Tandem Cyber Solutions

Blog

Is our HIPAA person keeping us compliant?

11/8/2018

A complex set of regulations like HIPAA requires constant work to stay current within an organization. With requirements ranging from six unique audits per year to training to vendor management, it is not a task that most healthcare organizations can devote the time to. An organization must do more than be familiar with the rules: it must study rulings against other organizations, stay up to date with any changes, update policies, and know cyber security well. This begs the question: who is handling HIPAA for you, and are they up to the task?

But I have a lawyer or IT guy for that...

Understandably, the complexity and time-intensive nature of HIPAA drive most small and medium-sized healthcare organizations to outsource this work to a variety of vendors, including lawyers, IT management companies, and other managed service providers. It is no surprise that companies are left with mixed results: IT companies lack the security or HIPAA knowledge, lawyers do not know security or technology, and most other vendors are missing some key component of complete HIPAA compliance. The key is finding a partner for HIPAA that can bring all the pieces together.

So how do you tell if your vendor is doing HIPAA compliance correctly? Knowing the regulations yourself is one way, but then again, if you had the time for that you would not be outsourcing the work.

We have compiled a few rules of thumb for you and your vendor to follow when it comes to compliance.

Rules of thumb

1. Do you have a Business Associate (BA) agreement with your HIPAA compliance vendor?

If you don’t, your organization is already off to a bad start. HIPAA requires that any vendor that interacts with patient data (ePHI) sign such an agreement; see 45 CFR 164.502(e), 164.504(e), and 164.532(d) and (e). This is a must, especially if the vendor is updating systems or has access to computers and printers. Aside from being a requirement for compliance, the agreement offloads some of your risk as a business by putting the vendor on notice that it must protect the patient information.

Case: Raleigh Orthopaedic Clinic, P.A. of North Carolina was fined $750,000 for not having BA Agreements in place and not having policies in regards to Business Associate Agreements.

Ask your vendor for copies of all of your BA Agreements and visit hhs.gov for sample agreements.

2. Do you have written policies in place for employees?

If not, your employees are being held to a standard that does not exist. Without written policies there is no way to hold your employees accountable for any misstep that may occur. Don’t expect employees to handle patient information with care if there is no policy telling them how. It is also important to note that verbal briefings will not hold up in an investigation.

Case: Among other issues, Hospice of Northern Idaho was found to not have written policies in place for mobile devices and was fined $50,000.

Ask your vendor for a copy of all your policies and a cheat sheet for all the employees.

3. Do you know your gaps in security?

Every organization has security gaps, and if you are unsure of yours, a proper risk assessment has not been conducted. From my experience in the healthcare community, these are rarely done by qualified people. And by qualified, I mean either experience in the cyber security field or possessing applicable certifications. In other words, having the wrong person or organization assess your security not only fails to fulfill the HIPAA requirement, it is like having me look for anomalies in an X-ray: unless there is a bone broken in half with the pieces lying beside each other, I am not sure what I am looking for.

Case: Catholic Health Care Services was fined $650,000 in part due to not having a recent comprehensive risk assessment.

Ask your vendor to show you their credentials, years of experience, and certifications, as well as a copy of your risk assessment with a security gap analysis.

Conclusion

HIPAA compliance is not an easy feat, and if it were, healthcare organizations would not be outsourcing the work. I only caution that you check with your vendors and understand what they are doing. Ultimately, HIPAA is solely your responsibility.

If you would like a FREE COPY of our HIPAA checklist, follow this link.

Or if you have any other questions, please contact us here.

Author

Micheal Small
Co-founder + Ethical Hacker

Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. His passion and appetite for the cyber world are unparalleled; with exposure to virtually every industry, he continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.

Tandem Cyber Solutions LLC, 6650 Rivers Ave Ste 105 #74137, North Charleston, SC 29406, (843) 309-3058