If you really want to protect the privacy of those you serve, it is important to establish a culture of vigilance within your organization.

Now, if that sounds like blah-blah, think again.  The culture of your organization is a real thing.  It is a silent, yet potent communicator of the values reflected in your leadership.  High ethical behavior at the top sets the expectations for all.  

During our January podcast-and-webinar series, we discussed the importance of a Code of Conduct as a starting point for a HIPAA compliance program.  Why?  Because it's a great vehicle for describing ethical standards that employees are expected to meet. If expectations aren't in writing, how are they to know? 

Basic elements of a Code of Conduct set forth principles of:

  • Leadership values
  • Respectful behavior 
  • Protection of privacy
  • Safety
  • Integrity

Importantly, the commitment should go both ways -- with leadership pledging a commitment to a healthy work environment and employees pledging good conduct. (Yes, pledges should be signed!)

Once the basic standards are set, then there is context for the details of HIPAA compliance relating to safety and security.  

If you are a subscriber to MyHIPAA Guide, email Brenna Hughey for a Code of Conduct template if you do not have it already.

To learn more about our HIPAA compliance program tailored for dentistry, visit https://www.myhipaaguide.com/3steps/

For our program tailored to residential providers, visit http://hipaa.opra.org/

Published in Blog

Staff working on the ground see everything; they are the ones likely to come across a problem that demands your attention. You need to have a reporting system established that the staff knows exists, to ensure the issue will be communicated.

First, you must manage reporting systems for your agency. Create a process through which staff can submit reports either anonymously or by name. Have a system in place to ensure that once a potential breach has been communicated you have the tools ready to complete an investigation efficiently.

Remember! Review whistleblower reports regularly! Monitor to make sure investigations take place in a timely manner and are resolved.

Having a reporting system in place is only half the battle. You have to also make sure your staff:

  • Understands your organization's reporting system, and
  • Does not fear retaliation for reporting.

Make the duty to report a part of your agency's culture. Promote awareness and understanding of the availability of whistleblower reporting and other resources your agency offers. Also promote your agency's non-retaliation policies. Make these policies known to staff in new-hire orientation and annual training, on your website, in staff memos and through other ways you communicate with staff.

Keep in mind! Communication is a two-way street. Creating a reporting system is meaningless if staff does not know to use it!

For more information, check out the section on Preventing Breaches on page 26 of the MyHIPAA Guide Compliance Manual. MyHIPAA Guide subscribers may access available templates for security incident reports and incident investigations under Appendix E of the Security Policies and Procedures template on Step 3 of the MyHIPAA Guide website.

Published in Blog

A Business Associate is a person or organization, other than an employee of a covered entity, who performs functions or provides services related to creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of your organization.

Remember! With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.

A written contract with your Business Associate must:

  • Detail the uses and disclosures of PHI the Business Associate may make

  • Require that the Business Associate safeguard PHI

In other words, if any one person or vendor has potential access to private health information, you need to hold them accountable to the same high standards as you are held accountable.

Published in Blog

By now, you know that international ransomware attackers have hit health systems in the United States. While it’s up to the techs within your organization to apply security measures, it’s everyone’s job to thwart thieves by recognizing and avoiding their traps - often hidden in seemingly harmless emails.

Keep in mind that hackers are smart, and it’s their business to fool even the most conscientious employees in close proximity to patient information. That’s why it’s important to know the warning signs of ransomware.

Let’s start with some basics pertaining to email:

  • Beware of any kind of attachments or links within emails that are unknown to you or unsolicited. Malicious links in emails can link you directly to a malicious website the attacker uses to infect a data system. Opening an attachment can have the same effect.
  • Know that attackers may impersonate someone you know. Be extremely cautious of emails you are not expecting or that seem a little off. When in doubt, go to your supervisor or a tech before doing anything.
  • Make it a practice NOT to click on links and attachments you are not expecting.
  • If you get an automated message to update your computer’s antivirus software, click to update it. While the IT people should make sure this is done automatically, that doesn’t always happen in reality.

Of course the goal is to avoid the schemes of hackers, who typically “kidnap” information with the promise of releasing it back to its rightful owner in exchange for money. A joint study conducted by several security firms estimates that creators of one form of ransomware -- called CryptoWall 3.0 - have extracted more than $325 million from victims since January 2015.

In the event you fall victim to a ransomware scheme, you should know the tell-tale signs of being hacked so that you can seek help right away. One common scenario is that you click on a link or open an attachment and immediately realize it is suspicious. Get help, even if you’re not 100 percent sure it’s a problem.

Other indicators of ransomware include:

  • Unusual activity on your computer for no apparent reason, due to the ransomware searching for, encrypting and removing data files.
  • An inability to access certain files as the ransomware encrypts, deletes, renames and/or relocates data.

Recently, attackers have been scanning the Internet for devices equipped with remote access to patient information portals. Once connected, they can try to guess passwords, or look for backdoors to gain entry. Once they’re in, they can operate just like they are logged onto your system from a monitor and keyboard.

If you do not need remote access to a database containing patient information, disable the service on your computer. If you do need remote access, use it only as necessary. And make sure your password is next to impossible to figure out.

By now you may wonder what the odds are that you may encounter a ransomware threat. Well, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a 300% increase over the 1,000 daily ransomware attacks reported in 2015!

That is why everyone needs to have an eagle eye out for the crooks.

Here are just a few other things to keep in mind:

  • Never allow a third-party to have remote access to your computer if the caller’s authenticity cannot be verified directly through your organization or a verified Business Associate.
  • Do not trust unsolicited phone calls, and don’t give out information.
  • Do not download or purchase any unknown software or online services.
  • Follow safe practices when browsing the web - and don’t click on ads from unknown sources.
  • If you see any unauthorized people accessing patient information (including fellow employees), report the activity to your supervisor or a compliance manager.

Simple safety practices on the part of all can thwart thieves so they can’t do their dirty work. That’s the goal -- and it takes a community of dedicated workers to achieve it.

Note: Information included in this post has been compiled from email alerts distributed by the U.S. Office for Civil Rights (OCR) from May 12 through May 16, in response to international threats impacting healthcare. Reference material includes: February 2, 2016, and March 30, 2016 cyber awareness updates, and a February 2017 newsletter, all from OCR, and a Ransomware Fact Sheet from the U.S. Department of Health and Human Services.

About the author: Diane Evans is Publisher of MyHIPAA Guide, a news and information service that gives organizations a clear and human-centered process for HIPAA compliance. Diane travels around Ohio and beyond, speaking on HIPAA-related topics and leading workshops in an interactive curriculum developed by the MyHIPAA Guide team.

Published in Blog

The feds have released a new fact sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health activities conducted by public health agencies, as authorized by state or federal law. The fact sheet offers examples of instances where sharing PHI supports public health policies.

You may find the new fact sheet on the federal government's website at: https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf

Published in Blog

If you haven't already, read the CMS memo to state survey agencies, ordering a crackdown on social media abuses. Policies aren't enough, the memo says. You also need ongoing, sustainable compliance plans.

Published in Blog

In an unprecedented memo to state survey and credentialing agencies earlier this month, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing federal privacy regulations to protect patients from social media abuses. The memo cites recent media reports as impetus for the crackdown.

In its memo, dated Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning in September, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents.

Indeed, a growing number of reports are exposing horrific examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends.

ProPublica and the Washington Post have been especially out front on this issue. Here is some background to give you an idea of what is taking place:

In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear for a few seconds, and then disappear.

Details of the incidents came from government reports, court cases and stories in the media.

An excerpt from one report on the ProPublica website:

“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.”

“This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”

In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.

In some cases, employees have faced criminal charges. 

Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Information Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.

Published in Blog

Case points to Business Associate Agreements as critical


When it comes to HIPAA enforcement, you can’t hide behind a cloak. That is the message of the federal government’s settlement with the Archdiocese of Philadelphia.

The Diocese will pay $650,000 to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), relating to the theft of a mobile device containing protected health information for 412 nursing home residents.

In this and other recent actions, the feds are underscoring an emphasis on holding Business Associates accountable for safeguarding patient information.

In the Philadelphia case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities. Here is what happened, according to an announcement by the U.S. Office for Civil Rights (OCR):

In April 2014, OCR initiated an investigation following the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone included Social Security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

Investigators found that CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.

The feds signaled they went light on the settlement amount, saying they considered that CHCS provides much-needed services in the Philadelphia area.

The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html

Published in Blog

In a memo released last month, the U.S. Office for Civil Rights (OCR) raised this question: Is Your Business Associate Prepared for a Security Incident?

Well, how would you answer?

The issue is critical, as OCR audits are in progress under the federal Health Insurance Portability and Accountability Act (HIPAA). The audits extend to business associates, and according to OCR, business associates will need to demonstrate security risk analysis, risk management, and breach reporting procedures.

In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.

First, let's make sure you know who your business associates are. In sum, a business associate is any outside person or company with whom you share protected health or personally identifiable information about the people you serve.

They -- through you -- are obligated to meet all federal privacy and security laws to protect that information. This includes billing companies, technology vendors, temporary staffing companies and anyone else with potential access to patient information. With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.

In its new memo, OCR also says you should plan in advance for how you will confront a breach by a business associate, including subcontractors. OCR’s memo recommends the following:

1. Business associate agreements should define how and for what purposes patient information may be used or disclosed. Be clear about what constitutes unauthorized disclosures and incidents that need to be reported back to the HIPAA-covered healthcare provider.

HIPAA defines “security incidents” as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. This could include:

  • Attempts (either failed or successful) to gain unauthorized access to electronic Patient Health Information (ePHI), or a system that contains ePHI;
  • Unwanted disruption to systems that contain ePHI;
  • Changes to system hardware or software characteristics without the owner's knowledge or consent.

2. Business associate agreements should specify the time frame for business associates or subcontractors to report a breach, security incident, or cyber-attack. Keep in mind: Reporting should be prompt, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and, in some cases, the media.

The federal government’s website says that HIPAA-covered providers should file a breach notification by filling out and electronically submitting a breach report form to the U.S. Department of Health and Human Services.

If a breach affects 500 or more individuals, covered entities must file a report promptly, and in no case later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity must submit notification no later than 60 days after the end of the calendar year in which the breach is discovered. The government’s website also describes circumstances that require reporting to the media.

3. Business associate agreements should identify the type of information a business associate or subcontractor will need to provide in a breach or security incident report. Such reports should include the business associate’s name and point of contact information, and descriptions of:

  • What happened, including the date of the incident and the date of the discovery of the incident, if known.
  • The types of protected health information potentially compromised due to the incident.
  • How the business associate is investigating the incident, and what measures are being taken to protect against further incidents.

4. Finally, covered entities and business associates should train workforce members on incident reporting. OCR says covered entities may want to conduct security to make sure their business agreements are being enforced.

Questions? Contact Diane Evans, Publisher of MyHIPAA Guide, at 330-990-1470. This article is for informational purposes and does not constitute legal advice for individual circumstances.

Published in Blog

Read about the first criminal charges under HIPAA law, in a commentary by MyHIPAA Guide Publisher Diane Evans, in the June 2016 issue of Compliance Today:

June 2016 OpEd

Published in Blog

10 Step HIPAA Plan

  • Step 1: Make Sure You Must Comply with HIPAA
    What's Inside: Lists of who is generally covered and who is not, plus a contact for inquiries.
  • Step 2: Designate Team Leaders
    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures
    What's Inside: Templates for Security Policies and Procedures
  • Step 4: Conduct a Security Risk Analysis
    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths
    • Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an Action Plan
    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists
    • Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach
    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team
    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices
    What's Inside (for all):
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish
    • Professionals' guide covering 2013 updates on communications
    • Electronic toolkit with patient education and meaningful consent sample materials
  • Step 9: Execute Business Associate Agreements
    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA
    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government
    All from federal sources.