IMPLEMENTING YOUR
HIPAA COMPLIANCE PLAN
A MONTH-BY-MONTH
HIPAA COMPLIANCE GUIDE
Ebook
IMPLEMENTING YOUR HIPAA COMPLIANCE PLAN | 2
In this plan, you’ll see an emphasis on two words: documentation and training. Here’s why: documentation and training are the two most important pieces of the entire Health Insurance Portability and Accountability Act (HIPAA) compliance process. Documentation helps you understand what has been done, what still needs to be done, and where the problems are. Documentation is also your proof in the case of a compromise or an investigation. Employee training is what keeps your workforce from becoming the path to a compromise.
Neither documentation nor training should be piled into just one day, or one month. If you only train employees once a year, you’re doing it wrong. If you try to document your entire HIPAA compliance plan in December every year, you’re doing it wrong. Documentation and training should be an ongoing part of your plan.
Even though 80% of healthcare entities believe
their organization is fully HIPAA compliant,
many are actually missing key compliance
elements with the HIPAA Security Rule.
JANUARY
UNDERSTAND YOUR ORGANIZATION
Before you start anything else on your HIPAA timeline, the first thing you must do is find where your protected health information (PHI) is located. Why? Only by finding PHI will you know how to protect it. This is the first step toward the HIPAA Risk Analysis required by the Department of Health and Human Services (HHS). To find your data, you have to learn every process it goes through, every computer it sits on, every person who touches it, and every technology that has access to it.
YOUR JOB THIS MONTH?
BECOME THE EXPERT ON
ALL THINGS PHI.
The people on the ground handling this data on a daily basis will give you the most accurate look into the different data lifecycles in your organization. Start your new year by interviewing every department that touches PHI in any way, including third parties. Talk to different people within each department. They can uncover processes and technologies that no organization chart, tool, or previous data analysis could expose.
By the time you’re done with your extensive
interview process, here are some things you
should be able to identify:
•	 How data enters your environment
•	 Where it goes after entering the
environment
•	 Where it’s stored
•	 If it’s sent off to a third party
•	 If it’s printed and stored
•	 If it’s recorded straight into the Electronic
Health Record (EHR) system
•	 Workforce members who can extract PHI
from the EHR system
•	 How employees store PHI after they
download it from the EHR system
•	 If it’s encrypted
It doesn’t matter what healthcare organization
you work for; you will discover hundreds of
data paths.
Throughout the month, ensure you understand how technology and personnel affect PHI. Record every computer, every medical device connected to the network or the Internet, every office workstation, every clinician tablet, and every employee BYOD smartphone.
Document what you’ve learned; be as detailed as possible. Draw pictures, make lists, and record the who, what, when, where, how, and why. Documentation should rule your world for three main reasons:
1.	 Your future. If you document, you’re making next year’s job that much easier.
2.	 Your legacy. Documentation will give future successors a great view into the environment.
3.	 The HHS. If the HHS comes knocking, documentation is your best defense. If you can show them how, and since when, you’ve been working toward full HIPAA compliance, investigators see a good-faith effort rather than neglect.
FEBRUARY
CREATE AND DOCUMENT A FLOW CHART
What have you learned in the past month? To process the information you
learned and organize it in a way that will make sense in the future, craft a PHI
flow chart.
A PHI flow chart is a graphical representation of where PHI comes into your
organization, where it hangs out, who can access it, and where it leaves the
organization. Most flow charts look like the typical box and arrow format, but
feel free to get creative.
FLOW CHARTS ARE OFTEN MASSIVE.
HEALTHCARE IS PROBABLY THE MOST
INTERCONNECTED INDUSTRY IN THE WORLD.
Patients fill out forms at hospitals, which pass patient records to doctors’ offices, which then transfer medical records to pharmacies. Patients add sensitive information to third party patient portals online, which then email a dentist receptionist, who then prints and stores it in a giant file cabinet.
This interconnectedness is great for patients but an absolute nightmare for
security. Generally, the more places that have access to patient information, the
higher the chances for a HIPAA compromise or data breach. And that’s why PHI
flow charts are so important. They document every instance within your own
environment where PHI could enter, exist, or exit. This flow chart will assist you
during the rest of this year’s HIPAA compliance plan.
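The flow chart described above can also be kept as a machine-readable model, which makes the questions asked later in this plan (is every transfer and every storage point protected, does every third party have a BAA) answerable with a query instead of a re-read of the diagram. The following is an added example written for this edit, not code from the ebook or from SecurityMetrics; the clinic, its systems, the channel names and every attribute value are constructed for illustration:

```python
"""PHI flow model: an added example, not from the SecurityMetrics ebook.

Nodes are the places PHI enters, sits or leaves (systems, people, third
parties); edges are the transfers between them. Every node, edge and
attribute value below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    kind: str                        # "entry", "internal" or "third_party"
    protected_at_rest: bool = True   # encrypted (electronic) or locked up (paper)
    baa_signed: bool = True          # only meaningful when kind == "third_party"


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    channel: str                     # "https", "email", "paper", "usb", ...
    protected_in_transit: bool       # encrypted, or hand-carried / in person


class PHIFlow:
    def __init__(self, nodes, edges):
        self.nodes = {n.name: n for n in nodes}
        self.edges = list(edges)
        self.out = defaultdict(list)
        for e in self.edges:
            # A transfer to a system nobody documented must fail loudly.
            if e.src not in self.nodes or e.dst not in self.nodes:
                raise ValueError(f"edge references an undocumented node: {e}")
            self.out[e.src].append(e)

    def exit_paths(self):
        """Every path from an entry point to a third party: each one is a way
        PHI leaves your environment. Traversal stops at the boundary, since
        what the third party does next belongs on their flow chart."""
        paths = []

        def walk(name, path):
            if self.nodes[name].kind == "third_party":
                paths.append(path)
                return
            for e in self.out[name]:
                if e.dst not in path:            # ignore cycles
                    walk(e.dst, path + [e.dst])

        for n in self.nodes.values():
            if n.kind == "entry":
                walk(n.name, [n.name])
        return paths

    def findings(self):
        """The risk-analysis questions, answered from the model."""
        out = []
        for e in self.edges:
            if not e.protected_in_transit:
                out.append(f"unprotected transfer: {e.src} -> {e.dst} via {e.channel}")
        for n in self.nodes.values():
            if not n.protected_at_rest:
                out.append(f"PHI unprotected at rest: {n.name}")
            if n.kind == "third_party" and not n.baa_signed:
                out.append(f"third party without a BAA: {n.name}")
        return sorted(out)


def example_flow():
    """Constructed sample: a small clinic's PHI paths (not real systems)."""
    nodes = [
        Node("intake_forms", "entry"),
        Node("ehr", "internal"),
        Node("file_cabinet", "internal"),
        Node("billing_workstation", "internal", protected_at_rest=False),
        Node("pharmacy", "third_party"),
        Node("clearinghouse", "third_party", baa_signed=False),
    ]
    edges = [
        Edge("intake_forms", "ehr", "manual entry", True),
        Edge("intake_forms", "file_cabinet", "paper", True),
        Edge("ehr", "pharmacy", "https", True),
        Edge("ehr", "billing_workstation", "csv export", True),
        Edge("billing_workstation", "clearinghouse", "email", False),
    ]
    return PHIFlow(nodes, edges)


if __name__ == "__main__":
    flow = example_flow()
    for p in flow.exit_paths():
        print(" -> ".join(p))
    for f in flow.findings():
        print("FINDING:", f)
```

Run it to list every path by which PHI can leave the environment and every gap the model exposes. The model is only as good as the January interviews that feed it: a node nobody mentioned is the one that gets missed, which is why the constructor rejects any edge that lands on a node that was never documented.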
MARCH
START REGULAR EMPLOYEE TRAINING
Now that you’ve got the patient data location
part under your belt, it’s time to take a quick
break and organize your plan for employee
training.
Your employees are the lifeblood of your
organization. They can also be a security risk.
Most HIPAA breaches and security issues
within healthcare originate at an employee
level. That’s why annual or even quarterly
trainings aren’t enough.
Make a plan for how often you’ll train employees and which methods you use. Each organization will run employee trainings differently depending on their workforce, but here are some questions to ask during your planning phase:
•	 Will each department lecture their
employees every two weeks on a
certain topic?
•	 Will each employee be required to take
an online training course each month?
•	 Who will be in charge of ensuring
employees complete trainings?
•	 Will you send out data security emails to
supplement trainings?
•	 Will you require all new hires to pass a
test before employment?
•	 What sanctions will exist for employees who refuse to attend training? (The HIPAA Security Rule requires a documented sanction policy.)
•	 Will you require employees’ signatures
for training sessions?
•	 Will you provide incentives to those
with the highest scores or who have
completed training?
Documentation is a very important part of employee training. If the HHS comes knocking, you should be able to tell them the date each workforce member last underwent training, what that training was about, what past training they’ve had, and the next time they’ll undergo training.
APRIL
TEST YOUR EMPLOYEES
The best way to analyze the effectiveness of your security training program
is through employee testing. When incidents happen, how will employees
respond? Was last month’s training effective?
This idea of testing employees is becoming very popular in the healthcare
sector. Here are two common ways you can test employees:
Social engineering: Hire an ethical social engineer to see if employees will
question or report someone who doesn’t belong in their work environment.
Have the social engineer dress in a maintenance uniform, walk into a secured
area, and attempt to steal PHI. What do your employees do?
Phishing: Send staff a simulated phishing email (created by your IT team), and track how many click the link or enter credentials on the landing page. An email being opened tells you little; a click or a submitted password tells you who needs more training. Recently, an Indiana University study found that 15% of staff members click on phishing emails.
After analyzing the experiments’ results, make a plan for the future. How will
you adjust trainings going forward to ensure employees understand what to
do in these situations? As always, don’t forget to document how tests were
conducted, who participated, the results, and your future plans to mitigate
these failures.
The results from your tests will also give you some great statistics to present
to a budget-conscious board of directors who need a little nudging when it
comes to security.
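Tracking clicks well means attributing each click to a recipient without putting addresses into URLs, and without counting forged or mistyped links as failures. The following is an added example written for this edit, not code from the ebook or from SecurityMetrics; the roster, the campaign secret, the tracking hostname training.example and the log lines are all constructed, and the log format is assumed to be an ordinary web-server access log:

```python
"""Phishing-simulation click tracking: an added example, not from the ebook.

Each recipient gets a link carrying an HMAC token derived from a per-campaign
secret, so a click is attributed to a person without exposing their address in
the URL, and a guessed or mistyped token is rejected instead of counted.
The roster, secret, hostname and log lines below are constructed.
"""
import hashlib
import hmac
import re
from collections import Counter

# Per-campaign secret; in real use load it from a secret store, not source.
SECRET = b"constructed-campaign-secret"
BASE_URL = "https://training.example/l/"      # hypothetical tracking host
LOG_RE = re.compile(r'"GET /l/([0-9a-f]{16}) ')

# Constructed roster: recipient id -> department
ROSTER = {
    "u001": "billing", "u002": "billing",
    "u003": "nursing", "u004": "nursing",
    "u005": "front_desk",
}


def make_token(recipient_id, secret=SECRET):
    """16 hex chars of HMAC-SHA256(secret, id): unguessable without the secret."""
    return hmac.new(secret, recipient_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_links(roster, secret=SECRET):
    """One unique link per recipient, for the mail merge."""
    return {rid: BASE_URL + make_token(rid, secret) for rid in roster}


def click_rates(roster, log_lines, secret=SECRET):
    """Attribute clicks from access-log lines and compute per-department
    click rates. A person is counted once, however often they click."""
    token_to_rid = {make_token(rid, secret): rid for rid in roster}
    clicked, rejected = set(), 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                          # not a tracking link
        rid = token_to_rid.get(m.group(1))
        if rid is None:
            rejected += 1                     # forged or mistyped token
            continue
        clicked.add(rid)
    sent = Counter(roster.values())
    hit = Counter(roster[rid] for rid in clicked)
    rates = {dept: hit[dept] / sent[dept] for dept in sent}
    return rates, sorted(clicked), rejected


def sample_log():
    """Constructed access-log lines: two clicks by u001, one by u003, one
    forged token, and one unrelated request."""
    t1, t3 = make_token("u001"), make_token("u003")
    return [
        f'10.0.0.5 - - [12/Apr/2014:09:14:02 -0600] "GET /l/{t1} HTTP/1.1" 302 0',
        f'10.0.0.5 - - [12/Apr/2014:09:14:40 -0600] "GET /l/{t1} HTTP/1.1" 302 0',
        f'10.0.0.9 - - [12/Apr/2014:09:20:11 -0600] "GET /l/{t3} HTTP/1.1" 302 0',
        '10.0.0.77 - - [12/Apr/2014:10:02:55 -0600] "GET /l/0123456789abcdef HTTP/1.1" 302 0',
        '10.0.0.5 - - [12/Apr/2014:09:14:03 -0600] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    rates, clicked, rejected = click_rates(ROSTER, sample_log())
    print("clicked:", clicked, "rejected:", rejected)
    for dept, rate in rates.items():
        print(f"{dept}: {rate:.0%}")
```

The token is a truncated HMAC over the recipient id, so someone who sees one link cannot derive a colleague’s, and a stray request that merely looks like a tracking link is rejected rather than counted. Present the per-department rate to the board; the per-person list belongs with the training records, not on a slide.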
MAY
LOCATE PROBLEM AREAS
With your intimate knowledge of systems,
technologies, and processes (from January
and February), locate the risks, threats, and
vulnerabilities that currently exist in your
organization.
•	 What vulnerabilities exist in your
systems, applications, processes,
or people?
•	 What threats (internal, external,
environmental, and physical) exist for
each of those vulnerabilities?
•	 What is the probability of each threat
triggering a specific vulnerability?
Even if you created a comprehensive PHI flow
chart and feel you understand exactly what’s
going on at your organization, you probably
need someone well-versed in IT data security
and HIPAA compliance to help you analyze
your vulnerabilities.
A MAJOR COMPONENT OF THE REQUIRED RISK ANALYSIS IS TO LOCATE WHERE YOUR ORGANIZATION’S SECURITY FAILS.
By examining vulnerabilities, threats, and
risks, you’ll be able to narrow down which
problems must be addressed right away.
•	 Do you use the cloud? What are the
implications there?
•	 How are physical copies of PHI stored?
•	 Is encryption implemented throughout
the entire organization?
•	 Do third parties use two-factor authentication when using remote access into your environment?
•	 When employees leave workstations, do the screens lock automatically and require a password to unlock?
Capture each vulnerability, and record its potential impact, risk level, and when you found it.
Do yourself a favor and run vulnerability scans to identify more weaknesses in your organization’s network and systems, or contract with ethical hackers to conduct a penetration test to see where holes exist in your environment.
If you’ve documented everything up until this point, you’ve built the core of your HIPAA Risk Analysis.
JUNE
CREATE A RISK MANAGEMENT PLAN
Now that you’ve created a giant list of problems, you’ve got to plan out how
you’ll deal with them. Spend June crafting a thorough Risk Management Plan.
Your plan should document:
•	 Each HIPAA rule: It’s easiest to organize a Risk Management Plan the same way HIPAA is outlined. Line item each standard and implementation specification of the Security Rule (and the Privacy and Breach Notification Rules where they apply), and work from there. That way, you won’t miss anything important.
•	 Your plan: Next to each HIPAA rule, detail your organization’s plans to
comply with each rule. This portion should outline the detailed action plan
for your risks.
•	 Risk level: Each vulnerability discovered from your Risk Analysis should be
noted in the corresponding HIPAA rule, and given a risk level (high, medium,
low).
•	 Date completed: Including a date completed section is helpful for both
HHS documentation and your own records.
•	 Completed by: This is great for practices where two or more people
(such as a doctor and office manager) are working to complete a Risk
Management Plan together.
•	 Notes section: It’s helpful to include a comments section next to each
requirement, including what policy is associated with the requirement; this
helps you stay organized for years to come.
Creating this plan from scratch will likely take you the entire month (or longer),
and should be a joint effort among directors, IT, security administrators, etc.
JULY
START FIXING YOUR PROBLEMS
Now you have one giant list of HIPAA compliance to-dos. Instead of feeling relieved that you’ve created a Risk Management Plan, you might feel overwhelmed. After all, you haven’t even started fixing any of your problems yet. You’ve just been researching and documenting.
Don’t get overwhelmed. Instead, prioritize.
IT’S NOT ABOUT FINDING TIME. IT’S ABOUT
MAXIMIZING THE LITTLE TIME YOU HAVE.
As you prioritize, ask yourself:
•	 What are the most important parts of your Risk Management Plan?
•	 Which vulnerabilities are most likely to be exploited this year?
•	 Where are our highest threats?
HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, updating your systems, or training employees.
Pick the top five problems at your organization and tackle those first. Make an
action plan for the next five problems. Pretty soon, you’ll be on your way to
total HIPAA compliance.
AUGUST
CREATE AN INCIDENT RESPONSE PLAN
A lot of healthcare organizations have an Incident Response Plan . . . but it’s been collecting dust on a shelf for five years. It’s time to pull it out, blow off the dust, and update it. Your systems, processes, and personnel change constantly. New possible incidents arise every year that your employees might not be prepared to deal with.
When creating your plan, use the information
gleaned from your Risk Analysis and Risk
Management Plan to create realistic example
situations.
STAFF MUST BE TRAINED
REGULARLY ON THIS PLAN
TO EFFECTIVELY EXECUTE IT.
Here are some questions to ask yourself when
you create your Incident Response Plan:
•	 What types of security precautions are
in place?
•	 What is the protocol if an employee
suspects a data breach?
•	 Internally and externally, who should be
notified if an incident occurs?
•	 Do employees know their responsibilities
before, during, and after an incident?
•	 What if a co-location or business
associate is involved in the incident?
SEPTEMBER
TEST YOUR INCIDENT RESPONSE PLAN
Through comprehensive testing, you’ll be able to answer the real question that
matters: Does your Incident Response Plan actually work?
Why do fire drills exist? If people already know where to go and what to do
when the fire alarm goes off, they don’t think. They just act. The same principle
applies to testing your incident response plan.
By testing, you see how employees work together, what kinds of decisions they
make in stressful conditions, and how fast they resolve issues. You’ll see if they
follow the plan, follow policies, or just wing it.
When crafting tests, pay attention to the situations most likely to arise in your organization, and test your employees on those circumstances. Document failures and successes during your test, and use the results to adjust the incident response plan or training as needed.
OCTOBER
GET BUSINESS ASSOCIATES ON BOARD
It doesn’t matter what type of organization you are: third parties impact your security. Sometimes third parties do a stellar job at security. Other times, they fail miserably. That’s why you must be hyper-vigilant with every third party that could impact the security of your patient data.
Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that’s not accurate. Under the HIPAA Omnibus Rule, a business associate is directly liable for its own HIPAA violations even if it never signed a Business Associate Agreement (BAA), and the covered entity that shared the data carries its own liability as well. Specifically, the HIPAA Final Omnibus Rule requires covered entities to implement or update a BAA for every relationship in which the business associate creates, receives, maintains, or transmits protected health information on their behalf.
It’s common for third party vendors to not fully realize they are part of HIPAA regulations, as they may not actually view healthcare data. That’s why this month is a good time to educate your third party vendors, and determine the risk they pose to you and your data. If they are unwilling to sign a BAA, it may be advisable to seek out vendors that will treat your data more securely and are contractually willing to protect it.
NOVEMBER
UPDATE POLICIES
If you’re like 90% of healthcare organizations out there, you already have organizational policies. But they probably haven’t been reviewed or updated in years. Or perhaps you have policies, but they haven’t been properly documented.
TO MAINTAIN HIPAA COMPLIANCE, UPDATE
YOUR CURRENT POLICY AND PROCEDURE
DOCUMENTATION, AND ENSURE EMPLOYEES
ARE APPROPRIATELY TRAINED.
The HHS takes written policies very seriously. At the end of 2013, Adult & Pediatric Dermatology, P.C. agreed to pay $150,000 to settle with the HHS after an investigation found, among other things, that it had no written breach notification policies and procedures.
Policies define what and how your organization protects PHI. They should
provide guidelines on what workforce members can and can’t do. A policy is
basically a security framework for your employees. Here are the policies you
should implement at your organization.
BREACH NOTIFICATION POLICIES
Your policy should include documentation of:
•	 Members and contact information of your breach response team
•	 State and federal breach response laws
•	 Who to notify in case of a breach (e.g., stakeholders, the HHS, law
enforcement, patients, and the public)
•	 Response timelines
SECURITY POLICIES
A few examples of security policies that belong in your policy set:
•	 Firewall configuration standards
•	 Job descriptions
•	 Network time protocol (NTP) configuration procedures
•	 Physical security procedures
•	 Security awareness training procedures
•	 Workstation functions
PRIVACY POLICIES
A few examples of privacy policies that belong in your policy set:
•	 Accounting of disclosures of PHI
•	 Patient access to PHI
•	 Authorization for release of PHI
•	 Minimum necessary for uses and disclosures of PHI
•	 Emailing PHI
•	 Safeguarding and storing PHI
•	 Destruction of PHI
Remember, a policy is only as good as its enforcement. Don’t let your policies sit
on a shelf! Train your employees on company policies, or all that policy writing
will have been for nothing. Review policies on a regular basis to ensure they are
updated with system, personnel, and technology changes.
DECEMBER
ASSESS YOUR PROCESS
HIPAA compliance is an ongoing process, not an annual one. Even so, once a year you should do a deep dive and reanalyze your entire HIPAA compliance plan.
Assess where you are, and how far you’ve come. Set HIPAA
goals and milestones for next year. Plan out employee trainings
based on risks and vulnerabilities you found during your risk
assessment this year.
As always, don’t forget to document your plans for next year!
CONCLUSION
HIPAA compliance doesn’t have to be an impossible task. Break compliance into small, manageable pieces, such as starting your Risk Analysis, creating an Incident Response Plan, or finding where PHI is stored.
HIPAA compliance is never completely finished. Your environment is constantly shifting with changes to new workforce, technology, security policies, and medical processes. Because of this, HIPAA should be an ongoing “business as usual” process.
HOW VULNERABLE IS
YOUR PATIENT DATA?
Join over 800,000 organizations and let
SecurityMetrics help protect your patient data.
consulting@securitymetrics.com
801.705.5656
© SECURITYMETRICS

Experience learning - lessons from 25 years of ATACC - Mark Forrest and Halde...
 
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
Call Girl Chandigarh Mallika ❤️🍑 9907093804 👄🫦 Independent Escort Service Cha...
 
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
 
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy GirlsRussian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
Russian Call Girls in Raipur 9873940964 Book Hot And Sexy Girls
 
Call Girls Hsr Layout Whatsapp 7001305949 Independent Escort Service
Call Girls Hsr Layout Whatsapp 7001305949 Independent Escort ServiceCall Girls Hsr Layout Whatsapp 7001305949 Independent Escort Service
Call Girls Hsr Layout Whatsapp 7001305949 Independent Escort Service
 
Call Girls Uppal 7001305949 all area service COD available Any Time
Call Girls Uppal 7001305949 all area service COD available Any TimeCall Girls Uppal 7001305949 all area service COD available Any Time
Call Girls Uppal 7001305949 all area service COD available Any Time
 
Call Girl Hyderabad Madhuri 9907093804 Independent Escort Service Hyderabad
Call Girl Hyderabad Madhuri 9907093804 Independent Escort Service HyderabadCall Girl Hyderabad Madhuri 9907093804 Independent Escort Service Hyderabad
Call Girl Hyderabad Madhuri 9907093804 Independent Escort Service Hyderabad
 
Call Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any TimeCall Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any Time
 
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service GurgaonCall Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
 
Russian Escorts Delhi | 9711199171 | all area service available
Russian Escorts Delhi | 9711199171 | all area service availableRussian Escorts Delhi | 9711199171 | all area service available
Russian Escorts Delhi | 9711199171 | all area service available
 
Call Girl Bangalore Aashi 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Aashi 7001305949 Independent Escort Service BangaloreCall Girl Bangalore Aashi 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Aashi 7001305949 Independent Escort Service Bangalore
 
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
 
9711199012 Najafgarh Call Girls ₹5.5k With COD Free Home Delivery
9711199012 Najafgarh Call Girls ₹5.5k With COD Free Home Delivery9711199012 Najafgarh Call Girls ₹5.5k With COD Free Home Delivery
9711199012 Najafgarh Call Girls ₹5.5k With COD Free Home Delivery
 
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon iffco chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
 
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service GoaRussian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
Russian Call Girls in Goa Samaira 7001305949 Independent Escort Service Goa
 
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 68 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
 

Implementing Your HIPAA Compliance Plan

IMPLEMENTING YOUR HIPAA COMPLIANCE PLAN
A MONTH-BY-MONTH HIPAA COMPLIANCE GUIDE
Ebook

In this plan, you'll see an emphasis on two words: documentation and training. Here's why: documentation and training are the two most important pieces of the entire Health Insurance Portability and Accountability Act (HIPAA) compliance process. Documentation helps you understand what has been done, what still needs to be done, and where the problems are. Documentation is also your proof in the case of a compromise or an investigation. Employee training is what keeps the rest of your controls working, because most healthcare breaches start with a person rather than a system.

Both documentation and training should never be piled into just one day or one month. If you only train employees once a year, you're doing it wrong. If you try to document your entire HIPAA compliance plan in December every year, you're doing it wrong. Documentation and training should be an ongoing part of your plan.

Even though 80% of healthcare entities believe their organization is fully HIPAA compliant, many are actually missing key elements of the HIPAA Security Rule.
JANUARY
UNDERSTAND YOUR ORGANIZATION

Before you start anything else on your HIPAA timeline, the first thing you must do is find where your protected health information (PHI) is located. Why? Only by finding PHI will you know how to protect it. This is the first step toward the HIPAA Risk Analysis required by the Department of Health and Human Services (HHS). To find your data, you have to learn every process it goes through, every computer it sits on, every person who touches it, and every technology that has access to it.

YOUR JOB THIS MONTH? BECOME THE EXPERT ON ALL THINGS PHI.

The people on the ground handling this data on a daily basis will give you the most accurate look into the different data lifecycles in your organization. Start your new year by interviewing every department that touches PHI in any way, including third parties. Talk to different people within each department. They can uncover processes and technologies that no organization chart, tool, or previous data analysis could expose.

By the time you're done with your extensive interview process, here are some things you should be able to identify:
• How data enters your environment
• Where it goes after entering the environment
• Where it's stored
• If it's sent off to a third party
• If it's printed and stored
• If it's recorded straight into the Electronic Health Record (EHR) system
• Which workforce members can extract PHI from the EHR system
• How employees store PHI after they download it from the EHR system
• If it's encrypted, both where it's stored and while it moves

It doesn't matter what healthcare organization you work for; you will discover hundreds of data paths. Pay special attention to the copies nobody owns: backups, report exports, email attachments, and shared drives are where PHI tends to hide.

Throughout the month, ensure you understand how technology and personnel affect PHI. Record every computer, every medical device connected to the Internet, every office workstation, every doctor's tablet, and every employee BYOD smartphone. Document what you've learned; be as detailed as possible. Draw pictures, make lists, and record the who, what, when, where, how, and why.

Documentation should rule your world for three main reasons:
1. Your future. If you document, you're making next year's job that much easier.
2. Your legacy. Documentation will give your successors a clear view into the environment.
3. The HHS. If the HHS comes knocking, documentation is your best defense. It is not a guarantee against penalties, but if you can show how you're working toward full HIPAA compliance, that good-faith effort counts in your favor.
FEBRUARY
CREATE AND DOCUMENT A FLOW CHART

What have you learned in the past month? To process the information you learned and organize it in a way that will make sense in the future, craft a PHI flow chart. A PHI flow chart is a graphical representation of where PHI comes into your organization, where it hangs out, who can access it, and where it leaves the organization. Most flow charts look like the typical box-and-arrow format, but feel free to get creative.

FLOW CHARTS ARE OFTEN MASSIVE. HEALTHCARE IS PROBABLY THE MOST INTERCONNECTED INDUSTRY IN THE WORLD.

Patients fill out forms at hospitals, which pass patient records to doctors' offices, which then transfer medical records to pharmacies. Patients add sensitive information to third-party patient portals online, which then email a dentist's receptionist, who prints it and stores it in a giant file cabinet. This interconnectedness is great for patients but an absolute nightmare for security. Generally, the more places that have access to patient information, the higher the chances of a HIPAA compromise or data breach.

And that's why PHI flow charts are so important. They document every instance within your own environment where PHI could enter, exist, or exit. Label each arrow with how the data travels and whether it's encrypted on that hop; the arrows that are unencrypted or cross to a third party are the ones you'll keep coming back to. This flow chart will assist you during the rest of this year's HIPAA compliance plan.
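As an added illustration, not code from the original ebook or from SecurityMetrics, the following Python models the flow chart as a directed graph and walks it to list every route PHI can take from an entry point to where it comes to rest or leaves the organization, flagging the hops that are unencrypted or cross to a third party. The hop inventory is constructed sample data and the node names are assumptions; a real inventory comes out of the January interviews.

```python
"""PHI flow chart as a directed graph.

Each Hop is one arrow on the chart: PHI moving from src to dst over a channel.
enumerate_paths() lists every route from an entry point to a node it cannot
move on from (where PHI comes to rest or leaves the organization), and
findings() flags the hops the risk analysis should look at first.
"""
from collections import namedtuple
from typing import Dict, Iterable, List, Set, Tuple

Hop = namedtuple("Hop", "src dst channel encrypted third_party")

# Constructed sample inventory, not real data; node names are assumed.
SAMPLE_HOPS = [
    Hop("patient_portal", "ehr", "https", True, False),
    Hop("front_desk_form", "scanner", "paper", False, False),
    Hop("scanner", "ehr", "smb_share", False, False),
    Hop("ehr", "billing_vendor", "sftp", True, True),
    Hop("ehr", "staff_laptop", "csv_export", False, False),
    Hop("staff_laptop", "personal_email", "smtp", False, True),
    Hop("ehr", "pharmacy", "fax", False, True),
]
ENTRY_POINTS = {"patient_portal", "front_desk_form"}


def build_graph(hops: Iterable[Hop]) -> Dict[str, List[Hop]]:
    """Adjacency list; every node gets an entry so sinks are visible."""
    graph: Dict[str, List[Hop]] = {}
    for hop in hops:
        graph.setdefault(hop.src, []).append(hop)
        graph.setdefault(hop.dst, [])
    return graph


def enumerate_paths(graph: Dict[str, List[Hop]],
                    entry_points: Iterable[str]) -> List[List[Hop]]:
    """Depth-first walk from each entry point; a route ends at a node whose
    onward hops are all loops back to nodes already on the route."""
    paths: List[List[Hop]] = []

    def walk(node: str, path: List[Hop], seen: Set[str]) -> None:
        extended = False
        for hop in graph[node]:
            if hop.dst in seen:        # cycle (e.g. EHR -> vendor -> EHR)
                continue
            extended = True
            path.append(hop)
            seen.add(hop.dst)
            walk(hop.dst, path, seen)
            path.pop()
            seen.discard(hop.dst)
        if not extended and path:      # PHI stops or exits here
            paths.append(list(path))

    for entry in sorted(entry_points):
        if entry in graph:
            walk(entry, [], {entry})
    return paths


def describe(path: List[Hop]) -> str:
    return " -> ".join([path[0].src] + [hop.dst for hop in path])


def findings(paths: List[List[Hop]]) -> List[Tuple[str, List[str]]]:
    """Routes that carry PHI unencrypted or hand it to a third party, with why."""
    out: List[Tuple[str, List[str]]] = []
    for path in paths:
        issues = []
        for hop in path:
            if not hop.encrypted:
                issues.append(f"unencrypted {hop.channel}: {hop.src} -> {hop.dst}")
            if hop.third_party:
                issues.append(f"third party: {hop.dst} (needs a BAA)")
        if issues:
            out.append((describe(path), issues))
    return out


def baa_inventory(hops: Iterable[Hop]) -> List[str]:
    """Every third party that receives PHI: the October BAA checklist."""
    return sorted({hop.dst for hop in hops if hop.third_party})


if __name__ == "__main__":
    graph = build_graph(SAMPLE_HOPS)
    for route, issues in findings(enumerate_paths(graph, ENTRY_POINTS)):
        print(route)
        for issue in issues:
            print("   ", issue)
    print("BAA inventory:", baa_inventory(SAMPLE_HOPS))
```

Each route in the output is one line of the flow chart with its problem hops listed underneath; the third-party list doubles as the starting point for the business associate work in October.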
MARCH
START REGULAR EMPLOYEE TRAINING

Now that you've got the patient data location part under your belt, it's time to take a quick break and organize your plan for employee training. Your employees are the lifeblood of your organization. They can also be a security risk. Most HIPAA breaches and security issues within healthcare originate at the employee level. That's why annual or even quarterly trainings aren't enough.

Make a plan for how often you'll train employees and which methods you'll use. Each organization will run employee training differently depending on its workforce, but here are some questions to ask during your planning phase:
• Will each department lecture its employees every two weeks on a certain topic?
• Will each employee be required to take an online training course each month?
• Who will be in charge of ensuring employees complete trainings?
• Will you send out data security emails to supplement trainings?
• Will you require all new hires to pass a test before employment?
• What sanctions will apply to employees who refuse to attend training?
• Will you require employees' signatures for training sessions?
• Will you provide incentives to those with the highest scores or who have completed training?

Documentation is a very important part of employee training. If the HHS comes knocking, you should be able to tell them the date each workforce member last underwent training, what that training was about, what past training they've had, and the next time they'll undergo training.
APRIL
TEST YOUR EMPLOYEES

The best way to analyze the effectiveness of your security training program is through employee testing. When incidents happen, how will employees respond? Was last month's training effective? This idea of testing employees is becoming very popular in the healthcare sector. Here are two common ways you can test employees:

Social engineering: Hire an ethical social engineer to see if employees will question or report someone who doesn't belong in their work environment. Have the social engineer dress in a maintenance uniform, walk into a secured area, and attempt to steal PHI. What do your employees do?

Phishing: Send staff a fake phishing email (created by your IT team) and track how many fall for it. Count clicks on the link and credentials typed into the landing page rather than opens, since mail clients open and preview messages on their own, and count who reported the email, because reporting is the behavior you're training toward. Recently, an Indiana University study found that 15% of staff members click on phishing emails.

After analyzing the results, make a plan for the future. How will you adjust training going forward to ensure employees understand what to do in these situations? As always, don't forget to document how tests were conducted, who participated, the results, and your future plans to mitigate the failures. The results from your tests will also give you some great statistics to present to a budget-conscious board of directors that needs a little nudging when it comes to security.
MAY
LOCATE PROBLEM AREAS

With your intimate knowledge of systems, technologies, and processes (from January and February), locate the risks, threats, and vulnerabilities that currently exist in your organization.
• What vulnerabilities exist in your systems, applications, processes, or people?
• What threats (internal, external, environmental, and physical) exist for each of those vulnerabilities?
• What is the probability of each threat exploiting a specific vulnerability, and what would the impact be if it did?

Even if you created a comprehensive PHI flow chart and feel you understand exactly what's going on at your organization, you probably need someone well-versed in IT data security and HIPAA compliance to help you analyze your vulnerabilities.

A MAJOR COMPONENT OF THE REQUIRED RISK ANALYSIS IS TO LOCATE WHERE YOUR ORGANIZATION'S SECURITY FAILS.

By examining vulnerabilities, threats, and risks, you'll be able to narrow down which problems must be addressed right away.
• Do you use the cloud? What are the implications there?
• How are physical copies of PHI stored?
• Is encryption implemented throughout the entire organization?
• Do third parties use two-factor authentication when using remote access into your environment?
• When employees leave workstations, do they lock them, or is a password-protected screensaver enforced for them?

Capture each vulnerability, and record its potential impact, its likelihood, the resulting risk level, and when you found it. Do yourself a favor and run vulnerability scans to identify more weaknesses in your organization's network and systems, or contract with ethical hackers to conduct a penetration test to see where holes exist in your environment. If you've documented everything up until this point, you've created your HIPAA Risk Analysis.
JUNE
CREATE A RISK MANAGEMENT PLAN

Now that you've created a giant list of problems, you've got to plan out how you'll deal with them. Spend June crafting a thorough Risk Management Plan. Your plan should document:
• Each HIPAA rule: It's easiest to organize a Risk Management Plan the same way HIPAA is outlined. Line-item each HIPAA rule and work from there. That way, you won't miss anything important.
• Your plan: Next to each HIPAA rule, detail your organization's plans to comply with that rule. This portion should outline the detailed action plan for your risks.
• Risk level: Each vulnerability discovered in your Risk Analysis should be noted under the corresponding HIPAA rule and given a risk level (high, medium, low).
• Date completed: Including a date-completed section is helpful for both HHS documentation and your own records.
• Completed by: This is great for practices where two or more people (such as a doctor and an office manager) are working to complete a Risk Management Plan together.
• Notes section: It's helpful to include a comments section next to each requirement, including which policy is associated with the requirement; this helps you stay organized for years to come.

Creating this plan from scratch will likely take you the entire month (or longer), and should be a joint effort among directors, IT, security administrators, etc.
JULY
START FIXING YOUR PROBLEMS

Now you have one giant list of HIPAA compliance to-dos. Instead of feeling relieved that you've created a Risk Management Plan, you might feel overwhelmed. After all, you haven't even started fixing any of your problems yet. You've just been researching and documenting. Don't get overwhelmed. Instead, prioritize.

IT'S NOT ABOUT FINDING TIME. IT'S ABOUT MAXIMIZING THE LITTLE TIME YOU HAVE.

As you prioritize, ask yourself:
• What are the most important parts of your Risk Management Plan?
• Which vulnerabilities are most likely to be exploited this year?
• Where are our highest threats?

HIPAA compliance doesn't have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, updating your systems, or training employees. Pick the top five problems at your organization (highest risk level first, and among equals the one you found earliest) and tackle those first. Make an action plan for the next five problems. Pretty soon, you'll be on your way to total HIPAA compliance.
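The May, June and July steps above (capture each vulnerability with its impact and risk level, organize the plan by HIPAA rule, then pick the top five) are one procedure. The Python below is an added example of that procedure, not code from the original ebook or from SecurityMetrics. The scoring scale (likelihood and impact each rated 1 to 3, risk level derived from their product), the sample findings, and the mapping of each finding to a Security Rule section are my assumptions, chosen for illustration.

```python
"""Risk Analysis -> Risk Management Plan -> prioritized fixes.

Each finding from the Risk Analysis becomes one Risk row. The plan is
organized by HIPAA rule (the June layout), the risk level is derived from
likelihood x impact (assumed 1..3 scales), and prioritize() returns the
top N open items to tackle now plus the next N for the action plan (July).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    hipaa_rule: str                  # 45 CFR 164 section (assumed mapping)
    vulnerability: str
    threat: str
    plan: str                        # how the organization will address it
    likelihood: int                  # 1 = unlikely this year .. 3 = expected
    impact: int                      # 1 = minor .. 3 = reportable breach
    date_found: date
    date_completed: Optional[date] = None
    completed_by: str = ""
    notes: str = ""

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed thresholds on the 1..9 product: 6+ high, 3..5 medium, else low
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"

    @property
    def is_open(self) -> bool:
        return self.date_completed is None


# Constructed sample findings, not real audit data.
SAMPLE_RISKS: List[Risk] = [
    Risk("164.312(a)(2)(iv)", "PHI exported from the EHR to staff laptops as unencrypted CSV",
         "lost or stolen laptop", "full-disk encryption; block CSV export", 3, 3, date(2024, 5, 3)),
    Risk("164.308(a)(5)(i)", "15% of staff clicked the April phishing simulation",
         "credential phishing", "monthly phishing drills; report-a-phish button", 3, 2, date(2024, 4, 18)),
    Risk("164.312(d)", "vendor remote access without two-factor authentication",
         "stolen vendor credentials", "require MFA on the VPN for all third parties", 2, 3, date(2024, 5, 10)),
    Risk("164.310(b)", "workstations left unlocked in shared areas",
         "viewing by visitors", "10-minute screen lock enforced centrally", 3, 1, date(2024, 5, 6)),
    Risk("164.308(b)(1)", "pharmacy fax vendor has not signed a BAA",
         "disclosure with no contractual safeguards", "sign BAA or replace vendor", 2, 2, date(2024, 5, 12)),
    Risk("164.310(d)(2)(i)", "paper PHI kept in an unlocked cabinet",
         "theft of paper records", "locked cabinet; shred after scanning", 1, 2, date(2024, 5, 14)),
    Risk("164.308(a)(1)(ii)(D)", "EHR audit logs never reviewed",
         "insider misuse goes undetected", "weekly log review by the security officer", 2, 2,
         date(2024, 5, 2), date_completed=date(2024, 6, 30), completed_by="security officer",
         notes="log review procedure written and trained"),
]


def plan_by_rule(risks: List[Risk]) -> Dict[str, List[Risk]]:
    """June layout: one section per HIPAA rule, so nothing gets missed."""
    plan: Dict[str, List[Risk]] = defaultdict(list)
    for r in risks:
        plan[r.hipaa_rule].append(r)
    return dict(sorted(plan.items()))


def level_summary(risks: List[Risk]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in risks:
        counts[r.level] += 1
    return counts


def prioritize(risks: List[Risk], batch: int = 5) -> Tuple[List[Risk], List[Risk]]:
    """July: rank open items by score (ties: oldest finding first), then split
    into the batch to fix now and the batch that gets the next action plan."""
    ranked = sorted((r for r in risks if r.is_open),
                    key=lambda r: (-r.score, r.date_found))
    return ranked[:batch], ranked[batch:2 * batch]


def close_risk(risk: Risk, who: str, when: Optional[date] = None, note: str = "") -> Risk:
    """Record completion: the 'date completed' and 'completed by' columns."""
    risk.date_completed = when or date.today()
    risk.completed_by = who
    if note:
        risk.notes = note
    return risk


if __name__ == "__main__":
    print("Risk levels:", level_summary(SAMPLE_RISKS))
    now, later = prioritize(SAMPLE_RISKS)
    for r in now:
        print(f"[{r.level:6}] {r.hipaa_rule:22} {r.vulnerability}")
    print("Next action plan:", [r.vulnerability for r in later])
```

Closing a risk with close_risk() removes it from the next prioritize() run, so the "fix now" list keeps refilling from the action plan as work gets done.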
AUGUST
CREATE AN INCIDENT RESPONSE PLAN

A lot of healthcare organizations have an Incident Response Plan . . . but it's been collecting dust on a shelf for five years. It's time to pull it out, blow off the dust, and update it. Your systems, processes, and personnel change constantly. New possible incidents arise every year that your employees might not be prepared to deal with. When creating your plan, use the information gleaned from your Risk Analysis and Risk Management Plan to create realistic example situations.

STAFF MUST BE TRAINED REGULARLY ON THIS PLAN TO EFFECTIVELY EXECUTE IT.

Here are some questions to ask yourself when you create your Incident Response Plan:
• What types of security precautions are in place?
• What is the protocol if an employee suspects a data breach?
• Internally and externally, who should be notified if an incident occurs?
• Do employees know their responsibilities before, during, and after an incident?
• What evidence (logs, affected devices) must be preserved before anyone starts cleaning up?
• What if a co-location or business associate is involved in the incident?
SEPTEMBER
TEST YOUR INCIDENT RESPONSE PLAN

Through comprehensive testing, you'll be able to answer the real question that matters: does your Incident Response Plan actually work? Why do fire drills exist? If people already know where to go and what to do when the fire alarm goes off, they don't think. They just act. The same principle applies to testing your incident response plan.

By testing, you see how employees work together, what kinds of decisions they make in stressful conditions, and how fast they resolve issues. You'll see if they follow the plan, follow policies, or just wing it. When crafting tests, pay attention to the situations most likely to arise in your organization, and test your employees on those circumstances. Document failures and successes during your test, and use the results to adjust the incident response plan or training as needed.
OCTOBER
GET BUSINESS ASSOCIATES ON BOARD

It doesn't matter what type of organization you are: third parties impact your security. Sometimes third parties do a stellar job at security. Other times, they fail miserably. That's why you must be hyper-vigilant with every third party that could impact the security of your patient data.

Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that's not accurate. Under the HIPAA Omnibus Rule, a business associate is directly liable for HIPAA violations even if it has never signed a Business Associate Agreement (BAA), and the covered entity that failed to obtain the BAA carries liability as well. Specifically, the HIPAA Final Omnibus Rule requires covered entities to implement or update a BAA for every relationship in which the business associate creates, receives, maintains, or transmits protected health information on their behalf.

It's common for third-party vendors to not fully realize they are subject to HIPAA, since they may never actually view the healthcare data they handle. That's why this month is a good time to educate your third-party vendors and determine the risk they pose to you and your data. Walk the third-party arrows on your February flow chart and confirm that every one of them is covered by a signed BAA. If a vendor is unwilling to sign, it may be advisable to seek out vendors that will treat your data more securely and are contractually willing to protect it.
NOVEMBER
UPDATE POLICIES

If you're like 90% of healthcare organizations out there, you already have organizational policies. But they probably haven't been reviewed or updated in years. Or perhaps you have policies, but they haven't been properly documented.

TO MAINTAIN HIPAA COMPLIANCE, UPDATE YOUR CURRENT POLICY AND PROCEDURE DOCUMENTATION, AND ENSURE EMPLOYEES ARE APPROPRIATELY TRAINED.

The HHS takes written policies very seriously. At the end of 2013, Adult & Pediatric Dermatology, P.C. paid $150,000 to settle with HHS over findings that included the lack of written breach notification policies.

Policies define what your organization protects and how it protects PHI. They should provide guidelines on what workforce members can and can't do. A policy is basically a security framework for your employees. Here are the policies you should implement at your organization.

BREACH NOTIFICATION POLICIES
Your policy should include documentation of:
• Members and contact information of your breach response team
• State and federal breach response laws
• Who to notify in case of a breach (e.g., stakeholders, the HHS, law enforcement, patients, and the public)
• Response timelines

SECURITY POLICIES
A few examples of good security policies to include in your business plan:
• Firewall configuration standards
• Job descriptions
• Network Time Protocol (NTP) configuration procedures
• Physical security procedures
• Security awareness training procedures
• Workstation functions

PRIVACY POLICIES
A few examples of good privacy policies to include in your business plan:
• Accounting of disclosures of PHI
• Patient access to PHI
• Authorization for release of PHI
• Minimum necessary for uses and disclosures of PHI
• Emailing PHI
• Safeguarding and storing PHI
• Destruction of PHI

Remember, a policy is only as good as its enforcement. Don't let your policies sit on a shelf! Train your employees on company policies, or all that policy writing will have been for nothing. Review policies on a regular basis to ensure they are updated with system, personnel, and technology changes.
DECEMBER
ASSESS YOUR PROCESS

HIPAA shouldn't be an annual event; it should be an ongoing process. Even so, you should do a deep dive and reanalyze your HIPAA compliance plan every year. Assess where you are and how far you've come. Set HIPAA goals and milestones for next year. Plan out employee trainings based on the risks and vulnerabilities you found during this year's Risk Analysis. As always, don't forget to document your plans for next year!

CONCLUSION

HIPAA compliance doesn't have to be an impossible task. Break compliance into small, manageable pieces, such as starting your Risk Analysis, creating an Incident Response Plan, or finding where PHI is stored.

HIPAA compliance is never completely finished. Your environment is constantly shifting with changes to your workforce, technology, security policies, and medical processes. Because of this, HIPAA should be an ongoing "business as usual" process.

HOW VULNERABLE IS YOUR PATIENT DATA?
Join over 800,000 organizations and let SecurityMetrics help protect your patient data.
consulting@securitymetrics.com
801.705.5656
© SECURITYMETRICS