HIPAA Survival Guide® Newsletter November 2018: Issue 107
Your HIPAA Compliance Companion
HIPAA Survival Guide® Webinar
Title: Compliance Repository: A Single Version of the Truth!
Description: Storing your Visible Demonstrable Evidence
- EXPRESSO RELEASE 2.0 (in beta testing now!)
- Security Rule Training Pro
A Recommended Approach for your Compliance Repository
HIPAA regulations require that documentation be produced to demonstrate compliance. Generally, documentation is developed for the policies, procedures and tracking mechanisms that demonstrate a Covered Entity ("CE") or Business Associate ("BA") is following HIPAA requirements. Showing your VDE (Visible Demonstrable Evidence) of compliance demands a stored copy of that VDE, carrying the signature approval(s) of your Compliance Officer(s) where applicable. So, the question is "Where do you keep this growing mountain of information?" That's our topic this month: A Recommended Approach for your HIPAA Compliance Repository.
Regardless of whether you're a CE or a BA, you are required not only to perform a Risk Assessment, but also to remediate risks. With Expresso, we recommend an overall goal of Medium to Low for each Risk. Full compliance of 100% for every risk is only an aspirational goal and would be most difficult to obtain, because your organizational environment is not static; it changes periodically, and often. A strategic, although also challenging, goal is to place yourself in the "Good Story" realm of the compliance continuum.
After you have expended effort on your risk assessment, having a good compliance story starts with remediation of High Risks, followed by ensuring that your VDE is kept in a safe location that is backed up regularly. So, what is the recommendation for how to organize this information? Let's start with a folder for Breach Incidents.
Although Incidents do not always turn into Breaches, they could, and security incident documentation is mandatory when activities do not follow the usual and expected path. The Security Rule (45 CFR §164.304) defines a Security Incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
In your Compliance Repository you will document and store each Incident encountered that requires breach analysis; not all Incidents qualify. Incident documentation should record the day, time, credentials, IP address, and any other information obtained during the investigation of the Incident. Without going into detail about what an Incident Document should contain, it is recommended that each Incident has its own folder in which the Incident document is stored. Since it is plausible that an Incident could become a Breach, three (3) other folders should be available for each Incident: HHS Notification, Media Notification, and Patient Notification. Should this Incident, or any other Incident, become a Breach, all information necessary for handling the breach should also be stored in your Compliance Repository. In some cases, you may want to save "blank" versions of these documents so that they are ready, and in a place easily found, if required.
An example of an Incident might be a Phishing attempt in which an attacker tries to obtain access to your network and, subsequently, your Protected Health Information (PHI). At the HIPAA Survival Guide, we provide 3700-Phishing-Ransomware Training to help educate your workforce and avoid unnecessary risk from Phishing attempts. Phishing is an attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity. Often one will receive an email with an urgent request to resolve a problem with a financial account (e.g. PayPal).
Although these examples are not healthcare related, on March 20, 2018, TechCo News reported
- Amazon Cancellation Scams - a fake Amazon order and offer to cancel it
- Fake PayPal Scam Emails - a phoney PayPal transaction to alarm you
- Facebook Activity Alerts - imitating genuine Facebook notifications
- Disputed Payment Emails - a false claim that a transaction is due
- Google and Gmail Alert Scams - attempts to get your login details
All of the above scams attempt to trick victims in a similar fashion. The victim is urged to click through on a link, at which point they may inadvertently hand over sensitive data to the scammers.
Another example of a recent Phishing attempt was in May 2017, when a phishing email targeting Gmail users cost the state of Minnesota an estimated $90,000. So, the bottom line is educate, educate, and beware!
One of the HIPAA Administrative Safeguard requirements is §164.308(a)(1)(ii)(D) Information system activity review (Required). This requirement means that CEs and BAs must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. By doing so, one may indeed find that there was an attempt to break into the network. If the attacker did NOT get into your network and no PHI was accessed, then the attempt is an Incident, not a Breach. Document it as one anyway: the review itself, and the record of what you found, is part of your VDE.
If a Phishing email was sent to workforce members and they did not click on it, then it is likely there was no harm to PHI. If they did click on it, then further investigation will be required: what credentials were entered, what systems those credentials can reach, and whether any PHI was accessed. Encryption is another safeguard in the Security Rule; it appears as an addressable implementation specification under the §164.312 Technical Safeguards (access control and transmission security). Encryption of PHI is a dominant precautionary measure because PHI that is encrypted in line with HHS guidance is not "unsecured PHI" under the Breach Notification Rule, so its loss or theft generally does not trigger the notification obligations a Breach would.
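As an added example, not code from the newsletter or from Expresso, the following Python script shows what a minimal information system activity review of the kind §164.308(a)(1)(ii)(D) requires could look like, and how each finding is filed into the per-Incident folder layout recommended above (an Incident document plus the HHS, Media and Patient Notification folders). The log lines are constructed sshd-style samples, and the threshold, folder names and JSON document format are assumptions for illustration; no real organization or data is represented.

```python
"""Added example (not from the newsletter or Expresso): review constructed
auth log lines for repeated failed logins, and file each finding as an
Incident in a compliance repository folder structure."""
import json
import re
import tempfile
from collections import defaultdict
from dataclasses import asdict, dataclass
from pathlib import Path

# Constructed sample log lines in sshd/auth.log style; not real data.
SAMPLE_LOG = """\
Nov 05 08:14:02 ehr-app1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Nov 05 08:14:05 ehr-app1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Nov 05 08:14:09 ehr-app1 sshd[2214]: Failed password for root from 203.0.113.45 port 51030 ssh2
Nov 05 08:14:12 ehr-app1 sshd[2214]: Failed password for root from 203.0.113.45 port 51031 ssh2
Nov 05 08:14:15 ehr-app1 sshd[2217]: Failed password for root from 203.0.113.45 port 51032 ssh2
Nov 05 09:01:44 ehr-app1 sshd[2300]: Accepted publickey for jsmith from 192.0.2.10 port 40122 ssh2
Nov 05 09:30:01 ehr-app1 sshd[2350]: Failed password for jsmith from 192.0.2.10 port 40130 ssh2
Nov 05 09:30:07 ehr-app1 sshd[2350]: Accepted password for jsmith from 192.0.2.10 port 40131 ssh2
"""

# Assumed log format; adjust the pattern to the system actually being reviewed.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Folder names taken from the article's recommendation.
NOTIFICATION_FOLDERS = ("HHS Notification", "Media Notification", "Patient Notification")


@dataclass
class Incident:
    """The facts the article says an Incident document should capture."""
    source_ip: str
    usernames: list
    first_seen: str
    last_seen: str
    failed_attempts: int
    succeeded_after_failures: bool  # True means the attacker may have got in


def parse_events(log_text):
    """Return the parsed login events, in log order, skipping unmatched lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def review_activity(log_text, threshold=3):
    """Group failed logins by source IP; raise an Incident for any IP at or above threshold."""
    by_ip = defaultdict(list)
    for e in parse_events(log_text):
        by_ip[e["ip"]].append(e)
    incidents = []
    for ip, events in by_ip.items():
        failures = [e for e in events if e["result"] == "Failed"]
        if len(failures) < threshold:
            continue
        # A success from the same IP after the failures needs deeper investigation:
        # that is the "did they get in?" question that separates Incident from Breach.
        last_fail = max(i for i, e in enumerate(events) if e["result"] == "Failed")
        got_in = any(e["result"] == "Accepted" for e in events[last_fail + 1:])
        stamp = lambda e: f"{e['month']} {e['day']} {e['time']}"
        incidents.append(Incident(
            source_ip=ip,
            usernames=sorted({e["user"] for e in failures}),
            first_seen=stamp(failures[0]),
            last_seen=stamp(failures[-1]),
            failed_attempts=len(failures),
            succeeded_after_failures=got_in,
        ))
    return incidents


def file_incident(repo_root, incident):
    """Create <repo>/Breach Incidents/<id>/ holding incident.json and the three
    empty notification folders, ready if the Incident becomes a Breach."""
    inc_id = incident.first_seen.replace(" ", "_").replace(":", "") + "_" + incident.source_ip
    folder = Path(repo_root) / "Breach Incidents" / inc_id
    folder.mkdir(parents=True, exist_ok=True)
    for sub in NOTIFICATION_FOLDERS:
        (folder / sub).mkdir(exist_ok=True)
    (folder / "incident.json").write_text(json.dumps(asdict(incident), indent=2))
    return folder


if __name__ == "__main__":
    repo = tempfile.mkdtemp(prefix="compliance-repo-")
    for inc in review_activity(SAMPLE_LOG):
        print("filed", file_incident(repo, inc))
```

With the default threshold the sample log yields one Incident, for 203.0.113.45 (five failures against admin and root, no later success from that address), while the single mistyped password from 192.0.2.10 is left alone; lowering the threshold to 1 also surfaces the jsmith address and marks it as having succeeded after a failure, which is the case that needs a human to decide whether PHI was reached.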
The levels of your Compliance Repository folder structure, as they will be implemented in Expresso 2.0, are as follows. Starting with your Policies and Procedures, the following top-level folders are recommended:
- Breach Incidents. As discussed, Incidents may not become Breaches, but all Incidents must be logged.
- Breach Notification Rule. When a Breach occurs, you will want to have the necessary files and folders ready for use. There is no sense in trying to find the needle in the haystack when time is of the essence.
- Business Associates ("BA"). Only have one Business Associate? Congratulations, you're one of the few. Save each Business Associate Agreement together with the evidence of that BA's compliance, so that you can track all of your BAs.
- Cloud. What data or applications do you have that are stored in the cloud? Ensure that you have adequate documentation in the event of a disaster!
- Disaster Recovery ("DR"). Do you have sample test results? Documentation for your workforce and application needs? You may choose to store your DR information by application with a special folder for workforce members who would be involved in recovery operations.
- Mobile. What mobile devices does your organization have? Do they have PHI stored on them?
- Patients. Patients often have the need for access to their medical records. Do you track and keep copies of their requests?
- Patients' Bill of Rights. If a patient wants to amend their record, do you track and keep a copy of their request?
- Privacy Rule. Where do you store Privacy Rule VDE?
- Risk Assessments. Where do you store all your Risk Assessments?
- Risk Management. Where do you store your Policies, Procedures and Tracking mechanisms that have been approved by your Compliance Officers?
- Security Rule. Keep your VDE of compliance with Security Rule Controls.
- Social Media. Do you have Social Media sites or portals that are used in your business?
- Workforce. Do you store and track training and clearance activities for workforce members?
Each one of these folders is a "top level" or "root" folder for the documents contained within it. Click here for a document that contains the full Compliance Repository structure that will be implemented in Expresso 2.0.
At 3Lions Publishing, Inc. our mission is to provide clients with:
- Premium Compliance Products,
- Free Monthly Webinars,
- Newsletter Articles on HIPAA and regulatory topics, as well as
- "High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
We do NOT charge extra for compliance support, as many of our competitors do. The cost of your LIVE assistance is included in your Subscription purchase.
A full 360-degree circle of Risk Assessment and Remediation products is provided in 3Lions Publishing Inc.'s Subscription Plan. The Subscription Plan includes Expresso®, the Risk Assessment "SaaS" based software, over 30 compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment!
Questions? Please call or write using the contact information below.
Phone: (800) 516-7903
For HIPAA Help send us an Email at
Protect Your Practice and Your Business
for HIPAA Survival Guide® Subscription Plan Testimonials
Take advantage of our Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide® Subscription Plan With Expresso®