Help Me With Hipaa

A wide variety of questions have come in from listeners over the last few weeks. The list is so good we have a whole episode devoted just to answering listener questions.  At least one of these will likely apply to you if not several. For more information go to HelpMeWithHIPAA.com/105

All of those ransomware outbreaks we have been dealing with since last year were overshadowed this past week by WannaCry.  This has been called called the most destructive attack ever.  The most concerning part is that was how bad it was but the US wasn't hit that hard.  When these kinds of things happen it is always a good idea to review what you learned from the outbreak and any necessary changes you need to make to protect you from this one happening to you.  The is the topic of the day.  What should we learn from WannaCry?   Learn more at HelpMeWithHIPAA.com/104

You may not even know about all the applications and support logins that vendors use on your applications, systems, and networks. Vendors may set up admin passwords and share them with their whole staff to support you. If they have unlimited access to the systems out there and the usernames and passwords never expire or log off automatically that is certainly not secure. How do you manage all of those?  If there are things that automatically log in and run, what about those? More details at HelpMeWithHIPAA.com/103

April has had three more OCR resolution announcements. That's a total of 7 cases for $14.3m in 2017 so far. When we covered resolutions recently I kept waiting for another one to come out and gave up. Then, BAM, three in a row! For more info go to HelpMeWithHIPAA.com/102

Are we creating a crisis of trust in healthcare? A business partner put that question out to us recently. We have already been looking at several angles to discuss the patient part in all of this breach and ransomware news. This question seems like the perfect way to approach it. Let's look at the topic and see what we think - Are we creating a crisis of trust in healthcare?   For more information on this podcast and how to win $100 Amazon gift card go to HelpMeWithHIPAA.com/101

For our 100th episode we wanted to do a Top 10 list.  After some thought, we landed on the Top 10 HIPAA Lessons we hope you get from our little podcast.   It is hard to believe that we are publishing our 100th episodes of Help Me With HIPAA!  Two years ago we started out with this little idea that has become a really exciting venture for both of us.  We truly enjoy the responses and interaction from our listeners.  Well, first, we are thrilled to HAVE listeners.  But more importantly, we love hearing how much people learn and laugh at the same time.  That combination has been our show objective since the very beginning. Another big thing we are doing with this episode is a chance to win a $100 Amazon gift card if you help share and promote us with you social networks.  Listen in or go to the website for more details on how to win!  More info at: HelpMeWithHIPAA.com/100

OCR Resolutions 3 and 4 for 2017 were released in February.  Examples of what not to do from OCR were released AGAIN.  We kept waiting for another resolution to be announced and lump them together.  Once we gave up and recorded this episode to review those two you know another one was announced.  We will hit that one next time.  For now, we review what happened in these cases that resulted in OCR resolutions after a breach notification started an investigation.  They are so kind to give us examples of what not to do from OCR without us paying for it! For more details go to HelpMeWithHIPAA.com/99    

Recently, New Mexico passed a new data breach notification law in March. Once it is signed there will only be 2 states that don't have their own notification rules, Alabama and South Dakota. What do all the state laws mean when you are also required to do HIPAA notifications. Most of them say that if you are subject to GLBA or HIPAA the notification laws do not apply to you. But, it is always best to be sure you know what your state requires. HIPAA says that as long as it is more strict than state laws then HIPAA takes precedence but many times states are now enacting stronger legislation in some areas. California and Texas developed some pretty extensive requirements that apply to CEs and BAs in their states. Massachusetts also added their own twist beyond HIPAA. More info at HelpMeWithHIPAA.com/98

All the news about ransomware and hackers usually gets the biggest headlines.  But, the ones that fly under the radar may be something you should pay more attention to than the big splashy news.  Insiders usually don't have to work hard to plot ways to break into your data, you have invited them in and given them access. A damaging assumption is that you don't have to worry about your insiders. Get more info at HelpMeWithHIPAA.com/97

Call it teleworking, remote access, or mobile access if you have any access to PHI outside of your office, you should have a HIPAA mobile access policy. Any person that accesses you systems and data outside of your internal network should be trained and sign off on commitments to protect your PHI. We've never specifically covered the topic of what should be included in a HIPAA mobile access policy. It is about time we did just that. Learn more at HelpMeWithHIPAA.com/96

Building a culture of a compliance is something we have talked about many times in this podcast.  We never looked at it as a community problem.  The things we heard about training the human element to build a cyber security culture were very exciting to us.  Well, at least to Donna.  The concepts they covered about training not just the workforce but training the community as a whole to better understand what cybersecurity really means. We also followed that up with a session that explained some more scary darknet activity.  Your machine could be for sell on the darknet and you don't even know it. More information at HelpMeWithHIPAA.com/95

If you saw the movie Catch Me If You Can then you know some of Frank Abagnale's story.  Maybe you even read his book Catch Me If You Can: The True Story of a Real Fake.   Tom Hanks said "Abagnale’s lecture may be the best one-man show you will ever see."   He WAS NOT KIDDING!   The famous con man in his youth eventually became a white hat working for the FBI and others to combat fraud and ID theft for over 40 years. Now, he works as a consultant, writer, and speaker on the subject as he continues working with the United States Government   The information he shared with us during his #HIMSS17 session blew us away.  That means we have to tell you guys about it! Learn more at https://HelpMeWithHIPAA.com/94

The first full day of HIMSS17 HIPAA had a big session. It featured Deven McGraw, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR).  She is also Acting Chief Privacy Officer for the Office of the National Coordinator for Health IT (ONC).  Clearly, it was one of the sessions at the top of the list for us to attend.  We got there early enough to be perched on the front row.  In this episode, we review what McGraw covered in her session and our thoughts on it. For more details and timestamps go to HelpMeWithHIPAA.com/93

HIPAA news stories are sometimes so short we need to bundle them together. Some listeners questions are also addressed today. So, we have a little bit of everything in this episode. So stick with us as we go through our HIPAA hodge podge. For more details go to HelpMeWithHIPAA.com/92

What is HIPAA privacy anyway? The annual reporting deadline for little breaches is up at the end of Feb. That means all those little privacy violations in 2016 must be reported on the HHS website soon if you haven't already done it. Since those little ones often mean so much more than the big ones it made me think it would be a good time to talk about privacy. A recent bizarre case in an Atlanta suburb made me realize just how much we value our privacy but may not realize it until it has been taken from us. More at HelpMeWithHIPAA.com/91

OCR continues releasing new settlement agreements on their new pace. There have been two announced in January 2017. We have no idea what will happen now but since these two brought in over $2.6m there may not be a reason we will see them stop their pace. As always, we believe in learning from other's mistakes (not schadenfreude, though). Time to learn what these two can teach us.... HelpMeWithHIPAA.com/90

More reasons to have this coverage pop up every day. Whether it is your own business risk management or those required by a business partner in a contract, all businesses should at least evaluate getting cybersecurity coverage. To help us share information on that we have a guest on this episode. Interview with John Miller II, Founding Principal, Sterling Risk Advisors 

We reviewed the OCR/HHS list of common HIPAA compliance myths when we first started the podcast. Their list is so long that it spread across 3 episodes. Those episodes are still fairly popular today. For today, though, we are covering our own list of common HIPAA compliance myths that we hear. Common HIPAA Compliance Myths Our list may be very similar to all the other lists out there but it is important to cover those because they are clearly STILL being passed along. Why do we keep hearing the same things over and over?   More at HelpMeWithHIPAA.com/88

At the beginning of 2016, we did some speculation about what the year would be like in the cybersecurity and HIPAA worlds.  Today we plan to review how we did for 2016 and explain expect healthcare breaches continue in 2017. More at https://HelpMeWithHIPAA.com/87

We've talked before about HIPAA showing up in lots of other places. That trend has continue. Now, you will see HIPAA questions on cyber security insurance applications, certification programs from other entities, and now in payment model reforms. Today we are going to talk a little bit about MACRA and HIPAA requirements. If you don't know what MACRA, APMs, and MIPS is all about we may not cover enough to explain it all be we will certainly touch on MACRA and HIPAA crossing paths starting in 2017. More information at HelpMeWithHIPAA.com/86