Road to HIPAA Compliance: Trends in Enforcement Activity

A Conversation about Trends in HIPAA Enforcement Activity

In this webinar, Joseph Kirkpatrick and Mark Hinely discuss historic and 2016 trends in OCR enforcement activity. 2016 was a record year for enforcement, and these trends are the most direct way the OCR tells us what it is looking for and where it is looking.

Mark Hinely has chosen four cases to discuss that represent 2016 enforcement activity trends: UMass Health, St. Joseph Health, Advocate, and University of Mississippi Medical Center. Each of these organizations had breaches that led to massive penalty fines and extensive corrective actions; Advocate’s multiple breaches led to a $5.5 million fine, making it the largest ever. The trends we’re discussing deal with failure to conduct risk analysis and risk management, failure to create and implement effective policies and procedures, and failure to offer proper training to the workforce.

Joseph and Mark also engaged in a Q&A session to answer many questions regarding risk, including:

Q: How do you keep an organization’s risk analysis fresh from year to year?

A: Don’t copy and paste from last year’s risk analysis. Last year is not effective for this year. You need to determine what contains PHI that didn’t last year. Things have changed, even if you think they haven’t.

Q: How do you make a risk analysis more specific from year to year?

A: Bring in a third party assessor, or any type of third party, who can see what you can’t. Even bring in someone internal, but whose subject matter is different.

Q: What is the difference between a gap analysis and a risk analysis?

A: A gap analysis takes your organization and compares its gaps against strict, specific, published standards. A risk analysis, though, requires you to think more broadly and determine what risks are unique to your organization.

Q: What’s the difference between a risk analysis and risk management?

A: A risk analysis assesses the potential threats to an organization’s confidential information. Risk management takes the information discovered from a risk analysis and acts on it to protect the confidential information.

Listen to the full webinar to learn about each of the cases listed above, hear more of the Q&A session, and learn even further about the current trends in enforcement activity. Contact us today to speak to a HIPAA expert.

Road to HIPAA Compliance: Using the NIST Cybersecurity Framework to Protect PHI

The NIST Cybersecurity Framework: A Common Language for Cybersecurity Issues

The cybersecurity realm is overwhelming – the issues, the regulations, the changes, the threats, the persistence. We’re living in a world where we hear about new breaches every day. None of us can possibly know everything about all cybersecurity issues, and that’s okay. We’re all vulnerable and overwhelmed, but that’s no excuse not to prepare and continually develop your organization’s defenses. We believe that the NIST Cybersecurity Framework is a way to start building a common language and a method for understanding what the issues are and how they should be dealt with.

The core of the NIST Cybersecurity Framework includes:

  • Functions – Organization of basic cybersecurity activities at their highest level
  • Categories – Subdivisions of a function into groups of particular activities
  • Subcategories – Subcategories further divide a category into specific outcomes of technical and/or management activities
  • Informative References – Specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcome

What is the cybersecurity maturity of your organization? It’s an important question to ask and answer honestly, especially when considering the Framework Implementation Tiers:

  • Partial – Informal, reactive, limited awareness
  • Risk Informed – Risk management practices are approved but not implemented; the staff has adequate resources to perform their cybersecurity duties; the organization is not formalized in its capabilities to interact and share information externally
  • Repeatable – Risk management is a formal function and is updated regularly; changes in business requirements are reflected in the organization-wide cybersecurity practices; your organization understands its dependencies on partners and interacts accordingly
  • Adaptive – The cybersecurity practices adapt based on lessons learned and predictive indicators, which results in continuous improvement; the organization adapts to a changing landscape in a timely manner; cybersecurity risk management is part of the organizational culture; and communication and interaction with partners occur before a cybersecurity event occurs

Healthcare organizations desperately need individuals who will volunteer to lead the conversation about cybersecurity issues; you don’t have to be a cybersecurity expert, just a good communicator. Our hope? In 5 years, everyone within an organization will understand the language of cybersecurity and will be involved in the cybersecurity conversation. It’s not just IT’s issue, or an executive’s responsibility, or the administration’s problem. Can you be the person at your organization to step up and lead the conversation?

To learn more about our HIPAA compliance services, contact us today.

Road to HIPAA Compliance: Training the Workforce

4 Key Elements of HIPAA Compliance Training

This webinar discusses training your workforce for HIPAA compliance. You may feel some push-back or a lack of enthusiasm from your workforce about HIPAA training, but it may be helpful to remind them that training is not only required, but it’s the key to HIPAA compliance. An effective workforce training program makes an effective HIPAA compliance program. Although it’s a challenge, it is one of the best ways to ensure enterprise-wide HIPAA compliance.

There is some flexibility to HIPAA training because there are so many types of entities, levels of maturity, different sizes, etc. The goal of HIPAA training is to protect the privacy and security of information. HIPAA training is not just to advise employees about different laws; they need to know what their company’s specific rules are with respect to PHI. There are four required elements of workforce training:

  1. Universal Application – Everyone is subject to HIPAA training requirements and everyone is a part of maintaining the confidentiality of PHI. HIPAA training is not only for staff who interact with patients. It’s for everyone, even someone who rarely has access to PHI. Universal application is also required by the Privacy Rule and the Security Rule.
  2. Define PHI – Every entity needs to identify the elements of PHI so that everyone is aware of risks and responsibilities. Ask your organization the question, what does PHI mean to you?
  3. Minimum Necessary – Convey to business associates that just because there is authorized access to PHI doesn’t mean that all PHI should be shared with all people. What PHI do we normally disclose for this task? What do we do about exceptions? For example: what PHI is appropriate to leave on a voicemail?
  4. Authorized Personnel Only – Employee access to PHI must be authorized, and employees should only access PHI when it’s necessary to fulfill job duties. This goes hand-in-hand with the minimum necessary element. If accessing PHI is not a part of an employee’s job duties, then it’s a violation of HIPAA.
  5. Security Awareness – Create a security awareness program that includes security reminders, protection from malicious software, training on log-in monitoring, and password management.

Although it may be a challenge to get your workforce excited about HIPAA compliance training, remind them and yourself that good training is the key to protecting PHI. Listen to the full webinar for more details about the frequency of training, documenting training, and an insightful Q&A. To learn more about training your workforce, contact us today.

Road to HIPAA Compliance: Managing Business Associate Compliance

Why Does Business Associate Compliance Matter?

The goal for this session is to identify the importance of the relationship between covered entities and business associates, and to identify the issues that business associates and covered entities must navigate. This webinar is not designed just to benefit covered entities. If you are a business associate, it will be beneficial to learn the issues that covered entities are dealing with and how that affects you.

Why is it important to discuss business associate compliance? We see four areas of significance:

  1. Associated Liability: Business associate breaches have great impact, from a regulatory perspective, on a covered entity.
  2. Regulatory Activity: The OCR has begun Phase 2 HIPAA audits, but after Phase 2 is done, the OCR is planning on having a permanent audit program. Regulatory activity is ongoing.
  3. Market Forces: Covered entities are only going to continue to increase their oversight of business associates, which means the market for business associates is going to get more and more competitive. Business associates need to be able to handle covered entities’ concerns to stay in business.
  4. Scope: The nature of healthcare services in our current climate means that if you’re a covered entity, someone else is likely fulfilling a critical role for you. When your number of business associates is growing, there are more and more opportunities for risk and liability.

Who do covered entities need a Business Associate Agreement with?

The Privacy Rule requires that covered entities receive satisfactory assurance that the business associate will safeguard PHI on behalf of the covered entity. The challenge is knowing who your business associates are. Business associates are defined as “A person or an entity that creates, receives, maintains, or transmits PHI for a regulated healthcare function.” Seems pretty cut and dried, right? There are a couple of ways to think about who a covered entity needs to have a Business Associate Agreement with. Some covered entities have a “better safe than sorry” or “just in case” mindset. They have Business Associate Agreements with anyone who could ever potentially come in contact with PHI. The other end of the spectrum believes that because the requirements and challenges of safeguarding PHI are so great, covered entities should only commit to monitoring business associates that are actually business associates, and should only have Business Associate Agreements with those that are legitimately business associates. This webinar also dives into the specific required elements of Business Associate Agreements.

How does the oversight of business associates work?

There are some weird dynamics when it comes to the legal standards for business associates, and it takes a learning curve to overcome those dynamics and discover what the actual obligations are. Then there are practical oversight considerations, like covered entities’ reliance on business associates, and their audit and inspection rights. Some of the other issues that arise in business associate oversight are: security measures, mobile devices, audit logs, and business associates’ sophistication.

This webinar is packed full of information and details. Download the whole thing, we promise you’ll learn something. This webinar is for covered entities and business associates. To learn more about HIPAA compliance, contact us today and speak to an expert.

Road to HIPAA Compliance: Understanding the Security Rule

3 Things to Know About Protecting ePHI

This session gives an overview of the Security Rule, which is one of the most familiar aspects of HIPAA Compliance. The goal of the Security Rule is to create security for electronic Protected Health Information (ePHI) by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of this regulation, it’s vital to learn about scope, the flexibility of approach, and the three types of safeguards.

Scope

The Security Rule only applies to ePHI. Paper PHI is not within the scope of the Security Rule. This doesn’t narrow the scope, but instead tailors it to the specific issues, vulnerabilities, costs, and approaches related to the integrity and security of ePHI.

Flexibility of Approach

All the requirements are the same, but the way that an entity complies with those requirements is different depending on the entity-specific considerations. There’s some flexibility when considering required versus addressable implementation specifications under each of the three types of safeguards. The Security Rule says there are some implementation specifications that you must comply with and there is no alternative method. There are also some addressable implementation specifications that allow an entity to choose an alternative or equivalent compensating control.

Three Types of Safeguards

There are three types of required safeguards to protect ePHI: administrative, technical, and physical. Administrative safeguards cover personnel, training, access, and process. Technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover access, workstations, and devices.

To learn more about the HIPAA Security Rule, contact us today and speak to an expert.