HIPAA Compliance or HIPAA Disaster (2020 Edition)
lt’s HIPAA Compliance, or HIPAA Disaster
Or lack thereof, if you’re of the 98%. The magnitude of this stuff is off the charts. The only reason our phones aren’t currently ringing off the hook is because only 2% understand that they are in major trouble, or on course for a federal disaster in regards to HIPAA compliance.
The Office for Civil Rights is increasing audits, so 2% will soon be 3%, and then quickly 4% and 5%.
What is HIPAA compliance? HIPAA compliance is perfect alignment with the Security Rule and the Privacy Rule.
HIPAA compliance is total conformity to the federal rulemakers, through strict observance of their guidance and their Breach Notification Rule.
Not only are you in terrible trouble when you are the victim of a breach, you have to call the cops and tell on yourself- pretty much literally.
Except these are federal agents, and they have the power to throw up to $6 million in fines at you per calendar year, aka $12 million if you get audited at year end/new year.
They can also charge you criminally, and we’ve heard rumors recently (August, 2019) of federal inmates even dying on their watch.
It’s wise to watch them, to be a watcher.
And an over-achiever, if we’re back to talking about HIPAA and HITECH.
In addition to visiting a prison that seems to operate with the same style as the Hotel California, and almost one-tenth of a billion dollars in fines, non-compliance with HIPAA could also mean:
- $10 per patient for ongoing credit monitoring (hopefully you haven’t been too successful at growing your practice, or you own a credit monitoring service)
- Payment to the FCC of $40,000 per violation (which door did they sneak in!)
- Penalty of $1,000 per record in the case of class action lawsuits (what if you had 10 years worth of records for a large hospital?)
- Fees to the State Attorneys General ranging from $150,000 – $6.8 million (they really like that $6 million number, and in this case the states must love the feds)
May We Be Blunt about HIPAA Compliance?
You have problems. We have solutions. You can start helping yourself by reading any of our other pages on HIPAA:
Or you can leave the 98%, and come towards the light. For $3k per month, we guarantee total HIPAA compliance in 12 months, with an all-inclusive turnkey package deal:
$3,000 per month for up to 10 users / $300 per extra user over 10 users / $300 month for total hipaa Compliance in 12 months (*A La Carte Services available upon request).
It’s like starting off totally confused, and then making it out the winning side of a maze.
Our service gets a practice compliant with HIPAA. Guaranteed.
There’s a 100% satisfaction guarantee. If at any time, a practice does not feel like they are getting the value provided, they will only pay for what they’ve used.
The web is not called the web for no reason. Things have a way of spidering through it, like veins in a body. With HIPAA/HITECH, it’s all about the privacy and security of mostly electronic health records.
Therefore, your compliance depends on the setup of your processes being closely aligned with federal guidelines/rules.
Likely, you currently have misalignments. The only way to fix them is to overlay your current system with a properly aligned solution. Since HIPAA is very segmented, your solution HAS to be also.
There is absolutely no way to implement a thorough and properly segmented solution without taking it layer by layer.
There is no quick fix to a problem that’s spidered.
It needs to be dealt with at the root cause, and the root can’t be accessed without tracing all the pathways that branch from it.
Slow and steady may not win the race, but it does get you to the finish line.
The fast guys all fall off.
Regulatory HIPAA Compliance
PTG works with our clients to get them in compliance, whether it be HIPAA, NIST or ISO standards. We develop policies and procedures, training materials, and compliance infrastructure to ensure that your organization stays in compliance.
Are you in the HIPAA Crosshairs? If you’re like most PT practices, chances are you are.
Over the next 12 months, join private, encrypted and confidential Zoom sessions with Craig Petronella, a HIPAA compliance and Cybersecurity expert who will act as your Fractional Chief Information Security and Compliance Officer:
Fractional Chief Information Security & Compliance Officer (CISCO)
Senior-level executive responsible for developing and implementing information security and compliance programs. This includes attested policies, published procedures and technical controls that will protect the following from all internal and external threats: confidentiality of all stakeholders (customers, patients, employees, investors, etc.), integrity of all systems, data, and end-point devices, and availability of information communications systems.”
Regulatory HIPAA Compliance
Month 1: Discuss the current state of your medical practice. Craig will walk you through a mini assessment process to help you to:
• Review what you have in place now
• Define all of the work to be done across your People, Process and Technology
• Discuss the policies and procedures that apply to your practice.
• Create a customized game plan for your practice to become HIPAA compliant; broken down into easily digestible monthly installments. Guaranteeing your practice will be compliant on or before month 12
• Discuss PTG Professional Services
Threat and Incident Response: Remote analysis of suspicious or malicious activities, defensive response, hardening, and documentation
Ask Craig Anything: IT coaching and technology advisory about IT, cybersafety or technology
Helpdesk Support: Live phone/remote technical support of hardware/software issues via secure remote mirroring of end-user computers and mobile devices.
What Does it Take to Comply
In month 1 we discussed the mini assessment process and came up with a game plan.
In month 2, we start executing the plan.
• Discuss various HIPAA compliant security controls
• Discuss the role and responsibilities of a HIPAA privacy officer
• Discuss in-house vs outsourcing the role of a HIPAA Chief Information Security and Compliance Officer (CISCO)
• Assign one of your employees as your organization’s HIPAA
Chief Information Security and Compliance Officer (CISCO) and have them sign off on the responsibilties as defined in the position agreement
Jobs to Be Done
• Review, discuss and outline all of the jobs to be done and
decide who will do the work
• Discuss pros and cons of doing the work in-house
• Review remediation options and costs of anything found
in the mini assessment
• Discuss common cyber threats such as Ransomware, malware
and zero-day threats
• Discuss secure, turn-key HIPAA compliant hosting vs.
PTG WorkSpaces: Secure hosted desktop workspace
PTG Unhackable Server Encryption: Patented digital prophylaxis
PTG Unhackable Maintenance: Proactive daily updates to operating systems, browsers and third-party applications
PTG Upstream Bandwidth: from PTG Cloud to your office. Up to 100 GB per month total bandwidth
Microsoft Windows Licenses: for server-side hosting
Vmware Virtualization: for hyper-visor layer
PTG Business Continuity Level I: Full backup on all hosted / cloud data within secure Raleigh data center
PTG Cloud file share: (super secure Dropbox like service), up to 50Gb
PTG Domain Controller for User Active Directory: configured to
PTG Dynamic Resource Allocation: Dynamic expansion to 16GB RAM and 2 CPUs to ensure quality user experience
PTG Endpoint Antivirus: Real-time attack monitoring and defense of end-user computers from server-side prophylaxis (compliments existing anti-virus packages)
PTG Firewall: router & access logging and monitoring, required for HIPAA compliance
PTG Remote-access VPN: encryption of all user access from public WiFi and open networks
PTG Technical Support of Secure Hosting: 24x7x365 via phone, email, or ticket for hosting related issues
Does not cover IT user support inhouse or personal-use computers, laptops, smartphones or wearables
PTG Multi-factor User Authentication: configured with user training guide and HIPAA Policies
Microsoft Office 365 E3: HIPAA compliant, includes BAA
PTG Unhackable Website: Patented digital prophylaxis for your Website, blogs and related media. Transport Layer Security
Website content backup
Distributed Denial of Service (DDOS) protection
• Review security controls and associated cost options that apply to your practice
• Discuss approved and recommended vendor options for on-premise security controls vs hosted solutions
• Discuss PTG Managed Services
PTG Encrypted DNS: Encrypted Domain Name Service (eDNS) – Encrypts website traffic, automatically blocks malicious websites
PTG Encrypted Password Management: for all devices with monitoring, multifactor authentication, hardware token, 100+ policies and procedures
NOTE: This includes the use of a hardware token, eliminating the vulnerability associated with remembering and inputting passwords
PTG Endpoints Forcefield: Security controls configured against HIPAA Policies for computers, smart phones, phone systems
NOTE: This entails a weekly protocol for validiting that your HIPAA-mandate controls are functioning; includes audit trail and the ability to provide a report
PTG Unhackable Email Encryption: Patented digital prophylaxis for all email exchanges
PTG Threat Landscape Management: Proactive monitoring of threat landscape and direct surveillance of malicious penetration attempts, logging and maintenance, across your entire IT infrastructure
PTG Website Forcefield: Reconfigure WordPress (or other CMS), install firewall, malware scanner, IP address blocking
PTG Unhackable Maintenance: Proactive daily updates to operating systems, browsers and third-party applications
PTG Unhackable System Encryption: Patented digital prophylaxis for desktop, laptop, and mobile devices
PTG Unhackable MS Office 365: Patented digital prophylaxis. Maximum security hardening: Notifications for any unusual behavior (changes to mailboxes, forwarding, rules, logins, etc.) as well as implementation and monitoring of the two-factor user authentication
PTG Office 365 Email 100% Uptime: Patented digital prophylaxis that guarantees that your users will have send/receive email capabilities, Addresses downtime of Office 365
PTG Unhackable Endpoint 100GB Backups: Daily virus-free backups of end-user computers (phones and tablets not covered)
PTG Unhackable 50gb Cloud Storage: Secure Replacement for Microsoft OneDrive: Enterprise file sync and sharing. Improved levels permissions, files control, reporting, auditing. Remote wipes of stolen or lost computers or smartphones
PTG HIPAA Compliant Phone Service: with Polycom VVX 350 phones, signed BAA and monitoring as required by HIPAA
PTG Unhackable Virtual Private Network: Patented digital prophylaxis for remote access from any public network. Secure Use of Public WiFi. Tunneling: users may use any WiFi network with assured privacy. Encrypted access: Defeats WiFi network sniffing and capture of user credentials
“PTG CloudUTM: Enterprise Managed Firewall with the ability to support failover
• New faster/more reliable firewall equipment with lifetime warranty.
If equipment fails, we replace it FREE
• More reliable and with multiple, secure, network segments
• State of the art security and filtering
• Granular control of the network by using dedicated equipment paired with our CloudUTM with reduced latency
• Block categories of web traffic and run detailed reports
Important Policies and Procedures
• Review and discuss basic HIPAA policies and procedures
• Begin customizing the HIPAA policies and procedures
• Train staff on how to store the basic HIPAA policies and procedures in the secure, encrypted portal
HIPAA Security Policy #1 – Security Management Policy
HIPAA Security Policy #2 – Security Officer Policy
HIPAA Security Policy #3 – Workforce Security
HIPAA Security Policy #4 – Information Access Management
HIPAA Security Policy #5 – Security Awareness
HIPAA Security Policy #6 – Incident Response
HIPAA Security Policy #7 – Contingency Planning
HIPAA Security Policy #8 – Evaluation
HIPAA Security Policy #9 – Business Associate Contracts
HIPAA Security Policy #10 – Facility Access Controls
HIPAA Security Policy #11 – Workstations Use
HIPAA Security Policy #12 – Workstation Security
HIPAA Security Policy #13 – Physical Safeguards Device Media
HIPAA Security Policy #14 – Access Control
HIPAA Security Policy #15 – Audit Controls Policy
HIPAA Security Policy #16 – Integrity Policy
HIPAA Security Policy #17 – Person or Entity Authentication
HIPAA Security Policy #18 – Transimission Security Policy
HIPAA Security Awareness Training
• Discuss common breach types across all aspects of People,
Process and Technology
• Setup HIPAA Security Awareness Training for your staff
• Review and introduce staff to the training portal
• Set a goal of when your staff will complete the training
• Schedule testing for your staff to receive a certificate of compliance
HIPAA Training Continued…
• Train and Quiz staff on common HIPAA infractions
• Discuss the importance of compliance and the ramifications
• Discuss potential infractions and how to avoid
Risk Assessment Overview
• Discuss the risk assessment process
• Re-assess remediation steps in prior months
• Define what work is left to be done and decide if the timing is
right to begin the annual security risk assessment
Our Consultants work to ensure that your organization is fully informed regarding its risks. We perform comprehensive qualitative assessments that will give your organization a clear picture of its risk landscape. We also help prioritize risk mitigation, implement mitigation measures, and manage your organization’s threats, vulnerabilities and costs related to information security.
• Begin Risk Assessment
• Organize all organization assets
• Begin risk assessment process
• Schedule HIPAA audit
Discuss PTG Compliance Services:
PTG HIPAA Security Risk Assessment: Annual assessment of practice as required by HIPAA
PTG/MEG HIPAA Bootcamp: 12 Self-directed online training videos and activites with PTG Quizes and worksheets graded for each module
PTG HIPAA Policy Kit: Boiler plate policies and procedures customized to your practice per HIPAA requirements
PTG HIPAA Documentation Service: Customization of Policies and Procedures that comply with HIPAA requirements
PTG Website Policy Kit: Boiler plate policies and procedures customized to your practice per HIPAA requirements
Cyber Insurance for HIPAA Breach and Fine Expenses:
PTG Security Awareness User Training and Certification: Self-directed online training videos and activites with PTG Certificate of Compliance for each employee
PTG User Training and Certification for HIPAA: Self-directed online training videos and activites with PTG Certificate of Compliance for each employee
PTG Business Associate Agreement (BAA) Service: Customization of your BA agreements (for legal attestation)
PTG Simulated Phishing Campaigns: A phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks
PTG Employee Vulnerability Assessment: Find out which employee(s) are at high risk to potentially cause a data breach!
PTG Unhackable Newsletter: Regular updates about the current IT security threats, cybercrime tactics, cyberheist schemes, social engineering scams and ransomware attacks. Includes hints and tips to help you block hackers that could cause a HIPAA breach
PTG Dark Web Monitoring: Also known as cyber monitoring, is an identity theft prevention product that enables you to monitor your identity information on the dark web, and receive notifications if your information is found online
PTG Weekly Micro-Training Video & Quiz
PTG Situation Awareness & Reporting: Monthly review of Proactive Cybersafety activities and counter meansures
PTG Breach Reporting: In the event of the actual or suspected breach of PHI/PII, PTG Breach Reporting notifies Federal and State regulatory authorities and consumers as mandated. Your call to PTG about a potential privacy breach will initiate an immediate evaluation of your incident; PTG will determine whether or not to notify authorities and consumers. PTG will file the necessary breach reports on your behalf, leaving it to you notify your patients and affiliates with inputs and talking points from PTG
PTG Incidence Reports for OCR: Preparation of report of findings and remediations (where applicable) for submission to Office for Civil Rights of US Dept of HHS
• Discuss issues found
• Discuss remediation options
• Discuss the various types of IT support available to you
and cost options
• Discuss the importance of ongoing monitoring and maintenance
• Begin Remediation
• Finalize all open remediation issues
• Schedule final interview with HIPAA underwriting team
• Discuss included PTG Breach Response Services
If your organization’s security of PHI has been breached,
we promptly will:
• Advise on reporting responsibilities
• Assist with breach mitigation
• Conduct Breach Risk Assessment in accordance with
• Develop and implement Plan of Correction
HIPAA Compliant and Peace of Mind
• Receive HIPAA certificate (good for 1 year) of compliance with customized policies and procedures customized against security controls as defined above
• Discuss ongoing work to be done, security maintenance, monitoring and controls to remain in-compliance with HIPAA
• Discuss ENFORCEMENT ACTIONS AND LITIGATION SUPPORT. If your organization is facing enforcement actions or litigation, we will work with you and your legal counsel as an expert witness
• Discuss DATA PRIVACY & SECURITY
Our data privacy and security practice ensures that your information is protected at all times. PTG consultants provide the industry knowledge and support to keep your organization and its assets safe and reduce vulnerabilities
Or Just Lead The Pack To HIPAA Compliance
If you’re not ready to join the 2%, you can at least attempt to be a leader of the pack…the pack of 98. Use our HIPAA Toolkit for a once per year fee of $2,800 and get much closer than the rest to the goal of total HIPAA compliance:
HIPAA Toolkit Product Description:
Designed to help providers meet HIPAA rules and regulations, this all-in-one package is an ideal resource for covering your HIPAA compliance needs.
The HIPAA Tool Kit includes:
-18 Policies and Procedures ($3,950.00 value) to comply with HIPAA regulations
-Private, Consultative webinar/training ($350.00 value)
-Staff training kit ($400.00 value)
-One month of live, Q/A, compliance roundtables ($99 value)
-HIPAA/Cybersecurity Blog and FAQ Access
-HIPAA/Cybersecurity Handouts (One-Pagers, Quick Guides)
-Threat Vulnerability & Exposure Landscape
OPTION 1 FOR LIGHTNING
OPTION 2 FOR THUNDER