This page contains an archive of 3Lions Publishing Inc.'s monthly HIPAA Compliance Newsletters and Important Announcements! The current issue of the newsletter is not available here until after the month it was issued.
To get a current version of the FREE Newsletter and Webinars you can subscribe here. Don't forget to sign up for the newsletter if you haven't already. You will receive monthly articles on HIPAA and Compliance topics as well as notification of upcoming FREE Webinars.
Our article this month is entitled: Components of a Mature Compliance Program
Our article this month is entitled: Intersection of the Proposed Privacy Rule, Information Blocking, and changes to 42 CFR Part 2 regarding case management and case coordination
Our article this month is entitled: Stuck on Stupid: The FINAL 2021 Privacy & the Purported Experts
Our article for December was a re-do of: Re-Do: A Massively Transformative and Disruptive Rule for 2021
Our article this month is entitled: A Massively Transformative and Disruptive Rule for 2021
Our article this month is entitled: HIPAA Security Rule Risks
Our article this month is entitled: Access to Protected Health Information
Our article this month is entitled: Compliance Dynamism
Our article this month is entitled: Creating a Culture of Compliance
Our article this month is entitled: RMF and Swimlane Diagrams
Our article this month is entitled: Poking through the Privacy Rule
Our article this month is entitled: Compliance and Black Swan Events
Our article this month is entitled: COVID, Telemedicine and HIPAA
Our article this month is entitled: HIPAA Enforcement is Alive & Well
Our article this month is entitled: What makes a Compliance Officer Competent?
Our article this month is entitled: Visible, Demonstrable Evidence
Our article this month is entitled: Stuck on Stupid: Managing Multiple Compliance Regimes
Our article this month is entitled: Stuck on Stupid Revisited
Our article this month is entitled: Why SOC-2 will Derail your Cyber-Security Initiative
Our article this month is entitled: No, Actually You Don’t Have HIPAA Under Control
Our article this month is entitled: The Explosion of Third-Party Risk
Our article this month is entitled: Ransomware & Cyber Insurance
Our article this month is entitled: COVID-19 ("C-19") and Ransomware
Our article this month is entitled: Ransomware Resilience: Only the Paranoid Survive!
Our article this month is entitled: A Short History of Cyber War and Why it Matters
Our article this month is entitled: In the Digital Economy, Only the Paranoid Survive
So, you like Technology and all the really, really, cool things it enables? Me too. But Tech has a dark side that is rarely discussed. All the "0's" and "1's" that we love so much can all disappear in a New York minute. And so, if you do not have a robust disaster recovery plan ("DRP") enabled and in place (obviously just having a plan is not enough), then sooner or later the Digital Economy is going to shoot you in the head. Guaranteed. All knowledge workers have inadvertently deleted, corrupted, and/or otherwise lost a document that they were working on. As painful as that may be, that is not what this article speaks about. No! Here we are talking about a massive loss of data that cannot be recovered!
Our article this month is entitled: What you need is a Workflow
We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.
Our article this month is entitled: What makes a Compliance Officer Competent?
In other words, what are the professional characteristics, including emotional IQ, that an individual must possess to be a competent compliance officer ("CO") in the 21st century? To begin with, let's use Steve Hardy's framework for what constitutes a "creative generalist" as a starting point for exploring this question. Paradoxically, a CO's job, even if they focus only on a single compliance regime (e.g. HIPAA, or GDPR, or SOX), constitutes anything but a niche specialized gig. Without using hyperbole in the least, I want to make the argument in this article that a CO's job is one of being a creative generalist at a minimum, and a good one at that. Now of course, if I made the argument that a CO needed to be a renaissance person, that would be hyperbolic. I don't want to overstate the case.
Our article this month is entitled: Security Reminders
Our article this month is entitled: Business Partner Vetting Challenges
Our article this month is entitled: Information System Review Challenges
Our article this month is entitled: A Deeper Dive into 42 CFR Part 2
Our article this month is entitled: The Self-Audit Process
Our article this month is entitled: HHS' Reduction in Enforcement Penalties
Our article this month is entitled: Ten (10) Magic Security Controls
Our article this month is entitled: The Importance of Taxonomies
Our article this month is entitled: The Importance of Taxonomies
Our article this month is entitled: 42 CFR Sections A-D
Our article this month is entitled: Privacy by Design and Privacy by Default
There was no Newsletter for December 2018.
Our article this month is entitled: A Recommended Approach for your HIPAA Compliance Repository
HIPAA regulations require that documentation is produced to demonstrate compliance. Generally, documentation is developed for policies, procedures and tracking mechanisms that demonstrate a Covered Entity ("CE") or Business Associate ("BA") is following HIPAA requirements. The ability to show your VDE (Visible Demonstrable Evidence) of compliance demands a stored copy of your VDE containing appropriate signature approval(s) by your Compliance Officer(s) where applicable. So, the question is "Where do you keep this growing mountain of information?" That's our topic this month: A Recommended Approach for your HIPAA Compliance Repository.
Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World - Part 2
In last month's newsletter, we covered what we consider to be the basics of microlearning from our perspective. However, our webinar introduced the idea of search as a foundational building block for a micro-learning strategy, and I want to take the opportunity to elaborate on that a little this month. First, humans have a primal fear of being lost. The ability to venture forth and find our way back has been essential to our survival for millions of years. The sense of panic that envelops us when our innate navigation system fails is palpable.
Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World!
Universally, employees complain about not having enough training, or the right training, in just about any subject matter domain you can name. HIPAA is no different. We know! We have literally trained thousands of customers in HIPAA over the last 10 years, including most of our competitors. Having said that, we still get the same comments: (1) it's too legalistic; (2) it's not "dumbed down" enough; (3) it's more for compliance officers than for clinicians; (4) it's too long, etc. Are these customers right? Yes and no. Why? Because it's impossible to design comprehensive training in a manner that will be best, or even satisfactorily, suited for all audiences.
Our article this month is entitled: HIPAA Education: How much training is enough?
Determining how much training is adequate is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity, because if you know the problem and don't have an adequate answer, you're likely to have difficulty responding and may encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI").
Our article this month is entitled: HIPAA Threat Categories Rationalized: Managing Millions of Threat Vectors is Madness
If you peruse IBM's X-Force Exchange and realize the number of Threat Vectors that exist in the wild, you would soon despair of ever producing a rigorous Risk Assessment. However, there is no need to despair, because these millions of vectors can be organized into Threat Categories that effectively rationalize the space. This does not mean that IBM's research is not necessary; quite the opposite: sooner or later you will need to have enough detail on a particular vector to implement a Control that "plugs it."
Our article this month is entitled: Selecting a Compliance Vendor: Why 360 Degree Support Matters
Our article this month is entitled: The Challenge of Dealing with Multiple Compliance Regimes
Our article this month is entitled: HIPAA: A Decade from the HITECH Act
Our article this month is entitled: Information Governance
Information Governance ("IG") will continue to rapidly evolve as a discipline, although admittedly currently an ill-defined one, for the next fifty (50) years or so. We are drowning in our inability to manage information, and the signs are everywhere we look; especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA (i.e. because HIPAA CMPs purportedly end up in HHS' coffers for more enforcement), but appear to lack the will or the know-how to dramatically impact the compliance chaos that remains a decade on from the HITECH Act.
Our article this month is entitled: Business in the EU: The 10 Step GDPR Implementation Plan
The objective of this article is to explain GDPR Compliance in simple terms, and to provide you with guidelines and tools for implementing, refining and measuring policies and procedures. The GDPR is even more vague and descriptive than HIPAA. Although HIPAA does not provide covered entities and business associates "how to" guidance, it does a good job of describing the "what" at a reasonable level of detail. You're out of luck with the GDPR. Lawyers have to extrapolate best practices by reading "between the lines," because what is there is written at such a high level that it will drive lawyers, consultants, compliance officers and laypersons nuts trying to decipher it.
Our article this month is entitled: You Have Performed a Risk Analysis-That's Nice!
An entire cottage industry and ecosystem has quickly emerged to provide risk analysis ("RA") services to covered entities ("CE") and business associates ("BA"). Sometimes this takes the form of just software, other times it is software plus professional services, and sometimes it is pure professional services. Price points for these services vary widely, from approximately $2,500.00 to $30,000.00 USD. RAs are so foundational to a HIPAA Security Rule ("SR") implementation that not having one likely places a CE or BA in willful neglect. No organization wants to be in willful neglect land, because that's where the penalties start at $50K per identical violation. So, the emphasis on RAs is justified. Full stop!
Our article this month is entitled: Breaches Happen: the Tsunami's Largest Waves Await!
We tend not to notice, or are unwilling to notice, threats that rise gradually, which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high-profile breaches and thousands more that don't make front-page news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter, but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.
Our article this month is entitled: Breach Notification: STILL the 800 LB Gorilla!
This month's article uses the metaphor from the Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the system approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."
Our article this month is entitled: Breach Response Plan Key Components (Cont.)
This is Part 2 of a 2-Part Article. Part 1 is located here. In this Part we provide a high-level introduction regarding each team's responsibilities during a Breach Response. Remember, in any Breach Response you are working with a team of teams. Also, recall why we believe a tech-savvy law firm ("TSLF") should function as the general manager ("GM") of this team of teams. We will expand on this proposition herein as well. We have inserted the Definitions section below, as it should prove useful once again for the topics covered in this 2-Part Article.
Our article this month is entitled: Breach Response Plan Key Components
This breach response article is designed to help stakeholders (i.e. organizations of all sizes experiencing a breach) understand the requirements of various federal, state and private regulatory regimes. HIPAA is simply one example. After WannaCry and Petya, organizations are starting to realize that it's not a question of "if" they will experience an attack that leads to a breach but simply "when."
Our article this month is entitled: Comparing HIPAA and PCIDSS Compliance?
This article compares the HIPAA and PCIDSS compliance regimes. Although as discussed herein there are indeed technical similarities between the two, analogous to the functional similarities between the HIPAA Security Rule controls (i.e. implementation specifications) and the CSC Controls, the two are fundamentally unique and distinct compliance regimes controlled by different kinds of law.
Our article this month is entitled: HIPAA Security is Cybersecurity (sort of)!
This article argues that there has never been any meaningful distinction between CyberSecurity and HIPAA Security from a technical perspective; however, from a legal perspective, each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call."
Our article this month is entitled: WannaCry - PostMortem Lessons Learned
Our article this month is entitled: Culture of Compliance: The Importance of Methodology
Our article this month is entitled: HIPAA OCR Enforcement under Trump?
The entire premise of this article is that HIPAA and Cybersecurity ("CS") are one and the same. The reason we believe this premise is true will be elaborated upon during the remainder of this article, but the foundation rests upon the fact that the HIPAA Privacy Rule ("PR"), Security Rule ("SR"), and Breach Notification Rules ("BNR") (collectively "the Rules" or "Rules") are foundational components of CS. Through force of law, only covered entities and business associates are required to comply with the Rules. However, either through new law, or vis-à-vis industry-enforced compliance regimes, something akin to the Rules will be required of every significant industry you can think of.
Our article this month is entitled: Showing HHS Visible, Demonstrable, Evidence to HHS.
This article will address the kinds of visible, demonstrable, evidence ("VDE") that your organization should be prepared to show HHS during an audit. It will also discuss what a business associate ("BA") should be prepared to show a covered entity ("CE") when the former is asked by the latter to show proof of compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a CE (respectively "Requestor"). However, what is shown to a Requestor could also vary widely as discussed herein.
Our article this month is entitled: Reviewing "Audit Controls" under the Security Rule.
In January 2017 HHS issued guidance regarding "Audit Controls" under the Security Rule ("SR") by stating, among other things, the following: "[c]overed Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails." HHS specifically references one of the Technical Safeguards, namely §164.312(b). However, curiously (or maybe not, depending on your perspective), the latter is an SR "Standard" that has NO implementation specification associated with it. In short, you are even more on your own than usual when it comes to interpreting how you should comply with this requirement.
Our article this month is entitled: A Compliance Manifesto.
We have educated thousands of stakeholders pursuant to the HIPAA Rules through our monthly webinars and newsletters during the past seven years. We intend to educate many thousands more in the years to come. During that time our own understanding of the Rules has also increased dramatically from our interaction with the marketplace. Through this collaborative effort a great many insights have been added to the HIPAA lexicon. These insights and lessons learned apply not only to HIPAA but to any compliance regime you can think of. Therefore, the Manifesto provided herein should have wide applicability across industries and subject matter domains.