If you haven’t noticed, cybersecurity is a major issue in the world, politically, economically, and even personally.  No one wants their identity stolen.  No business wants to deal with customer (patient) retaliation caused from losing their personal health information, whether it’s boycotting, bad press, negative social media or a class action lawsuit.

In general the U.S. government is taking action to help protect small businesses by requesting a new standard cybersecurity guide be written by the National Institute of Technology.  More specifically for the healthcare industry, the Health and Human Services Office of Civil Rights is now checking to make sure all covered entities are taking steps to improve cybersecurity to protect PHI.  The HHS OCR now requires that covered entities and business associates can show they have a risk management plan in place and are correcting issues found in the security risk analysis (risk assessment).

If you’re a healthcare provider you might ask, “How do I secure PHI?”  I actually wrote a blog about this recently.  Check out that blog for starters.  If you have not performed a Security Risk Analysis you should do that first. That should give you a prioritized list of issues you must address.  The top priority should be cybersecurity.

We strongly suggest you use a next generation compliance management tool, like CyberCompass, to manage your HIPAA compliance.  It makes HIPAA compliance simple, easy, and affordable.

Take action, Protect Your Patients, Protect Your Practice, Protect Yourself.

Third Rock is seeking HIPAA partners and consultants! If you are a HIPAA guru like us, working to help physicians, covered entities, and business associates complete their HIPAA requirements in a simple and worry-free manner, we would love to talk with you! Our CompassDB platform combines annual security risk analysis (SRA), remediation tracking and guidance, customized policies and procedures, BA Management, training logs and other HIPAA necessities in one easy-to-use portal for each of your customers.

Because of the ease in automation, it allows you to provide better and faster results and remediation guidance to your customer base more rapidly and accurately. CompassDB™ is saving people like you up to 70% in time for back end reporting and managing it all in one place. Plus, you provide your clients with the required electronic book of evidence for OCR. You can white label the tool with brand, so you look like a current, professional, consulting firm.

If this sounds like you and you want to save time, grow your business and help customers, we want to hear from you! Check out our website at www.thirdrock.com and www.compassdb.io for information.

If interested you can either contact Brian Davis, personally at brian.davis@thirdrock.com or use the form below.

There is a way to really make compliance Worry-Free!

As you know, Meaningful Use required a Security Risk Analysis (SRA).  It’s also important for you to know that MACRA lists the Security Risk Analysis as the first requirement to qualify and receive payments. Meaningful Use helped many providers learn about the Security Risk Analysis and MACRA continues that requirement.

It’s very important to realize the SRA is the beginning step to becoming HIPAA Compliant.  The word on the street is that the Office of Civil Rights (OCR) plans to audit every provider within three years.  With an audit looming, it’s important to realize the OCR is also requiring that you have a body of evidence that shows you have been performing SRAs or Risk Assessments (Privacy and Security Risk Analysis) for several years.  You must also provide your body of evidence in electronic format.  With those requirements, it’s very important to use a compliance management tool to guide your through the HIPAA compliance process, to log everything involved and to generate a report for auditors in electronic format.

CompassDB is a compliance management tool that will save you time, effort, and money and is very affordable. For more information check out CompassDB.

This is the second in a two part series concerning the value of compliance.  Our mission is, Worry-Free Compliance, to help you obtain a culture of compliance through normal business operations.  Our vision is to reduce the complexity, cost and burden of HIPAA compliance using a next-generation compliance management platform.

What does a next-generation management platform provide?  Here’s a list:

• • Complete
    • Manages the entire compliance process
    • Maintains custom policies and procedures
    • Provides and tracks training
    • Creates & maintains Body of Evidence for audits
• • Simple and Easy
    • Understandable format, HIPAA expertise not required
    • Logic driven questions reduces assessment time
    • Supporting documentation easily attached and managed
    • Generates electronic reports for audits
• • Significantly Reduces Time and Effort
    • Intuitive, step-by-step workflow
    • Provides remediation guidance and support
    • Automates building the body of evidence
    • Reduces man-hours by over 50%
    • Reduces overall cost of HIPAA compliance by 65%
• • Greatly reduces liabilities

Before you buy a HIPAA kit that will sit on your shelves and collect dust or hire a HIPAA auditor/consultant to perform a security risk analysis for you, then leaves you a checklist of issues to correct, you should consider using an online tool that makes you more compliant, in less time and helps you maintain your culture of compliance.

The first post in this two-part series was Value Proposition of HIPAA Compliance.

Take our free mini-Risk Assessment to see how compliant you are.

Protect your patients, protect your practice, protect yourself.

The healthcare industry is beginning to realize that HIPAA is here to stay and they are probably going to be audited sooner or later.  What physicians and all healthcare providers need to understand is that if you don’t protect your patients’ PHI/ePHI the following can happen to your patients as a result of their identity being stolen and used.

NOT Protecting Your Patients’ (PHI/ePHI):

1. You can cause them financial difficulties or even financial ruin.
2. You can cause them undue stress, even a stroke or heart attack.
3. You can cause them to be denied healthcare insurance.
4. You can cause them to be denied healthcare services.
5. You can cause them to be denied medicines, treatments, and therapies.
6. You can cause them to be misidentified during healthcare treatment, causing incorrect operations, procedures, medicines, or even death.
7. You can cause the death of your patient.
8. You will suffer the consequences listed under “NOT Protecting Your Practice”.

You might think, these can’t happen, but all of them have already happened, with the exception of causing a death, but there have been several close calls with death because of identity theft.

What HIPAA “forces” you to do, is what you should already be doing:  operating a safe, secure, efficient, productive, and profitable healthcare provider organization.  That’s right, if you were doing what needs to be done to protect your patients’ PHI/ePHI, you would be HIPAA compliant and you would be protecting your practice (business) and yourself.

NOT Protecting Your Practice:

1. You will likely be breached and lose access to or have your patient’s ePHI stolen.
2. You will receive the maximum fine from the HHS OCR audit, which may close your doors.
3. You will likely have a class action lawsuit by your patients against you.
4. You will have approximately 40% of your patients abandon you and your services.  (People don’t like having their identity stolen.)
5. You will have to pay for the remediation of your HIPAA non-compliance issues with government oversight.
6. You will have to pay for cyber theft protection insurance for all of your patients.
7. You will suffer from negative social media.
8. You will suffer major interruption to your cash flow.

And last but not least, you must realize you need to protect yourself.  The HIPAA law provides for the prosecution of individuals who neglect to protect their patients’ PHI/ePHI or those individuals who destroy, lose, or steal a patient’s PHI/ePHI. If you don’t want to wear an orange jump suit you might want to consider working on becoming HIPAA compliant.

NOT Protecting yourself:

1. You could find yourself sued by patients.
2. You could find yourself fined for failure to protect PHI.
3. You could find yourself found guilty of breaking the law.
4. You could find yourself in federal prison.

Protect your patients, protect your practice, protect yourself.

I would strongly suggest you use a Compliance Management Platform to build the required body of evidence, reduce the work load, increase compliance, simplify electronic reporting and save money while working to become HIPAA compliant.  Check out CompassDB™ at http://compassdb.com/.

If you want to know where you stand with your HIPAA compliance take the free HIPAA Quick-Check.