HIPAA Survival Guide® Newsletter June, 2018: Issue 102
Your HIPAA Compliance Companion
HIPAA Survival Guide® Webinar
The semantics that underpin NIST's Risk Assessment Equation
The webinar will break down the various components of the Risk Equation so that stakeholders understand how the equation can be used across compliance regimes!
Date and Time, including Time Zone
June 21, 2018 2:00 pm EST
Selecting a Compliance Vendor:
Why 360 Degree Support Matters
In today's world of evolving regulatory matters, we often find ourselves buried under the weight of regulatory compliance initiatives. If compliance isn't the primary purpose of your workday, then it really becomes a burden of significant magnitude.
First, one must learn what the regulations are saying, which often is accomplished by reading the regulations over and over, ultimately giving up and asking a competent lawyer/consultant. I've heard the saying that although the law looks like English, and it sounds like English, it's NOT English. I can't help but wonder if they (the lawyers) planned it that way to warrant their existence.
In addition, as healthcare, commerce, digital technology and other disruptions enter the global marketplace, the interaction between various laws increases. This interplay may significantly impact the Compliance Officer's ability to manage and track compliance for their organizations. For example, Electronic Health Records (EHRs) dramatically changed the landscape for healthcare professionals, not only in how they provide care to patients but also in how that care is documented.
Taken a step further, analytics and big data turned this data into an opportunity for scrutiny as the digital analytics era ensued. In addition, EHRs impacted litigation and the preservation of data. Records Management has been around for hundreds of years, but its visibility grew significantly with the advent of electronically stored information, which in turn drove changes to Federal regulations regarding how electronic documentation is handled during the legal discovery process.
In the HIPAA world, regulations tell us WHAT is required, but HOW we comply is left out of the explanation. Why? Perhaps if they told us how to do it, and we followed the instructions and encountered a problem, then government wouldn't have an opportunity for enforcement. They did, after all, tell us what and how to comply. In healthcare we start with a HIPAA Risk Assessment and move on to identify those Risks that require remediation. Risk Management achieves these two purposes: 1) identify areas of operational and financial risk to a facility, patients, visitors and employees, and 2) implement measures and remediation to lessen unavoidable risks and losses, as well as to prevent recurrence.[i]
HIPAA is unclear, at best, not only about what is required but also about how to comply with the rules in a rigorous, competent manner. Fortunately, we provide model documents with the HOW written in real English by a legal subject matter expert! We provide not only the source of the regulations, but also a short description, a sample policy, controls/processes for compliance, a method for tracking compliance, and more.
Is this enough? Not quite.
Prepare for the next Regulatory Regime!
Do you mean there are other Compliance Regimes with additional regulations looming? If one Compliance Regime is difficult to understand and manage, imagine the difficulty of complying with, and adequately addressing the regulatory challenges of, more than one set of regulations concurrently. How many other regimes are being "marked-up" as we speak to deal with the security breaches and invasions of our privacy that seem to occur on the battlefields of our daily lives? How should organizations prepare to address, understand, establish controls for, and comply with a regulatory environment that is almost certainly going to become more complex, despite all the promises of deregulation?
The European Union ("EU") implemented the General Data Protection Regulation ("GDPR"), effective May 25, 2018, to regulate the protection of Personal Data. GDPR could prove transformative as the first Global Privacy and Security Regulation. Like HIPAA, the Payment Card Industry Data Security Standard ("PCI DSS") has been around for a while. PCI DSS provides standards for organizations that process major credit cards. The Gramm-Leach-Bliley Act (GLB) requires financial institutions to explain their information-sharing practices to customers. In addition, the Sarbanes-Oxley Act (SOX) mandates strict financial reforms to protect investors from fraud. These are prominent regimes that are alive and well today. What we don't know is how the House and Senate will respond to continuing instances analogous to the recent Facebook debacle.
THE COMPLIANCE STACK™ is one way to concurrently address more than one compliance regime and to handle the accompanying explosion of regulations. Let's take a deeper look.
INFORMATION GOVERNANCE STACK™
A stack within a stack? There are many reasons to establish Information Governance policy across and within industries. In healthcare, the need to ensure the integrity of personal health information is not only a factor in HIPAA compliance; health information also faces the unique challenges of controlling cost and improving care for the patients served. The goals of the well-known "Triple Aim" rely on information governance for improving the patient's experience of care, improving the health of populations, and reducing the per capita costs of health care.[ii]
With the advent of digitization, storage of electronic data has become an effective method for Records Management and Data Retention. However, one of the most difficult questions to answer is what types of data should be retained and for how long. In healthcare, accurate and timely documentation is essential to the provision of medical care. The Legal Health Record is used for guidance in health-care settings that may be paper-based, electronic or a hybrid. Legal liability issues for patient data include "proof of quality" of patient care and "liability related to unauthorized access and handling of patient information."[iii] Do you see hints of HIPAA Privacy and Security?
In the financial industry, organizations must recognize the important connection between data and records management policies in order to prevent corruption, fraud and maladministration of financial data.[iv]
When a lawsuit seeks discovery of information, it is known as eDiscovery (at least to the extent that electronic documents are sought). The Federal Rules of Civil Procedure ("FRCP") govern all forms of eDiscovery, which potentially reaches all information that is stored electronically, including business and/or patient records.[v]
eDiscovery is a method of obtaining facts for a legal matter. So the processes used to manage and retain data are essential not only for business and healthcare but also for potential eDiscovery.
POLICIES AND PROCESSES
Given the different Compliance Regimes and their specific needs, the policies and processes for each aspect of a given compliance regime will be unique and tied to its specific requirements. For example, healthcare policy regarding data retention may differ significantly from what is required for SOX or PCI DSS. Here is where your creativity and knowledge are required: to establish policies for a specific regime and to leverage those policies, albeit modified, across regimes where appropriate. We provide model policies, procedures and tracking mechanisms for HIPAA, but they must be reviewed and may (and usually do) require modification to meet the needs of your organization. Each organization has its own definition of what is considered "Reasonable and Appropriate."
SECURITY CONTROLS: Do you understand the hazards of Health IT?
One of the biggest issues facing organizations today is how they can defend themselves from human error and potential cyber attacks.[vi] Establishing effective Security Controls to address and defend against unauthorized disclosure of, and cyber attacks on, protected data is paramount, regardless of regime.
New and innovative technologies are being introduced at a rapid pace - a "disruptive innovation cycle." Authors such as Clayton Christensen, whose book The Innovator's Prescription describes A Disruptive Solution for Health Care, and Stephen Schimpff, who wrote an article for the Harvard Business Journal entitled Disruptive Changes Are Coming to the Delivery of Medical Care, have charted this trend. Consider eHealth among the first examples of disruptive change in healthcare. These disruptions, and others, will require innovative security controls if they are to survive in the marketplace.
Effective Security Controls extend far beyond the protection of computers themselves. An effective program includes both technical and human controls: avoiding loss of data, preventing avoidable activities whether accidental or intentional, preventing unauthorized access, deterring loss, recovering after a loss has occurred, and correcting system weaknesses so that the incident does not happen again.[vii] So cyber attacks are just one of the concerns that controls should address; security controls reach far beyond isolated protection and vulnerability incidents.
Many of the regulations we now face in the modern world had their beginning as ethics and values of society. As requirements became more sophisticated, these values and demands became laws. For healthcare, legal and ethical issues initially focused on patient record requirements, confidentiality, informed consent, and access. With HIPAA, the circle widened to encompass Risk Management and Remediation, and requirements for management of records containing Protected Health Information ("PHI").
The complexity of regulatory compliance, regardless of the regime, requires an investment of time to understand and implement policies, processes, and security controls. Yet they offer no revenue in return for the organization's investment; instead they "offer" civil monetary penalties for non-compliance. We must, as Napoleon Bonaparte once said, "Respect the Burden."
Organizations should look beyond tactical solutions when searching for a compliance vendor. Compliance is not a "once and done" activity; it is an ongoing responsibility to monitor and adapt to changes not only in the workplace but also in the regulations. Organizations are better served by identifying long-term partnering opportunities with vendors that continue to innovate not only technically but, more importantly, provide the thought leadership and assistance that will help you navigate the white-water rapids lurking over the horizon.
[i] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[ii] Berwick, Donald M., Thomas W. Nolan, and John Whittington. "The Triple Aim: Care, Health, And Cost." Health Affairs 27, no. 3 (May/June 2008). Accessed May 30, 2018. https://doi.org/10.1377/hlthaff.27.3.759.
[iii] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[iv] Palmer, Marlize. "Records Management and Accountability versus Corruption, Fraud and Maladministration." Records Management Journal 10, no. 2 (2000): 61-72. https://doi.org/10.1108/EUM0000000007256.
[v] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[vi] Fielder, Andrew, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin, and Fabrizio Smeraldi. "Decision Support Approaches for Cyber Security Investment." Decision Support Systems 86 (June 2016): 13-23. Accessed May 31, 2018. https://doi.org/10.1016/j.dss.2016.02.012.
[vii] Wright, Marie A. "Protecting Information: Effective Security Controls." Review of Business 16, no. 2: 24.
HOW TO COMPLY WITH HIPAA?
At 3Lions Publishing, Inc. our mission is to provide clients with:
- Premium Compliance Products,
- Free Monthly Webinars,
- Newsletter Articles on HIPAA and regulatory topics, as well as
- "High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
Unlike many of our competitors, we do NOT charge extra for compliance support; the cost of your LIVE assistance is included in your Subscription purchase.
A full 360 degree circle of Risk Assessment and Remediation products is provided in 3Lions Publishing Inc.'s
The Subscription Plan includes Expresso®, the Risk Assessment "SaaS" based software, over 30 compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the Controls necessary to comply with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan we also provide certification for clients seeking designation as HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
NEW FEATURES FOR 2018
We are complementing Expresso with access to:
1) A fully encrypted web-based Compliance Repository and
2) Direct Access to HIPAA Survival Guide Products for Subscription clients.
Your web-based repository will enable you to upload and save your final Visible Demonstrable Evidence of Compliance ("VDE") to secure and encrypted folders. Direct access to HIPAA Survival Guide Products makes it easy for Subscription Customers to get products and compliance information at a single site.
In addition, with the recent European Union (EU) enforcement of the General Data Protection Regulation ("GDPR"), effective May 25, 2018, we are focused on providing a GDPR Personal Data Assessment within Expresso along with compliance tools. We have already made several GDPR policies and training videos available for purchase on the HIPAA Survival Guide Store. If you intend to conduct business with EU users, customers or businesses, you will need to learn how to conform with these requirements.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!
Questions? Please call or write using the contact information below.
Take advantage of our new Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide® Subscription Plan With Expresso®.