Newsletters & Announcements

This page contains an archive of 3Lions Publishing Inc.'s monthly HIPAA Compliance Newsletters and Important Announcements! The current issue of the newsletter is not available here until after the month in which it was issued.

To get a current version of the FREE Newsletter and Webinars you can subscribe here. Don't forget to sign up for the newsletter if you haven't already. You will receive monthly articles on HIPAA and Compliance topics as well as notification of upcoming FREE Webinars.

Also, you can view previously recorded webinars online here.

To listen/download our Compliance Manifesto Podcasts, click here.


July 2020

Our article this month is entitled: No, Actually You Don’t Have HIPAA Under Control

When prospecting we often get the answer "No thanks, we have HIPAA under control." Of course, in a few cases that might be true, but often it is just a polite way to get us off the phone. There are many compliance officers ("CO") who believe this to be true but have no idea whether their HIPAA compliance initiative is actually "under control." Why? Primarily because they have no way to measure it. If we were auditors, the first question we would ask is: "Where is your 'Scorecard' that indicates which parts of HIPAA you have implemented?" Huh? Followed by that "deer in the headlights" look.

June 2020

Our article this month is entitled: The Explosion of Third-Party Risk

Why is third-party risk exploding? There are at least three factors in play. The first reason is the sheer volume of outsourced relationships that exist, even for small enterprises. For example, in the HIPAA space, the “average” covered entity (“CE”) is said to have approximately twenty-seven (27) business associates (“BA”). However, mid-size CEs likely have hundreds of BAs and large CEs have BAs that almost certainly number in the thousands. But the fun does not end there. Why? Because BAs also have BAs. Therefore, it does not take a rocket scientist to figure out that third-party risk is an exponentially complex problem.


Our article this month is entitled: Ransomware & Cyber Insurance

There is no doubt that the number of ransomware attacks has increased dramatically over the last five years (circa 2015-2020). Phishing emails are likely still the preferred vector into your network because even unsophisticated hackers can launch a brute-force campaign sending tens of thousands of phishing emails to your unsuspecting workforce. All it takes is one wrong click on a link in the email and the bad guys are in your network, starting their ransomware and/or phishing reconnaissance activities. Phishing has proven its efficacy. There is no reason to believe that this vector is going to be less favored anytime soon.

April 2020

Our article this month is entitled: COVID-19 ("C-19") and Ransomware

Attacks are coming sooner rather than later. The bad guys have families to feed. This is not a hobby for them. Ransomware is what they do for a living. The healthcare industry, writ large, is far too vulnerable for the moratorium (if there is one) to last more than a few weeks. This article contains COVID-19 HIPAA guidance from HHS and information to register for our Free April webinar "COVID-19 and HIPAA-What you need to know!"

March 2020

Our article this month is entitled: Ransomware Resilience: Only the Paranoid Survive!

Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict upon the healthcare industry writ large, including the fact that patients will die if a concerted effort is launched attacking the industry at its weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained.

February 2020

Our article this month is entitled: A Short History of Cyber War and Why it Matters

If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; that's all there is to it. Compliance and cybersecurity are joined at the hip; they can't be separated. Like peanut butter and jelly. OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates.

January 2020

Our article this month is entitled: In the Digital Economy, Only the Paranoid Survive

So, you like Technology and all the really, really, cool things it enables? Me too. But Tech has a dark side that is rarely discussed. All the "0's" and "1's" that we love so much can all disappear in a New York minute. And so, if you do not have a robust disaster recovery plan ("DRP") enabled and in place (obviously just having a plan is not enough), then sooner or later the Digital Economy is going to shoot you in the head. Guaranteed. All knowledge workers have inadvertently deleted, corrupted, and/or otherwise lost a document that they were working on. As painful as that may be, that is not what this article speaks about. No! Here we are talking about a massive loss of data that cannot be recovered!

Our article this month is entitled: What you need is a Workflow

We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable, evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.

Our article this month is entitled: What makes a Compliance Officer Competent?

In other words, what are the professional characteristics, including emotional IQ, that an individual must possess to be a competent compliance officer ("CO") in the 21st century? To begin with let's use Steve Hardy's framework for what constitutes a "creative generalist" as a starting point for exploring this question. Paradoxically, a CO's job, even if they focus only on a single compliance regime (e.g. HIPAA, or GDPR, or SOX) constitutes anything but a niche specialized gig. Without using hyperbole in the least, I want to make the argument in this article that a CO's job is one of being a creative generalist at a minimum and a good one at that. Now of course if I made the argument that a CO needed to be a renaissance person that would be hyperbolic. I don't want to overstate the case.


Our article this month is entitled: Security Reminders

This seemingly rather basic Security Control rarely gets implemented, and when it does, it's done in a manner that is either trite or overwhelming, neither of which makes it actionable for your Workforce. First, let's clear up (again) a myth about what an "Addressable" Control means. One bright-line rule that you can take to the bank is that it doesn't mean optional! In plain English, an Addressable Control under the Security Rule means: (1) that you must implement the Control as stated in the Rule; or (2) that you must implement a suitable alternative for an organization of your size, sophistication, resources, etc.; or (3) that you must document a compelling rationale for why you decided to do nothing. Simply ignoring an Addressable Control is likely to get you a "willful neglect" fine, which starts at $50K a pop (ouch).

Our article this month is entitled: Business Partner Vetting Challenges

Business Partner Vetting ("BPV") is a process designed to help your organization get "satisfactory assurances" from business partners ("Partners") pursuant to the state of compliance of their cybersecurity programs. The overarching purpose is to ensure that your sensitive data is being protected as expected and required. Many compliance regimes mandate that certain data be protected by your Partners (e.g. GDPR with Processors, HIPAA with Business Associates (including Business Associates of Business Associates), and Part 2 with Lawful Holders). 

Our article this month is entitled: Information System Review Challenges

HIPAA's Information System Activity Review implementation specification (i.e. "Security Control") is one of the most insidious yet seemingly innocuous Security Controls that most covered entities ("CEs") and business associates ("BAs"), even the largest ones, do not implement and execute in a sufficiently rigorous and sophisticated way. This Standard is arguably the most important of all the Security Rule's standards.

Our article this month is entitled: A Deeper Dive into 42 CFR Part 2 

Title 42 of CFR Part 2 was first promulgated in 1975 during the Nixon Administration (40 FR 27802) and last substantively updated in 1987 (52 FR 21796). The authorizing statute, Title 42, United States Code (U.S.C.) 290dd-2, protects the confidentiality of records containing the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse (now referred to as substance use disorder, "SUD") education, prevention, training, treatment, rehabilitation, or research.

Our article this month is entitled: The Self-Audit Process

HIPAA self-audits provide a preview of the policies, procedures, standards, and practices of a Covered Entity ("CE") or Business Associate ("BA"). CEs and BAs include individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a variety of business associates of these entities. Self-Audits prepare organizations to avoid the "bad day" when (not if) a HIPAA audit arrives due to a Breach.

Our article this month is entitled: HHS' Reduction in Enforcement Penalties

HHS' recent announcement of a reduction in penalties for HIPAA non-compliance is much ado about nothing. In part, this is true because HHS has stopped enforcing HIPAA in any meaningful way other than when a Breach is reported. Once you have a Breach, the costs of notification will likely exceed the civil monetary penalty ("CMP") imposed by OCR based on whatever violations it finds. So, Breach Notification remains the 800-pound enforcement gorilla and, for all intents and purposes, the real non-compliance liability that covered entities and business associates have to worry about. Further, as discussed below, the maximum penalties set forth were for "identical violations" and, as far as we can tell, that has not changed.

Our article this month is entitled: Ten (10) Magic Security Controls

The "magic" in these controls is that they apply to almost every conceivable compliance regime you can think of, for example HIPAA, GDPR, PCI DSS, etc. They are cybersecurity 101 controls, and when fully and rigorously implemented they will dramatically improve cybersecurity compliance across your organization. Given the tools that are now available, these controls are nowhere near as burdensome or expensive as they were even a few short years ago. For example, two-factor authentication, as discussed below, is a "no-brainer" because almost universally everyone has a smartphone these days.

March 2019

Our article this month is entitled: The Importance of Taxonomies

What is a Taxonomy? The importance of taxonomies in any knowledge-based work cannot be overstated. This, of course, includes all documents/artifacts that must be created/managed/maintained/disposed of when launching/evolving a HIPAA compliance initiative ("HCI"), or when doing the same with respect to any other regulatory regime. A taxonomy, for our purposes, is nothing more than a structured way of naming folders and sub-folders and the files contained within them. For example, "taxonomy aware litigators" almost always create the same folder/sub-folder structure for every piece of litigation that they handle.

Our article this month is entitled: 42 CFR Sections A-D

The regulations associated with 42 CFR Sections A-D ("42 CFR") are a set of sloppily written and needlessly confusing regulations, for obvious reasons. The statutory authority for these regulations reads as follows:

The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3.

For our purposes, suffice it to say that these regulations relate to Drug Abuse Prevention, Treatment, and Rehabilitation. They are like HIPAA "on steroids" for PHI under the control of government-assisted programs that help patients recover from drug abuse.

Our article this month is entitled: Privacy by Design and Privacy by Default

The need for Privacy has been a long time coming, and many knowledgeable observers felt that it was likely inevitable, although probably not in 2019. Why? Because outside of HIPAA, which only protects a patient's personal information, the U.S. does not have a national privacy law that protects personally identifiable information ("PII") generally. A new federal law would do exactly that. What impact would a new law protecting PII have on HIPAA? Well, at first maybe nothing at all; laws move slowly.

December 2018

There was no Newsletter for December 2018. 

November 2018

Our article this month is entitled: A Recommended Approach for your HIPAA Compliance Repository

HIPAA regulations require that documentation is produced to demonstrate compliance. Generally, documentation is developed for policies, procedures and tracking mechanisms that demonstrate a Covered Entity ("CE") or Business Associate ("BA") is following HIPAA requirements. The ability to show your VDE (Visible Demonstrable Evidence) of compliance demands a stored copy of your VDE containing appropriate signature approval(s) by your Compliance Officer(s) where applicable. So, the question is "Where do you keep this growing mountain of information?" That's our topic this month: A Recommended Approach for your HIPAA Compliance Repository.

October 2018

Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World - Part 2

In last month's newsletter, we covered what we consider to be the basics of microlearning from our perspective. However, our webinar introduced the idea of search as a foundational building block for a micro-learning strategy, and I want to take the opportunity to elaborate on that a little this month. First, humans have a primal fear of being lost. The ability to venture forth and find our way back has been essential to our survival for millions of years. The sense of panic that envelops us when our innate navigation system fails is palpable.


September 2018

Our article this month is entitled: HIPAA Education: Learning HIPAA in an Attention Deficit Digital World!

Universally, employees complain about not having enough training, or the right training, in just about any subject matter domain you can name. HIPAA is no different. We know! We have literally trained thousands of customers in HIPAA over the last 10 years, including most of our competitors. Having said that, we still get the same comments: (1) it's too legalistic; (2) it's not "dumbed down" enough; (3) it's more for compliance officers than for clinicians; (4) it's too long, etc. Are these customers right? Yes and no. Why? Because it's impossible to design comprehensive training in a manner that will be best, or even satisfactorily, suited for all audiences.


August 2018

Our article this month is entitled: HIPAA Education: How much training is enough?

Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI").


July 2018

Our article this month is entitled: HIPAA Threat Categories Rationalized: Managing Millions of Threat Vectors is Madness

If you peruse IBM's X-Force Exchange and realize the number of Threat Vectors that exist in the wild, you would soon despair of ever producing a rigorous Risk Assessment. However, there is no need to despair because these millions of vectors can be organized into Threat Categories that effectively rationalize the space. This does not mean that IBM's research is not necessary, quite the opposite, sooner or later you will need to have enough detail on a particular vector to implement a Control that "plugs it."


June 2018

Our article this month is entitled: Selecting a Compliance Vendor: Why 360 Degree Support Matters

In today's world of evolving regulatory matters, we often find ourselves buried under the weight of regulatory compliance initiatives. If compliance isn't the primary purpose of your workday, then it really becomes a burden of significant magnitude.
First, one must learn what the regulations are saying, which often is accomplished by reading the regulations over and over, ultimately giving up and asking a competent lawyer/consultant. I've heard the saying that although the law looks like English, and it sounds like English, it's NOT English. I can't help but wonder if they (the lawyers) planned it that way to warrant their existence.

May 2018

Our article this month is entitled: The Challenge of Dealing with Multiple Compliance Regimes

A couple of months back we wrote about Information Governance ("IG"); this month we want to introduce the concept of the Compliance Stack™ and the role it plays in dealing with multiple compliance regimes ("Regimes"). The March article barely scratched the surface of IG. The reality is that a Ph.D. dissertation would likely not do this topic justice. We will continue to explore IG in the coming months; however here we want to discuss the Compliance Stack™ ("the Stack™" or "Stack™") as a framework for understanding the complexity that organizations face when confronted with multiple regulatory Regimes.

April 2018

Our article this month is entitled: HIPAA: A Decade from the HITECH Act

So, we wanted to take this opportunity to review the "state of HIPAA" a decade from the HITECH Act. Anyone remember the HITECH Act? Specifically, we wanted to attempt to answer, "Whether HIPAA remains a paper tiger?" The short answer to this question is a lawyer's favorite answer, "maybe, it depends."
The lawyer's answer requires more analysis but it's uncertain whether said analysis provides additional clarity. In fact, we argue that it doesn't, but will proceed nonetheless. First, to the extent that Breach Notification has become the 800-pound gorilla of HIPAA enforcement, it's quite clear that the latter has indeed been a game changer (e.g. it's also likely to be a game changer for the EU's GDPR). 

March 2018

Our article this month is entitled: Information Governance

Information Governance ("IG") will continue to rapidly evolve as a discipline, although admittedly a currently ill-defined one, for the next fifty (50) years or so. We are drowning in our inability to manage information and the signs are everywhere we look, especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA (i.e. because HIPAA CMPs purportedly end up in HHS' coffers for more enforcement), but appear to lack the will or the know-how to dramatically impact the compliance chaos that remains a decade on from the HITECH Act.

February 2018

Our article this month is entitled: Business in the EU: The 10 Step GDPR Implementation Plan

The objective of this article is to explain GDPR Compliance in simple terms, and to provide you with guidelines and tools for implementing, refining and measuring policies and procedures. The GDPR is even more vague and descriptive than HIPAA. Although HIPAA does not provide covered entities and business associates "how to" guidance, it does a good job of describing the "what" at a reasonable level of detail. You're out of luck with the GDPR. Lawyers have to extrapolate best practices by reading "between the lines," because what is there is written at such a high level that it will drive lawyers, consultants, compliance officers and laypersons nuts trying to decipher it.

January 2018

Our article this month is entitled: You Have Performed a Risk Analysis-That's Nice!

An entire cottage industry and ecosystem has quickly emerged to provide risk analysis ("RA") services to covered entities ("CE") and business associates ("BA"). Sometimes this takes the form of just software, other times it is software plus professional services, and sometimes it is pure professional services. Price points for these services vary widely, between approximately $2,500.00 and $30,000.00 USD. RAs are so foundational to a HIPAA Security Rule ("SR") implementation that not having one likely places a CE or BA in willful neglect. No organization wants to be in willful neglect land because that's where the penalties start at $50K per identical violation. So, the emphasis on RAs is justified. Full stop!

December 2017

Our article this month is entitled: Breaches Happen: the Tsunami's Largest Waves Await!

We tend not to notice, or are unwilling to notice, threats that rise gradually which result in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make frontpage news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter, but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.

November 2017

Our article this month is entitled: Breach Notification: STILL the 800 LB Gorilla!

This month's article uses the metaphor from the Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the system approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."

October 2017

Our article this month is entitled: Breach Response Plan Key Components (Cont.) 

This is Part 2 of a 2-Part Article. Part 1 is located here. In this Part we provide a high-level introduction to what each team's responsibilities are during a Breach Response. Remember, in any Breach Response you are working with a team of teams. Also, recall why we believe a tech savvy law firm ("TSLF") should function as the general manager ("GM") of this team of teams. We will expand on this proposition herein as well. We have inserted the Definitions section below, as it should prove useful once again for the topics covered in this 2-Part Article.

September 2017

Our article this month is entitled: Breach Response Plan Key Components

This breach response article is designed to help stakeholders (i.e. organizations of all sizes experiencing a breach) understand the requirements of various federal, state and private regulatory regimes. HIPAA is simply one example. After WannaCry and Petya, organizations are starting to realize that it's not a question of "if" they will experience an attack that leads to a breach but simply "when."

August 2017

Our article this month is entitled: Comparing HIPAA and PCIDSS Compliance?

This article compares the HIPAA and PCIDSS compliance regimes. Although as discussed herein there are indeed technical similarities between the two, analogous to the functional similarities between the HIPAA Security Rule controls (i.e. implementation specifications) and the CSC Controls, the two are fundamentally unique and distinct compliance regimes controlled by different kinds of law.

July 2017

Our article this month is entitled: HIPAA Security is Cybersecurity (sort of)!

This article argues that there has never been any meaningful distinction between Cybersecurity and HIPAA Security from a technical perspective; however, from a legal perspective, each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call."

June 2017

Our article this month is entitled: WannaCry - PostMortem Lessons Learned 

WannaCry was the "shot heard round the world!" It dominated local, national, and international "news cycles" for several days. We are now more than a few weeks from the event and the public is still learning about additional infections. HHS responded to the blitzkrieg by publishing a recurring set of announcements providing mitigation strategies for the healthcare industry. Why? We suspect that HHS knows, as do the rest of us, that we have been fishing out of this pond for a while and the healthcare masses were (and remain) woefully unprepared for this kind of event.

May 2017

Our article this month is entitled: Culture of Compliance: The Importance of Methodology

HHS has once again provided guidance on the importance of having a methodology to develop, implement, and maintain a comprehensive compliance program ("Program"). The objective of your HIPAA compliance initiative ("HCI") should be to build your Program over time, especially if you are interested in establishing a "Culture of Compliance!"  

April 2017

Our article this month is entitled: HIPAA OCR Enforcement under Trump?

The entire premise of this article is that HIPAA and Cybersecurity ("CS") are one and the same. The reason we believe this premise is true will be elaborated upon during the remainder of this article but the foundation rests upon the fact that the HIPAA Privacy Rule ("PR"), Security Rule ("SR"), and Breach Notification Rules ("BNR") (collectively "the Rules" or "Rules") are foundational components of CS. Through force of law only covered entities and business associates are required to comply with the Rules. However, either through new law, or vis-à-vis industry enforced compliance regimes, something akin to the Rules will be required of every significant industry you can think of.

March 2017

Our article this month is entitled: Showing HHS Visible, Demonstrable, Evidence to HHS.

This article will address the kinds of visible, demonstrable, evidence ("VDE") that your organization should be prepared to show HHS during an audit. It will also discuss what a business associate ("BA") should be prepared to show a covered entity ("CE") when the former is asked by the latter to show proof of compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a CE (respectively "Requestor"). However, what is shown to a Requestor could also vary widely as discussed herein.

February 2017

Our article this month is entitled: Reviewing "Audit Controls" under the Security Rule.

In January 2017 HHS issued guidance regarding "Audit Controls" under the Security Rule ("SR") by stating, among other things, the following:  "[c]overed Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails." HHS specifically references one of the Technical Safeguards, specifically §164.312(b). However, curiously (or maybe not depending on your perspective) the latter is a SR "Standard" that has NO implementation specification associated with it. In short, you are even more on your own than usual when it comes to interpreting how you should comply with this requirement.

January 2017

Our article this month is entitled: A Compliance Manifesto.

We have educated thousands of stakeholders pursuant to the HIPAA Rules through our monthly webinars and newsletters during the past seven years. We intend to educate many thousands more in the years to come. During that time our own understanding of the Rules has also increased dramatically from our interaction with the marketplace. Through this collaborative effort a great many insights have been added to the HIPAA lexicon. These insights and lessons learned apply not only to HIPAA but to any compliance regime you can think of. Therefore, the Manifesto provided herein should have wide applicability across industries and subject matter domains.

December 2016

Our article this month is entitled: Exploring HIPAA Phishing Schemes.

You may think that mostly uneducated and unsophisticated users of information technology fall into these traps, but you would be wrong. For example, thousands of lawyers are targeted every day with emails from Asia purporting to have some contractual business that they require legal assistance with. If you are a hungry lawyer (and given the disruption that is occurring in the legal industry there are LOTS of them) then your own pecuniary interests blind you to the fact that business people generally do not randomly select a lawyer from the Internet (the odds of that being legitimate approximate the odds of winning the lotto).

November 2016

Our article this month is entitled: Selecting Risk Assessment Software.

Risk Assessment ("RA") software is a type of "process ware" that should encompass an industry standard methodology for conducting RAs. In the healthcare space there is no de jure standard for conducting a Risk Assessment; however, a de facto standard has emerged in the form of NIST SP800-30 Rev.1 ("Standard"). NIST is the federal government agency responsible for providing cybersecurity advice to all U.S. government agencies, and what NIST recommends is the aforementioned Standard. With respect to HIPAA, this Standard is only a recommendation. Covered entities ("CEs") and business associates ("BAs") are free to choose their own methodologies for achieving the same objective. However, it would be both misleading and misguided to suggest that CEs and BAs may select any arbitrary methodology as a substitute for the Standard. In short, if OCR is recommending a particular Standard, then any substitute that is as good as or better than the Standard is likely to meet the "reasonable and appropriate" requirement of the Security Rule; all others are likely to fall far short.

October 2016

Our article this month is entitled: Breach Notification Rule Audit Requirements Phase II Protocol.

In this prior post, we discussed what the Breach Notification Rule's ("Rule") Audit Protocol requirement was with the Phase I protocol. The Phase II protocol ostensibly adds one more requirement to the Rule, which we highlight below, BUT the significant difference is the language that HHS now uses with respect to what they are demanding for each requirement. Their demands are more detailed and onerous. This language, we believe, was intended to send a message to the marketplace that the game has changed. Below we review each requirement and its new language. Unfortunately, in some cases, HHS also changed what it named an individual protocol; however, the statutory reference remained the same. We use the statutory reference as a guide to illustrate the changes. Everything new will be in blue to highlight the differences. The name of the new protocol will be in "blue bold" and underlined. As you will see, there are multiple protocols per statutory reference in several cases.

September 2016

Our article this month is entitled: Why HIPAA Compliance is a Continuous Improvement Project?

By now you may have realized that HIPAA compliance is not a "one and done" proposition. For a HIPAA compliance initiative to be effective, it must be Agile. Agile describes a set of principles for development wherein requirements and solutions evolve over time. To evolve means to change. Agile started out as a software development methodology. However, it has moved into a host of other disciplines including marketing, business planning, product launches, etc. It is a methodology that has also been embraced in other compliance spaces. For example, the US Sentencing Commission Guidelines on sentencing organizations identify the requirements of an Effective Compliance and Ethics Program to include, among other things:

August 2016

Our article this month is entitled: Introducing Expresso®.

What is Expresso®? Expresso® is a software-as-a-service ("SaaS") that embodies the National Institute of Standards and Technology ("NIST") seven (7) step process for performing Risk Assessments. Expresso® comes pre-populated with (T)hreats, (V)ulnerabilities, and potential business (I)mpacts to your organization, making the calculation of (R)isks easier than the tedious process that our competitors offer. In addition to pre-populating Threats, Vulnerabilities and Impacts, Expresso® comes pre-populated with Controls that cover all Security Rule implementation specifications. Expresso® also allows you to modify all pre-populated data in a manner that best fits your organization.

July 2016

Our article this month is entitled: Dissecting a HIPAA Risk.

This article discusses how HIPAA Security Rule Risks ("Risks") can be categorized and dissected. In previous articles we have focused on Risk Assessments which, generally speaking, require an organization to identify Risks and subsequently identify the controls ("Controls") required to mitigate Risks to levels that are "reasonable and appropriate." This article assumes that you already understand the basic Risk Assessment process and focuses on a more granular examination of the component parts of a Risk.

June 2016

Our article this month is entitled: Ransomware: Rationalizing Risk Assessments.

A Risk Assessment is a process by which an Organization identifies the following: (1) Threats to the Organization (i.e. to its Operations, Assets, or Individuals); (2) Vulnerabilities internal and external to the Organization; (3) The harm (i.e. adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and (4) The Risk associated with a specific Threat, Vulnerability and Impact combination.

May 2016

Our article this month is entitled: Ransomware: The Rising Trend in Computer Scams.

"How much is your data worth to you?" is a question that cyber criminals have been making millions from. Ransomware is a variety of malware that holds your digital information (or assets) hostage and demands payment for release. This activity has seen a rise in popularity in the past few years and made headlines around the globe.

April 2016

Our article this month is entitled: The Network Perimeter is Kaput!

It is difficult (as in damn near useless) to write an article about reducing the "dwell time" for an industry such as healthcare that, seemingly on a daily basis, continues to let "laptops with ePHI" walk out the door completely unencrypted. I am convinced that it is a perfect storm of ignorance, arrogance, chutzpah, and a lack of resources that has kept healthcare in the dark ages with respect to privacy and security. You often hear "we save lives around here" and "we don't have C-Suite time to focus on the agenda of 'tree huggers,' HIPAA consultants and lawyers," until of course there's a major breach, at which time bandwidth and money materialize out of thin air.

March 2016

Our article this month is entitled: Revisiting BYOD & Security of Mobile Devices.

It has been about three years since we last wrote about BYOD. During that time all of our predictions have certainly come true and then some. Further, there has been no shortage of lost or stolen devices to confirm our hypothesis that BYOD would wreak havoc in the healthcare workplace (i.e. vis-a-vis potential breaches of PHI). In this article we want to be more proactive by actually proposing a reasonable, low cost, high value add, (partial) solution to the problem.

February 2016

Our article this month is entitled: Why Are Risk Assessments so hard?

Risk Assessments ("RAs") are so difficult to do that it is hard knowing where to start. However, let's start with the requirement as it is contained in the HIPAA Security Rule: Risk analysis (Required): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

January 2016

Our article this month is entitled: HIPAA Documentation: More than you ever wanted to know!

You might think that compliance with HIPAA is mostly about documentation. If so, you would be partly correct, but you would be missing the big picture entirely. There is a significant amount of documentation required to comply with HIPAA because the Rules (Privacy, Security, and Breach Notification) require an organization to perform a significant number of tasks. It is recording the performance of these tasks that drives the majority of HIPAA documentation.

December 2015

Our article this month is entitled: What Triggers Breach Notification?

You might think that the answer to that question is relatively straightforward but, like most things HIPAA, you would be wrong. To answer that question you need to apply a three-step analytical framework contained within the Rules but not presented in a manner readily understood even by most compliance officers. In this article we will "demystify" the framework, but don't get lulled into a false sense of "OK, I got this" because the real world application of the framework is far more challenging than what it looks like "in the lab."

November 2015

Our article this month is entitled: What HIPAA Training Does My Staff Require?

Training is a topic that often comes up during our webinars or in inquiries to our customer service department. It is not an easy question to answer in the abstract because the answer is highly dependent on the characteristics of an individual organization. Part of the answer, however, is that your old "feel good" and largely "dumbed down" training is not sufficient post HITECH. The HITECH Act changed the game for everyone and now all your workforce needs to acquire a higher degree of HIPAA literacy if you hope to build HIPAA compliance into your organization's DNA (i.e. into day-to-day workflows and processes). In our view, if you do not succeed in building compliance into your DNA you have little hope of ever establishing a culture of compliance, something the HHS is auditing for, despite the fact that this requirement is not expressly captured in HHS' Audit Protocol.

October 2015

Our article this month is entitled: Business Associates Everywhere.

We have written about business associates on previous occasions, notably here and here. If you want to get grounded in business associate basics we encourage you to peruse the previous links. This article focuses on the business associates as software vendors and the issues presented by this relationship from the perspective of the business associate.

September 2015

Our article this month is entitled: Tracking your HIPAA Compliance Initiative.

We often write about the need to track your HIPAA compliance initiative at the granularity level of a requirement. Now with our FREELY available Scorecards you can do exactly that. However, to understand how to use our Scorecards you must first understand that we tie HIPAA compliance requirements to Checklist Items. And so that begs the question(s), from our perspective, what is a checklist generally and what are checklist items?

August 2015

Our article this month is entitled: Launch your HIPAA Initiative in 10 Steps...

Notice that the title of this article does not say 10 easy steps. Also notice that the title states "Launch" (not "Complete") your initiative. You will certainly have made significant progress at the end of these 10 Steps but in no way do we mean to imply that you will be done. Clearly you won't be. However, if you are a long-time reader you know that we assert, every chance we get, that you will never be done with your HIPAA initiative because, by definition, it is an ongoing process. Also, for the sake of transparency, we use our Agile Methodology Project Plans to describe the 10 steps. That said, these 10 steps are written generally so as to apply no matter what purchased or "home grown" tool sets you may be using.

July 2015

Our article this month is entitled: Breach Notification Rule Audit Requirements...

The HHS Audit Protocol for the Breach Notification Rule is kind of an odd bird. First of all, it is very short compared to its importance in the grand scheme of things in the HIPAA universe (only 10 requirements). Second, it is more about "things" that you should be prepared to do rather than "things" you are (or should be) currently doing. If you look at HHS' Audit Protocol for sections 164.404 through 164.414 you will notice that the "protocol" doesn't do much more than repeat what is contained in the regulations AND, in addition, it provides for certain "inquiries." Now, to be sure, the entire HHS Audit Protocol follows this format, but in the case of the Breach Notification Rule the inquiries are about an "eventuality" that may never occur.

June 2015

Our article this month is entitled: Conducting a Risk Assessment...

Conducting an effective Risk Assessment is a daunting task no matter how often you may have done it. However, if it's your first time then your anxiety level is likely to be an order of magnitude higher. Although what we are going to discuss in the article is not a magic elixir for reducing your anxiety, it may help you to put things in proper perspective. The silver bullet in a nutshell is that there is "no such thing as a perfect Risk Assessment" and there is no compliance requirement for one. The objective is not perfection, but rather the objective is to establish a baseline that you can continue to improve on over time.

May 2015

Our article this month is entitled: Business Associates Basics...

Five years out from the promulgation of the HITECH Act, business associates are still struggling with what the Act requires of them under the modified HIPAA regulations. Although under the Omnibus Rule it should be clear that a business associate ("BA") must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule, it is the requirements of the Security Rule ("SR") that bedevil BAs the most.

Broadly speaking, the SR requires that a BA implement three types of safeguards: (1) administrative, (2) physical, and (3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the Privacy Rule ("PR"). That said, creating the necessary SR documentation will likely prove significantly more "vexing" than its PR counterpart, especially for a smaller BA.

April 2015

Our article this month is entitled: The HIPAA Privacy Rule: Ignore it at your own peril...

With the promulgation of the HITECH Act, meaningful use, breach notification, and increased HIPAA violation fines, it appears that the HIPAA Security Rule ("SR") has taken all of the oxygen out of the room, and rightfully so. The SR had largely been neglected for all of those years that the healthcare industry remained on paper. After HITECH and the mass movement to EHRs, it could no longer be ignored. All of a sudden Risk Assessments, encryption, and a host of other SR topics dominated the conversation. In the "rush" to comply with the SR, many organizations have neglected the Privacy Rule ("PR") because, after all, most of these organizations felt (or had been told by their compliance officers) that they had long since achieved full compliance with the PR. It was the SR that required all their attention. This article explores various components of the PR and why organizations, despite their protestations to the contrary, are not even close to full compliance with the PR.

March 2015

Our article this month is entitled: Post Anthem: the more things change...

Unless you have been asleep at the wheel for the last couple of weeks we are certain that you have heard the buzz surrounding the Anthem breach. The sheer magnitude of this breach has made it impossible to ignore. There can be no doubt that the HIPAA (post HITECH) awareness level is now "off the charts." However, what we want to explore in this article are the changes that are likely to occur "on the ground" as a result of Anthem (i.e. increased funding for, and acceleration of, HIPAA compliance initiatives).

February 2015

Our article this month is entitled: HIPAA Audits: What's All the Fuss About?

The HIPAA audits are on; no they are off; wait they are back on again; repeat and rinse. For most of the healthcare industry this "wringing of hands and gnashing of the teeth" is entirely futile for a number of reasons: (1) your chances of getting audited (i.e. as opposed to experiencing a major breach or having a patient complaint lead to a finding of "willful neglect") are quite small; and (2) most of the industry will be ill-prepared for audits no matter when they come. In any case the best use of your time is to improve the quality of your HIPAA initiative rather than spending time worrying about the machinations of the HHS in Washington, D.C. The latter is an insiders' game at best, and even then the consensus wisdom of the insiders is often wrong. In short, good luck trying to predict when a specific government agency will take action.

January 2015

Our article this month is entitled: HIPAA Lawsuits: A Defacto Right of Individuals to Bring Suit.

This article discusses HIPAA related lawsuits and why we may see an explosion of one particular category of HIPAA lawsuits in the next few years. In general, there are four categories of suits that can be thought of as "HIPAA related:" (1) an action by HHS to enforce sanctions for violations (i.e. in the rare case where a covered entity ("CE") or business associate ("BA") does not settle); (2) an action brought by a state attorney general on behalf of the citizens of a state (i.e. as provided for in HITECH Act Section 13410); (3) a private "class action" suit brought under some state law theory (usually state breach notification law or negligence); and (4) an action brought by a single individual under a state law theory of negligence.

December 2014

Our article this month is entitled: 2014: The Year Privacy & Security Took Center Stage.

In 1996 when HIPAA was first enacted into law we are quite certain that it was viewed as somewhat of a regulatory oddity. It was the first time that protected health information ("PHI") had been regulated under federal law in any significant way. The Privacy & Security Rules, other than the changes introduced by the HITECH Act, were largely as they exist in current form. Of course back then the healthcare industry was still using 19th century administrative procedures (e.g. electronic health records were not yet a glimmer in a Chief Medical Officer's eye) and so the Security Rule, which dealt exclusively with ePHI, could mostly be ignored.

November 2014

Our article this month is entitled: The Case for Cyber Liability Insurance.

What is Cyber Liability Insurance? As it turns out, this is not a simple question to answer. It means different things to different organizations. One thing is clear, whatever is covered under cyber-liability insurance is almost certainly not covered under an organization's general liability, errors and omissions, or malpractice policies.

October 2014

Our article this month is entitled: Healthcare's Evolving Threat Landscape: a New Vocabulary is NOT required!

The hacking of Community Health Systems and the theft of 4.5 million records containing ePHI has sent a shockwave through the HIPAA compliance community. Many high profile executives are now calling for a change from a "compliance strategy" to a "risk management strategy." What these executives mean is that it is not enough to simply comply with the regulations, but rather, that organizations need to proactively manage (read anticipate) risks in order to effectively reduce the legal liability and other harm that results from a significant breach. However, as discussed in this article, compliance and risk management are not mutually exclusive concepts. In fact, if your organization does not include the latter in the former, then you have been doing it wrong all along. The intent of the HIPAA regulations is not to achieve compliance, but rather to "force" healthcare organizations to more effectively manage risks.

September 2014

Our article this month is entitled: HIPAA Audits: Why all the Mystery?

This article discusses what to expect during a HIPAA audit. For the longest time HIPAA compliance professionals have approached a "HIPAA Audit" as if it were some kind of mysterious exercise, where only a few "high priests" were actually in the know. Prior to the HITECH Act (i.e. at a time when HIPAA Audits were not mandatory), there was the now famous article about the forty-two (42) questions that you might be asked during a HIPAA Audit (i.e. that purportedly enlightened the "unwashed masses" as to what you should really expect during this secret ritual).

August 2014

Our article this month is entitled: HIPAA Data Retention: a Common Sense Approach!

This article discusses how a covered entity or business associate can establish a practical HIPAA Data Retention Program ("DRP") that satisfies HIPAA's data retention requirements as well as those requirements based on other "Record Types" (e.g. accounting, tax, corporate, employment, etc.). A well defined DRP not only helps your organization comply with applicable law, it has the potential of dramatically reducing litigation costs when the inevitable lawsuit occurs.

July 2014

Our article this month is entitled: HIPAA Business Continuity: a Common Sense Approach.

This article discusses Business Continuity requirements under the HIPAA Security Rule ("SR"), which pertains to all of a covered entity's ("CE") or business associate's ("BA") electronic protected health information ("ePHI").

June 2014

Our article this month is entitled: Measuring HIPAA Compliance?

Let's assume, for the purposes of this article, that you are the compliance officer for your organization. Further, let's assume that for the good of the organization (and your own job) you have decided that it is high time you have that dreaded conversation with your boss regarding HITECH / HIPAA compliance, and how the organization could be found in "willful neglect" if it doesn't update its long since outdated HIPAA compliance initiative.

May 2014

Our article this month is entitled: Exploding HIPAA Myths!

This article discusses a number of HIPAA misconceptions that keep coming back like the proverbial "bad penny." Compliance with the regulations is far from trivial; however, it is not nearly as complex or expensive as some in healthcare would have you believe. There are too many healthcare stakeholders that would rather delay, defer, or refuse to comply altogether. The industry as a whole would be far better off embracing the fact that privacy and security are now a cost of doing business, and simply get on with it.

April 2014

Our article this month is entitled: Who is enforcing PHI laws?

Recent enforcement actions by the FTC and Secret Service have called into question which government agencies, including state agencies, are responsible for enforcing laws related to protected health information ("PHI"). Certainly, from a federal government perspective, the Department of Health and Human Services ("HHS") has long been recognized as the enforcer of the HIPAA Regulations. The FTC, on the other hand, has long had the responsibility for enforcing laws related to personally identifiable information ("PII") under the Federal Trade Commission Act of 1914, and its corresponding regulations, which are focused on protection of consumer data.

March 2014

Our article this month is entitled: HIPAA Accounting 4 Disclosures: Reading the Tea Leaves

This article discusses a HITECH Act compliance ticking time bomb known as "Accounting of Disclosures" of PHI and that we prefer to call "Accounting for Disclosures" of PHI or "A4D" for short. Specifically, this article focuses on the "As Is" state of A4D as embodied in Privacy Rule section 164.528 and the implications of HITECH Act section 13405(c) on HHS' proposed A4D rule. HHS' proposed rule has been hotly debated and is long past due in its final form.

February 2014

Our article this month is entitled: The Case for Near Real-Time Risk Analysis?

This article explores why more and more covered entities ("CEs") and business associates ("BAs") may be forced to do a greater number of Risk Assessments per year than first anticipated. The Security Rule generally indicates that a Risk Assessment ("RA") must be done "as required" (e.g. when your operational environment changes OR if, as a practical matter, your organization has never actually done an RA and it is trying to comply with Meaningful Use objectives).

January 2014

This month's featured article is entitled: Why 2014 will be the Year of Agile Compliance?

This article defines Agile Compliance and provides the rationale behind why this approach will likely become the dominant compliance methodology in 2014 and beyond. The article also discusses the problems that Agile Compliance solves more effectively than linear methodologies and why your existing HIPAA compliance methodology may be DOA.

December 2013

This month's featured article is entitled: Launching a HIPAA Risk Management Compliance Program.

This article discusses the Security Rule's ("SR") requirement for establishing a Risk Management compliance program. Risk Management is the process used to identify and implement security measures to reduce risk to reasonable and appropriate levels within your organization. It is based on your organization's unique operational environment.

November 2013

This month's featured article is entitled: Risk Assessments: A Foundational Methodology.

This article will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a critical Implementation Specification of the HIPAA Security Rule. It is also the topic of our next Webinar.

October 2013

This month's featured article is entitled: HIPAA 2.0: No More Fill in the Blanks Compliance!

The September 23, 2013 Omnibus Rule deadline has come and gone, but no worries because many of you have filled in the blanks of your new set of templates and are good to go. Right? Wrong!

First, it is likely that many of you don't understand the templates that you have carefully modified with your organization's "name, rank, and serial number." Second, the vast majority of you probably don't have any organizational processes in place to underpin your policies (i.e. your templates). And finally, almost no one has effective tracking mechanisms in place to track process results. In short, your organization may be a long way from being able to show visible, demonstrable evidence of compliance.

September 2013

This month's featured article is entitled: Impact of the HIPAA Omnibus Rule: Reading the Tea Leaves?

We have written about the Omnibus Rule ("Rule") on numerous occasions, most recently here and here. However, this month's article will focus less on the specific contents of the Rule and more on the impact it is likely to have on the healthcare industry going forward. The implementation date of the final rule (i.e. September 23, 2013) is fast approaching and yet many within the healthcare industry remain befuddled as to what this implementation date portends.

August 2013

Our article this month is entitled: HIPAA Security: What's the essence of the Rule?

The Security Rule ("SR") is a set of regulations which requires that your Organization identify Risks, mitigate Risks, and monitor Risks over time in order to ensure the Confidentiality, Integrity, and Availability of your Organization's ePHI. That's it. This article is intended to provide you the basic concepts that help you understand, engage, and ultimately master the details.

July 2013

Our article this month is entitled: Cyberwar: The Real Reason This is Not Your Daddy's HIPAA.

This article provides insight as to why HIPAA has grown in importance for a host of reasons that are not directly linked to the HITECH Act. Yes, the HITECH Act was (and is) a transformative piece of legislation, and four years out the healthcare industry is still struggling to comply. The latter condition has more to do with compliance budgets lacking the wherewithal to get the job done than any inherent complexity in the new statute and regulations. Although, to be sure, there is no shortage of complexity.

June 2013

Our article this month is entitled: The HHS Omnibus Rule: HIPAA Myth Making Continues.

This article provides insight as to why HIPAA myths continue to perpetuate and what you can do to ensure that you are getting quality guidance. It is somewhat surprising that a law, and a corresponding set of regulations, that have been around for so long remain so widely misunderstood. To an outsider looking in for the first time it is likely far from obvious why the healthcare industry lags in privacy and security compliance (e.g. vis-a-vis other industries such as financial services) despite the fact that privacy and security are now "front and center" national security issues. Why such an enormous disconnect in best practices across industries?

May 2013

Our article this month is entitled: A Business Associate Just Notified You of a Serious Breach: What now?

This article provides guidance on what to expect, and what you should do, once a Business Associate has notified you of a breach. By now, you should already have a plan in place that helps you respond to this dreaded predicament. However, we know from experience that many of you don't, and even if you do, read on; you may learn something new.

April 2013

The featured article this month is entitled: Big Data is the New Oil: Can the healthcare industry leverage it?

Big Data is the latest buzzword sweeping the healthcare industry and, like so many others that have recently preceded it (e.g. EHRs, social media, mobile, telemedicine, cloud computing, etc.), promises to be "transformative."

March 2013

The featured article this month is entitled: HIPAA Cloud Storage: Why Microsoft's Office 365 Announcement is a Big Deal?

The reluctance of "big name" cloud storage vendors (e.g. Amazon, Google, and almost every other market participant that we are aware of) to enter into a Business Associate Agreement ("BAA") with a covered entity ("CE") or a business associate ("BA") certainly has put a damper on the healthcare industry's move to the public cloud. Any PHI stored on any vendor's cloud offering requires a BAA. Without one, the CE or BA would be in "gross violation" of the HIPAA Rules and risk exposure to a significant fine.

February 2013

The featured article this month is entitled: HITECH/HIPAA: HHS Omnibus Rule Review.

We have argued that the HHS Omnibus Rule ("the Rule") is neither a "Tweak" nor a "Sweeping Reform." There is far too much substantive law included in the Rule for it to be characterized as the former. It also cannot be characterized as the latter. However, the HITECH Act WAS sweeping and, for the most part, the Rule is simply HITECH-izing the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule.

January 2013

The featured article this month is entitled: HITECH/HIPAA: Protecting Mobile Devices & Supporting BYOD.

The next few years are going to continue to be full of headlines in healthcare journals on the explosion of Mobile Device usage among clinical professionals and the role that these devices continue to play in major PHI data breaches.

December 2012

The featured article this month is entitled: HITECH/HIPAA: The Rise of the Engaged Patient.

Patients have always had the right to access their PHI (post HIPAA); we wrote about the Privacy Rule sections that provide for this access in our Patient's Bill of Rights post. The HITECH Act expands this access under Section 13405, now allowing for treatment, payment and operations (TPO) usages to be disclosed for the past three years as well (i.e. provided that an EHR is in use).

November 2012

The featured article this month is entitled: HITECH/HIPAA: Understanding the Public Policy Rationale.

It provides readers with a perspective on the public policy rationale that underpins the HITECH/HIPAA statutes and regulations. Its central argument is that without a well grounded understanding of the policy, many practitioners will remain lost in the weeds and unable to comprehend the essence of what is required to comply.

October 2012

The featured article this month is entitled: Business Associates: Compliance as a Marketplace Differentiator.

This article explains why, as a business associate, you have no choice other than to make the best out of the regulatory compliance hand that you have been dealt. You somehow must manage to make lemonade from lemons. If you can't, your competitors will. You can either be the "disruptor" or the "disruptee." The former is preferable.

September 2012

The featured article this month is entitled: Preparing for the Omnibus Rule: building a strong foundation.

Building a solid understanding of the HIPAA Rules, as modified by HITECH, is not an easy task; nor is it a task that can be accomplished simply by reading the "Cliff Notes." The HIPAA Survival Guide contains the full text of the Rules and we encourage readers to peruse them when necessary (and it is often necessary). However, even attorneys don't like reading pure statutory text out of context, so this article will provide a guided tour of how to launch your own education plan based on our suggestions from previous issues.

August 2012

The featured article this month is entitled: What documents must be tracked for HITECH / HIPAA compliance?

The challenges of complying with an OCR HITECH / HIPAA audit are numerous. As such, preparing for an audit can be quite overwhelming. We covered this topic in our June 2012 Newsletter. We also did a number of Blog Talk Radio shows on this topic:

Finally, we did a webinar on this topic and the slides can be found here. What we are covering in this article is another perspective on an audit, specifically the kinds of documents that you may be asked to produce.

July 2012

The featured article this month is entitled Small Providers: Avoiding a Breach Calamity! This is a guest article written by Tom Warley, CSO of Colorado Hi-Tech Solutions, a firm that specializes in helping small providers meet the challenges of implementing the HIPAA Security Rule.

The challenges of securing PHI for small providers in today's regulatory environment can be significant. There are budget constraints, personnel constraints and, for many, a fog of confusion surrounding the HIPAA Security Rule. Even though providers are familiar with HIPAA privacy, few understand the true importance of data security, much less how to attain it. Doctors are still under the illusion that HIPAA is a toothless paper tiger. Old-school doctors in particular are often unswayable in this regard. Some office managers are aware of the Security Rule but consider it a mere formality, believing that policies alone suffice for compliance or that "it's the IT guy's job." Many small providers fail to address data security at all, ignoring basic security safeguards altogether. They do so at their peril. The small provider must make the protection of PHI the single most important thing they do other than patient care itself.

June 2012

The featured article this month is entitled HIPAA Compliance: what to expect from an OCR audit?

Under Section 13411 of the HITECH Act, the Secretary "shall provide for periodic audits" to ensure compliance with the Act. It is the Office for Civil Rights ("OCR") that has the actual authority (under the Secretary) for HIPAA audits and enforcement actions. In 2011, OCR contracted with KPMG to develop an audit methodology and to conduct up to 150 audits. These audits are well underway. This article discusses what you should expect from an OCR audit.

May 2012

The featured article this month is entitled Healthcare and the Cloud Revisited: it's your data, how do you protect it?

This article explores how to protect your PHI when moving to the Cloud. It turns out that protecting your PHI on the Cloud is not only fraught with technical complexity, but with a significant amount of legal complexity as well.

We are concerned that many covered entities do not possess either the technical or legal wherewithal to adequately deal with this issue. As always, it's our mission to provide our readers "news you can use." Our objective in this article is to get you "up the curve" so that you can, at a minimum, begin to ask the right questions.

April 2012

The featured article this month is entitled Dispelling the Top Ten (10) Myths of HIPAA/HITECH Compliance.

This month's article is by guest author John 'J' Trinckes Jr., CISSP, CISM, CRISC, C-EH, NSA-IAM/IEM, CISO/EVP/Founding Partner, Mulholland Information Security.

Summary: The following are the top ten reasons (or myths) regarding HIPAA/HITECH compliance that we have heard in the healthcare industry over the past couple of years. There is no specific order in which these appear; however, I do attempt to explain the fallacy of these thought processes.

March 2012

The featured article this month is entitled HIPAA Compliance: Introducing the H2 Compliance Scorecard.

This month's article is a follow-on article to our October 2011 article entitled: HITECH / HIPAA Compliance: a checklist manifesto?

Our October article explored how:

"in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity."

In particular, it explored how checklists can be used as HITECH / HIPAA compliance tools. This month's article introduces our H2 Compliance Scorecard(sm) and how it can be used in combination with a checklist to measure compliance improvement over time.

February 2012

The featured article this month is entitled HIPAA Compliance: Preview of the HHS Omnibus Rule?

This article explores the proposed HHS Omnibus Rule. The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. It is quite evident that HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon." The full text of the OR can be found here.

January 2012

The featured article this month is entitled HIPAA Compliance: The Privacy Rule and the Patient's Bill of Rights?

This article explores the Patient's Bill of Rights ("PBR") contained within the HIPAA Privacy Rule. Although the PBR has existed since the Privacy Rule was first promulgated, changing demographics and marketplace trends will force covered entities (and in many cases business associates) to take a new look at the PBR and its implications. Recently, due to the significant movement to EHRs enabled by the HITECH Act, it is the HIPAA Security Rule that has garnered most of the attention, and rightfully so. However, the PBR may (at the end of the day) be the single biggest driver of compliance change within an organization, superseded only by changes brought on by breach notification.

December 2011

The featured article this month is entitled HIPAA Compliance: The Intersection of Privacy, Security, Mobile and Social Media?

This article explores the use of social media and mobile devices in the healthcare industry and the potential risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use; the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows CEs to differentiate their offerings in an increasingly competitive marketplace.

November 2011

The featured article this month is entitled HITECH / HIPAA: The Cost of Non-Compliance?

This article explores the cost of HITECH / HIPAA non-compliance to the healthcare industry. It will examine a number of cost factors and suggest strongly that relatively small investments in compliance could produce significant returns. It will also revisit the reasons why healthcare's compliance status quo is no longer sustainable.

October 2011

The featured article this month is entitled HITECH / HIPAA Compliance: a checklist manifesto?

This article explores how, in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity. In particular, this article explores how checklists can be used as HITECH / HIPAA compliance tools.

September 2011

The featured article this month is entitled HITECH / HIPAA and the Cloud: what are the benefits and risks?

This article explores the healthcare industry's emphatic adoption of cloud computing and the benefits and risks of moving to the cloud, including those directly related to HITECH / HIPAA Compliance.

August 2011

The featured article this month is entitled Meaningful Use: How do you verify that you are meeting the requirements?

This article addresses the kinds of information that must be tracked in order to receive your EHR incentives under the meaningful use stage 1 requirements. Clearly there is quite a bit of information that needs to be tracked, most of which will be coming from a provider's EHR system. However, the information in an EHR system is not static. Therefore, providers must capture all required information as a snapshot at a point in time in order to legally attest to meeting the HITECH Act's requirements, which is not a trivial task given the complexity of the objectives.

July 2011

The featured article this month is entitled: HIPAA Breach Notification Decision Points: when is notification triggered?.

This article addresses the kind of analysis required to decide whether breach notification is triggered under the HITECH Act for a given security incident. The bottom line is that not all security incidents trigger notification, but the wicked problem remains: how do you determine the ones that do?

June 2011

The featured article this month is entitled: Tracking Patients Using HITECH / HIPAA Compliance Software.

This article addresses features and functionality required to ensure that your organization can provide visible demonstrable evidence that it is managing patient authorizations, restrictions, incidents, and access requests according to applicable law. This article provides an overview of how our recommended best of breed HIPAA Compliance Software accomplishes these tasks. In subsequent articles we will discuss the other baseline components in greater detail.

Q2 2011

The featured article this quarter is entitled: "Must Have Features in a HITECH / HIPAA Compliance Tracking System."

This article describes the kinds of features and functionality that an organization should seek in HIPAA compliance software in order to be able to show visible, demonstrable evidence that it is serious about meeting its HITECH / HIPAA compliance obligations. We have often written about the concept that compliance is a process and that simply having policies and procedures in place, although necessary, is woefully insufficient with respect to demonstrating process due diligence over time. In short, in addition to providing assistance in the creation and management of policies and procedures, HIPAA compliance software should also allow an organization to manage its compliance processes and to demonstrate evidence that it is doing so.

Q1 2011

The featured article this quarter is entitled: "Disruption in Compliance Governance: Why the old governance model is DOA."

If you still believe that the healthcare industry has not already been disrupted more in the last year than it has in the past fifty, with more disruption on the way in 2011, then you have simply been asleep at the wheel for all of 2010. Further, we have a news flash for you: it is no longer the government that is the most active agent in the disruption business; it's that scary (or holy, depending on your point of view) thing we call "the free market" that is driving the disruption.

October 2010

The featured article this month is entitled: "Ten Steps to Selecting the Right EHR Software."

First of all, if you have been following along with this newsletter you understand that there are no ten steps (or five, pick a number) to "solving" any wicked problem (for new readers see here and here). Software selection is clearly a wicked problem and therefore does not lend itself to a linear process. The software selection problem is much more chaotic than what may be apparent on its face. Second, although an EHR implementation and your HITECH compliance initiative are closely intertwined, for reasons to be discussed in this article, we feel compelled to (once again) remind our readers that they are NOT one and the same thing.

September 2010

The featured article this month is entitled: "Healthcare for the 21st Century, it's the architecture stupid."

What is healthcare architecture? My "elevator pitch" answer to this question goes something like this: "architecture concerns itself with making sure that the various parts of a complex system (e.g. healthcare interoperability) work well together." Huh? In short, the question is not an easy, or straightforward, one to answer. We have a 2000-year history of architecture as it relates to the built world, and still the general public has only a vague understanding of its first principles. In the healthcare universe, at least with respect to anything that could be called healthcare interoperability, we have, at most, a very short history indeed (especially in the U.S.). Therefore, it should come as no surprise that even practitioners within the healthcare information technology industry are confused when the word is used.

August 2010

The featured article this month is entitled: "Compliance with HITECH / HIPAA Privacy and Security: Biomedical Device Integration (BMDI)."

This article, by Deborah Leyva, RN, Clinical Solutions Executive, at Nuvon, Inc., presents an overview of the importance of medical device integration vis-a-vis EHR ROI, and the corresponding privacy and security challenges under HITECH.

July 2010

The featured article this month is entitled: "HITECH Breach Notification Framework: an Overview."

This article presents an overview of issues that covered entities ("CE") face when confronted with a breach of PHI and its corresponding reporting requirements under HITECH. To say that the HITECH Act changes everything with respect to breach notification is not hyperbole. There were no equivalent breach notification requirements under HIPAA, and therefore HITECH introduces an entirely new regulatory regime in this regard. HITECH's breach notification requirements also have implications with respect to business associates, and with respect to the relationship between a business associate and a covered entity.

June 2010

This month's featured article is entitled: "Business Associate Contracts: HITECH Implications."

Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate's ("BA") compliance with HIPAA's Regulations was mandated only as part of the contract (see 164.504(e)(1)) with its respective Covered Entity ("CE"). Under HITECH a BA is "directly on the hook" (i.e. via statutory authority) for complying with the sections of the HIPAA Security Rule ("SR").

May 2010

This month's featured article is entitled: "Business Associates: That was then, this is now."

All business associate contracts will have certain key sections as required by the regulations. This article walks you through each key section from our perspective, highlighting issues that you should consider before entering into a binding agreement. It should be noted that these issues will obviously vary with the individual party using the agreement, and whether or not your organization is a Covered Entity ("CE") or a Business Associate ("BA").

April 2010

This month's featured article is entitled: "Change is Hard: EHR Implementations, Compliance Touch Points & Chaos Theory."

It is a "concept article" with the following introduction:

We understand that this newsletter has introduced concepts (e.g. wicked problems and agile methodologies) that may be foreign to healthcare providers. There are several reasons why we have felt compelled to do so: 1) we are bona fide geeks and can't help ourselves; and 2) more importantly, we believe that maybe (just maybe) some of our readers might benefit from our lessons learned (the hard way) in other industries.

March 2010

This month's featured article is entitled: "The HITECH Act One Year Out: Real Healthcare Reform?"

It explores where we have been under HITECH and where we are likely headed. It attempts to provide a big picture view of more than just the regulatory impact, but rather discusses the convergence of law, policy and technology as the real foundation for change. All three combined will produce unprecedented change in the healthcare industry. Why? Because these three meta-concepts are inextricably linked. Trying to understand any one of them without considering the other two is an exercise in futility.

February 2010

This month's featured article is entitled: "HHS' Interim 'Meaningful Use' Regulations (Part 2)."

It is a continuation of the guest article by Deborah Leyva, RN, BSN, contained in January's newsletter. The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. January's guest article began with a discussion of the changes made by ONC and HHS for the first Policy Priority specified by the HIT Policy Committee, covering specifications for Stage I - 2011 Meaningful Use criteria, subsequent to the announcement by ONC and HHS, on December 30th.

January 2010

This month's featured article is entitled: "The Compliance Crisis: Top Five Strategies Guaranteed to Fail."

The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. However, it is often just as useful, perhaps more so, to examine the status quo and to analyze why existing strategies will no longer work in this new regulatory environment. The article's five compliance strategies guaranteed to fail are as follows: (1) ostrich; (2) our staff's on top of it; (3) members of our legal team are compliance experts; (4) not invented here--healthcare is so different; and (5) the docs know best.

December 2009

The featured article this month is entitled: Understanding HITECH / HIPAA Risk Management Frameworks.

These frameworks are targeted to executives and others who require strategic guidance during these uncertain times. Now that the healthcare marketplace is starting to recognize the scope and magnitude of the HITECH Act, we felt it was necessary to take a step back and provide executive management teams (and other mission critical management staff) our perspective on how to move forward in a responsible and rigorous manner, especially in this highly competitive economic environment that mandates effective cost control. In short, how can an organization achieve HITECH / HIPAA compliance without breaking the bank?

November 2009

The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)."

It is the fourth in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the second of two parts that discuss "the monster."

October 2009

The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part III: Attacking the HIPAA Security Rule (Hug the Monster)."

It is the third in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the first of two parts that discuss "the monster."

September 2009

The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part II."

It is the second in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores why an EHR/HITECH/HIPAA implementation is a "wicked problem."

August 2009

The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part I."

It is the first in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article introduces key aspects of the HITECH Act and why they collectively constitute a game changer.