Happy New Year
HIPAA Survival Guide January 2017 Newsletter
We have educated thousands of stakeholders on the HIPAA Rules through our monthly webinars and newsletters over the past seven years, and we intend to educate many thousands more in the years to come. During that time our own understanding of the Rules has also increased dramatically through our interaction with the marketplace. Through this collaborative effort a great many insights have been added to the HIPAA lexicon. These insights and lessons learned apply not only to HIPAA but to any compliance regime you can think of. The Manifesto provided below should therefore have wide applicability across industries and subject-matter domains.
Going forward we anticipate the need for many more compliance professionals across a wide array of disciplines. This remains true despite the incoming administration's desire to reduce regulations. Regulations are how we apply normative principles to the intractable problems we confront (e.g. on Wall Street, in the environment, in healthcare, the law, government, etc.). It is not a question of having more or fewer regulations but rather smarter and more just regulations. Show me a nation that does not self-regulate and I will show you a nation where anarchy prevails.
It should go without saying that people of good conscience everywhere do not want to leave a world ruled by anarchy to their children and grandchildren. The little anarchy that we have experienced in the past fifty years pales in comparison to what may ensue if we do not find a way to regulate the unsustainable paths on which we are now embarked.
A Compliance Manifesto
- Compliance always exists along a continuum where full compliance is often nothing more than an aspirational goal.
- Compliance is a journey and not a destination, which implies the creation of a culture in which compliance is something you do as part of your organization's mission and not as a necessary evil.
- Compliance is not an abstraction but rather is always manifested at the granularity level of a requirement.
- For each requirement you need three things in order to produce visible, demonstrable evidence of compliance: (1) policies; (2) processes that underpin your policies; and (3) the ability to track process results.
- Agile is the only compliance methodology that matters; all others are anachronisms that belong in the dustbin of history because they are woefully inadequate for a rapidly changing complex world.
- Every compliance regime is a wicked problem that contains an order of magnitude more organizational complexity than technical complexity; however, the latter is ever present and almost always non-trivial.
- The only way to improve an organization's compliance narrative is to improve its ability to produce visible, demonstrable, evidence of compliance over time, at the granularity level of a requirement.
- Checklists that provide suggested policies, processes, and tracking mechanisms at the granularity level of a requirement prove invaluable because compliance regimes are (almost always) descriptive and not prescriptive (i.e. requirements inform you as to what should be done but not how to do it).
- Analytical frameworks and modeling (often one and the same thing) are proven educational transfer vehicles when deciphering the meaning and/or intent of a requirement.
- Scorecards based on specific requirements are the only way to measure progress of your compliance initiative (i.e. by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).
HIPAA Survival Guide New Product Release
Do you need a Contingency Framework?
The HIPAA Security Rule requires that your organization comply with its Contingency Standard (i.e. "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."). The standard has five implementation specifications:
1. Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
2. Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
3. Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
4. Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
5. Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Note that "Addressable" does not mean optional: under the Security Rule you must implement an addressable specification if doing so is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where reasonable and appropriate.
Our Contingency Framework ("Framework") offers guidance for complying with this standard. With the Framework you will be able to determine what you need to do to satisfy these five implementation specifications ("Controls"). In addition, you are provided templates that help you mitigate the risks posed by the absence of these Controls.
These Controls are now generally referred to collectively as "Business Continuity." Business Continuity is a very complex topic; however, as with other wicked problems, the most important thing any organization can do is to fail forward fast: put a foundational solution in place and then refine it over time as specific requirements manifest.
*Currently Available to HIPAA Survival Guide Subscription Plan Holders
HIPAA Help Answers
- HIPAA Requirements for the Privacy Rule, including Policies and Procedures
- HIPAA Requirements for the Security Rule, including Policies and Procedures
- What is Expresso® "The Risk Assessment Express"?
The HIPAA Survival Guide Subscription Plan
Expresso® Now Includes The Risk Assessment Express
Expresso® is easy-to-use Risk Assessment software that lets you identify security objects, risks, threats and vulnerabilities, define impacts and assign controls at a glance, and complete a baseline Risk Assessment in 3 hours or less.
Our "Quick Start Guide" gets you up and running to complete your first Risk Assessment in 3 hours or less. Expresso® comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to complete a baseline Risk Assessment.
- Perform a baseline Risk Assessment in a matter of hours
- Bulk import Security Objects (people, places, assets, processes and other things that Security Controls are applied to)
- Track the results of the Controls applied
- Retain instances of past Risk Assessments for reporting purposes
Expresso® will allow you to do all of the above, and much more. In addition, the HIPAA Survival Guide Subscription Plan includes Policies and Procedures customizable to your organization.
Included in the HIPAA Survival Guide Subscription Plan:
- HIPAA Compliance Products
- HIPAA Training Products
Give your organization's compliance initiative the boost it needs to survive an HHS audit with the HIPAA Survival Guide Subscription Plan with Expresso®.
Protect your practice and your business.