HIPAA HITECH Compliance Blog Archive

Automated Quarterly Risk Assessments

In the Jumpstart program, editing, adopting, and implementing NIST-aligned policies feeds directly into an automated quarterly NIST CSF risk assessment.

Continue reading…

Why HITRUST CSF needs NIST CSF

Why do you need the NIST CSF even if you already have the HITRUST CSF? Management and the board of directors may require NIST CSF reporting, since it is the framework most boards, regulators, and business partners recognize.

Continue reading…

Simple HIPAA Checklist

The simplest HIPAA checklist is a quarterly NIST CSF risk assessment. It shows that you have edited and implemented NIST-aligned policies, documented staff training, and updated your NIST CSF risk assessment.

Continue reading…

NIST Policies

Trying to do a certified NIST risk assessment from HIPAA policies written in the past is like translating hieroglyphics into English. The pathway to a Certified NIST Risk Assessment is having NIST policies in place. A NIST policy is one written to address a specific subcategory (outcome) of the NIST Cybersecurity Framework (CSF), so every policy can be traced to the control it supports.

Continue reading…

Certified NIST Risk Assessment for HIPAA compliance

A certified NIST risk assessment is your best proof of HIPAA compliance. Jumpstart delivers a quarterly certified NIST risk assessment. Note that NIST itself does not certify organizations or assessments against the CSF; the certification here is the program's own attestation that the assessment was performed against the framework.

Continue reading…

What is a NIST CSF and why should I care?

The NIST CSF is the National Institute of Standards and Technology Cybersecurity Framework. There is no official "HIPAA certification", but a risk assessment against the CSF is the closest equivalent. By meeting its standards, including periodic risk assessments, you can provide proof that you are doing what is needed to protect PHI.

Continue reading…

HIPAA Certificate:NIST CSF Risk Assessment

A risk assessment on the NIST Cybersecurity Framework (CSF) is your "certification" of HIPAA compliance. It demonstrates the status of your security and privacy programs to others such as regulators, customers, partners, and shareholders.

Continue reading…

NIST CSF Risk Assessment Cycle

The NIST Framework works best when linked with NIST policies and a cycle of reviewing and updating those policies to match changes in the organization. We call this the Cycle of Compliance.

Continue reading…

Your HIPAA Policies are Out of Date

HIPAA policies need to be built on a cybersecurity framework (CSF) to be defensible. Old policies written by consultants, lawyers, or in-house IT, or bought off the internet, do not map to the CSF and cannot be traced to specific controls.

Continue reading…

Lack of Risk Assessments Could Cost $729 Million

An audit found millions paid inappropriately because of a lack of risk assessments. Under the HITECH Act meaningful use incentive program, conducting a security risk assessment of protected health information "created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities" is a core requirement.

Continue reading…

Ransomware Attack is a HIPAA Breach

A ransomware attack can trigger a series of bad events leading to a huge HIPAA fine. Under HHS guidance, ransomware that encrypts ePHI is presumed to be a breach unless you can show a low probability that the PHI was compromised. The slippery slope: the ransomware attack is a HIPAA breach, which when reported triggers an audit, which discovers the lack of an up-to-date risk assessment, which leads to a fine for willful neglect.

Continue reading…

No HIPAA Risk Assessment? $400,000 Fine

Metro Community Provider Network received a $400,000 fine and a corrective action plan for failing to do a risk assessment before a phishing incident that exposed the records of 3,200 individuals held in employee email accounts. Doing the risk assessment a month after the breach didn't help.

Continue reading…

The HIPAAssure® NIST Framework vs HITRUST

Compliance Helper offers the NIST framework at a fraction of the cost of HITRUST. Assure compliance with HIPAAssure®, built on the NIST framework, delivered as SaaS, and using the Helper methodology to reduce cost.

Continue reading…

HIPAA Risk Assessment: Get Out Of Jail Free Card

An up-to-date HIPAA risk assessment is the single best proof of HIPAA compliance and can prevent huge fines. No matter what else you have done, if you don't have a documented risk assessment that follows NIST guidance and is current (updated at least annually), you are probably in willful neglect.

Continue reading…

HIPAA Willful Neglect Can Cause Bankruptcy

Willful Neglect of HIPAA compliance has caused companies to go bankrupt.  How would you handle a six figure penalty from OCR?

Continue reading…

OCR Steps Up Investigation of Smaller HIPAA Breaches

“We’re doing more investigations of smaller breaches … I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” reiterated Deven McGraw, Esq., OCR deputy director of health information privacy, at the 88th annual American Health Information Management Association (AHIMA) conference held October 16-19 in Baltimore, MD.

Continue reading…

Risk Assessment Critical for MACRA

An up-to-date risk assessment is a key element of your MIPS Composite Performance Score. MACRA, which passed Congress with bipartisan support, uses the MIPS score to determine Medicare reimbursement for practices.

Continue reading…

Quarterly Risk Assessments Might Have Saved St. Joseph's $10 Million

Leaving 31,800 patient records open and accessible on the Internet cost St. Joseph's Hospital a $7.5 million settlement of a class action suit and a $2.145 million fine from OCR. Quarterly risk assessments might have revealed the exposure sooner or prevented it from happening at all.

Continue reading…

Got PHI in The Cloud?: Get HIPAA Compliant!

HHS issued new guidance for covered entities and business associates who use cloud computing to create, maintain, store, transfer, or process PHI. In a nutshell, every entity in the chain must be HIPAA compliant, and a cloud provider is a business associate even if it only holds encrypted data and never has the key.

Continue reading…

Outdated BA Agreements: $400,000 Fine

Old business associate agreements cost Care New England Health System of Providence, Rhode Island, a $400,000 fine. Business associate agreements need to be updated to reflect current law, and you need to obtain "satisfactory assurances" that each business associate is compliant.

Continue reading…