Shortlist of Questions to ask yourself to see if you need assistance with HIPAA Compliance and Security.
- Do you have a designated security officer?
- Do you have documented designated tasks for the security officer?
- Has the security officer done the additional training?
- Have you documented your Business Associates?
- Have you verified your Business Associates are contracted and compliant?
- Have you done a Risk Analysis?
- Do you have evidence of compliance?
- Are any drives or files encrypted?
- Do you have a file scan report?
- Have you done the general HIPAA training for everyone?
- Do you have copies of the training certificates?
- Do you have copies of implemented HIPAA policies and procedures?
- Do you have a Disaster Recovery plan for physical, administrative, and technical applications?
- Do you have a business continuity plan?
Some basic explanations of the questions you need to ask yourself to see if you need assistance with HIPAA Compliance and Security.
- Do you have an annual Risk Analysis Report (Your risk analysis should identify the likelihood, impact, and risk for specific threats, such as lost or stolen devices, computer virus (malware), and malicious insider, as well as natural and environmental threats)?
- Do you have an annual Remediation Report (your risk analysis should identify the specific safeguards to reduce the risks of threats, such as encryption for a lost/stolen device, or maintaining software with the latest security patches for malware (computer virus))?
- Do you have HIPAA Security Policies (You should have policies and procedures that cover the 18 standards and 36 implementation specifications in the HIPAA Security Rule, such as Encryption, Protection from Malicious Software, Log-in Monitoring, etc.)?
- Are your guides, templates, and toolkits completed (fines have been given for using template policies that are not followed)?
- Missing Documents Referenced in Policies (if you have not created all of the documents referenced in your policies, such as a Risk Management Plan, you may not be complying with your own written policies and may be at risk for higher “willful neglect” HIPAA penalties)?
- No Policies for Addressable Implementation Standards (if your policy templates require you to analyze “addressable” policies, you may not have a policy in place if you have not documented what is reasonable for your practice. Addressable does not mean optional)?
- Implementation (identifying a threat in your risk analysis without a plan to implement safeguards to mitigate the risk can lead to heavy fines – you must have an Implementation Plan)?
- No Documentation of HIPAA Activities (if it isn’t documented, it didn’t happen. Record dates, personnel who performed or verified, and other applicable details when safeguards are implemented)?
- Ongoing Compliance Not Reviewed (you need documentation of ongoing compliance, such as when the software is updated with the latest security patch, review of audit logs, verifying termination procedures were followed, etc)?
- New Technology or Operations Not Evaluated (you need to assess new technology or operations, such as upgrading your EHR for Stage 2 Meaningful Use or beginning a social media program for your practice, and implement the appropriate safeguards to comply with the HIPAA Security Rule)?
You Do LESS
- Less Time on HIPAA compliance
- Less People for HIPAA compliance
- Less Office Disruption to implement
- Less Total Cost of Ownership
- Less Vendor Management
- Less worry about Ransomware
- Less effort in keeping up with Regulations
- Less worry about Audits
- Less Risk with proven implementation
You Get More
- More Time to Work with Patients
- More Competitive Advantage
- More Dollar Savings
- More Compliance
- More Cybersecurity
- More insight into your HIPAA/NIST score
- More Vendor Security
- More Documented proof of compliance
- Harmony with patients
- Harmony with compliance
- Harmony with Budget and compliance
- Harmony with Audits and compliance
- Harmony with HIPAA, Ransomware, and Cybersecurity
- Harmony with Policy and Procedures
- Harmony with Business Associates
Why Harmonize your HIPAA Compliance services
Just like using an Accountant, Lawyer, or HR company, HIPAA compliance is better, safer, and more economically done by a Trained Professional.
- You sleep better knowing that this is implemented properly.
- You avoid the HIPAA Police (OCR) and fines.
- You avoid legal bills and lawsuits from poor or improper implementation.
- You avoid the publicity and loss of patients with a breach.
- BEST OF ALL – you Keep Your Practice in Business. (SBA says 93% of small organizations go out of business within 2 years of a breach).
Statistics – not Harmonized
- The average financial cost for lost or stolen healthcare records exceeds $425 per record. This doesn’t include the lawsuits that follow, the cost to defend, the cost to fix, and other long-term costs.
- 93% of small to medium businesses are out of business within 2 years of a breach according to the Small Business Administration.
- A report by IDG shows that Healthcare organizations see 340% more malware attacks than the average industry each year and that the attacks are more than twice as likely to involve data theft.
- 85% of all malicious software today is spread through web browsers, and healthcare organizations are prime targets.
- A recent Accenture report found that cyber-attacks over the next few years will cost health systems $305 billion in cumulative lifetime revenue.
- Ransomware cost $8.8 million in 2014; in 2016 the cost was about $1 billion, according to the FBI.
Next Steps to the Curran Data Experience
It’s easy for us to make you secure and HIPAA Compliant.
Contact us to see if you qualify for free initial analysis:
What are the consequences of not complying?
If there is a significant breach of the practice
- HIPAA fines of up to $1,500,000 per incident
- Fines and Lawsuits possible from several other government agencies such as the FBI and State Attorney’s Office to start with.
- A 93% chance of going out of business within two years, according to the Small Business Administration.
If there are just fines for HIPAA violations (see examples below)
- $150,000 HIPAA Fine (“…failing to identify and address basic risks, such as not regularly updating their IT resources and available patches and running outdated, unsupported software”)
- $1,975,220 Fine (“…previously recognized in multiple risk analyses that a lack of encryption… was a critical risk”)
- $1.44 Million Dollar Verdict (“Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens Co. and one of its pharmacists who shared confidential medical information about a client that had once dated her husband”)
What are the initial steps to get started?
The HIPAA auditor from Health and Human Services will need to see documented proof that the practice is doing its best to comply. Providing an auditor with evidence that the following four things have been done increases the odds of passing the HIPAA audit.
- Identify who’s in charge
- Perform a risk analysis
- Develop and document policies and procedures
- Create a Mitigation plan
5 ways to avoid health data breaches
- Conduct an annual HIPAA security risk analysis
- Inoculate yourself by encrypting data-at-rest
- Conduct more frequent vulnerability assessments and penetration testing
- Invest in security awareness of your workforce
- Engage with your business associates
What is ransomware?
Fundamentally, ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” Typically, two types of ransomware may be deployed – lock screen or encryption. A lock screen attack is identified by a message popping up on the computer screen, which prevents the user from either using the PC or accessing files. An encryption attack occurs when the files are encrypted and become inaccessible.
Is a Ransomware attack considered a HIPAA breach?
OCR says ransomware usually triggers the HIPAA breach notification rule.