Newsletters & Announcements

This page contains an archive of 3Lions Publishing Inc.'s monthly HIPAA Compliance Newsletters and Important Announcements! The current issue of the newsletter is not available here until after the month in which it was issued.


To get a current version of the FREE Newsletter and Webinars you can subscribe here. Don't forget to sign up for the newsletter if you haven't already. You will receive monthly articles on HIPAA and Compliance topics as well as notification of upcoming FREE Webinars.



NEWSLETTERS

January 2022

Our article this month is entitled: The difference between Privacy and Security regimes

December 2021

Our article for December was a re-do of: Re-Do: A Massively Transformative and Disruptive Rule for 2021

November 2021

Our article this month is entitled: A Massively Transformative and Disruptive Rule for 2021

October 2021

Our article this month is entitled: HIPAA Security Rule Risks

September 2021

Our article this month is entitled: Access to Protected Health Information

August 2021

Our article this month is entitled: Compliance Dynamism

July 2021

Our article this month is entitled: Creating a Culture of Compliance

June 2021

Our article this month is entitled: RMF and Swimlane Diagrams

May 2021

Our article this month is entitled: Poking through the Privacy Rule

April 2021

Our article this month is entitled: Compliance and Black Swan Events

March 2021

Our article this month is entitled: COVID, Telemedicine and HIPAA

February 2021

Our article this month is entitled: HIPAA Enforcement is Alive & Well


January 2021

Our article this month is entitled: What makes a Compliance Officer Competent?


December 2020

No Newsletter or Webinar this month.

November 2020

Our article this month is entitled: Visible, Demonstrable Evidence

To demonstrate compliance with a legal Requirement, like the many associated with HIPAA, an organization must not only provide the results of a comprehensive Risk Assessment but must also be able to provide visible, demonstrable evidence (“VDE”) for each Requirement mandated by the Compliance regime. Compliance is not an abstraction. You can only comply at the granularity level of a Requirement.

October 2020

Our article this month is entitled: Stuck on Stupid: Managing Multiple Compliance Regimes

Most compliance vendors whose software allows customers to conduct risk assessments (RA) use the National Institute of Standards and Technology (NIST) methodology set out in Special Publication 800-30 Rev. 1 (the "Model"). The NIST Model mandates the matching of Threats with Vulnerabilities to identify risks that may require remediation or status verification. Expresso is no exception.

September 2020

Our article this month is entitled: Stuck on Stupid Revisited

More than a decade after the HITECH Act was promulgated it remains somewhat surprising to us that most covered entities (CE) and business associates (BA) remain stuck on stupid concerning HIPAA compliance. Having taught thousands of stakeholders the Rules (HIPAA Privacy, Security, and Breach Notification) over the last decade through our webinars, newsletters, and products, we now believe we have some insights into why stuck on stupid remains “a thing.”

August 2020

Our article this month is entitled: Why SOC-2 will Derail your Cyber-Security Initiative

First, let me start with a question that most compliance officers (COs) will not get right, which is this: “How many security laws do we have in the U.S.?” Many will answer fifty (50) because each state has at least one. Others will “throw in” GLBA, FERPA, etc. The answer is one: the HIPAA Security Rule (HSR). What the states have are their own privacy and breach notification laws. GLBA and FERPA are for the most part privacy laws.

July 2020

Our article this month is entitled: No, Actually You Don’t Have HIPAA Under Control

When prospecting we often get the answer “No thanks, we have HIPAA under control.” Of course, in a few cases that might be true, but often it is just a polite way to get us off the phone. There are many compliance officers (CO) who believe this to be true but have no idea whether their HIPAA compliance initiative is “under control.” Why? Primarily because they have no way to measure it. If we were auditors, the first question we would ask is: where is your “Scorecard” that indicates which parts of HIPAA you have implemented? Huh? Followed by that “deer in the headlights” look.

June 2020

Our article this month is entitled: The Explosion of Third-Party Risk

Why is third-party risk exploding? There are at least three factors in play. The first reason is the sheer volume of outsourced relationships that exist, even for small enterprises. For example, in the HIPAA space, the “average” covered entity (“CE”) is said to have approximately twenty-seven (27) business associates (“BA”). However, mid-size CEs likely have hundreds of BAs and large CEs have BAs that almost certainly number in the thousands. But the fun does not end there. Why? Because BAs also have BAs. Therefore, it does not take a rocket scientist to figure out that third-party risk is an exponentially complex problem.
 

 

Our article this month is entitled: Ransomware & Cyber Insurance

There is no doubt that the number of ransomware attacks has increased dramatically over the last five years (circa 2015-2020). Phishing emails are likely still the preferred vector into your network because even unsophisticated hackers can launch a brute-force campaign sending tens of thousands of phishing emails to your unsuspecting workforce. All it takes is the wrong click on a link in the email and the bad guys are in your network, starting their ransomware and/or phishing reconnaissance activities. Phishing has proven its efficacy. There is no reason to believe that this vector is going to be less favored anytime soon.

April 2020

Our article this month is entitled: COVID-19 ("C-19") and Ransomware

Attacks are coming sooner rather than later. The bad guys have families to feed. This is not a hobby for them. Ransomware is what they do for a living. The healthcare industry, writ large, is far too vulnerable for the moratorium (if there is one) to last more than a few weeks. This article contains COVID-19 HIPAA guidance from HHS and information to register for our Free April webinar "COVID-19 and HIPAA-What you need to know!"
 

March 2020

Our article this month is entitled: Ransomware Resilience: Only the Paranoid Survive!

Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict upon the healthcare industry writ large, including the fact that patients will die if a concerted effort is launched attacking the industry at its weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained.
 

February 2020

Our article this month is entitled: A Short History of Cyber War and Why it Matters

If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; that's all there is to it. Compliance and cybersecurity are joined at the hip; they can't be separated. Like peanut butter and jelly.

OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates.

January 2020

Our article this month is entitled: In the Digital Economy, Only the Paranoid Survive

So, you like Technology and all the really, really, cool things it enables? Me too. But Tech has a dark side that is rarely discussed. All the "0's" and "1's" that we love so much can all disappear in a New York minute. And so, if you do not have a robust disaster recovery plan ("DRP") enabled and in place (obviously just having a plan is not enough), then sooner or later the Digital Economy is going to shoot you in the head. Guaranteed. All knowledge workers have inadvertently deleted, corrupted, and/or otherwise lost a document that they were working on. As painful as that may be, that is not what this article speaks about. No! Here we are talking about a massive loss of data that cannot be recovered!


Our article this month is entitled: What you need is a Workflow

We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable, evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.


Our article this month is entitled: What makes a Compliance Officer Competent?

In other words, what are the professional characteristics, including emotional IQ, that an individual must possess to be a competent compliance officer ("CO") in the 21st century? To begin with, let's use Steve Hardy's framework for what constitutes a "creative generalist" as a starting point for exploring this question. Paradoxically, a CO's job, even if they focus only on a single compliance regime (e.g. HIPAA, or GDPR, or SOX), constitutes anything but a niche specialized gig. Without using hyperbole in the least, I want to make the argument in this article that a CO's job is one of being a creative generalist at a minimum, and a good one at that. Now of course if I made the argument that a CO needed to be a renaissance person that would be hyperbolic. I don't want to overstate the case.

 

Our article this month is entitled: Security Reminders

This seemingly rather basic Security Control rarely gets implemented, and when it does, it's done in a manner that is either trite or overwhelming, neither of which makes it actionable for your Workforce. First, let's clear up (again) a myth about what an "Addressable" Control means.

One bright-line rule that you can take to the bank is that it doesn't mean optional! In plain English, an Addressable Control under the Security Rule means: (1) that you must implement the Control as stated in the Rule; or (2) that you must implement a suitable alternative for an organization of your size, sophistication, resources, etc.; or (3) that you must document a compelling rationale for why you decided to do nothing. Simply ignoring an Addressable Control is likely to get you a "willful neglect" fine, which starts at $50K a pop (ouch).

Our article this month is entitled: Business Partner Vetting Challenges

Business Partner Vetting ("BPV") is a process designed to help your organization get "satisfactory assurances" from business partners ("Partners") pursuant to the state of compliance of their cybersecurity programs. The overarching purpose is to ensure that your sensitive data is being protected as expected and required. Many compliance regimes mandate that certain data be protected by your Partners (e.g. GDPR with Processors, HIPAA with Business Associates (including Business Associates of Business Associates), and Part 2 with Lawful Holders). 
 

Our article this month is entitled: Information System Review Challenges

HIPAA's Information System Activity Review implementation specification (i.e. "Security Control") is one of the most insidious yet seemingly innocuous Security Controls that most covered entities ("CEs") and business associates ("BAs"), even the largest ones, do not implement and execute in a sufficiently rigorous and sophisticated way. This Standard is arguably the most important of all the Security Rule's standards.
 

Our article this month is entitled: A Deeper Dive into 42 CFR Part 2 

Title 42 of CFR Part 2 was first promulgated in 1975 during the Nixon Administration (40 FR 27802) and last substantively updated in 1987 (52 FR 21796). The authorizing statute, Title 42, United States Code (U.S.C.) 290dd-2, protects the confidentiality of records containing the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse (now referred to as substance use disorder, "SUD") education, prevention, training, treatment, rehabilitation, or research.

Our article this month is entitled: The Self-Audit Process

HIPAA self-audits provide a preview of the policies, procedures, standards, and practices of a Covered Entity ("CE") or Business Associate ("BA"). CEs and BAs include individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a variety of business associates of these entities. Self-Audits prepare organizations to avoid the "bad day" when (not if) a HIPAA audit arrives due to a Breach.
 

Our article this month is entitled: HHS' Reduction in Enforcement Penalties

HHS' recent announcement of a reduction in penalties for HIPAA non-compliance is much ado about nothing. In part, this is true because HHS has stopped enforcing HIPAA in any meaningful way other than when a Breach is reported. Once you have a Breach, the costs of notification will likely exceed the civil monetary penalty ("CMP") imposed by OCR based on whatever violations it finds. So, Breach Notification remains the 800-pound enforcement gorilla and, for all intents and purposes, the real non-compliance liability that covered entities and business associates have to worry about. Further, as discussed below, the maximum penalties set forth were for "identical violations" and, as far as we can tell, that has not changed.

Our article this month is entitled: Ten (10) Magic Security Controls

The "magic" in these controls is that they apply to almost every conceivable compliance regime you can think of, for example HIPAA, GDPR, PCI DSS, etc. They are cybersecurity 101 controls, and when they are fully and rigorously implemented you will have dramatically improved cybersecurity compliance across your organization. Given the tools that are now available, these controls are nowhere near as burdensome or expensive as they were even a few short years ago. For example, two-factor authentication, as discussed below, is a "no-brainer" because almost universally everyone has a smartphone these days.

March 2019

Our article this month is entitled: The Importance of Taxonomies

What is a Taxonomy? The importance of taxonomies in any knowledge-based work cannot be overstated. This, of course, includes all documents/artifacts that must be created/managed/maintained/disposed of when launching/evolving a HIPAA compliance initiative ("HCI"), or when doing the same with respect to any other regulatory regime. A taxonomy, for our purposes, is nothing more than a structured way of naming folders and sub-folders and the files contained within them. For example, "taxonomy aware litigators" almost always create the same folder/sub-folder structure for every piece of litigation that they handle.


Our article this month is entitled: 42 CFR Sections A-D

The regulations associated with 42 CFR Sections A-D ("42 CFR") are a set of sloppily written and needlessly confusing regulations, for obvious reasons. The statutory authority for these regulations reads as follows:

The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3.

For our purposes, suffice it to say that these regulations are related to Drug Abuse Prevention, Treatment, and Rehabilitation. They are like HIPAA "on steroids" for PHI under the control of government-assisted programs that help patients recover from drug abuse.

Our article this month is entitled: Privacy by Design and Privacy by Default

The need for Privacy has been a long time coming, and many knowledgeable observers felt that it was likely inevitable, although probably not in 2019. Why? Because outside of HIPAA, which only protects a patient's personal information, the U.S. does not have a national privacy law that protects personally identifiable information ("PII") generally. A new federal law would do exactly that.

What impact would a new law protecting PII have on HIPAA? Well, at first maybe nothing at all; laws move slowly.

December 2018

There was no Newsletter for December 2018. 


November 2018

Our article this month is entitled: A Recommended Approach for your HIPAA Compliance Repository

HIPAA regulations require that documentation is produced to demonstrate compliance. Generally, documentation is developed for policies, procedures and tracking mechanisms that demonstrate a Covered Entity ("CE") or Business Associate ("BA") is following HIPAA requirements. The ability to show your VDE (Visible Demonstrable Evidence) of compliance demands a stored copy of your VDE containing appropriate signature approval(s) by your Compliance Officer(s) where applicable. So, the question is "Where do you keep this growing mountain of information?" That's our topic this month: A Recommended Approach for your HIPAA Compliance Repository.


October 2018

Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World - Part 2

In last month's newsletter, we covered what we consider to be the basics of microlearning from our perspective. However, our webinar introduced the idea of search as a foundational building block for a micro-learning strategy, and I want to take the opportunity to elaborate on that a little this month. First, humans have a primal fear of being lost. The ability to venture forth and find our way back has been essential to our survival for millions of years. The sense of panic that envelopes us when our innate navigation system fails is palpable. 


September 2018

Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World!

Universally, employees complain about not having enough training, or the right training, in just about any subject matter domain you can name. HIPAA is no different. We know! We have literally trained thousands of customers in HIPAA over the last 10 years, including most of our competitors. Having said that, we still get the same comments: (1) it's too legalistic; (2) it's not "dumbed down" enough; (3) it's more for compliance officers than for clinicians; (4) it's too long, etc. Are these customers right? Yes and no. Why? Because it's impossible to design comprehensive training in a manner that will be best, or even satisfactorily, suited for all audiences.

August 2018

Our article this month is entitled: HIPAA Education: How much training is enough?

Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI").


July 2018

Our article this month is entitled: HIPAA Threat Categories Rationalized: Managing Millions of Threat Vectors is Madness

If you peruse IBM's X-Force Exchange and realize the number of Threat Vectors that exist in the wild, you would soon despair of ever producing a rigorous Risk Assessment. However, there is no need to despair, because these millions of vectors can be organized into Threat Categories that effectively rationalize the space. This does not mean that IBM's research is not necessary; quite the opposite: sooner or later you will need enough detail on a particular vector to implement a Control that "plugs it."

June 2018

Our article this month is entitled: Selecting a Compliance Vendor: Why 360 Degree Support Matters

In today's world of evolving regulatory matters, we often find ourselves buried under the weight of regulatory compliance initiatives. If compliance isn't the primary purpose of your workday, then it really becomes a burden of significant magnitude.
 
First, one must learn what the regulations are saying, which often is accomplished by reading the regulations over and over, ultimately giving up and asking a competent lawyer/consultant. I've heard the saying that although the law looks like English, and it sounds like English, it's NOT English. I can't help but wonder if they (the lawyers) planned it that way to warrant their existence.
 

May 2018

Our article this month is entitled: The Challenge of Dealing with Multiple Compliance Regimes

A couple of months back we wrote about Information Governance ("IG"); this month we want to introduce the concept of the Compliance Stack™ and the role it plays in dealing with multiple compliance regimes ("Regimes"). The March article barely scratched the surface of IG. The reality is that a Ph.D. dissertation would likely not do this topic justice. We will continue to explore IG in the coming months; however here we want to discuss the Compliance Stack™ ("the Stack™" or "Stack™") as a framework for understanding the complexity that organizations face when confronted with multiple regulatory Regimes.
 

April 2018

Our article this month is entitled: HIPAA: A Decade from the HITECH Act

So, we wanted to take this opportunity to review the "state of HIPAA" a decade from the HITECH Act. Anyone remember the HITECH Act? Specifically, we wanted to attempt to answer, "Whether HIPAA remains a paper tiger?" The short answer to this question is a lawyer's favorite answer, "maybe, it depends."
 
The lawyer's answer requires more analysis but it's uncertain whether said analysis provides additional clarity. In fact, we argue that it doesn't, but will proceed nonetheless. First, to the extent that Breach Notification has become the 800-pound gorilla of HIPAA enforcement, it's quite clear that the latter has indeed been a game changer (e.g. it's also likely to be a game changer for the EU's GDPR). 
 

March 2018

Our article this month is entitled: Information Governance

Information Governance ("IG") will continue to rapidly evolve as a discipline, although admittedly a currently ill-defined one, for the next fifty (50) years or so. We are drowning in our inability to manage information, and the signs are everywhere we look, especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA (i.e. because HIPAA CMPs purportedly end up in HHS' coffers for more enforcement), but appear to lack the will or the know-how to dramatically impact the compliance chaos that remains a decade on from the HITECH Act.


February 2018

Our article this month is entitled: Business in the EU: The 10 Step GDPR Implementation Plan

The objective of this article is to explain GDPR Compliance in simple terms, and to provide you with guidelines and tools for implementing, refining and measuring policies and procedures. The GDPR is even more vague and descriptive than HIPAA. Although HIPAA does not provide covered entities and business associates "how to" guidance, it does a good job of describing the "what" at a reasonable level of detail. You're out of luck with the GDPR. Lawyers have to extrapolate best practices by reading "between the lines," because what is there is written at such a high level that it will drive lawyers, consultants, compliance officers and laypersons nuts trying to decipher it.


January 2018

Our article this month is entitled: You Have Performed a Risk Analysis-That's Nice!

An entire cottage industry and ecosystem has quickly emerged to provide risk analysis ("RA") services to covered entities ("CE") and business associates ("BA"). Sometimes this takes the form of just software, other times it is software plus professional services, and sometimes it is pure professional services. Price points for these services vary widely, between approximately $2,500.00 and $30,000.00 USD. RAs are so foundational to a HIPAA Security Rule ("SR") implementation that not having one likely places a CE or BA in willful neglect. No organization wants to be in willful neglect land because that's where the penalties start at $50K per identical violation. So, the emphasis on RAs is justified. Full stop!


December 2017

Our article this month is entitled: Breaches Happen: the Tsunami's Largest Waves Await!

We tend not to notice, or are unwilling to notice, threats that rise gradually which result in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make frontpage news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter, but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.


November 2017

Our article this month is entitled: Breach Notification: STILL the 800 LB Gorilla!

This month's article uses the metaphor from the Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the system approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."


October 2017

Our article this month is entitled: Breach Response Plan Key Components (Cont.) 

This is Part 2 of a 2-Part Article. Part 1 is located here. In this Part we provide a high-level introduction regarding each team's responsibilities during a Breach Response. Remember, in any Breach Response you are working with a team of teams. Also, recall why we believe a tech-savvy law firm ("TSLF") should function as the general manager ("GM") of this team of teams. We will expand on this proposition herein as well. We have inserted the Definitions section below, as it should prove useful once again for the topics covered in this 2-Part Article.


September 2017

Our article this month is entitled: Breach Response Plan Key Components

This breach response article is designed to help stakeholders (i.e. organizations of all sizes experiencing a breach) understand the requirements of various federal, state and private regulatory regimes. HIPAA is simply one example. After WannaCry and Petya, organizations are starting to realize that it's not a question of "if" they will experience an attack that leads to a breach but simply "when."


August 2017

Our article this month is entitled: Comparing HIPAA and PCIDSS Compliance?

This article compares the HIPAA and PCIDSS compliance regimes. Although as discussed herein there are indeed technical similarities between the two, analogous to the functional similarities between the HIPAA Security Rule controls (i.e. implementation specifications) and the CSC Controls, the two are fundamentally unique and distinct compliance regimes controlled by different kinds of law.


July 2017

Our article this month is entitled: HIPAA Security is Cybersecurity (sort of)!

This article argues that there has never been any meaningful distinction between CyberSecurity and HIPAA Security from a technical perspective; however, from a legal perspective, each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call."


June 2017

Our article this month is entitled: WannaCry - PostMortem Lessons Learned 

WannaCry was the "shot heard round the world!" It dominated local, national, and international "news cycles" for several days. We are now more than a few weeks from the event and the public is still learning about additional infections. HHS responded to the blitzkrieg by publishing a recurring set of announcements providing mitigation strategies for the healthcare industry. Why? We suspect that HHS knows, as do the rest of us, that we have been fishing out of this pond for a while and the healthcare masses were (and remain) woefully unprepared for this kind of event.

May 2017

Our article this month is entitled: Culture of Compliance: The Importance of Methodology

HHS has once again provided guidance on the importance of having a methodology to develop, implement, and maintain a comprehensive compliance program ("Program"). The objective of your HIPAA compliance initiative ("HCI") should be to build your Program over time, especially if you are interested in establishing a "Culture of Compliance!"

April 2017

Our article this month is entitled: HIPAA OCR Enforcement under Trump?

The entire premise of this article is that HIPAA and Cybersecurity ("CS") are one and the same. The reason we believe this premise is true will be elaborated upon during the remainder of this article, but the foundation rests upon the fact that the HIPAA Privacy Rule ("PR"), Security Rule ("SR"), and Breach Notification Rule ("BNR") (collectively "the Rules" or "Rules") are foundational components of CS. Through force of law, only covered entities and business associates are required to comply with the Rules. However, either through new law or vis-à-vis industry-enforced compliance regimes, something akin to the Rules will be required of every significant industry you can think of.


March 2017

Our article this month is entitled: Showing HHS Visible, Demonstrable, Evidence to HHS.

This article will address the kinds of visible, demonstrable, evidence ("VDE") that your organization should be prepared to show HHS during an audit. It will also discuss what a business associate ("BA") should be prepared to show a covered entity ("CE") when the former is asked by the latter to show proof of compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a CE (respectively "Requestor"). However, what is shown to a Requestor could also vary widely as discussed herein.


February 2017

Our article this month is entitled: Reviewing "Audit Controls" under the Security Rule.

In January 2017 HHS issued guidance regarding "Audit Controls" under the Security Rule ("SR") by stating, among other things, the following: "[c]overed Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails." HHS specifically references one of the Technical Safeguards, §164.312(b). However, curiously (or maybe not, depending on your perspective), the latter is an SR "Standard" that has NO implementation specification associated with it. In short, you are even more on your own than usual when it comes to interpreting how you should comply with this requirement.


January 2017

Our article this month is entitled: A Compliance Manifesto.

We have educated thousands of stakeholders pursuant to the HIPAA Rules through our monthly webinars and newsletters during the past seven years. We intend to educate many thousands more in the years to come. During that time our own understanding of the Rules has also increased dramatically from our interaction with the marketplace. Through this collaborative effort a great many insights have been added to the HIPAA lexicon. These insights and lessons learned apply not only to HIPAA but to any compliance regime you can think of. Therefore, the Manifesto provided herein should have wide applicability across industries and subject matter domains.