fbpx
Why a HIPAA Security Risk Assessment is so Important

Why a HIPAA Security Risk Assessment is so Important

Your organization’s annual HIPAA Security Risk Assessment and Analysis are only one element of the compliance process, and whether you’re a Business Associate or Covered Entity, your organization must also “implement security updates as necessary and correct identified security deficiencies”. In other words, you must act via a Corrective Action Plan (CAP) following the required risk assessment process.

Here are a few common Corrective Action Plan steps:

  • Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained.
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop a complete inventory of all its categories of electronic equipmentdata systems, and applications that contain or store ePHI, which will then be incorporated into its Risk Analysis, and must complete a Risk Management plan.

 

What happens if I fail to complete my Security Risk Assessment?

Failing to complete your annual Risk Assessment oftentimes means the organization will be required to complete a “robust” Corrective Action Plan (CAP) and often with at least two years of monitoring activity.

Have you ever doubted whether a small billing company or independent physician practice actually ever face penalties?

Well, keep in mind, a Business Associate is a ‘person’ or ‘entity’. This means that there is no billing company too small to have to comply with the Federal HIPAA regulations. Again, if you have not completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation!

It is important for you to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or another vendor suspects a breach, you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action.

 

An EZClaim partner, Live Compliance, will help you to make checking off your compliance requirements extremely simple. They provide:

  • Completely online, our role-based courses make training easy for remote or in-office employees.
  • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location. Conducting an accurate and thorough Security Risk Assessment is not only required but is a useful tool to expose potential vulnerabilities.
  • Complete set of HIPAA Policies and procedures built directly into your portal. Includes actionability, change management documentation, and Incident Response Policy to assist with your Corrective Action Planning. Easily share policies with staff with one click.
  • Built directly into your portal, easily monitor where your workforce may be vulnerable with our Dark Web Breach Searches. Easily expose breach sources with ongoing searching of active employee email or domain ensuring continued awareness of potential breach exposure. Weekly automatic email notifications if new breaches are discovered.
  • Short, informative, privacy awareness videos covering technical, administrative, and physical safeguards with topics such as ransomware, phishing, the Dark Web, password protection, and more. All delivered monthly with no logins required, they empower your workforce to make conscious decisions when it comes to your organization’s privacy and security.

 

So, don’t risk your company’s future, especially when Live Compliance is offering a FREE Organization Assessment to help determine your company’s status. For more information, visit their website, e-mail them, or give them a call at 980.999.1585.


ABOUT EZCLAIM:
EZClaim is a medical billing and scheduling software company that provides a best-in-class product, with correspondingly exceptional service and support. Combined, they help improve medical billing revenues. To learn more, visit EZClaim’s website, e-mail them, or call them today at 877.650.0904.

[ Contribution by Jim Johnson with Live Compliance ]

Why a HIPAA Security Risk Assessment is so Important

A Risk Assessment Alone Isn’t Enough: What Steps to Expect Once Your SRA is Complete

As we’ve stressed before, your organization’s annual HIPAA Security Risk Assessment and Analysis are only one element of the compliance process.

Whether you’re a Business Associate or Covered Entity, your organization must also “implement security updates as necessary and correct identified security deficiencies”. In other words, you must act via a Corrective Action Plan (CAP) following the required risk assessment process.

Here are a few common Corrective Action Plan steps. These generally include:

  • Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained.
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop a complete inventory of all its categories of electronic equipment, data systems, and applications that contain or store ePHI, which will then be incorporated into its Risk Analysis, and must complete a Risk Management plan.

What happens if I fail to complete my Security Risk Assessment? What happens next?

Failing to complete your annual Risk Assessment oftentimes means the organization will be required to complete a “robust” Corrective Action Plan (CAP) and often with at least two years of monitoring activity.

Have you ever doubted whether a small Billing Company or independent physician practice actually ever face penalties?

Keep in mind, a Business Associate is a ‘person’ or ‘entity’. This means there is no Billing Company too small or too large to comply with the Federal HIPAA regulations. Again, if you haven’t completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation!

As we have stressed before, it is important for you to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or other vendor, suspects a breach you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action.

At Live Compliance, we make checking off your compliance requirements extremely simple.

  • Completely online, our role-based courses make training easy for remote or in-office employees.
  • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location. Conducting an accurate and thorough Security Risk Assessment is not only required, but is a useful tool to expose potential vulnerabilities.
  • Complete set of HIPAA Policies and procedures built directly into your portal. Includes actionability, change management documentation, and Incident Response Policy to assist with your Corrective Action Planning. Easily share policies with staff with one click.
  • Built directly into your portal, easily monitor where your workforce may be vulnerable with our Dark Web Breach Searches. Easily expose breach sources with ongoing searching of active employee email or domain ensuring continued awareness of potential breach exposure. Weekly automatic email notifications if new breaches are discovered.
  • Short, informative, privacy awareness videos covering technical, administrative, and physical safeguards with topics such as Ransomware, Phishing, the Dark Web, Password Protection, etc. Delivered monthly with no logins required, empower your workforce to make conscious decisions when it comes to your organization’s privacy and security.

Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email me, Jim Johnson at Jim@LiveCompliance.com or visit www.LiveCompliance.com For more information please contact us at (980) 999-1585 or email us at support@livecompliance.com

For more information please contact us at (980) 999-1585 or email us at support@livecompliance.com

Why a HIPAA Security Risk Assessment is so Important

New HIPAA Regulations 2020-2022 and beyond

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR says, the goal is to “support individuals’ engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals’ health information privacy interests.” New regulations under consideration are centered around how substance abuse and mental health information records are protected. In addition, the HITECH Act called for an increase in penalties for non-compliance with the HIPAA.

In this article we will address the most recent changes to HIPAA and discuss which rules may have an impact on 2022 and beyond.

2020 CARES Act

2020 CARES Act aligned 42 CFR Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations more closely with HIPAA as well. The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with substance abuse disorder, but also tightens the requirements in the event of a breach of confidentiality.

In short, rather than having to obtain a consent form for the SUD patient, and state the specific parties of whom information will be shared, patients can now give broad consent. It’s been suggested that HHS is considering changes to 42 CFR Part 2 regulations in 2022 to “to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided.”

2021 HIPAA Safe Harbor Law

The HIPAA Safe Harbor Bill now instructs HHS to take into account the cybersecurity best practices that a HIPAA-regulated entity has adopted in the 12 months preceding any data breach.
“The bill also requires the HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented” says HHS.

21st Century Cures Act

The Cures Act called for the HHS to create a new Rule that would improve the flow of healthcare data between providers, patients, and developers of Health IT. Implementing reasonable and necessary activities that do not constitute information blocking, the implementation of these provisions will advance interoperability and support the access, exchange, and use of electronic health information.

Final Rule Expected on Proposed Changes to the HIPAA Privacy Rule

According to HHS, “the proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.”

The proposed new HIPAA regulations announced by OCR in December 2020 are as follows:

  • Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
  • Individuals will be permitted to request their PHI be transferred to a personal health application.
  • States when individuals should be provided with ePHI at no cost.
  • Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.

…to name a few.

At Live Compliance, we make checking off your compliance requirements extremely simple.

  • Reliable and Effective Compliance
  • Completely online, our role-based courses make training easy for remote or in-office employees.
  • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.
  • Policies and Procedures curated to fit your organization ensuring employees are updated on all Workstation Use and Security Safeguards in the office, or out. Update in real time.
  • Electronic, prepared document sending and signing to employees and business associates.

 

Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email Support@LiveCompliance.com or visit www.LiveCompliance.com

Have You Performed a Security Risk Assessment?

Have You Performed a Security Risk Assessment?

Have you performed and identified your organization’s vulnerabilities with a Security Risk Assessment this year?

We understand that achieving and maintaining compliance is a delicate matter as it requires auditing, constant supervision, good staffing, adequate policies, and procedures, along with excellent reporting and investigation of any issues.

The process of assessing and maintaining compliance to any standard is the same, irrespective of the industry but especially when HIPAA compliance is required:

1. Start with a complete understanding of all the rules that you are expected to follow.
2. Establish internal policies and procedures to ensure your organization follows the rules.
3. Regularly check and assess whether or not your organization is following the rules.
4. Address issues whenever you discover the rules are not being followed.
5. Document everything.
6. Perform accurate and thorough Security Risk Assessment(s)

Are you unsure or not clear on what your organization is required to do?

THINGS TO CONSIDER:
● A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information. Correct any potential risks identified within your Technical, Administrative, and Physical deficiencies.
● A Security Risk Assessment should be completed at least twice a year to target vulnerabilities
● Your policies and procedures should be thorough and accurate and reflect the Corrective Action Plan that is determined by the Security Risk Assessment and remediation steps should be taken to correct any deficiencies or vulnerabilities found.
● Workforce training should reflect the organization’s HIPAA Policies and Procedures

Would you like to schedule a compliance team meeting phone conference? If so, please contact support@livecompliance.com or at (980) 999-1585, and one of our compliance support team members will reach out to you.


ABOUT EZCLAIM:
As a medical billing expert, EZClaim can help the medical practice improve its revenues since it is a medical billing and scheduling software company. EZClaim provides a best-in-class product, with correspondingly exceptional service and support. Combined, EZClaim helps improve medical billing revenues. To learn more, visit EZClaim’s website, email them, or call them today at 877.650.0904.

Identify Your Organization’s Vulnerabilities

Identify Your Organization’s Vulnerabilities

Have you performed and identified your organization’s vulnerabilities with a Security Risk Assessment this year? We understand that achieving and maintaining compliance is a delicate matter as it requires auditing, constant supervision, good staffing, adequate policies, and procedures, along with excellent reporting and investigation of any issues.

The process of assessing and maintaining compliance to any standard is the same, irrespective of the industry but especially when HIPAA compliance is required:

1. Start with a complete understanding of all the rules that you are expected to follow.
2. Establish internal policies and procedures to ensure your organization follows the rules.
3. Regularly check and assess whether or not your organization is following the rules.
4. Address issues whenever you discover the rules are not being followed.
5. Document everything.
6. Perform accurate and thorough Security Risk Assessment(s)

Are you unsure or not clear on what your organization is required to do?

THINGS TO CONSIDER:

● A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information. Correct any potential risks identified within your Technical, Administrative, and Physical deficiencies.

● A Security Risk Assessment should be completed at least twice a year to target vulnerabilities

● Your policies and procedures should be thorough and accurate and reflect the Corrective Action Plan that is determined by the Security Risk Assessment and remediation steps should be taken to correct any deficiencies or vulnerabilities found.

● Workforce training should reflect the organization’s HIPAA Policies and Procedures

Would you like to schedule a compliance team meeting phone conference? If so, please contact support@livecompliance.com or at (980) 999-1585 and one of our compliance support team members will reach out to you.


ABOUT EZCLAIM:
As a medical billing expert, EZClaim can help the medical practice improve its revenues since it is a medical billing and scheduling software company. EZClaim provides a best-in-class product, with correspondingly exceptional service and support. Combined, EZClaim helps improve medical billing revenues. To learn more, visit EZClaim’s website, email them, or call them today at 877.650.0904.