6 Points from HIPAA Summit – Ep 349

April 1, 2022

By Donna Grindle

Donna made many notes from the HIPAA Summit. Today, she and David will share six of her top picks, including the difference between an incident and a breach, how a “check the box compliance program” is not a privacy and security program, importance of understanding what your vendor’s incident response plans are and more.

A 5 star review is all we ask from our listeners.
In this episode:

6 Points from HIPAA Summit – Ep 349

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

PriSec Boot Camp

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA


HIPAA Say What!?!

[06:01] In Lucia Savage’s session at the HIPAA Summit she was talking about patient right of access with a room full of attorneys. One attorney asked “when did that part get added to HIPAA?”

Right of access has always been a part of HIPAA. The patient's right of access to their records has always been the one required disclosure: a covered entity must disclose records to the patient or their personal representative. HITECH added layers to it for cost control and cost containment, but it has always been a part of HIPAA.

405(d) Tip of the Week

[09:05] Another reason to sign up for the 405(d) mailing list is that we release resources on a regular basis. The 405(d) Awareness Products section of the Resources page is where you'll find our educational resources. By signing up, you will get email notifications about these FREE resources as they are released.

Recently, during Patient Safety Awareness Week, 405(d) released a poster and tool kits designed for small, medium and large organizations. Just because it's no longer Patient Safety Awareness Week doesn't mean you can't pull those out and use them in your offices.

6 Points from HIPAA Summit

[13:12] Quotes from Donna’s notes from the HIPAA Summit:

  • Teach what is an incident vs a breach when staff is reporting things.
    • Throwing around the term “breach” creates a lot of confusion.
    • An incident isn’t a breach until we determine it is.
    • An incident is what you want staff reporting.
  • [21:04] Understanding the views of Privacy vs Security teams:
    • Privacy – How do we protect data in all of our business processes? These folks worry about everything, including security, because business processes include technology.
    • Security – How do we secure endpoints and the traffic on the network?
    • It takes both in collaboration to actually protect the business.
  • We believe it is time to go beyond “checking a box for compliance”.
    • If you are worried about checking the box for HIPAA compliance, you are not worried about privacy and security.
    • Checking the box is the bare minimum to meet a regulation rather than doing what’s needed to protect the data that is entrusted to you.
  • [25:12] What are your vendor’s Incident Response Plans for notifications to your business both upstream and downstream?
    • There are lots of state laws popping up everywhere that have timeframe requirements to let clients know of an incident.
    • There is the Department of Justice saying not to cover things up and to make sure vendors report incidents soon after discovery.
    • And there are the HIPAA notification requirements within your BAAs.
    • Everyone should know what their critical vendors’ plans are if they are hit by a cyber attack, natural disaster, etc. What are their plans to take care of their clients?
  • [34:02] The best new phrase for us to use: Data is “on loan” to us from our patients.
    • Extrapolate that and throw in Severino’s example years ago of treating all patient records like a bar of gold.
    • Patient data is on loan to covered entities. Patients expect them to take care of it.
    • Business Associates are entrusted with protecting all those "bars of gold" for all of their clients. They need to do everything that is reasonable, using standards, to make sure they are protecting their clients' data.
  • [38:44] Most important one:
    • "If you haven't looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so." – Lisa Pino, Director of OCR

I call that a line in the sand.

So, there are six more points from the HIPAA Summit with a few things thrown in from HIMSS. This won't be the last we've heard of all the tidbits Donna got from the two conferences. And it won't be the last you've heard of these specific six points.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
