Social Media, Marketing, and HIPAA

When it comes to social media, marketing, and HIPAA, things can get a little dicey. There are certainly many cases where the use of social media has gone awry in health care. However, when handled correctly, you can actually use social media, marketing, and HIPAA in...

Onboarding and Termination Checklists

Onboarding and termination checklists are often treated as a paperwork hassle. However, we have seen many times where taking the time to attend to those hassles would have saved time and money and closed open security holes that are very dangerous. HIPAA requires us to...

Talking To The Boss About HIPAA

How do you talk to the boss about HIPAA? That is a question we get regularly around here. The staff responsible for compliance get trained and understand what needs to be done, but they don't get leadership support. Over the years we have had to have those...

OCR Audit Updates Phase 2

During the NIST/OCR HIPAA Security Conference we covered in the last two episodes, there was also a session on OCR audit updates. OCR gave an update on the information gleaned so far from the compliance desk audits that were started in 2016. Their presentation...

NIST OCR Security Conference Part Deux

This is the second episode covering the things David has to share from the NIST OCR Security conference: Safeguarding Health Information. There are many great points he picked up. As we review them, we keep coming back to the reminder that HIPAA is about patient care...

NIST and OCR Security Conference

The NIST and OCR annual security conference has come around again.  This year, David attended the conference via webcast and shares his notes on the first day of the conference. Before the conference discussion, however, we have to touch on the announcement from...

Disaster Recovery Preparations

We recorded this Disaster Recovery Preparations episode on the day that Harvey was hitting Houston, and we had no idea just how bad that disaster would eventually become for those on the Gulf Coast. On the day we publish this episode, we are both personally involved in...

Should I Use A Local, Data Center, Or Cloud Server?

Every time we discuss HIPAA server security issues, it opens a debate about where the best place to keep your servers is. There are three options that we are going to discuss today. Should I use a local, data center, or cloud server under HIPAA? Help Me With HIPAA by...

What Is Reasonable And Appropriate?

The HIPAA regulations and guidance mention "reasonable and appropriate" all over the place. Many times that concept creates confusion. How do you determine what is reasonable or appropriate for any given environment? HIPAA For MSPs by David Sims What is Reasonable &...

Alexa Plus HIPAA Plus Other Questions

Alexa plus HIPAA is a rabbit hole we thought about avoiding. But sometimes you are just destined to discuss a topic you try to avoid. When that question came in this week on top of the ones we had already planned to cover, it was just too perfect. So this episode...

Security Incident Investigations Find More Than Expected

Sometimes following the news lets you find things like security incident investigations with interesting details. But these cases were different from most. Even better than that, we learned how a fish tank helped hackers! There were just too many parts of these...

Incident Response Plans V2

Incident response plans have been a topic of our show several times. But these days we just can't get enough of a good thing! Actually, there is a reason we are covering it in this episode. I was reviewing a Business Associate due diligence questionnaire from a software...

Compliance Officer Personal Liability?

Is a compliance officer personally liable for the compliance of the company? Is that a thing? The recent settlement with a compliance officer says maybe so. The May 2017 settlement agreement between the Treasury Department's Financial Crimes Enforcement Network...

OCR Cyber Newsletter: Mic Drop For Cloud Providers

The monthly OCR Cyber Newsletter for June had some interesting points. The fact that OCR mentions multiple times, and in multiple ways, that they do not endorse, certify, or recommend specific technology or products should serve as their "OCR mic drop...

NotPetya, Windows, and Ransomware

This is not another episode about preventing and responding to the NotPetya ransomware. There are countless articles about those topics. We are discussing the bigger picture today. In this episode, NotPetya, Windows, and Ransomware, we discuss what happened in the...

Breach Reporting Costs and Decisions 2017

Breach reporting costs in 2017 are proving to be something you should understand before a crisis, not after the crisis hits. In June, the NY State Attorney General announced a settlement with CoPilot, a healthcare services company that illegally deferred notice of...

What Is MDM And Why Do I Want It?

What is MDM, and why do you want it? Mobile devices are susceptible to malware, phishing, and other security threats just as laptops and desktops are. The systems most of us have in place are directed at managing the security of laptops and...

eCW Whistleblower

There are countless times we have covered the "my EHR vendor handles HIPAA for me" misconception. The recent $155 million whistleblower lawsuit settlement between eClinicalWorks (eCW) and the government really brings home how wrong you can be about EHR...

5 Stages Of Grief During A Cyber Attack

The 5 stages of grief during a cyber attack really do follow the process of dealing with grief in those familiar 5 stages. Many don't realize that ransomware attacks aren't always just the result of someone clicking a link in an email and running a program. As...

10 Ways HIPAA Should Have Stopped Rodeo Drive Breach

A major breach of PHI was announced by a Beverly Hills plastic surgeon's office on June 1. There are so many things about this case, from the fact that it involved a malicious insider to how many different ways proper HIPAA policies and procedures would have...

Disclosure of PHI in May OCR settlements

Disclosure of PHI was the theme of May's settlements. OCR continued their 2017 enforcement trend with 2 more settlements announced in May. These stand out on their own because the focus is specific disclosures of PHI instead of major breaches....

Answering Listener Questions

A wide variety of questions have come in from listeners over the last few weeks. The list is so good we have a whole episode devoted just to answering listener questions. At least one of these, if not several, will likely apply to you...

What Should We Learn From WannaCry?

All of those ransomware outbreaks we have been dealing with since last year were overshadowed this past week by WannaCry. This has been called the most destructive attack ever. The most concerning part is how bad it was even though the US wasn't hit that...

Managing Third Party Access

You may not even know about all the applications and support logins that vendors use on your applications, systems, and networks. Vendors may set up admin passwords and share them with their whole staff to support you. If they have unlimited access to the systems out...
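Two signs of the vendor-access problem described above show up in ordinary authentication logs: one support credential being used from several different source addresses at the same time (a password shared across the vendor's staff), and vendor accounts that still exist but have not logged in for months (forgotten access nobody is managing). The script below is an added example, not code from the podcast or from any vendor; the log line format, the account names and the log lines themselves are constructed for illustration.

```python
"""
Spot shared and stale vendor/support accounts in authentication logs.

Added example. The log format (ISO timestamp, account, source IP, result)
and every line in SAMPLE_LOGS are constructed for illustration; map the
parser to whatever your systems actually emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one vendor account hit from three addresses in a few
# minutes (credential shared among vendor staff), one normal user, one vendor
# account used once.
SAMPLE_LOGS = """\
2017-05-02T08:01:10Z vendor_ehr_admin 203.0.113.10 success
2017-05-02T08:03:44Z vendor_ehr_admin 198.51.100.7 success
2017-05-02T08:05:02Z vendor_ehr_admin 203.0.113.25 success
2017-05-02T09:15:00Z jsmith 192.0.2.14 success
2017-05-02T13:20:31Z jsmith 192.0.2.14 success
2017-05-02T14:00:00Z vendor_billing_support 198.51.100.40 success
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse log lines into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.strptime(ts, TS_FORMAT), account, ip, result))
    return events


def find_shared_accounts(events, window_minutes=30, min_ips=2):
    """Return {account: set_of_ips} for accounts with successful logins from at
    least min_ips distinct source addresses inside any window_minutes span.
    One human rarely logs in from three networks in five minutes; a credential
    handed around a support team does."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "success":
            by_account[account].append((ts, ip))

    flagged = {}
    for account, logins in by_account.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            # All addresses seen from this login forward, within the window.
            ips = {ip for ts, ip in logins[i:] if ts - t0 <= window}
            if len(ips) >= min_ips:
                flagged[account] = ips
                break
    return flagged


def find_stale_accounts(events, vendor_accounts, now, max_idle_days=90):
    """Return the vendor accounts (from your own inventory list) that have not
    logged in successfully within max_idle_days of `now`, or have never logged
    in at all. Those are the logins nobody is watching."""
    now_ts = datetime.strptime(now, TS_FORMAT)
    last_seen = {}
    for ts, account, _ip, result in events:
        if result == "success":
            last_seen[account] = max(last_seen.get(account, ts), ts)
    idle = timedelta(days=max_idle_days)
    return sorted(
        a for a in vendor_accounts
        if a not in last_seen or now_ts - last_seen[a] > idle
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOGS)
    print("shared:", find_shared_accounts(evts))
    inventory = ["vendor_ehr_admin", "vendor_billing_support", "vendor_lab_interface"]
    print("stale:", find_stale_accounts(evts, inventory, now="2017-06-01T00:00:00Z"))
```

The inventory list passed to `find_stale_accounts` is the point of the exercise: you cannot flag a vendor login you do not know exists, so the first step is getting every support account written down, after which a check like this can run against whatever your systems log.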

No, No, No Says OCR In Three April Settlements

April brought three more OCR resolution announcements. That's a total of 7 cases for $14.3m in 2017 so far. When we covered resolutions recently, I kept waiting for another one to come out and gave up. Then, BAM, three in a row!...

Are We Creating A Crisis Of Trust In Healthcare?

Are we creating a crisis of trust in healthcare? A business partner put that question out to us recently. We have already been looking at several angles to discuss the patient part in all of this breach and ransomware news. This question seems like the perfect way to...

Top 10 HIPAA Lessons

For our 100th episode, we wanted to do a Top 10 list. After some thought, we landed on the Top 10 HIPAA Lessons we hope you get from our little podcast. There is also a chance to win $100 in here too! It is hard to believe that we are publishing our 100th episode...

Examples Of What Not To Do From OCR… AGAIN

OCR Resolutions 3 and 4 for 2017 were released in February. Examples of what not to do from OCR were released AGAIN. We kept waiting for another resolution to be announced so we could lump them together. Once we gave up and recorded this episode to review those two, you...

State Privacy Laws vs HIPAA… Who Wins?

State privacy laws are often overlooked in discussions. More importantly, they can be overlooked in practice too. If your state has privacy laws (or breach notification laws), you are responsible for understanding those requirements relating to your information...

Insiders May Be Your Biggest Threat To Privacy & Security

All the news about ransomware and hackers usually gets the biggest headlines. But the ones that fly under the radar may be something you should pay more attention to than the big splashy news. Insiders usually don't have to work hard to plot ways to...

What Is Included In A Mobile Access Policy

Call it teleworking, remote access, or mobile access: if you have any access to PHI outside of your office, you should have a HIPAA mobile access policy that applies to that activity. Any person that accesses your systems and data outside of your internal network...

Can we build a national culture of cybersecurity?

Building a culture of compliance is something we have talked about many times on this podcast. We never looked at it as a community problem. The things we heard about training the human element to build a cybersecurity culture were very exciting to us. Well, at...

Frank Abagnale Can Even Scare Us About ID Theft

If you saw the movie Catch Me If You Can, then you know some of Frank Abagnale's story. Maybe you even read his book Catch Me If You Can: The True Story of a Real Fake. Tom Hanks said "Abagnale's lecture may be the best one-man show you will ever...

HIMSS17: Deven McGraw Talks HIPAA Enforcement

The first full day of HIMSS17 had a big HIPAA session. It featured Deven McGraw, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR). She is also Acting Chief Privacy Officer for the Office of the National Coordinator for Health IT...

HIPAA Hodge Podge – RDP FAXing Dumpsters

HIPAA news stories are sometimes so short we need to bundle them together. Some listener questions are also addressed today. So we have a little bit of everything in this episode. Stick with us as we go through our HIPAA hodge podge....

What is HIPAA Privacy Anyway

What is HIPAA privacy anyway? The annual reporting deadline for small breaches (those affecting fewer than 500 individuals) is the end of February. That means all those little privacy violations in 2016 must be reported on the HHS website soon if you haven't already done it. Since those little ones often...

First HIPAA Settlements of 2017

We already have the first HIPAA settlements of 2017. As always, we review them so we can learn from the mistakes of others. OCR continues releasing new settlement agreements at their new pace. There have been two announced in January 2017. We have no idea what will...

Cybersecurity Insurance With John Miller of Sterling Risk Advisors

More reasons to have cybersecurity insurance coverage pop up every day. Whether it is for your own business risk management or required by a business partner in a contract, all businesses should at least evaluate getting cybersecurity insurance coverage. In trying...

8 Common HIPAA Myths

We reviewed the OCR/HHS list of common HIPAA myths when we first started the podcast. Their list is so long that it spread across 3 episodes. Those episodes are still fairly popular today. For today, though, we are covering our own list of common HIPAA myths that we...

Healthcare Breaches Continue in 2017

At the beginning of 2016, we did some speculation about what the year would be like in the cybersecurity and HIPAA worlds. Today our plan is to review how we did for 2016 and explain why we expect healthcare breaches to continue in 2017....

How MACRA & HIPAA Cross Paths

We've talked before about HIPAA showing up in lots of other places. That trend continues. You will now see HIPAA questions on cyber security insurance applications, in certification programs from other entities, and in payment model reforms. Today we are going...

2017 Compliance Management Plans

Last January, we did an episode with a 2016 Compliance Management Plan. We even created a reminder poster that you could download. The episode was about providing a compliance management plan guideline for Compliance Officers who are trying to find a way to fit this...

Healthcare Cyber Attacks

Every day it seems we read about more healthcare cyber attacks. As the news keeps breaking with more details on a wide variety of cases, we have plenty of work to do just to keep up. Today, there are so many cases to talk about we couldn't even decide what...

HIPAA 21st Century Cures Act

For a change, a bipartisan bill with some big impacts on healthcare was passed. The HIPAA implications of the 21st Century Cures Act are, of course, our focus. Today, we review some thoughts on the bill that was signed into law this week....

Phishing Attacks In Healthcare

Phishing attacks in healthcare are on the rise just like in every other industry. However, unlike many other targets, phishing attacks in healthcare have a much higher return on investment if the phisherman gets anyone to take the bait. We've talked multiple times...

HIPAA Compliant Cloud

In early October, the long-awaited guidance on HIPAA compliant cloud services was released by HHS / OCR. There wasn't a lot of shocking information for us, since it just restated, maybe more clearly, that cloud services providers (CSPs) must sign a BAA and meet certain...

OCR Audits and Enforcement 2016

This week is basically part 2 of last week. We left off just before reviewing the OCR audits and enforcement 2016 updates announced at the NIST / OCR Security Conference 2016. Listener questions and mentions. Bill's question on hospital apps....

HIPAA Security Conference 2016

Donna shares information from the NIST/OCR HIPAA Security Conference 2016. It is held each year in Washington, DC, on Safeguarding Health Information. Sitting in via the webcast, Donna enjoyed hearing the nerdy stuff, as always. Learn what she thought was...

Scary HIPAA Stories

It's time for more scary HIPAA stories. We tour the HIPAA haunted house in our 2nd annual Halloween episode! Cybersecurity has become a big concern over the last 18 months. The breaches of 2015 have given way to ransomware along with more daring breaches in 2016....

Ransomware and HIPAA

Ransomware and HIPAA have been a topic on the podcast multiple times. They are some of our most popular episodes, in fact. Recently, we realized we haven't discussed the OCR guidance on ransomware and HIPAA. On July 11, 2016, HHS.gov featured a new post from Jocelyn...