HIPAA Compliance: Important Fundamentals You Need To Know


Atlantic.Net: Secure Cloud Services, Managed & Compliant Infrastructure (AICPA SOC for Service Organizations, aicpa.org/soc4so). 888-618-DATA (3282) | sales@atlantic.net | www.atlantic.net

Table of Contents

Basics of HIPAA and HITECH
  What exactly is HIPAA?
  Covered entities versus business associates
  The HIPAA Omnibus Rule
  HITECH
HIPAA Compliance Simplified
  Five security-thought-leader tips for HIPAA compliance
  Three specific HIPAA tips you need to know post-Omnibus
Checklist: How to Make Sure You're Compliant
  HIPAA Security Rule to-do
  HIPAA Privacy Rule to-do
  HIPAA Breach Notification Rule to-do
  HIPAA Omnibus Rule to-do
Get Help with HIPAA Compliance
Atlantic.Net HIPAA Hosting Features
References

Foreword

This e-book is essentially a mega-guide on HIPAA, the Health Insurance Portability and Accountability Act of 1996. First, we take a broad look at the basics of HIPAA; the roles of covered entities and business associates; and the related issue of HITECH compliance. Second, we discuss actionable steps to achieve compliance, closing with a straightforward and practical checklist.

Basics of HIPAA and HITECH

What exactly is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is a US law passed, in part, to safeguard health data and keep it from getting into the wrong hands. HIPAA became law when President Bill Clinton signed it in August 1996. Whether you agree with the regulations of HIPAA or not, they exist, and it can be expensive to your pocketbook and reputation to neglect them.

HIPAA (no, not HIPPA) is often discussed in tech circles for the obvious reason that hardware and software must keep digital patient information secured.

Here are the five components (titles) of this major healthcare act:

- HIPAA Title I makes it possible to maintain coverage when your employment changes and you are on a group plan. It also restricts the ability of group health plans to turn down people they do not want to cover or to build lifetime maximums into contracts.
- HIPAA Title II "directs the U.S. Department of Health and Human Services to establish national standards for processing electronic healthcare transactions," explained Jacqueline Biscobing in TechTarget [1]. "It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS."
- HIPAA Title III introduces new tax rules related to healthcare treatment.
- HIPAA Title IV includes additional details on reform of insurance law, with protections for those who have pre-existing conditions and individuals who want to maintain their insurance.
- HIPAA Title V gives guidelines for life insurance policies that are owned by businesses and for how to handle income tax specifics when someone gives up US citizenship.

As you can see, the relevant section of HIPAA for IT providers, and for those processing, transferring, and/or storing health data, is Title II. This part of the law is often called simply the "Administrative Simplification provisions." It establishes and describes these five elements:

- National Provider Identifier Standard: a 10-digit NPI (national provider identifier) number must be assigned to each covered healthcare provider.
- Transactions and Code Sets Standards: standardized transaction formats and code sets must be used for electronic data interchange (EDI).
- HIPAA Privacy Rule: patient health information must be protected. "Privacy Rule" is shorthand for the "Standards for Privacy of Individually Identifiable Health Information."
- HIPAA Security Rule: this rule delineates expectations for safeguarding electronic patient data. "Security Rule" is short for the "Security Standards for the Protection of Electronic Protected Health Information."
- HIPAA Enforcement Rule: this subsection of the law sets the procedures and penalties used to investigate potential or alleged violations.

Covered entities versus business associates

One of the most important elements of HIPAA is defining exactly what type of party is responsible for all its parameters, and that involves groups it describes as covered entities and business associates. Keep in mind that the distinction between these two parties is now less significant to healthcare law because the HIPAA Final Omnibus Rule moved to treat business associates as directly responsible for meeting all HIPAA requirements.

Nonetheless, by definition, a HIPAA covered entity is a health plan, healthcare provider, or healthcare data clearinghouse that electronically sends and/or receives protected health information (PHI) as described by HIPAA and HHS standards. The transmission of PHI, or ePHI (electronic PHI), often occurs for one of two reasons: healthcare-related financial transactions and insurance processing, according to the HHS's National Institutes of Health (NIH). "For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities," said the NIH. "Covered entities can be institutions, organizations, or persons." [2]

A HIPAA business associate is a person or organization that is not employed by a health plan, provider, or clearinghouse, but that performs tasks involving individually identifiable health information on behalf of one, as governed by the HIPAA Administrative Simplification Rules (i.e. Title II, the crux of HIPAA compliance in an IT setting; see above), which include the all-important Privacy Rule and Security Rule.

The HIPAA Omnibus Rule

A major change to the HIPAA rules came in January 2013 [3], when HHS announced its Omnibus Rule for HIPAA. This rule required that covered entities and business associates meet certain additional requirements by September 23 of that same year [4]. (So that has been a few years ago whenever you are reading this, provided you do not have a time machine.)

One major specific change was to hit violators harder with penalties: the rule adopted the tiered penalty structure from HITECH, with fines of up to $50,000 per violation and an annual maximum of $1.5 million for violations of the same provision, scaled by the degree of negligence.

HHS Secretary Kathleen Sebelius described the new rule in the agency's official announcement. "Much has changed in health care since HIPAA was enacted over fifteen years ago," she said. "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."

Bear in mind that the specifics of the rule are beyond the scope of this e-book but are built into the tips and checklist for compliance below.

HITECH

HITECH is the acronym behind the Health Information Technology for Economic and Clinical Health Act of 2009. The legislation, signed into law by President Obama on February 17, 2009, was intended to accelerate the transition to electronic health records (EHR). It was actually included within the American Recovery and Reinvestment Act of 2009 (ARRA), which was geared toward stimulating the economy.

Another result of HITECH has to do with the Office of the National Coordinator for Health Information Technology (ONC), which has been part of HHS since 2004. The ONC became responsible for administration and creation of standards related to HITECH.

"HITECH stipulated that, beginning in 2011, healthcare providers would be offered financial incentives for demonstrating 'meaningful use' of EHRs until 2015," noted Scot Petersen in TechTarget [5], "after which time penalties may be levied for failing to demonstrate such use."

As you can see, the HITECH law is geared more toward the adoption of electronic health records itself than toward specific security rules for digital data. That is why HIPAA is typically more a point of focus when evaluating digital systems. However, many hosting providers and similar entities get certified for compliance with HITECH as well as HIPAA to demonstrate their knowledge of and adherence to all federal healthcare law.

As you can imagine, there is overlap between these two laws. However, HITECH serves as something of an addendum to HIPAA. It mandates that any standards for technology arising from HITECH must meet the HIPAA Privacy and Security Rules (described above).

Additionally, the meaningful use program requires healthcare providers to complete a HIPAA Security Rule risk assessment of their systems as a condition of their meaningful use attestation, which is the provider confirming that they meaningfully use an EHR system.

Now that we know basically what we are talking about, let's go through important tips for compliance and actionable strategies, closing out with a HIPAA compliance checklist.

HIPAA Compliance Simplified

Five security-thought-leader tips for HIPAA compliance

Let's look first at some primary "legacy" advice on HIPAA in this section. The next section will get into some of the more recent rule changes. Then we will provide a checklist that incorporates this advice into actionable steps so you can manage compliance simply and effectively.

Here are five core pieces of advice that relate to HIPAA before Final Omnibus, from Raj Chaudhary, who leads the security and privacy services group at consultancy Crowe Horwath [6]:

- Keep data in the appropriate hands by strengthening security with logins. "[L]et's make sure that when we assign user accounts to individuals that their role matches the access they are provided to the systems," said Chaudhary. "That is definitely one of the key elements of HIPAA – to make sure that only the people that need access to that information have a user ID or a user account." Also, for secure passwords, require that new users change any default ones and meet strict complexity guidelines. No-brainer, right?
- Monitor controls and make sure logging is working correctly. A key aspect of the HIPAA Security Rule is that you pay close attention to access of PHI. Simply put, you want to log everything. IT personnel should make sure that logging is active within all systems around the clock. In addition to logging, you want to monitor directly via a system of rules, so you can examine your data accumulation process and be certain that everything is continually meeting your access controls.
- Assess your access controls at all layers, including the network and your software. At the level of the network, you have user IDs and strong passwords. This level of security is usually less problematic because it is managed directly by IT. The other critical layer, though, is the software, whenever anyone uses it. You need to maintain control of that layer. Plus, although it is annoying to users to get locked out of their accounts, Chaudhary noted that it is a lesser evil than getting hacked. "[A]s an example, if somebody externally breaks in through your firewall to get to your systems and is now trying to guess the password, you've got to make sure that you have some sort of a lock-out after a few of these attempts," he said. "I typically recommend that after 10 failed attempts, one should be locked out."
- Pay careful attention to your business associates who are handling any PHI, aka protected health information. Chaudhary recommended carefully reviewing the business associate agreement (BAA) that controls your data relationship with each vendor who is handling your data. Note that as of the effective date of the Omnibus Rule (September 23, 2013), business associates are directly responsible for meeting the parameters of HIPAA; in other words, you are now less exposed by the law since the vendors carry some of the burden. Nonetheless, due diligence is still necessary. His four-step plan is:
  1. Carefully read and sign a business associate agreement with the vendor.
  2. Make sure you are in compliance with the "minimum necessary" standard. To be clear, "minimum necessary" means that you only disclose the amount of information that you absolutely have to. It is an expectation set forth in the HIPAA Privacy Rule [7].
  3. Conduct a performance assessment of the vendor.
  4. Every year, reassess whether or not the business associate is in compliance with the BAA.
  According to Chaudhary, covered entities (the health plans, providers, and clearinghouses described above) often do not keep ongoing and updated records on their business associate agreements. "The agreements are not all consistent and not updated on a regular basis," he said. "And most likely, people don't apply the 'minimum necessary' rule and they provide more information than is necessary to perform that series of tasks that they were hired to do."
- Create all-encompassing, step-by-step procedures for incident response and business continuity. Basically, you need business continuity planning to be robust, and incident response planning needs to be fully described within your final documents. To manage business continuity, it is essential to conduct a business impact assessment, leading into a business continuity plan, and finishing out with a disaster recovery plan. Chaudhary commented that one element of business continuity that is often neglected is the people. You need to know the people who are ultimately responsible to lead the response in the event of a disaster. Also, when you are putting together the business impact assessment, keep in mind that your goal is to have a reasonably good gauge of mission-critical systems, telling you the recovery time objectives that must be met in order to keep any expenses arising from a loss of business continuity to a minimum.

Three specific HIPAA tips you need to know post-Omnibus

The Office for Civil Rights (OCR) of HHS started performing HIPAA compliance audits more aggressively in 2016. Businesses are understandably concerned about audits because they do not want to end up in a publicity nightmare, with their competence and credibility called into question.

Prior to 2016, apart from an initial pilot phase, audits generally only occurred following a complaint or news report on problematic activity at a particular covered entity or business associate. A 2015 report found that the OCR was not doing enough to manage compliance with HIPAA. In 2016, the OCR "strengthen[ed] its review efforts by implementing a second phase of audits that was scheduled to occur in 2014, but encountered a number of delays," noted Clyde Bennett in Help Net Security [8]. For the assessments that took place in 2016, "providers with fewer than 15 physicians and healthcare business associates will be subject to audits," he added.

It is important to update your procedures and related documents so that you are up to date with HIPAA compliance following the adjustments made within the Final Omnibus Rule. Here are three basic considerations:

- BAA 2.0: you want your business associate agreement to reflect the Omnibus Rule, which broadened responsibility for HIPAA compliance to include business associates. It is now legally necessary for business associates to directly follow all HIPAA law.
- Next-gen privacy policy: another big part of the Omnibus Rule was revisions of privacy parameters. Changes were made in the treatment of deceased patients, patient access rights, response to ePHI requests, disclosure to insurance and Medicare, data distribution, immunizations, and how to handle data for marketing, fundraising, and research purposes.
- Forward-focused training: your staff needs to know how this critical healthcare law is changing, as indicated by the Omnibus Rule. Provide training to keep your business free of fines and lawsuits. Business associates need to train as well. Document this effort so you are audit-ready.
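The logging, role-matching and lock-out advice in the five tips above can be turned into a concrete monitoring check. The following Python script is an added example, not code from the e-book, from Atlantic.Net or from Crowe Horwath: it runs two rules over a handful of constructed audit-log lines (lock-out after 10 consecutive failed logins, and PHI access by an account whose role does not permit that record type) and also flags a successful login on an account that should already be locked, which is the "is the control actually working" signal that log monitoring should produce. The log format, the role model, the field names and the threshold are assumptions for the example.

```python
"""Rule checks over an authentication / PHI-access audit log.

Added example (not from the e-book or from Atlantic.Net): it applies two of the
controls discussed above to constructed log lines: lock-out after 10 failed
logins, and a check that an account's PHI access matches its assigned role.
It also flags a successful login on an account that should already be locked,
which is the kind of "is the control actually working" signal log monitoring
should produce. Log format, role model and field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Chaudhary's recommended threshold; the exact policy value is an assumption you would tune.
LOCKOUT_THRESHOLD = 10

# Assumed role model: which record types each role may legitimately open.
ROLE_PERMISSIONS = {
    "clinician": {"chart", "lab_result"},
    "billing": {"claim"},
    "sysadmin": set(),  # administers systems; has no business reading patient records
}


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def parse_line(line):
    """'<timestamp> <event> key=value ...' -> (timestamp, event, {key: value})."""
    timestamp, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return timestamp, event, fields


def evaluate(log_text):
    """Run the rules over the log; return (findings, accounts that should be locked)."""
    findings = []
    consecutive_failures = defaultdict(int)
    locked = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        user = f["user"]

        if event == "LOGIN_FAIL":
            consecutive_failures[user] += 1
            if consecutive_failures[user] >= LOCKOUT_THRESHOLD and user not in locked:
                locked.add(user)
                findings.append(Finding(
                    "lockout", user,
                    f"{consecutive_failures[user]} consecutive failures by {ts} from {f.get('src', '?')}"))

        elif event == "LOGIN_OK":
            if user in locked:
                # The control should have prevented this; the lock-out is not being enforced.
                findings.append(Finding("lockout-not-enforced", user, f"successful login at {ts} while locked"))
            consecutive_failures[user] = 0  # a good login resets the counter

        elif event == "PHI_ACCESS":
            allowed = ROLE_PERMISSIONS.get(f.get("role"), set())
            if f.get("object") not in allowed:
                findings.append(Finding(
                    "role-mismatch", user,
                    f"role {f.get('role')} opened {f.get('object')} for patient {f.get('patient')} at {ts}"))

    return findings, locked


# Constructed sample log (not real data): a password-guessing run against one
# account, a user who mistypes twice, and an admin account reading a chart.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T02:1{i}:00 LOGIN_FAIL user=msmith role=billing src=203.0.113.7" for i in range(10)]
    + [
        "2024-03-01T02:20:00 LOGIN_OK user=msmith role=billing src=203.0.113.7",
        "2024-03-01T08:00:01 LOGIN_FAIL user=jdoe role=clinician src=10.0.0.5",
        "2024-03-01T08:00:09 LOGIN_FAIL user=jdoe role=clinician src=10.0.0.5",
        "2024-03-01T08:00:20 LOGIN_OK user=jdoe role=clinician src=10.0.0.5",
        "2024-03-01T08:01:00 PHI_ACCESS user=jdoe role=clinician object=chart patient=P001",
        "2024-03-01T09:30:00 PHI_ACCESS user=ops1 role=sysadmin object=chart patient=P002",
        "2024-03-01T10:00:00 PHI_ACCESS user=bgreen role=billing object=claim patient=P001",
    ]
)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG)[0]:
        print(f"[{finding.rule}] {finding.user}: {finding.detail}")
```

The lock-out itself belongs in the authentication system; this script is the monitoring layer that verifies it from the log, which is why a LOGIN_OK on a locked account is reported as a finding rather than ignored. Resetting the counter on a successful login is one common policy; a time-windowed counter is the other, and either is acceptable as long as it is written down and enforced consistently.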

Checklist: How to Make Sure You're Compliant

The team at HIPAA Journal [9] went through the HIPAA Security, Privacy, and Breach Notification Rules, and the HIPAA Omnibus Rule, to create this up-to-date checklist. What follows is a summary of the checklist, organized according to the various rules of HIPAA:

HIPAA Security Rule To-Do

Technical protections

- Scramble. Encrypt any ePHI to meet NIST parameters any time it is outside the firm's firewalled hardware. (Must-do)
- Authenticate ePHI. You must be able to verify that ePHI has not been altered or destroyed in an unauthorized manner, since that protects data from corruption and incorrect destruction. (Or alternatives)
- Become scramble-ready. All devices that access the system should be able to encrypt and decrypt messages. (Or alternatives)
- Control activity audits. You want to log any access attempts and how data is manipulated. (Must-do)
- Enable automatic logoff. Log people out after a set period of inactivity. (Or alternatives)
- Control access. "This not only means assigning a centrally-controlled unique username and PIN code for each user," notes HIPAA Journal, "but also establishing procedures to govern the release or disclosure of ePHI during an emergency." (Must-do)

Physical protections

- Control facility access. You want to carefully track the specific individuals who have physical access to data storage: not just engineers, but also repair people and even custodians. You must also take reasonable steps to block unauthorized entry. (Or alternatives)
- Manage workstations. Write policy that limits which workstations can access health data, describes how a screen should be guarded from parties at a distance, and delineates proper workstation use. (Must-do)
- Protect mobile. You want a mobile device policy that removes data before a device is circulated to another user. (Must-do)
- Track servers. You want all your infrastructure in an inventory, along with information about where it is located. Copy all data completely before you move servers. (Or alternatives)

Administrative protections

- Assess your risk. Perform a comprehensive risk assessment for all health data. (Must-do)
- Systematize risk management. "The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level," advises HIPAA Journal. "A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced." (Must-do)
- Train your staff. You need to train on all ePHI access protocols and how to recognize potential hacking. Record all these sessions. (Or alternatives)
- Build contingencies. You must be able to achieve ongoing business continuity, responding to disasters with a prepared process that keeps data safe. (Must-do)
- Test your contingencies. You must test your contingency plan on a regular basis, in relation to all key software. A backup system and restoration policy should be adopted. (Or alternatives)
- Block unauthorized access. Be certain that parties that have not been granted access, such as subcontractors or parent companies, cannot view ePHI. Sign business associate agreements with all partners. (Must-do)
- Document all security incidents. Note that this step is separate from the Breach Notification Rule, which has to do with actual successful compromises. A security incident can be stopped internally before data is breached. Staff should recognize and report these occurrences. (Or alternatives)

HIPAA Privacy Rule To-Do

- Respond promptly. HIPAA gives you 30 days to respond to patient access requests. (Must-do)
- Get down with NPP. Put together a Notice of Privacy Practices (NPP) to officially inform patients and subscribers of data sharing policies. (Must-do)
- Train your staff. Beyond the training described above, make sure your personnel understand what data can and cannot be shared "beyond the firewall." (Or alternatives)
- Don't succumb to corruption. "Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients," instructs HIPAA Journal. (Must-do)
- Get authority. To have the authority to use ePHI for research, fundraising, or marketing, get written authorization from the patient. (Must-do)
- Update your copy. Your authorization forms should now include reference to changes in the treatment of school immunizations, ePHI restriction in disclosure to health plans, and the right of patients to their electronic records. (Must-do)

HIPAA Breach Notification Rule To-Do

- Let 'em know. When a breach of unsecured ePHI occurs, you have to notify both the affected patients and HHS. If more than 500 people's records are involved, you also must notify the media. (Sound like fun?) Do you think you are off the hook if it is under 500 patients? Sorry, but no. You have to submit smaller breaches through the OCR website. "These smaller breach reports should ideally be made once the initial investigation has been conducted," said HIPAA Journal. "The OCR only requires these reports to be made annually." All of the immediate notifications must be completed within 60 days of discovery. (Must-do)
- Check twice for four. Whether an incident counts as a reportable breach depends on a documented risk assessment, so make sure yours covers these four factors: 1) the nature and extent of the ePHI and personal identifiers involved; 2) the unauthorized party who accessed or received it; 3) whether the data was actually acquired or merely viewed (if you know); and 4) the degree to which the risk has been mitigated. (Must-do)

HIPAA Omnibus Rule To-Do

Note: for space, this section is abbreviated because it is covered, for the most part, above.

- Refresh your BAA. Update your business associate agreements to reflect the language of the Omnibus Rule. (Must-do)
- Send new BAA copies. You have to get signed copies of the new BAA (with the Omnibus information incorporated) to stay compliant. (Must-do)
- Revitalize your privacy policy. Privacy policies must also reflect Omnibus changes. (Must-do)
- Modernize your NPP. "NPPs must be updated to cover the types of information that require an authorization, the right to opt out of correspondence for fundraising purposes and must factor in the new breach notification requirements," advised HIPAA Journal. (Must-do)
- Finalize your training. Make sure that everyone on your staff is aware of all Omnibus Rule adjustments by conducting thorough training. (Or alternatives)

Our advice on the above steps, in terms of whatever you need to perform in-house, is that it is a good idea to just do everything on the list, regardless of whether it is marked "Must-do" or "Or alternatives." After all, these designations are a bit unhelpful because you still need to perform the step or a very similar alternative in order to be compliant. In the HIPAA Journal article, these items were called "Required" and "Addressable," matching the Security Rule's own terms: an addressable specification must be implemented where it is reasonable and appropriate, and otherwise the reason must be documented and an equivalent alternative measure put in place. "Even though privacy and security measures are referred to as 'addressable,' this does not mean they are optional," explained the publication. "Each of the criteria in our HIPAA compliance checklist has to be adhered to if your organization is to achieve full HIPAA compliance."
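The "Authenticate ePHI" item under technical protections and the "Don't succumb to corruption" item under the Privacy Rule both come down to being able to prove that a stored record has not been altered. The following Python script is an added example, not code from the e-book, from HIPAA Journal or from Atlantic.Net: it tags each record with an HMAC-SHA256 over a canonical encoding that includes the record id, so someone who can edit the data store can neither change a record silently nor move a valid tag onto a different record. The record layout, the field names and the key handling are assumptions for the example.

```python
"""HMAC integrity tags for ePHI records.

Added example (not from the e-book, HIPAA Journal or Atlantic.Net) for the
"authenticate ePHI" and "maintain the integrity of ePHI" checklist items: each
record is tagged with HMAC-SHA256 over a canonical encoding that includes the
record id, so an attacker who can edit the data store cannot silently change a
record or move a valid tag onto a different record. The record layout, field
names and key handling are assumptions for the example."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record_id, record):
    """Stable encoding: sorted keys, no whitespace, record id bound in front of the body."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return f"{record_id}\n{body}".encode("utf-8")


def tag_record(key, record_id, record):
    """Return the hex HMAC-SHA256 tag for one record."""
    return hmac.new(key, canonical_bytes(record_id, record), hashlib.sha256).hexdigest()


def verify_record(key, record_id, record, tag):
    """Constant-time comparison so tag checking does not leak timing information."""
    expected = tag_record(key, record_id, record)
    return hmac.compare_digest(expected, tag)


def audit_store(key, store):
    """store maps record_id -> (record, tag); return the ids whose tag no longer verifies."""
    return [rid for rid, (record, tag) in store.items() if not verify_record(key, rid, record, tag)]


def demo():
    """Tag a constructed store, tamper with it two ways, and return what the audit catches."""
    # In production the key lives in a KMS/HSM, separate from the data it protects.
    key = secrets.token_bytes(32)

    # Constructed sample records (not real patients).
    records = {
        "P001": {"name": "Ada Example", "dob": "1980-01-01", "allergies": ["penicillin"]},
        "P002": {"name": "Bo Example", "dob": "1975-06-30", "allergies": []},
        "P003": {"name": "Cy Example", "dob": "1990-12-12", "allergies": ["latex"]},
    }
    store = {rid: (rec, tag_record(key, rid, rec)) for rid, rec in records.items()}
    assert audit_store(key, store) == []  # a clean store verifies

    # 1. Field edited without re-tagging: the allergy list is silently cleared.
    rec, tag = store["P001"]
    store["P001"] = ({**rec, "allergies": []}, tag)

    # 2. Tag transplant: P003's valid tag attached to P002's record.
    store["P002"] = (store["P002"][0], store["P003"][1])

    return audit_store(key, store)


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

An HMAC detects tampering; it does not prevent it, so this sits alongside access control and audit logging rather than replacing them, and the key must be held somewhere the people who can write to the record store cannot read. Binding the record id into the tagged bytes is the detail that stops the tag-transplant case: without it, a valid (record, tag) pair could be copied from one patient to another and still verify.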

Get Help with HIPAA Compliance

Hopefully the information and resources have been helpful. If you need help with HIPAA compliance, Atlantic.Net is here to help!

Atlantic.Net has been independently audited to meet all HIPAA compliance standards and requirements. Get a free consultation at 1.800.521.5881 or sales@atlantic.net, or visit www.atlantic.net.

Atlantic.Net HIPAA Hosting Features

- Business Associate Agreement
- Intrusion Prevention System
- Fully Managed Firewall
- Vulnerability Scans
- Log Management System
- Highly Available Bandwidth
- Linux & Windows Servers
- Encrypted Backup
- File Integrity Monitoring
- Antimalware Protection
- Encrypted VPN
- Encrypted Storage

References

1. Jacqueline Biscobing, TechTarget (HIPAA Title II).
2. National Institutes of Health, HIPAA Privacy Rule guidance on covered entities ("...arch.nih.gov/pr...").
3. HHS announcement of the HIPAA Omnibus Rule, January 2013.
4. HHS, Omnibus Rule compliance date (September 23, 2013).
5. Scot Petersen, TechTarget (HITECH).
6. Raj Chaudhary, Crowe Horwath (HIPAA compliance tips).
7. HIPAA Privacy Rule, "minimum necessary" standard.
8. Clyde Bennett, Help Net Security (OCR audits).
9. HIPAA Journal, HIPAA compliance checklist ("...m/hipaa-compliance-checklist/").
