Help Me With HIPAA

By Donna Grindle and David Sims

In today's environment of data breaches, identity theft, fraud, and increasing connectivity, HIPAA Privacy and Security rules are a responsibility to your patients and your clients. HIPAA isn't about... more

4.9

6161 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Help Me With HIPAA:

How many episodes does Help Me With HIPAA have?

The podcast currently has 531 episodes available.

Help Me With HIPAA episodes:

September 18, 2015Episode 19: I am vulnerable, too said your smartphone
Mobile devices are vulnerable just like your network, servers, laptops, and desktops. Your risk analysis should include checking on any types of messages, pictures, or access to your data that can be done on your smartphones. Even if you don't put PHI on them they may be able to be used against you in some way to crack your network and your PHI.
Patches

Android updates and know your version of Android

Wipe leaves some stuff on old Android versions

iOS updates and know your version

Windows is so small market share but mention it

Encryption

Android

Option to encrypt this device

Lock screen setting to wipe device after X failed logins

iOS

data protection turns on with password set

set to wipe if after X number failed logins

MDM - Mobile Device Management

What is it

What can you do with it

BYOD - Bring Your Own Device

Set rules to follow

Do checks for software updates

Don't let kids play with phone

MDM?

Backup
If you lose the phone or it dies will you lose important things? Figure out a backup plan but make sure it is properly secured too.
Unsecured WiFi and Bluetooth

Try not to use it unless necessary

Bluetooth can be used to connect to your phone within 30 feet

Personal WAN can be used to jump on your connection and use your data plans

Final Notes
Understand this is the new frontier for hackers. Ransomware and malware for smartphones are growing quickly
...more
43min
September 11, 2015Episode 18: Email isn't secure, really, it isn't
Let's review email systems and how they can be secured for ePHI and other sensitive data.
Find Healthcare IT
HIPAA For MSPs
Kardon Compliance
Alston Article on Email Security

Notes
Leigh from Florida sent us an email asking for us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2 which mentioned it but she had specific questions how can email be secured. This couldn't be covered in a quick 5 minute HIPAA answer episode so we are doing a whole episode.
How does email work - for "real people" to understand
Compare to the post office since that is the way it was originally modeled to match
Why that isn't secure at all, really
http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack (article on email hacked and it had patient info in it)
open transmissions and many different servers
Misconceptions
I use a password so it is secure
I use https so it is secure
I use TLS so it is secure
I use updated Outlook with Hosted Exchange so that should be secure
Secure email via
End to end encryption tools - each party knows the key
Messaging system - you get an email telling you to log in to get the secure email
Hosted services that allow for specific types of messaging
Hosted exchange
Plug-in apps
Secured internal only messaging systems
Very specific set up to secure the mail database on your internal server
Controls you have in place to prevent email to other domains outside the secure system (usually software required)
Some systems are automatic encryption / others require you to hit a button on the mail to send it secured.
Secure messaging systems for internal discussions that don't use email
whole new way of communications in forums / chats instead of email
Texting also matters but that is a different episode we can touch on it here
A word about spear phishing - excellent example this week from a client
...more
50min
September 04, 2015Episode 17: Compliance Management with ComplyAssistant
Links
ComplyAssistant
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
Who is Gerry Blass
Been in healthcare for the long ride
Consultant for years
Now consultant and software company
ComplyAssistant - when did you start development and what was your vision for it? What kinds and size of clients do you have - hospital, practices, BAs and CEs of all types
ComplyAssistant features
Due Diligence for BAs
Contract management
Incident Management
Project Management
Documentation, Documentation, Documentation Management
Importance of having a documentation and management system of some sort in place
Why ComplyAssistant instead of using a spreadsheet / folder approach?
...more
41min
August 28, 2015Episode 16: Seven Steps for Nurturing a Culture of Compliance
Culture of compliance is the phrase OCR uses when defining what they are looking for in an audit or investigation. They also use the phrase robust compliance program in the same manner. Using these steps is a great way to make sure your organization is following their lead.
Links
ComplyAssistant Compliance Management Solution
Spher EHR Access Monitoring Solution
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:
Designate a Compliance (Privacy & Security) OfficerFirst, the law requires you do this. But, if no one is in charge then nothing will happen, we all know that to be the case. Or, in a vacuum of leadership someone else will take charge and handle things the way they think they should be done without the support of management.
Train and educate your staff and BA partnersConstantly restating the same information over and over in a variety of ways may be annoying to some but that means they have heard it! Also, don't forget to work with your BA partners to confirm they actually understand what HIPAA compliance requires in their organizations.
Implement an ongoing Compliance maintenance solutionThis is what we talk about using tools such as ComplyAssistant, Spher, and professional MSP monitoring and management applications. Either use the tools or develop manual internal controls and processes to accomplish those same documentation and audit tasks on a regular basis.
Conduct regular and complete audits and monitoring of all ePHI systems If you are ignoring it then so will everyone else in your organization.
Monitor and respond to Incidents in a timely manner (State & Federal regulations)We all freak out together as soon as we know something could havehappened to our PHI.
Adhere to a strict breach remediation protocolDefine your breach plan and use it every time. After any case that it was used, then review it to make sure you don't need to change or add things in the plan.
Create a open line of communication for management and staffThe law requires you to never retaliate towards any person who files a complaint or reports a problem including a breach. If you don't make it clear that you fully support that rule and all workforce members are free to ask any question, file any complaint, and report any concern then you will likely be missing things just because someone was afraid to tell.
...more
37min
August 21, 2015Episode 15: It's not just about HIPAA anymore
In 2014 NIST introduced the National Cybersecurity Framework (CSF). It is designed for all businesses, large and small, to know things they should be doing to protect their businesses, data, customers, and more. Just how does it compare to HIPAA?
Notes
NIST Cybersecurity Framework
DHS Getting Started for Small and Midsize Businesses (SMB)
US Chamber of Commerce: Internet Security Essentials for Business 2.0
C3 Voluntary Program: Begin the Conversation: Understand the Threat Environment
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
It's not just HIPAA. All the different guides spell out the same basic concepts.For example:
NIST - Cybersecurity Framework
US Chamber of Commerce: Internet Security Essentials for Business 2.0
STRONG SECURITY IS SMART FOR BUSINESS AND THE NATION COMMON THREATS TO BUSINESS INFORMATION
Hacking and Malware
Lost or Stolen Physical Storage Media
Insider Threat and Human Error
Accidents and Natural Disasters
CYBERCRIME ON THE RISEINTERNET SAFETY AND SECURITY FUNDAMENTALS
Set Up a Secure System
Protect Business Data
Train Your Workforce
Be Prepared
ADD BUSINESS VALUE THROUGH INFORMATION SECURITY
NATIONAL AND PRIVATE SECTOR PERSPECTIVES
Cyber Essentials to Protect Your Business: Managing Cyber Risks in a Time of State and Non-State Threats to Business Security and Resilience - Hosted by US Chamber of Commerce
FBI - Deputy Director
DHS - Undersecretary for Cybersecurity
Secret Service - Atlanta Office Cybersecurity Team
Army Lt Col - Cybersecurity Command
...more
34min
August 14, 2015 Episode 14: HIPAA Log Audits with AMS Spher
An interview with Ray Ribble discussing the AMS Spher product. We learn how Spher can automatically "learn" what access patterns are normal and ask you when something isn't right. Your HIPAA compliance requirement to audit access logs may be solved with this tool. Your very own HIPAA Breach Detection Service!
Links
The AMS SPHER™ Solution
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
Who is AMS and Ray Ribble?
Tell us about The AMS SPHER™ Solution.
Behaviorial Analytics
SPHER leverages pattern recognition algorithms to determine if there was suspicious behavior on the EHR. It does this by comparing past behaviors to behaviors in the audit log file SPHER is currently reviewing. For example, SPHER may have learned over the past months that an EHR user named John is typically active between 8 AM and 4 PM. In the current audit log file, SPHER notices that John was active on the EHR from 4 PM to 12 midnight which causes SPHER to send you an unusual time of access alert.
It Learns!
You know that John’s shift recently changed from 8 PM to 4 AM. Going through the SPHER incident resolution process, you indicate that this behavior is Normal and Permitted. Based on this feedback, SPHER has now learned that this is normal EHR behavior for John and will not send an alert the next time it sees EHR activity for John during this new time span. As normal behavior on your EHR changes, SPHER learns and does not send false alerts for behaviors you’ve already indicated are normal.

...more
46min
August 07, 2015Episode 13: What is a HIPAA Risk Analysis
Description
What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.
Glossary
CReMaT'ed - Create, Receive, Maintain, Transmit
CIA - Confidentiality, Integrity, Availability
Links
JPP Medical Record
OCR Guidance on Risk Analysis
Training Documentation for this episode
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
Not a simple checklist it requires a lot of thought, data collection, and analysis.
The analysis part
Define where e-PHI is CReMaT'ed in your organization.
Not just the server that holds the EMR.
Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers
Practice Management system and data analysis tools
Don't forget to include downloads folders and temp folders on all PCs.
Do you need to worry about vendors or consultants - your BAs that may move data around your network, systems, etc.
If they handle it for you do you even know where it is going?
What are the threats to the CIA of the PHI that you have located and identified above?
Human
Natural
Environmental
What would be the impact to your business if the threat did act against your PHI?
Would it be a bump in the road or a sinkhole?
What is the likelihood this threat will actually act against your PHI?
Very likely down to not likely at all
With all this considered what level risk do you think this threat creates to your PHI?
High, Medium, or Low
Based on everything you know then you decide what you are going to do about the threat and the risk it presents?
Accept the risk is just part of doing business
Address the risk with some type of safeguards in your organization
Outsource the risk by hiring another company to handle managing it for you

The assessment part
At this point, you review that plan you have just made to address risks against what you are actually doing
Are doing everything you can to protect the PHI and meet your obligations under HIPAA laws from all those threats?
If you are outsourcing threat management, have you made sure your BAAs are in order?
If you are handling it internally do you have all the written policies and procedures
Is your staff trained to respond accordingly?
Once you complete that process you draw up your final report on what was determined during your analysis and assessment.
What actions need to take place to address those threats and what priority should be applied to them?
This is your full analysis and assessment report that you will use to inform your decision making process for your security policies and procedures.
It is also the report you will review and update on a regular basis. Sometimes minor updates are needed but other times you will need to do most of the whole thing over if there is a major change in your business.
...more
36min
August 05, 2015 Episode A2: HIPAA Answers - BA question from a listener
We have a listener who called in with an example situation to find out what we thought. Is the company a Business Associate? Listen to Donna's answer in Episode A2.
These short "answer episodes" are released weekly on Tuesday mornings when we have them come in.
Send us your questions and we will publish them with our thoughts and the best answers we can muster!
Use the Website form or Speakpipe voicemail You can also find all our social media contact information at HelpMeWithHIPAA.com.

...more
6min
July 31, 2015Episode 12: Breach Response Plans
Description
A Breach Response plan is a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.
Glossary
NIST National Institute of Standards and Technology
Links
NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide
APDerm Resolution Agreement See item 2(2)
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes
Establishing an incident response capability should include the following actions:
Creating an incident response policy and plan
Written required - already had an OCR resolution that mentioned not having one (APDerm - $150,000)
Developing procedures for performing incident handling and reporting
Who is your "go to" team for forensics
Setting guidelines for communicating with outside parties regarding incidents
PR will be critical for reputation managment
Selecting a team structure and staffing model
Someone has to be in charge of the whole thing and then others in charge of the parts.
Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
Bigger organizations need to know who is responsible for talking with each department.
Determining what services the incident response team should provide
How far is the team going through the process? Will they pass off follow up or will they do all the activity required from beginning to end. Again, large organizations need to worry about this.
Staffing and training the incident response team
Make a written list and have the team meet regularly to review how to respond to any incident that may come up in the organization.
...more
27min
July 28, 2015 Episode A1: HIPAA Answers - How do I get rid of my printers properly?
How do I get rid of my printers properly? Find out in HIPAA Answers Episode A1.
Thanks for our listener questions that are coming in! It took us a bit to work out the best way to get back to you, so sorry for the delay.
Today we introduce, HIPAA Answers episodes. These short "answer episodes" will be released weekly on Tuesday mornings.
Send us your questions and we will get them answered. Lots of ways to contact us below!
Website form or Speakpipe voicemail
Twitter
LinkedIn
Facebook
Google+
Send us an email
...more
5min

FAQs about Help Me With HIPAA:

How many episodes does Help Me With HIPAA have?

The podcast currently has 531 episodes available.

More shows like Help Me With HIPAA

This Week in Tech (Audio) by TWiT

This Week in Tech (Audio)

3,014 Listeners

The Ramsey Show by Ramsey Network

The Ramsey Show

38,704 Listeners

Wait Wait... Don't Tell Me! by NPR

Wait Wait... Don't Tell Me!

38,649 Listeners

Radiolab by WNYC Studios

Radiolab

43,909 Listeners

The Joe Rogan Experience by Joe Rogan

The Joe Rogan Experience

225,807 Listeners

CyberWire Daily by N2K Networks

CyberWire Daily

1,006 Listeners

Juicy Scoop with Heather McDonald by Heather McDonald & Studio71

Juicy Scoop with Heather McDonald

25,558 Listeners

The Jordan B. Peterson Podcast by Dr. Jordan B. Peterson

The Jordan B. Peterson Podcast

34,045 Listeners

This Past Weekend w/ Theo Von by Theo Von

This Past Weekend w/ Theo Von

27,214 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

7,871 Listeners

CISO Series Podcast by David Spark, Mike Johnson, and Andy Ellis

CISO Series Podcast

187 Listeners

All-In with Chamath, Jason, Sacks & Friedberg by All-In Podcast, LLC

All-In with Chamath, Jason, Sacks & Friedberg

9,095 Listeners

The MeidasTouch Podcast by MeidasTouch Network

The MeidasTouch Podcast

44,368 Listeners

SmartLess by Jason Bateman, Sean Hayes, Will Arnett

SmartLess

57,908 Listeners

The Dr. John Delony Show by Ramsey Network

The Dr. John Delony Show

7,093 Listeners