HIPAA Compliance or HIPAA Disaster (2020 Edition)
It’s HIPAA Compliance, or HIPAA Disaster
Or lack thereof, if you’re of the 98%. The magnitude of this stuff is off the charts. The only reason our phones aren’t currently ringing off the hook is that only 2% understand that they are in major trouble, or on course for a federal disaster with regard to HIPAA compliance.
The Office for Civil Rights is increasing audits, so 2% will soon be 3%, and then quickly 4% and 5%.
What is HIPAA compliance? HIPAA compliance is full alignment with the Privacy Rule and the Security Rule (45 CFR Parts 160 and 164).
HIPAA compliance is total conformity to the federal rulemakers, through strict observance of their guidance and of the Breach Notification Rule.
Not only are you in terrible trouble when you are the victim of a breach of unsecured PHI, you have to call the cops and tell on yourself, pretty much literally: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and HHS must be notified in the same window for breaches affecting 500 or more people (smaller breaches are logged and reported within 60 days of the end of the calendar year).
Except these are federal agents: HHS’s Office for Civil Rights levies tiered civil penalties that run up to $1.5 million per violation category per calendar year (inflation-adjusted upward since 2019), and because the caps are per calendar year, a continuing violation that straddles year end can be counted against two years’ caps.
They can also refer you for criminal prosecution: knowingly obtaining or disclosing PHI carries up to $50,000 and a year in prison, rising to $250,000 and ten years when the offense is committed with intent to sell the data or use it for commercial advantage or malicious harm.
It’s wise to watch them, to be a watcher.
And an over-achiever, if we’re back to talking about HIPAA and HITECH.
In addition to a stay in a prison that seems to operate with the same style as the Hotel California, and the civil penalties above, non-compliance with HIPAA could also mean:
- $10 per patient for ongoing credit monitoring (hopefully you haven’t been too successful at growing your practice, or you own a credit monitoring service)
- Civil penalties from the FTC, which enforces the Health Breach Notification Rule for health-data vendors outside HIPAA’s reach, of up to roughly $40,000 per violation (which door did they sneak in!)
- Penalties of $1,000 per record in the case of class action lawsuits (what if you had 10 years’ worth of records for a large hospital?)
- Settlements with State Attorneys General, who have had authority to sue under HITECH since 2009, ranging from $150,000 to $6.8 million (they really like that $6 million number, and in this case the states must love the feds)
May We Be Blunt about HIPAA Compliance?
You have problems. We have solutions. You can start helping yourself by reading any of our other pages on HIPAA:
https://petronellatech.com/blog/hipaa/15-steps-for-making-your-gmail-google-calendar-and-entire-g-suite-hipaa-compliant/
https://petronellatech.com/blog/hipaa/breach-notification-rule/
https://petronellatech.com/blog/hipaa/ceo-fraud-and-business-email-compromise/
https://petronellatech.com/blog/hipaa/choosing-the-right-penetration-testing-vendor/
https://petronellatech.com/blog/hipaa/hipaa-training/
https://petronellatech.com/blog/hipaa/hipaa-violations-fines/
https://petronellatech.com/blog/hipaa/hitech-act/
https://petronellatech.com/blog/hipaa/the-final-privacy-rule/
https://petronellatech.com/blog/hipaa/ransomware/
Or you can leave the 98%, and come towards the light. For $3k per month, we guarantee total HIPAA compliance in 12 months, with an all-inclusive turnkey package deal:
$3,000 per month for up to 10 users, plus $300 per month for each additional user over 10, for total HIPAA compliance in 12 months (à la carte services available upon request).
It’s like starting off totally confused, and then making it out the winning side of a maze.
Our service gets a practice compliant with HIPAA. Guaranteed.
There’s a 100% satisfaction guarantee. If at any time, a practice does not feel like they are getting the value provided, they will only pay for what they’ve used.
The web is not called the web for no reason. Things have a way of spidering through it, like veins in a body. With HIPAA/HITECH, it’s all about the privacy and security of what are now mostly electronic health records.
Therefore, your compliance depends on your processes being closely aligned with the federal rules and guidance.
Likely, you currently have misalignments. The only way to fix them is to overlay your current system with a properly aligned solution. Since HIPAA is very segmented, your solution HAS to be also.
There is absolutely no way to implement a thorough and properly segmented solution without taking it layer by layer.
There is no quick fix to a problem that’s spidered.
It needs to be dealt with at the root cause, and the root can’t be accessed without tracing all the pathways that branch from it.
Slow and steady may not win the race, but it does get you to the finish line.
The fast guys all fall off.
Month 1:
Regulatory HIPAA Compliance
PTG works with our clients to get them in compliance, whether it be HIPAA, NIST or ISO standards. We develop policies and procedures, training materials, and compliance infrastructure to ensure that your organization stays in compliance.
Are you in the HIPAA Crosshairs? If you’re like most PT practices, chances are you are.
Over the next 12 months, join private, encrypted and confidential Zoom sessions with Craig Petronella, a HIPAA compliance and Cybersecurity expert who will act as your Fractional Chief Information Security and Compliance Officer:
Fractional Chief Information Security & Compliance Officer (CISCO)
A senior-level executive responsible for developing and implementing information security and compliance programs. This includes attested policies, published procedures and technical controls that protect the following from all internal and external threats: the confidentiality of all stakeholders (customers, patients, employees, investors, etc.), the integrity of all systems, data and endpoint devices, and the availability of information and communications systems.
Month 1: Discuss the current state of your medical practice. Craig will walk you through a mini assessment process to help you to:
• Review what you have in place now
• Define all of the work to be done across your People, Process and Technology
• Discuss the policies and procedures that apply to your practice.
• Create a customized game plan for your practice to become HIPAA compliant; broken down into easily digestible monthly installments. Guaranteeing your practice will be compliant on or before month 12
• Discuss PTG Professional Services
Threat and Incident Response: Remote analysis of suspicious or malicious activities, defensive response, hardening, and documentation
Ask Craig Anything: IT coaching and technology advisory about IT, cybersafety or technology
Helpdesk Support: Live phone/remote technical support of hardware/software issues via secure remote mirroring of end-user computers and mobile devices.
Month 2:
What Does it Take to Comply With HIPAA?
In month 1 we discussed the mini assessment process and came up with a game plan.
In month 2, we start executing the plan.
• Discuss various HIPAA compliant security controls
• Discuss the role and responsibilities of a HIPAA privacy officer
• Discuss in-house vs outsourcing the role of a HIPAA Chief Information Security and Compliance Officer (CISCO)
• Assign one of your employees as your organization’s HIPAA Chief Information Security and Compliance Officer (CISCO) and have them sign off on the responsibilities as defined in the position agreement
Month 3:
Jobs to Be Done
• Review, discuss and outline all of the jobs to be done and decide who will do the work
• Discuss pros and cons of doing the work in-house vs. outsourcing
• Review remediation options and costs of anything found in the mini assessment
• Discuss common cyber threats such as ransomware, malware and zero-day threats
• Discuss secure, turn-key HIPAA compliant hosting vs. on-premise solutions
Secure Hosting:
PTG WorkSpaces: Secure hosted desktop workspace
PTG Unhackable Server Encryption: Patented digital prophylaxis for servers
PTG Unhackable Maintenance: Proactive daily updates to operating systems, browsers and third-party applications
PTG Upstream Bandwidth: from PTG Cloud to your office. Up to 100 GB per month total bandwidth
Microsoft Windows Licenses: for server-side hosting
VMware Virtualization: for the hypervisor layer
PTG Business Continuity Level I: Full backup of all hosted / cloud data within our secure Raleigh data center
PTG Cloud file share: (super secure Dropbox-like service), up to 50 GB
PTG Domain Controller for User Active Directory: configured to your practice
PTG Dynamic Resource Allocation: Dynamic expansion to 16GB RAM and 2 CPUs to ensure quality user experience
PTG Endpoint Antivirus: Real-time attack monitoring and defense of end-user computers from server-side prophylaxis (complements existing anti-virus packages)
PTG Firewall: router and access logging and monitoring, which satisfies the audit-controls and activity-review requirements of the HIPAA Security Rule
PTG Remote-access VPN: encryption of all user access from public WiFi and open networks
PTG Technical Support of Secure Hosting: 24x7x365 via phone, email, or ticket for hosting related issues
Does not cover IT user support for in-house or personal-use computers, laptops, smartphones or wearables
PTG Multi-factor User Authentication: configured with user training guide and HIPAA Policies
Microsoft Office 365 E3: HIPAA compliant, includes BAA from Microsoft
PTG Unhackable Website: Patented digital prophylaxis for your website, blogs and related media, including Transport Layer Security for all visitor traffic
Website content backup
Visitor Geo-blocking
Distributed Denial of Service (DDOS) protection
Month 4:
Security Controls
• Review security controls and associated cost options that apply to your practice
• Discuss approved and recommended vendor options for on-premise security controls vs hosted solutions
• Discuss PTG Managed Services
PTG Encrypted DNS: Encrypted Domain Name Service (eDNS) – encrypts DNS lookups so that on-path observers cannot read or tamper with the names your devices resolve, and automatically blocks resolution of known-malicious domains
PTG Encrypted Password Management: for all devices, with monitoring, multifactor authentication, hardware token, and 100+ policies and procedures
NOTE: This includes the use of a hardware token as a second factor, which removes the single point of failure of a remembered and typed password (a phished or reused password alone no longer grants access)
PTG Endpoints Forcefield: Security controls configured against HIPAA policies for computers, smart phones and phone systems
NOTE: This entails a weekly protocol for validating that your HIPAA-mandated controls are functioning; includes an audit trail and the ability to produce a report of compliance
PTG Unhackable Email Encryption: Patented digital prophylaxis for all email exchanges
PTG Threat Landscape Management: Proactive monitoring of threat landscape and direct surveillance of malicious penetration attempts, logging and maintenance, across your entire IT infrastructure
PTG Website Forcefield: Reconfigure WordPress (or other CMS), install firewall, malware scanner, IP address blocking
PTG Unhackable Maintenance: Proactive daily updates to operating systems, browsers and third-party applications
PTG Unhackable System Encryption: Patented digital prophylaxis for desktop, laptop, and mobile devices
PTG Unhackable MS Office 365: Patented digital prophylaxis. Maximum security hardening: Notifications for any unusual behavior (changes to mailboxes, forwarding, rules, logins, etc.) as well as implementation and monitoring of the two-factor user authentication
PTG Office 365 Email 100% Uptime: Patented digital prophylaxis that keeps your users able to send and receive email during an Office 365 outage; addresses downtime of Office 365
PTG Unhackable Endpoint 100GB Backups: Daily virus-free backups of end-user computers (phones and tablets not covered)
PTG Unhackable 50 GB Cloud Storage: Secure replacement for Microsoft OneDrive: enterprise file sync and sharing with granular permissions, file controls, reporting and auditing. Remote wipe of stolen or lost computers or smartphones
PTG HIPAA Compliant Phone Service: with Polycom VVX 350 phones, signed BAA and monitoring as required by HIPAA
PTG Unhackable Virtual Private Network: Patented digital prophylaxis for remote access from any public network. Secure Use of Public WiFi. Tunneling: users may use any WiFi network with assured privacy. Encrypted access: Defeats WiFi network sniffing and capture of user credentials
PTG CloudUTM: Enterprise managed firewall with failover support
SUMMARY
• New faster/more reliable firewall equipment with lifetime warranty. If equipment fails, we replace it FREE
• Segmentation: more reliable, with multiple secure network segments
• State of the art security and filtering
• Granular control of the network by using dedicated equipment paired with our CloudUTM, with reduced latency
• Block categories of web traffic and run detailed reports
Month 5:
Important Policies and Procedures
• Review and discuss basic HIPAA policies and procedures
• Begin customizing the HIPAA policies and procedures
• Train staff on how to store the basic HIPAA policies and procedures in the secure, encrypted portal
HIPAA Security Policy #1 – Security Management Policy
HIPAA Security Policy #2 – Security Officer Policy
HIPAA Security Policy #3 – Workforce Security
HIPAA Security Policy #4 – Information Access Management
HIPAA Security Policy #5 – Security Awareness
HIPAA Security Policy #6 – Incident Response
HIPAA Security Policy #7 – Contingency Planning
HIPAA Security Policy #8 – Evaluation
HIPAA Security Policy #9 – Business Associate Contracts
HIPAA Security Policy #10 – Facility Access Controls
HIPAA Security Policy #11 – Workstations Use
HIPAA Security Policy #12 – Workstation Security
HIPAA Security Policy #13 – Physical Safeguards Device Media
HIPAA Security Policy #14 – Access Control
HIPAA Security Policy #15 – Audit Controls Policy
HIPAA Security Policy #16 – Integrity Policy
HIPAA Security Policy #17 – Person or Entity Authentication
HIPAA Security Policy #18 – Transmission Security Policy
Month 6:
HIPAA Security Awareness Training
• Discuss common breach types across all aspects of People, Process and Technology
• Setup HIPAA Security Awareness Training for your staff
• Review and introduce staff to the training portal
• Set a goal of when your staff will complete the training
• Schedule testing for your staff to receive a certificate of compliance
Month 7:
HIPAA Training Continued…
• Train and Quiz staff on common HIPAA infractions
• Discuss the importance of compliance and the ramifications of non-compliance
• Discuss potential infractions and how to avoid them
Month 8:
Risk Assessment Overview
• Discuss the risk assessment process
• Re-assess remediation steps in prior months
• Define what work is left to be done and decide if the timing is right to begin the annual security risk assessment
Our Consultants work to ensure that your organization is fully informed regarding its risks. We perform comprehensive qualitative assessments that will give your organization a clear picture of its risk landscape. We also help prioritize risk mitigation, implement mitigation measures, and manage your organization’s threats, vulnerabilities and costs related to information security.
Month 9:
Compliance Services
• Organize and inventory all organization assets
• Begin the risk assessment process
• Schedule HIPAA audit
Discuss PTG Compliance Services:
PTG HIPAA Security Risk Assessment: Annual assessment of practice as required by HIPAA
PTG/MEG HIPAA Bootcamp: 12 self-directed online training videos and activities, with PTG quizzes and worksheets graded for each module
PTG HIPAA Policy Kit: Boilerplate policies and procedures customized to your practice per HIPAA requirements
PTG HIPAA Documentation Service: Customization of policies and procedures that comply with HIPAA requirements
PTG Website Policy Kit: Boilerplate website policies and procedures customized to your practice per HIPAA requirements
Cyber Insurance for HIPAA Breach and Fine Expenses:
$250,000 policy
PTG Security Awareness User Training and Certification: Self-directed online training videos and activities, with a PTG Certificate of Compliance for each employee
PTG User Training and Certification for HIPAA: Self-directed online training videos and activities, with a PTG Certificate of Compliance for each employee
PTG Business Associate Agreement (BAA) Service: Customization of your BA agreements (for legal attestation)
PTG Simulated Phishing Campaigns: A phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks
PTG Employee Vulnerability Assessment: Find out which employee(s) are at high risk to potentially cause a data breach!
PTG Unhackable Newsletter: Regular updates about the current IT security threats, cybercrime tactics, cyberheist schemes, social engineering scams and ransomware attacks. Includes hints and tips to help you block hackers that could cause a HIPAA breach
PTG Dark Web Monitoring: Also known as cyber monitoring, an identity theft prevention service that watches for your identity information on the dark web and notifies you if your information is found there
PTG Weekly Micro-Training Video & Quiz
PTG Situation Awareness & Reporting: Monthly review of proactive cybersafety activities and countermeasures
PTG Breach Reporting: In the event of an actual or suspected breach of PHI/PII, PTG Breach Reporting notifies federal and state regulatory authorities and consumers as mandated. Your call to PTG about a potential privacy breach initiates an immediate evaluation of your incident; PTG performs the four-factor breach risk assessment the Breach Notification Rule requires and determines whether notification of authorities and consumers is required. PTG files the necessary breach reports on your behalf, leaving it to you to notify your patients and affiliates with inputs and talking points from PTG
PTG Incident Reports for OCR: Preparation of a report of findings and remediations (where applicable) for submission to the Office for Civil Rights of the US Dept. of HHS
Month 10:
Remediation
• Discuss issues found
• Discuss remediation options
• Discuss the various types of IT support available to you and cost options
• Discuss the importance of ongoing monitoring and maintenance
• Begin Remediation
Month 11:
Remediation Continued
• Finalize all open remediation issues
• Schedule final interview with HIPAA underwriting team
• Discuss included PTG Breach Response Services
If your organization’s security of PHI has been breached, we promptly will:
• Advise on reporting responsibilities
• Assist with breach mitigation
• Conduct a breach risk assessment in accordance with regulatory requirements
• Develop and implement a plan of correction
Month 12:
HIPAA Compliant and Peace of Mind
• Receive PTG’s certificate of compliance (good for 1 year), attesting that your customized policies and procedures have been implemented against the security controls defined above (note that HHS does not recognize or endorse any HIPAA certification; the certificate documents PTG’s assessment and should be retained as evidence of your compliance program)
• Discuss ongoing work to be done, security maintenance, monitoring and controls to remain in-compliance with HIPAA
• Discuss enforcement actions and litigation support. If your organization is facing enforcement actions or litigation, we will work with you and your legal counsel as an expert witness
• Discuss data privacy and security
Our data privacy and security practice works to keep your information protected at all times. PTG consultants provide the industry knowledge and support to keep your organization and its assets safe and reduce vulnerabilities
Or Just Lead The Pack To HIPAA Compliance
If you’re not ready to join the 2%, you can at least attempt to be a leader of the pack…the pack of 98. Use our HIPAA Toolkit for a once per year fee of $2,800 and get much closer than the rest to the goal of total HIPAA compliance:
HIPAA Toolkit Product Description:
Designed to help providers meet HIPAA rules and regulations, this all-in-one package is an ideal resource for covering your HIPAA compliance needs.
The HIPAA Tool Kit includes:
-18 Policies and Procedures ($3,950.00 value) to comply with HIPAA regulations
-Private, Consultative webinar/training ($350.00 value)
-Staff training kit ($400.00 value)
-One month of live, Q/A, compliance roundtables ($99 value)
-HIPAA/Cybersecurity Blog and FAQ Access
-HIPAA/Cybersecurity Handouts (One-Pagers, Quick Guides)
-Regulatory Updates
-Threat Vulnerability & Exposure Landscape