Virtual Seminar on HIPAA Training for Compliance Officer

This 6-hour seminar will be addressing how practice/business managers (or compliance offers) need to get their HIPAA house in order before the imminent audits occur. It will also address major changes under the Omnibus Rule and any other applicable updates for 2018.

Areas also covered will be texting, email, encryption, medical messaging, voice data and risk factors as they relate to IT.

The primary goal is to ensure everyone is well educated on what is myth and what is reality with this law, there is so much misleading information regarding the do’s and don’ts with HIPAA -I want to add clarity for compliance officers and what you guys need to do and how to best implement your HIPAA program based on over 18 years of personal experience working with Federal auditors, state auditors, and corporate auditors.

We will go through multiple scenarios that are commonly faced by compliance officers and how to manage these situations

I will also speak to real life litigated cases I have worked where HIPAA is being used to justify state cases of negligence -THIS IS BECOMING A HUGE RISK!

In addition, this course will cover the highest risk factors for being sued as well as being audited (these two items tend to go hand in hand).

Why you should attend

Join me in this in depth 6-hour seminar where we will get into the nitty-gritty about the roles and responsibilities of a HIPAA Compliance Officer.

Do you have an affective HIPAA compliance program? Do you know what needs to be done to satisfy the requirements?

New laws, funding, and enforcement mean increased risk for both business associates and covered entities – 2017 was a record year for enforcement and fines – 2018 will be no different.

HIPAA Omnibus – Do you know what’s involved and what you need to do?

What does Omnibus mean for covered entities and business associates?

Why should you be concerned?

Court cases that are changing the landscape of HIPAA and patient’s ability to sue!

TRIAL ATTORNEYS ARE MORE DANGEROUS THAN THE FEDERAL GOVERNMENT!!

It is important to understand the new changes going on at Health and Human Services as it relates to enforcement of HIPAA for both covered entities and business associates. You need to know how to avoid being low hanging fruit in terms of audit risk as well as being sued by individuals who have had their PHI wrongfully discloses due to bad IT or internal administrative practices.

Who Will Benefit

  • Practice Managers
  • Any Business Associates who work with medical practices or hospitals (i.e. billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc)
  • MD’s and other medical Professionals

Agenda

  • Updates for 2019
  • Requirements of Compliance Officers
  • New definition of what constitutes protected health information
  • Real life litigated cases
  • BYOD
  • Portable Devices
  • Business associates and the increased burden
  • Emailing of PHI
  • Texting of PHI
  • Federal Audit Process
  • HIPAA and suing – how this works
  • Risk Assessment
  • Ransomware and how to avoid
  • What to do when a breach occurs
  • Best Resources

Speaker Profile

Brian L Tuttle, CPHIT, CHP, CBRA, Net+, A+, CCNA, MCP is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting. Mr. Tuttle has worked all of those 15 years with MAG Mutual Healthcare Solutions and is now Senior Compliance Consultant and IT Manager with InGauge Healthcare Solutions (previously named MAG Mutual Healthcare Solutions). Almost all of Brian’s clients are earned by referral with little or no advertising. Brian is well known and highly regarded in medical circles throughout the United States .

Click Here to Continue Reading

How Covered Entities and Business Associates Can Comply Calmly, Confidently and Completely with the HIPAA Rules

HIpaa Blog wpress

Any business organization that is involved in creating, receiving, transmitting and maintaining Protected Health Information (PHI) has to comply with the requirements set out in Health Insurance Portability and Accountability Act (HIPAA). Such businesses, called Business Associates, since they carry out these functions on behalf of what are called Covered Entities; are legally obliged to show compliance with the provisions of HIPAA, whose main aim is to protect the privacy and confidentiality of patient information.

So, any Business Associate has to know how to comply with the provisions of HIPAA. Considering that the provisions of HIPAA have undergone major changes from the time of its enactment in 1996 up until 2013; Business Associates often find that showing compliance with the provisions of this legislation is complex. But failing to do so attracts hefty fines and penalties.

Understanding HIPAA provisions is the key to implementation

Although HIPAA implementation appears somewhat intimidating at first glance, in reality, it is not so. It can be implemented with ease and felicity in a manner that meets all the regulatory requirements. How? By breaking down the requirements into separate parts. The ways of taking this very sensible and commonsensical approach to HIPAA implementation by Business Associates and their Covered Entities, will be the subject of a very useful two-day seminar that is being organized by GlobalCompliancePanel, a highly reputed provider of professional trainings in the areas of regulatory compliance.

Overcoming HIPAA Compliance Challenges 

HIPAA Compliance

Taking the right steps to HIPAA implementation

He will, for instance, highlight the role of the social media and how to use the electronic media for staying updated and thus reducing the crucial element of time. He will also highlight the importance of managing risks in HIPAA compliance. This is all the more critical, considering that the Office of Civil Rights (OCR) has found that a shockingly high 94% of Covered Entities failed the Risk Management audit and about 87% failed the Risk Analysis audit. This was despite the fact that every Covered Entity knew well in advance of the upcoming audit, and had filled up a pre-audit questionnaire, which gave them a clear idea of what was to come in terms of the questions that HIPAA inspectors would be asking them, and what documentation were needed from them.

The central aim of this learning session is to help participants understand how Business Associates and Covered Entities can take simple and easy steps to stay compliant, so that they don’t have problems in meeting HIPAA requirements for compliance.

Learning at this highly valuable Areas:

  • Thorough Understanding of HIPAA Rules
  • What they are
  • How they work together
  • Why and How they were made
  • How they are changing and what to expect next
  • HIPAA Risk Analysis – Risk Management for Your Organization
  • A Practical Guided Exercise done in class on your computer to take home
  • Privacy and Security Rules – Permitted and Required Uses and Disclosures
  • What information must be protected
  • Administrative, Technical and Physical Safeguards
  • Social Media, Texting and Emailing Patients
  • The inter-connected, inter-dependent relationship of Covered Entities and Business Associates
  • What is, and what is not a Reportable Breach of Unsecured PHI

http://www.fertilitybridge.com/blog/hipaaandsocialmediawithpaulhales

 

How to Develop, Review, and Amend HIPAA Policy and Procedure

Imparting a full understanding of the HIPAA requirements, which will help entities safeguard PHI in a manner that meets the regulatory requirements, is the intent of a seminar from GlobalCompliancePanel, a globally trusted provider of professional trainings for all the areas of regulatory compliance. President and Founder of Colington Security Consulting, LLC, Jay Hodes, will be the Director of this two-day, in person seminar.

Two hallmarks of being in compliance with HIPAA are:

  • Ensuring that the healthcare practice provides the appropriate patient rights and controls on the patient’s uses and disclosures of Protected Health Information
  • Having the proper policies and procedures in place.

healthcare practices4

So, it follows that showing to the government that it not only has the ability to demonstrate how it is addressing all of the required security safeguards; but that it also has the documentation necessary for safeguarding patient PHI is required from any organization that is being audited or is the subject of a compliance review.

Grasp of the fundamentals is important and necessary

A healthcare practice, business or organization needs to have a sound understanding of HIPAA compliance requirements needed for protecting PHI. Full and comprehensive grasp of the fundamentals of HIPAA compliance requirements is necessary for an entity to ensure that whatever safeguards it has put in place can withstand government scrutiny.

safeguarding patient PHI

This knowledge is needed to implement the provisions of HIPAA. This apart, another important reason for which healthcare practices, businesses or organizations have to develop the right knowledge of the HIPAA requirements is to avoid data breaches. The appreciable rise in the number of recent HIPAA data breaches necessitates a proper understanding of HIPAA compliance requirements, which will help entities understand which of the requirements of HIPAA they need to meet if they have to safeguard PHI.

An understanding of how to show compliance with HIPAA requirements

Imparting a full understanding of the HIPAA requirements, which will help entities safeguard PHI in a manner that meets the regulatory requirements, is the intent of a seminar from GlobalCompliancePanel, a globally trusted provider of professional trainings for all the areas of regulatory compliance. President and Founder of Colington Security Consulting, LLC, Jay Hodes, will be the Director of this two-day, in person seminar.

Healthcare Providers1

Jay is being organized with the intention of giving professionals at various levels in the regulated industries, who have to implement HIPAA regulations a perceptive and thorough understanding of all aspects of HIPAA compliance. These professionals include Compliance Officers, HIPAA Privacy Officers, HIPAA Security Officers, Medical/Dental Office Managers, Practice Managers, Information Systems Managers, Chief Information Officers, General Counsel/lawyers, Practice Management Consultants, and any Business Associates that access Protected Health Information, IT Companies that support Medical/Dental practices or other healthcare organizations.

Jay will add spice to this rather mundane topic by breaking down the complexities of HIPAA compliance requirements in a lucid manner. The aim is to impart knowledge of all the requirements needed for a comprehensive HIPAA compliance program and the steps they need to take in order to mitigate risk, in a fun manner.

Healthcare Regulatory Compliance

 

8 Tough Questions Every CISO Should Be Ready to Answer

8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where CISO sits, this can be a hairy topic. That can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know not know where our protected health Information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it and it came out to be an about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-questions-every-ciso-should-be-ready-to-answer-a-10357

What should Entities do to avoid HIPAA fines and penalties?

What should Entities do to avoid HIPAA fines and penalties.jpg

A look at the nature and numbers of HIPAA breaches over just the couple of years makes stark reading: On the one hand, in terms of numbers; 2016, with about 16 million records breached was a pretty good year compared to the previous year, in which about seven times that number, more than 113 million, were breached. But the bad news is that 2016 saw more Covered Entities reporting breaches than in any other year since the Office of Civil Rights (OCR) started publishing its data on healthcare record breaches.

These huge numbers show that not only is there a big demand for these records in the black market -they are in greater demand than even social security and credit cards -Covered Entities and Business Associates need to all that it takes to avoid HIPAA fines and penalties.

What should Entities do to avoid HIPAA fines and penalties4

The federal government has not been lax on this aspect. It is being extremely vigilant about protecting healthcare records. It has been consistently urging the HHS to take a serious view of the increased incidence of cyberattacks that has resulted in medical records theft and has suggested many measures towards ensuring this. The fact that there has been a steady increase in the global spending on cybersecurity-related hardware, software, and services and could reach $100 billion in 2020, according to estimates by the International Data Corporation (IDC), suggests the seriousness with which this issue is being viewed not just in the US, but all over the world.

One of the primary requirements that Business Associates need to comply with is adherence to HIPAA mandates regarding the handling and use of health information. This is spelt out in the HITECH Act, a recent update made to overall HIPAA regulations. It is mandatory for a Business Associate to comply with a wide range of regulatory obligations, which include certain privacy obligations, security standards, and breach notification requirements.

What should Entities do to avoid HIPAA fines and penalties2

However, there is a lot of confusion and misunderstanding among Business Associates about their roles and requirements. They must be completely knowledgeable about all the aspects of their roles, functions and requirements before they enter into agreements of contracts with subcontractors and vendors for their services

Learning about ways of avoiding HIPAA fines and penalties

Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be providing thorough understanding of the roles and requirements of a Business Associate and Covered Entities in HIPAA enforcement at a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Please visit What should Entities do to avoid HIPAA fines and penalties? to get complete clarity of the ways of avoiding HIPAA fines and penalties.

Clarity on how to avoid HIPAA fines and penalties

What should Entities do to avoid HIPAA fines and penalties1

The aim of this learning session is to help businesses understand what it means to be a Business Associate and know what required safeguards, policies and procedures must be in place or make sure that their current compliance program is adequate and can withstand government scrutiny.

Jay will highlight the importance of being compliant with the HIPAA requirements for an organization if it has to avoid HIPAA fines and penalties. The ways by which a Business Associate or Covered Entity can provide the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI) and what all it has to have in place for doing so, will all be explained.

He will cover the following areas at this session:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What are the HIPAA Security and Privacy Rules?
  • What are the Consequences of being a Business Associate
  • What is a HIPAA Compliance Program for a Business Associate?
  • What is a HIPAA Risk Management Plan?
  • What is a HIPAA Risk Assessment?
  • What is the Role of the HIPAA Security Official?
  • What are HIPAA training requirements?
  • What is a HIPAA data breach and what happens if it occurs?
  • What are the penalties and fines for non-compliance and how to avoid them
  • Case Examples of HIPAA Data Breaches
  • Creating a Culture of Compliance
  • Q&A.