and prove compliance with the Compliance Meter(tm).

The takeaway point for other covered entities and business associates: An ounce of prevention is worth a pound of cure. Get into full compliance -- and stay there -- so that you don't become a test case (or an opportunity for a state AG to get some press for being tough on HIPAA scofflaws). Not only do you need to adopt the policies and procedures called for under the Son of HIPAA rules -- encryption, breach notification, beefed-up business associate agreements, and monitoring of business associates' policies and procedures -- you need to be sure that the policies and procedures are tailored to your business processes, that your personnel are fully-trained on the content and the importance of these policies and procedures, and that they are actually being followed in real life.

I've been talking to a lot of folks about these sorts of reviews as February compliance dates are upon us for some of the changes outlined above ... Nobody wants to be remembered as the Son of HIPAA test case.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HIPAA HITECH and Willful Neglect

Thu, 14 Jan 2010 18:34:38 GMT

Noun 1. willful neglect - a tendency to be negligent and uncaring; "he inherited his delinquency from his father"; "his derelictions were not really intended as crimes"; "his adolescent protest consisted of willful neglect of all his responsibilities"
dereliction, delinquency
neglectfulness, negligence, neglect - the trait of neglecting responsibilities and lacking concern

Neglecting responsibilities and lacking concern my sound a little fuzzy but when the auditor is asking you to explain what actions you took to prevent a breach of PHI it will come into sharper focus.

Be sure and read the article in the upcoming issue of Compliance Today entitled "Business associate security and privacy programs: HIPAA/HITECH requirements". Rebecca Herold a renowned privacy and security expert states that covered entities must have an active program of informing their business associates of their responsibilities and assuring their compliance.

This is why she has partnered with Compliance Helper to develop the Compliance Meter(tm) to help business associates get compliant, stay compliant, and prove compliance.

HIMSS Survey HIPAA HITECH

Mon, 11 Jan 2010 18:05:00 GMT

The HIMSS Survey is fascinating and scary when you consider that the deadline is February 17, 2010. I am particularly interested in the relationship between covered entities (CE) and business associates (BA) Here is a quote from the survey:

Respondents indicated that the HITECH Act’s expanded requirements for business associates whereby business associates are now directly covered by the HIPAA security rule and some parts of the HIPAA privacy rule, will cause them to take additional steps to protect patient data. Most provider organizations are being proactive in terms of ensuring that the data held by a business associate is not being breached.
About 85 percent of respondents working at a provider organization indicated that they will take some action to ensure that the data held by a business associate is not being breached. Slightly more than half of respondents (57 percent) indicated that their organization will renegotiate their business associate agreements. Another half (49 percent) indicated that they will monitor their business associate’s performance/security posture, while 47 percent indicated that they will terminate business contracts for violations.
Renegotiation of the business associate contract will be more likely among large hospitals than among small hospitals. See below for the percent of each hospital group reporting a “yes” answer to this question.
•
Under 100 beds – 48 percent
•
100 to 299 beds – 61 percent
•
300 or more beds – 81 percent
Business associates were asked to identify the steps that the healthcare organizations they work with were taking to ensure that data held by a business associate is not at risk of a breach. While only four percent said that they didn’t believe that healthcare organizations were taking any steps, a full 39 percent indicated that they did not know what steps these organizations were taking. These respondents were most likely (35 percent) to believe that the healthcare organizations they work with will monitor the performance and security posture of their business associates. Another quarter indicated that their provider clients will renegotiate their business associate agreement. Only eight percent indicated that they believe their provider clients will terminate their business associate agreement.

Clearly there is a major disconnect at this point. We feel that the Compliance Meter ^(tm) is the solution since it provides both sides with an accurate measurement of real time compliance.

HIPAA HITECH Breach Notification

Sun, 10 Jan 2010 18:06:25 GMT

Our business is to help you prevent breaches and to give you the data to prove your efforts. Despite this, a breach might occur.

I recently met with a privacy and security consultant and a representative of one of the top breach notification companies and we concluded that the wise organization subscribed to all three of our services. The consultant to do risk analysis to pinpoint areas that need improvemen, Compliance Helper to help them get compliant, stay compliant, and prove compliance with the Compliance Meter(tm), and the breach notification service as an insurance policy in case a breach occurs. HHS has made it clear that if their audit reveals that an organization has actively striven to protect their PHI the penalties will be much less than if an organization is guilty of "willful neglect"

“Breaches on average cost an organization $4.1 million or $197 per record breached.”
-- Source: Javelin Research
“Data Breach Defense 2009”
January 2009

Engaging the consultant, Compliance Helper, and the breach notification company, and utilizing their tools is the ounce of prevention needed to prevent an expensive cure.

Rebecca Herold Amoung Top 5 Privacy Writers on HIPAA HITECH

Sat, 09 Jan 2010 17:35:22 GMT

Rebecca Herold is our HIPAA HITECH privacy and security expert here at Compliance Helper and we are proud to announce that one of her articles was chosen by the Cutter Consortium as one of the top 5 intriguing risk articles of 2009

"Top 5 Intriguing Risk Articles of 2009
by Karen Coburn, President & CEO, Cutter Consortium
This week, we're taking a look back at the five most intriguing articles published in Cutter's Enterprise Risk Management & Governance practice over this past year."

2. Avoiding Common Mistakes in Information Security and Privacy Training and Awareness Programs by Rebecca Herold
In this article, I describe the 14 mistakes organizations consistently make that render training and awareness programs ineffective and often even detrimental to information security and privacy efforts. This is Part II of a three-part series on information security and privacy training.

We will be making this article available on our website under the Resources tab.

HIPAA HITECH Compliance and Blind Men

Sat, 02 Jan 2010 21:33:33 GMT

There is an old folk story about seven blind men describing an elephant. The first has the elephant's trunk in his hands and says an elephant is flexible, strong, and about 6 inches in diameter, the next blind man has the elephant's tail and he says an elephant is stringy, leathery and about 2 inches in diameter, and so forth with the rest of the blind men.

I have been spending a lot of time on the Internet reading different descriptions of HIPAA and the HITECH Act and like the blind men the viewpoint depends on their touchpoint.

One group says that it is all about the business associate agreement and each BA should amend their own agreement, while another says oh no the covered entity should write a new BA agreement for all their BA. A third group says that the agreement is inherent in the HITECH Act so nothing needs to be written. One group says the CE needs to establish standards for their BA and enforce them, while another voice says that will make you more respinsible for them. IT folks talk about encryption. Practice management software companies talk about "meaningful use". One whole article was about "whistle blowers", but perhaps the most dangerous advice I read was "don't lose sleep over the new HITECH Act it is just like HIPAA and how hard was that?"

Finally HHS has published yet another "Interim Final Rule" which triggers a new round of interpretation. No wonder covered entities and especially business associates are confused.

A few things we know for sure from the HITECH Act: Business associates must meet the same standards as covered entities, breach notification is a serious new responsibility shared by covered entities and business associates.

So my advice is take care of your own house first, by making sure that you meet the standards. Then look to your BA and CE partners to figure out how you can work together to reduce your overall risk.