Shortlist of Questions to ask yourself to see if you need assistance with HIPAA Compliance and Security.

Do you have a designated security officer?
Do you have documented designated tasks for the security officer?
Has the security officer done the additional training?
Have you documented your Business Associates?
Have you verified your Business Associates are contracted and compliant?
Have you done a Risk Analysis?
Do you have evidence of compliance?
Are any drives or files encrypted?
Do you have a file scan report?
Have you done the general HIPAA training for everyone?
Do you have copies of the training certificates?
Do you have copies of implemented HIPAA policies and procedures?
Do you have a Disaster Recovery plan for physical, administrative, and technical applications?
Do you have a business continuity plan?

Some basic explanations to Questions you need to ask yourself to see if you need assistance with HIPAA Compliance and Security.

Do you have an annual Risk Analysis Report (Your risk analysis should identify the likelihood, impact, and risk for specific threats, such as lost or stolen devices, computer virus (malware), and malicious insider, as well as natural and environmental threats)?
Do you have an annual Remediation Report (Your risk analysis should identify the specific safeguards to reduce risks of threats, such as encryption for a lost/stolen device, or maintaining software with the latest security patches for malware (computer virus)?
Do you have HIPAA Security Policies (You should have policies and procedures that cover the 18 standards and 36 implementation specifications in the HIPAA Security Rule, such as Encryption, Protection from Malicious Software, Log-in Monitoring, etc.)?
Guides, Templates, and Toolkits not Completed (fines have been given for using template policies that are not followed)?
Missing Documents Referenced in Policies (if you have not created all of the documents referenced in your policies, such as a Risk Management Plan, you may not be complying with your own written policies and may be at risk for higher “willful neglect” HIPAA penalties)?
No Policies for Addressable Implementation Standards (if your policy templates require you to analyze “addressable” policies, you may not have a policy in place if you have not documented what is reasonable for your practice. Addressable does not mean optional)?
Implementation (identifying a treat in your risk analysis without a plan to implement safeguards to mitigate the risk can lead to heavy fines – you must have an Implementation Plan)?
No Documentation of HIPAA Activities (if it isn’t documented, it didn’t happen. Record dates, personnel who performed or verified, and other applicable details when safeguards are implemented)?
Ongoing Compliance Not Reviewed (you need documentation of ongoing compliance, such as when the software is updated with the latest security patch, review of audit logs, verifying termination procedures were followed, etc)?
New Technology or Operations Not Evaluated (you need to assess new technology or operations, such as upgrading your EHR for Stage 2 Meaningful Use or beginning a social media program for your practice, and implement the appropriate safeguards to comply with the HIPAA Security Rule

You Do LESS

Less Time on HIPAA compliance
Less People for HIPAA compliance
Less Office Disruption to implement
Less Total Cost of Ownership
Less Vendor Management
Less worry about Ransomware
Less effort in keeping up with Regulations
Less worry about Audits
Less Risk with proven implementation

You Get More

More Time to Work with Patients
More Competitive Advantage
More Dollar Savings
More Compliance
More Cybersecurity
More knowing your HIPAA/NIST score
More Vendor Security
More Documented proof of compliance

HIPAA Harmony

Harmony with patients
Harmony with compliance
Harmony with Budget and compliance
Harmony with Audits and compliance
Harmony with HIPAA, Ransomware, and Cybersecurity
Harmony with Policy and Procedures
Harmony with Business Associates

Why Harmonize your HIPAA Compliance services

Just like using an Accountant, Lawyer, or HR company, HIPAA compliance is better, safer, and more economically done by a Trained Professional.

You sleep better knowing that this is implemented properly,
You avoid the HIPAA Police (OCR) and fines.
You avoid legal bills and lawsuits from poor or improper implementation.
You avoid the publicity and loss of patients with a breach.
BEST OF ALL – you Keep Your Practice in Business. (SBA says 93% of small organizations go out of business within 2 years of a breach).

Statistics – not Harmonized

The average financial cost for lost or stolen healthcare records exceeds $425 per record. This doesn’t include the lawsuits that follow the cost to defend, the cost to fix, and other long term costs.
93% of small to medium businesses are out of business within 2 years of a breach according to the Small Business Administration.
A report by IDG shows that Healthcare organizations see 340% more malware attacks than the average industry each year and that the attacks are more than twice as likely to involve data theft.
85% of all malicious software today is spread through web browsers, and healthcare organizations are prime targets.
A recent Accenture report found that cyber-attacks over the next few years will cost health systems $305 billion in cumulative lifetime revenue.
Ransomeware in 2014 cost $8.8 million. 2016 cost – about $1 billion according to the FBI.

Next Steps to the Curran Data Experience

It’s easy for us to make you secure and HIPAA Compliant.

Click here to contact us

What are the consequences of not complying?

If there is a significant breach of the practice

HIPAA fines of up to $1,500,000 per incident
Fines and Lawsuits possible from several other government agencies such as the FBI and State Attorney’s Office to start with.
A 93% chance of going out of business within two years according to the Small Business Agency.

If there are just fines for HIPAA violations (see examples below)

$150,000 HIPAA Fine (“…failing to identify and address basic risks, such as not regularly updating their IT resources and available patches and running outdated, unsupported software”
$1,975,220 Fine (“… previously recognized in multiple risk analyses that a lack of encryption… was a critical risk)
$1.44 Million Dollar Verdict (“Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens Co. and one of its pharmacists who shared confidential medical information about a client that had once dated her husband”

What are the Initial steps to get started

The HIPAA auditor from Health and Human Services will need to see documented proof that the practice is doing its best to comply. Providing an auditor with evidence that the following four things have been done increases the odds of passing the HIPAA audit.

Identify who’s in charge
Perform a risk analysis
Develop and document policies and procedures
Create a Mitigation plan

5 ways to avoid health data breaches

Conduct an annual HIPAA security risk analysis
Inoculate yourself by encrypting data-at-rest
Conduct more frequent vulnerability assessments and penetration testing.
Invest in security awareness of your workforce
Engage with your business associates

What is ransomware

Fundamentally, ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” Typically, two types of ransomware may be deployed – lock screen or encryption. A lock screen attack is identified by a message popping up on the computer screen, which prevents the user from either using the PC or accessing files. An encryption attack occurs when the files are encrypted and become inaccessible.

Is a Ransomware attack considered a HIPAA breach?

OCR says ransomware usually triggers the HIPAA breach notification rule