Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much needed “shot in the arm” (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years.
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
What to Expect from a HIPAA Security Audit
Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much needed “shot in the arm” (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years.
Under HITECH, the Center for Medicare Services (CMS) launched its “meaningful use” program, a 4-stage plan to transition from paper-based to electronic medical records (EMR). Stage 1 “meaningful use” specifically calls out core requirements for covered entities and eligible providers. Benchmarks, goals, and deadlines have been established to measure the adoption, implementation, and utilization of EMR. Stage 2 requirements will be published in the summer of 2012. Although early in its lifecycle, the ultimate success of the “meaningful use” program is already widely considered the cornerstone of IT health transformation.
Although “meaningful use” is not mandated by law, it might as well be. By attesting that they have met Stage 1 requirements, hospitals are eligible for up to a $4 million base payment plus a multiplier for 6 years on Medicare reimbursements. The program is a combination of financial incentives (the “carrot”) and disincentives, further supported by existing laws enacted under HIPAA years ago. For example, the HIPAA Security Rule has been around since 2005. At that time, IT usage in healthcare was limited, and the regulations governing it, relatively toothless. But “meaningful use,” with its incentives for the adoption of electronic health records (EHR), and HITECH, with increased monetary penalties for the breach of protected health information (PHI), both breathed new life into the HIPAA Security Rule.
In 2011, the impetus for covered entities to improve their privacy policies and IT security infrastructure has also been driven by the Stage 1 EHR meaningful use incentive plan. Part of the requirements for attestation is to have conducted a HIPAA Security Risk Analysis. To fulfill this mandatory requirement, most hospitals hire a 3rd party security assessment firm such as Redspin, who are experts in IT security and compliance, and can deliver an objective, unbiased report.
While the “carrot” has been very motivational (over 85% of hospitals say they will attest to Stage 1 by the end of 2012), the “sticks” of increased breach penalties and government-ordered HIPAA security audits have not yet had an impact in any significant way. That will change in 2012.
Last June, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) awarded $9.2 million to KPMG, under Contract No. GS23F8127H, to support OCR in creating a documented HIPAA audit protocol and to conduct such audits on 150 entities by the end of 2012. The 150 organizations selected will include both covered entities (hospitals) and their business associates (BAs).
As we move toward 2012, the reality of increased breach penalties and government-sponsored audits should be “top of mind” for the executive leadership at hospitals and hospital systems. Prudent healthcare CIOs will naturally want to first conduct their own security risk analysis before any government auditors show up at their door. Indeed, Redspin has worked with dozens of “early adopters” in 2011 who hired us to conduct a HIPAA risk assessment to meet Stage 1 meaningful use deadlines. These admirable entities are well ahead of the game now should they be selected for an OCR/HIPAA audit as devised by KPMG later this year.
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177
MOVING TARGET
In 2011, the majority of hospitals were not ready to meet the full set of meaningful use requirements, and others were hoping for more guidance from CMS/OCR in regard to specific risk analysis or HIPAA audit scope. Last May, the agencies were vague at best when the question of what the HIPAA audit protocol would look like was raised at the Annual HIPAA Security Rule Conference in Washington, D.C. They deferred on the question initially, then went on to stress how seriously they planned to take their enforcement responsibility, even presenting dates/cities for an upcoming HIPAA Audit Policy and Procedures training program for State Attorneys General.
Most attendees felt that this was putting the cart before the horse. OCR had yet to even award the contract for the development of the HIPAA Audit Policy and Procedures (which went to KPMG a month later). Adding fuel to the fire, OCR suggested that the AG training material would likely never be publicly released. When pressed by an attendee, the OCR representative deferred to the HIPAA Security Rule, “which has been around forever,” and suggested that a good starting point for all would be to read or reread that legislation.
We agreed. For Redspin’s scope of work, we see no possibility for ambiguity. First, our HIPAA Security Risk Audits/Assessments are conducted in strict accordance with the HIPAA Privacy and Security Rules (45 CFR 160 and 164, Subparts C and E). Second, we consider IT security as a process rather than a project. We test, report findings, suggest solutions, validate remediation, and test again at a later date. There are ample opportunities to adjust our scope of work along the way so that we meet compliance objectives. This has always been the way to work with government-backed industry audits. Times change. Technologies advance. With our flexible assessment approach, we’re able to stay in lock-step with the auditors and are thus able to deliver the highest value to our clients.
A good example is likely already at hand. Redspin believes that a large concern at hospitals should be the oversight of their business associates, a complex and cumbersome, thus oft-neglected, responsibility. This is particularly true when one considers the sobering statistic that since September 2009, 55% of all major breach incidents (those involving 500 or more individuals’ records) occurred at BAs, and that less than half of healthcare organizations conduct any kind of pre- or post-contract compliance assessment of their BAs. Thus, Redspin has recently added a business associate portfolio risk assessment service to its offerings.
For business associates themselves, protecting the security and privacy of ePHI/PHI will suddenly become both a fiduciary responsibility and potentially a competitive issue. The OCR has already confirmed that direct liability for a breach will extend to BAs at the end of 2012, raising the specter of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly disclosed violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at the most severe.
A NEW SHERIFF IN TOWN
On their part, OCR is going full steam ahead, at least in terms of continuing to stress enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that “OCR may initiate further compliance enforcement action based on the content and findings of the audit.”
In early September, OCR hired Leon Rodriguez as its new director. He had little more to add on the specifics of the
upcoming audit program other than confirming that a KPMG “pilot program” is imminent during which OCR will
conduct a handful of audits to assess and refine the methodology itself.
But as a former prosecutor and defense attorney, Mr. Rodriguez's bias towards enforcement is becoming clear. During
a recent interview with HealthcareInfoSecurity, he was quoted as saying "enforcement promotes compliance. The fact
that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will
promote compliance."
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177
He went on to say that he plans to ramp up enforcement of HIPAA with resolution agreements, civil monetary
penalties, and other enforcement actions. "It's always going to be a high priority to focus on those cases that involve
the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he
stressed.
In another paragraph, he mentions the word “enforcement” three times in three sentences. In another, he describes
larger “enforcement opportunities” and describes focused efforts to help his people learn to put “a case together.”
HOW WE CAN HELP
If stricter enforcement is indeed coming soon, how should top executives of healthcare organizations (covered entities
and business associates) best prepare for the inevitable day when the government's HIPAA Audit team knocks on the
door? Unlike some Beltway pundits, we believe that OCR will see these audits as enforcement opportunities rather
than educational sessions. And unlike other IT security consulting firms, we urge you not to rely solely on the fact
that you've made "good faith" efforts to comply.
Redspin's mission is to help healthcare organizations safeguard and protect private and confidential health
information. We also have the domain knowledge, business experience and professional savvy to prepare you for a
HIPAA Security Audit. Here are the ten steps we suggest that will protect your organization and keep the auditors
satisfied.
1. Conduct a comprehensive HIPAA security risk analysis and IT security assessment as soon as possible.
Many organizations make the mistake of deferring this work until some other project is completed, waiting for
a different budget cycle, waiting for a new hire to start, or for some other organizational change to take place.
Don't wait!
2. Ensure that your 3rd party IT security assessment provider follows the administrative, physical, and technical
safeguards of the HIPAA Security Rule chapter and verse.
3. Use the Security Risk Analysis Process to organize all relevant documentation. HIPAA Auditors will want
copies of everything. So, not only should these policies and procedures be up to date and updated
regularly; they should also be easy to locate. Nothing is more unnerving than scrambling through file cabinets
under a watchful eye.
4. Plan Your Work. Immediately upon completion of the risk analysis, put an action plan together to address all
findings. You don't need to have everything fixed by the time the government audit takes place but you need a
plan in place with assigned tasks and due dates to demonstrate that you're aware of the findings and that all
meaningful vulnerabilities are being addressed.
5. Get to Work. The more findings and vulnerabilities you've corrected from the original report, the more
diligent and competent your organization will look to the auditors.
6. Minute the meetings in which the results are discussed and action items assigned.
7. Insist that your 3rd party assessment firm provide you with a hard copy of your assessment report and secure,
online interactive access to the findings. An interactive version of your risk analysis provides you with the
ability to show the auditors up-to-the-minute progress on your remediation plan. Remember: Security is not a
project; it is a process.
8. Involve senior management early and often. Form a governance, privacy, and IT security steering committee if
possible. You'll need executive support to resolve competing interests among different functional groups. In
addition, the auditors will conduct interviews during site visits with your leadership including the CIO, Chief
Counsel, and medical records director. You don't want this to be the first they've heard of the undertaking.
9. Demonstrate that you understand the breach notification procedure and explain how it works in your
organizational context.
10. Demonstrate a formal internal sanction policy for internal privacy violations and non-adherence to policy.
Show examples of past instances where such sanctions have been issued in accordance with policy.
At the end of this process, there will be more benefit to your organization than just a happy HIPAA auditor.
"Across the board, regardless of industry or standard, companies that consistently comply with security requirements
and standards save three times more in security-related expenses annually than companies that are categorized as
non-compliant." (Tripwire/Ponemon, Jan 2011)