Compliance Helper

HHS Whacks Texas HHS

Tue, 26 Nov 2019 17:33:59 GMT

HHS Whacks Texas HHS
Texas Health and Human Services Commission (TXHHS) got a $1.6 million fine for disclosing the ePHI of over 6,000 individuals. TXHHS failed to comply with numerous HIPAA requirements including access controls and audit controls, and failure to perform a HIPAA Security Rule risk analysis.

The fines imposed were for violations that occurred from 2013 to 2019 and were for the maximum amounts proposed by the OCR to be assessed against TXHHS. Although the OCR provided TXHHS with the opportunity to provide “written evidence of mitigating factors or affirmative defenses and/or written evidence in support of a waiver of a CMP within thirty (30) days from the date of the receipt of the letter,” TXHHS did not respond.
Significantly, they not only failed to respond to an opportunity to remediate the problemm but did not perform a risk analysis until two years after the breach.

The moral to the story is do your risk assessments (We do them quarterly), remediate risks when found, and if HHS and OCR come knocking, answer the door.

Do You Speak NIST?

Thu, 14 Nov 2019 21:47:32 GMT

Do You Speak NIST?
Do any of these terms sound familiar? Do you know their meaning?
Access Control Matrix
Access Vector
Access Strum
Active Server Pages
Ad Hoc HIEs
These are a few of the 412 terms beginning with A in the 6752 entries in the NIST Glossary of terms.
Learning how to speak NIST is no more necessary than learning all of the parts of your car before you can drive it.
The Jumpstart program from Compliance Helper enables you to use the NIST Cyber Security Framework to get HIPAA compliant without speaking NIST.
Go to www.compliancehelper.com and watch the two videos on NIST to see why you need NIST and how to get it.

58% of Healthcare Organizations on NIST CSF

Thu, 07 Nov 2019 18:47:03 GMT

Covered Entities are on NIST CSF; You Must Be Too
According to the 2018 HIMSS Cybersecurity Survey, nearly 58% of healthcare organizations are using the NIST CSF.

When these organizations ask for proof of HIPAA compliance, a Certified NIST CSF Risk Assessment is going to be the most credible response.

Large healthcare organizations pay consultants huge fees to implement the NIST CSF, but what about smaller organizations that have neither the staff nor the budget for implementing the NIST CSF? Automation and the Internet provides the answer.

Automated Compliance Reporting was developed in 2007 by ACR2 Solutions and has been used in industry to support the NIST CSF.
An automated on-line program for managing the process of editing, adopting, and implementing HIPAA policies and procedures was developed by Compliance Helper in 2009. Their Compliance Meter® was an early method of demonstrating HIPAA compliance.

Jumpstart is an automated on-line tool that integrates the policy tools of Compliance Helper with the NIST CSF Risk Assessment tools of ACR2.
For an annual cost of a few thousand dollars a small organization can provide HIPAA proof on the NIST CSF.

Go to www.compliancehelper.com and watch the videos to see why you need to be on the NIST CSF and how you can get there with Jumpstart.

NIST Videos

Thu, 12 Sep 2019 16:23:06 GMT

NIST Videos
As the NIST Cyber Security Framework (CSF) has become the standard for HIPAA compliance in healthcare we have gotten a lot of questions about the background and implications for small and medium organizations.
We have produced two videos: Why HIPAA on NIST and Upgrade to NIST CSF that will help you understand and help you decide what to do.
Upgrade to NIST CSF:
https://vimeo.com/353110012
Why HIPAA on NIST CSF:
https://vimeo.com/353110164
Please let me know if you want an in-depth discussion and demonstration by emailing me at Jack@compliancehelper.com

The Case for a Cybersecurity Framework

Tue, 27 Aug 2019 19:09:07 GMT

I found this HIMSS Podcast and article to be timely and interesting.

The Case for a Cybersecurity Framework
August 05, 2019by Bayardo Alvarez, Director, Information Technology, Boston PainCare Center; HIMSS member and part of the HIMSS Global Conference & Exhibition Success Stories initiative
Growing Pains
So, what can healthcare organizations do to enhance their cybersecurity posture? Where can they find reliable, proven and universal guidance to secure their data and IT systems? How do they address security in new and emerging technologies? These were some of the questions we asked ourselves within my organization. As a young pain management practice, we developed internally and over time, a set of policies, procedures and controls that kept our data and network safe. Nevertheless, as we grew and matured, as we incorporated new technologies and complex systems into our network, and as our providers required new and better ways to access information and deliver care, we found ourselves more often searching for answers to these questions.
Enter the Framework
We knew that cybersecurity frameworks were instruments used to guide information security programs in large organizations. They offer processes, standards and methodologies to improve cyber defenses, and are often the product of a consensus-driven collaborative effort by large communities of experts in a variety of fields and industries.
At a first glance, these frameworks appeared intimidating. A vast collection of processes, diagrams and documents, which were so broad and comprehensive that we could hardly imagine implementing them in a small practice like ours.
However, as we looked closer and learned more about the different alternatives, we found that some frameworks possessed characteristics and offered certain benefits that would make them a good fit for our organization. As we dove deeper into our research, we realized that adopting a cybersecurity framework was feasible, and not a far-fetched idea as we initially thought.
Building the Case
The initiative to adopt a cybersecurity framework would have to be planned as a multi-year program, broken into various phases so that we could learn and adapt as we moved along from one phase to the next. We also wanted to gauge our progress in small periods of time, using the results of the previous phase to encourage and motivate our team into the next one.
The framework we were to select would have to be modular and flexible, allowing us to choose which parts and in which order to implement them. It would have to be easy to understand, since people from different backgrounds would be assisting and participating in the process. The framework would have to be easily scalable, which in our case meant scaling down to an organization of our size.
We already had a number of effective policies and safeguards in place, so our ideal framework should allow us to incorporate these into our program. Finally, we wanted a framework with the lowest cost of entry and with documentation and supporting material freely available, avoiding the process of procuring a budget and scoring an easier buy-in with management.
As of This Writing …
After a careful, thoughtful and well-informed analysis of our options, we selected a framework that best met our requirements and offered the benefits we were looking for. We are today in the very first phase of adoption and pleased with the wealth of information and supporting documentation we have found through different organizations that support and endorse our framework. We are encouraged with the progress we are making, and are excited and looking forward to the upcoming phases.

NIST=HIPAA Proof

Thu, 15 Aug 2019 16:04:28 GMT

NIST=HIPAA Proof
The compliance officer of an organization with access to EPHI needs to know if they are HIPAA compliant. Due to the lack of a formal certification process authorized by HHS we, and other vendors, have tried to create other methods of deciding if an organization is HIPAA compliant. In our case we developed the Compliance Meter® to measure different areas of compliance in real time and display them through the meter.
The NIST Cyber Security Framework or NIST CSF has superseded all other methods of determining HIPAA compliance, and has become the accepted standard for proof.
Specifically, the Certified NIST CSF Risk Assessment is the badge to show to other organizations requiring HIPAA Proof.
Jumpstart is a method developed by Compliance Helper and ACR2 Solutions to automate the process of attaining and maintaining HIPAA compliance on the NIST CSF. This four step method enables an organization to get HIPAA compliant on the NIST CSF in 72 hours for under $1,000

Ten Commandments for Business Associates

Fri, 31 May 2019 20:00:50 GMT

While they were not stricken in stone tablets, they came in the 2019 version; an edict from OCR

Here they are::

1. Failure to comply with the requirements of the HIPAA Security Rule, e.g., performing a risk assessment or implementing the required administrative, physical and technical safeguards.

2. Failure to enter business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

3. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
Impermissible use or disclosure of PHI, including a use or disclosure that is not permitted under the business associate agreement.

4. Failure to make reasonable efforts to limit the request, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

5. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) as necessary to enable the covered entity to comply with the patient’s right of access.

6. Failure to provide an accounting of disclosures as necessary to enable the covered entity to comply with its obligations to provide such an accounting when requested.

7. Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule.
Retaliating against others for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

8. Failure to provide HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by HHS to information, including protected health information, pertinent to determining compliance.

9. Retaliating against others for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

10. Failure to provide HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by HHS to information, including protected health information, pertinent to determining compliance.

Proving HIPAA Compliance

Fri, 26 Apr 2019 16:38:59 GMT

Proving HIPAA Compliance
A Webinar
A growing trend in healthcare is requiring companies to provide proof of HIPAA compliance. This has been a challenge in the past due to the lack of a formal certification process approved by Health and Human Services (HHS)
The NIST Cybersecurity Framework (CSF) provides a solution. In this webinar two veteran cybersecurity and HIPAA compliance experts will show how an automated process can lead to a Certified NIST CSF Risk Assessment accepted throughout healthcare as proof of HIPAA compliance.
Registration URL
https://attendee.gotowebinar.com/register/7461290702348550923
Webinar ID
249-271-667

NIST CSF, "Cyber Security Cheat Sheet"?

Tue, 16 Apr 2019 17:14:39 GMT

NIST CSF, “Cyber Security Cheat Sheet”?

Martin Joseph is president of 360IT PARTNERS and in a recent column he referred to the NIST CyberSecurity Framework (CSF) as a “Cyber Security Cheat Sheet” While this probably didn’t resonate at NIST headquarters he has a point. The purpose of a framework is to provide a common language.

Matthew Eggers, executive director for cybersecurity policy with the U.S Chamber of Commerce, feels the framework provides stakeholders in different roles within an organization with a common language.

This is especially important for HIPAA compliance in healthcare because Health and Human Services has refused to provide a certification process for HIPAA. While their position, that HIPAA compliance is a process not an event is valid the accreditation process has worked for years in healthcare. Basically, agencies such as JCAHO are given authority to do and on-site survey (audit) of a facility and if they pass they get a certificate good for three years that is accepted throughout healthcare. To ensure that the facility stays compliant they are subject to unannounced surveys throughout the three year period and must be re-surveyed every three years. The NIST CSF provides the first set of standards that are accepted throughout healthcare. A Certified NIST CSF Risk Assessment is as close as you can get to a HIPAA certification. NIST CSF requires a process and reassessment. The Jumpstart method has built in quarterly risk assessments that are Certified NIST Risk Assessments produced by the ACR2 Solutions Automated Compliance Reporting engine, linked to the Compliance Helper NIST Policies. The Jumpstart method connects consultants (called Helpers) and clients through sophisticated software that provides a path and all of the needed content.

For more information contact Jack@compliancehelper.com

Ransomware Attack Closed ENT Practice

Fri, 05 Apr 2019 18:25:13 GMT

ENT Practice closes their doors after hackers erased all patient records in retaliation for not getting paid the $6500 ransom they demanded.
The founding physicians decided to retire early rather than pay the ransom. $6500 does not seem like a lot to me and preserving the patient records would have been nice. Of course I don’t know all the circumstances but let’s take another look at ransomware.

Hacking into most small practices is certainly a lot easier than hacking a hospital system with a lot of safeguards built in to the system. Once the patient data has been locked up Health and Human Services (HHS) considers this a HIPAA breach, even if it is not proven that the patient records were accessed. In this case the EHR system had encrypted the files so they were probably not accessed.

Since the patient records were apparently not worth $6500 to the founders the hackers erased all the system’s files including patient information and appointment schedules. The medical practice plans to close on April 30 and the staff is providing referrals and answering questions. Not a job that I would relish.

So, check your firewall, say your prayers do your NIST CSF risk assessment and back up your data!

Jack@compliancehelper.com

Do It Yourself NIST CyberSecurity Framework

Tue, 05 Mar 2019 18:33:47 GMT

YOU MAY HAVE HEARD ABOUT THE NIST CYBERSECURITY FRAMEWORK, BUT WHAT EXACTLY IS IT?

And does it apply to you?

NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. It gives your business an outline of best practices to help you decide where to focus your time and money for cybersecurity protection.

You can put the NIST Cybersecurity Framework to work in your business in these ﬁve areas: Identify, Protect, Detect, Respond, and Recover.

1. IDENTIFY

Make a list of all equipment, software, and data you use, including laptops, smartphones, tablets, and point-of-sale devices.

Create and share a company cybersecurity policy that covers:

Roles and responsibilities for employees, vendors, and anyone else with access to sensitive data.

Steps to take to protect against an attack and limit the damage if one occurs.

2. PROTECT

Control who logs on to your network and uses your computers and other devices.
Use security software to protect data.
Encrypt sensitive data, at rest and in transit.
Conduct regular backups of data.
Update security software regularly, automating those updates if possible.
Have formal policies for safely disposing of electronic files and old devices.
Train everyone who uses your computers, devices, and network about cybersecurity. You can help employees understand their personal risk in addition to their crucial role in the workplace.

3. DETECT

Monitor your computers for unauthorized personnel access, devices (like USB drives), and software.

Investigate any unusual activities on your network or by your staﬀ.

Check your network for unauthorized users or connections.

4. RESPOND

Have a plan for:

Notifying customers, employees, and others whose data may be at risk.
Keeping business operations up and running.
Reporting the attack to law enforcement and other authorities.

Investigating and containing an attack.
Updating your cybersecurity policy and plan with lessons learned.
Preparing for inadvertent events (like weather emergencies) that may put data at risk.

Test your plan regularly

5. RECOVER

After an attack:

Repair and restore the equipment and parts of your network that were aﬀected.

Keep employees and customers informed of your response and recovery activities.

For more information on the NIST Cybersecurity Framework and resources for small businesses, go to NIST.gov/CyberFramework

Do It Yourself NIST CyberSecurity Framework

Tue, 05 Mar 2019 18:33:41 GMT

YOU MAY HAVE HEARD ABOUT THE NIST CYBERSECURITY FRAMEWORK, BUT WHAT EXACTLY IS IT?

And does it apply to you?

You can put the NIST Cybersecurity Framework to work in your business in these ﬁve areas: Identify, Protect, Detect, Respond, and Recover.

1. IDENTIFY

Make a list of all equipment, software, and data you use, including laptops, smartphones, tablets, and point-of-sale devices.

Create and share a company cybersecurity policy that covers:

Roles and responsibilities for employees, vendors, and anyone else with access to sensitive data.

Steps to take to protect against an attack and limit the damage if one occurs.

2. PROTECT

Control who logs on to your network and uses your computers and other devices.
Use security software to protect data.
Encrypt sensitive data, at rest and in transit.
Conduct regular backups of data.
Update security software regularly, automating those updates if possible.
Have formal policies for safely disposing of electronic files and old devices.
Train everyone who uses your computers, devices, and network about cybersecurity. You can help employees understand their personal risk in addition to their crucial role in the workplace.

3. DETECT

Monitor your computers for unauthorized personnel access, devices (like USB drives), and software.

Investigate any unusual activities on your network or by your staﬀ.

Check your network for unauthorized users or connections.

4. RESPOND

Have a plan for:

Notifying customers, employees, and others whose data may be at risk.
Keeping business operations up and running.
Reporting the attack to law enforcement and other authorities.

Investigating and containing an attack.
Updating your cybersecurity policy and plan with lessons learned.
Preparing for inadvertent events (like weather emergencies) that may put data at risk.

Test your plan regularly

5. RECOVER

After an attack:

Repair and restore the equipment and parts of your network that were aﬀected.

Keep employees and customers informed of your response and recovery activities.

For more information on the NIST Cybersecurity Framework and resources for small businesses, go to NIST.gov/CyberFramework

HITRUST Implementation of NIST CSF

Tue, 26 Feb 2019 19:19:40 GMT

The answer to why HITRUST is marketing the NIST CSF was given at a previous webinar in response to a question from a attendee. The answer was that many clients or potential clients were demanding certification on the NIST CSF as a higher standard than the HITRUST CSF.

As to the "HITRUST approach", it involves expensive consultants spending hours on-site running up huge bills.

By contrast, the "Jumpstart approach" involves utilizing the Internet to connect with the same quality consultants, editing, adopting, and implementing NIST policies, and receiving quarterly NIST CSF risk assessments. This approach costs thousands, versus hundreds of thousands for the HITRUST approach.

These fundamenntally different approaches deliver the same result but are developed by teams with a different viewpoint. The consultant is always focused on "billable hours" while the software developer is focused on technology to support repeatable process.

For more information go to www.compliancehelper.com

Automated Quarterly Risk Assessments

Thu, 21 Feb 2019 16:57:32 GMT

Quarterly NIST CSF risk assessments have become the standard in other industries and this standard is now moving into healthcare. The advantages are clear; timely reporting for management and timely reminders for staff.

However the thought of annual risk assessments will cause most staff to break out in a cold sweat. Quaterly risk assessments will seem impossible. The solution is automation and the Jumpstart program from Compliance Helper and ACR2 Solutions provides the proof.

The focus for staff is policies, in this case NIST policies. A NIST policy is written to meet the standards of a specific NIST Safeguard. Staff members are responsible for editing templates of NIST policies to fit the organization and then adopting and implementing the policies.

For management, the Jumpstart program pulls data on a quarterly basis and enters it into the ACR2 Solutions Rapid Risk Assessment Engine. A set of reports is sent including a Certified NIST CSF Risk Assessment and a progress report highlighting areas of improvement. This automated method is supported by human Helpers assigned to each account. Automation With a Human Touch

For more information contact Jack@compliancehelper.com

NIST CSF Risk Assessment: Not Reaonable or Appropriate

Tue, 12 Feb 2019 16:58:45 GMT

NIST CSF Risk Assessment: Not Reasonable or Appropriate
As mentioned last week the possible answers to whether you meet the requirements of a NIST CSF Safeguard are: yes, yes, alternate method, no, and NRA (not reasonable or appropriate).
The acceptable reasons for claiming NRA status are: Cost, Organization Size, Complexity, or Alternate Solution.
In the Jumpstart program we have developed patterns of NRA for specific organizations, such as a small office practice, or a startup software company. We ask the company to confirm that these apply to them. If they agree we inactivate these NIST policies. They are no longer visible in the Jumpstart program but can be reactivated if needed in the future.
When we score the NIST CSF Risk Assessment these Safeguards are marked NRA. An NRA answer is scored the same as a Yes. For small organizations this can give them as much as a 30% Jumpstart on their NIST CSF Risk Assessment.
Initial HIPAA compliance can be achieved in a few days and maintained by accomplishing a few tasks per month.
The Jumpstart method is a cost effective, simple, and quick way to get HIPAA compliant and prove it with a NIST CSF Risk Assessment

NIST Safeguard For HIPAA Compliance

Tue, 05 Feb 2019 19:03:04 GMT

The Safeguards in the NIST CSF are requirements to ensure HIPAA compliance. AT-1 is concerned with security awareness training:

AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

The group writes a security awareness and training policy. The policy will be given to all affected personnel and will be reviewed and updated several times a year. The security awareness and training policy states the purpose for the training, who will carry it out, and what their jobs will entail. The group writes procedures that state how the policy will be carried out. The security awareness and training policy and procedures comply with all laws and rules applicable to the group.

The possible answers are:

Yes, We have a policy in place and have implemented the procedures

Yes ALT, We have implemented an alternative that meets the requirements

No, We are not in compliance but have a plan to get into compliance

NA, This safeguard does not apply to us

What answer(s) best explain why you chose NA?

Cost

Organization Size

Complexity

Alternate Solution

In the Jumpstart program you are supplied with a NIST policy that allows us to answer either Yes or NA when we do your NIST Risk Assessment. In the NIST scoring system an answer of NA scores the same as a Yes.

NIST Safeguard Definition

Tue, 29 Jan 2019 18:12:11 GMT

The HIPAA Security Rule requires organizations to take “reasonable and appropriate” precautions against risks to the integrity, availability and security of protected information. The rule specifies 18 “standards” such as Transmission Security and Workstation use. The 18 standards are further divided into 41 administrative, physical and technical safeguards. Some of these safeguards such as risk analysis and data backup plan are “required”, while others such as automatic logoff and encryption are “addressable” and their associated standards may be achieved in a variety of ways.

An example of a Safeguard: AC-1

AC-1 ACCESS CONTROL POLICY AND PROCEDURES

The group writes, reviews, and updates a policy controlling access to information. Someone is tasked to do this job. This person should have security experience. The group gives the policy to all staff. All staff understands the security policy. The purpose of the security policy is to protect customer information. The policy includes details about how the group protects customer information. Computers that process customer information must be secured. The security system defenses are outlined in the policy. The security policy outlines the types of information that are controlled. The policy tells how information is controlled and who is allowed to access information. The policy assigns security duties to employees.

AC-1 Policy Template (Compliance Helper)

HIPAA Rule Policy/Procedure

ACCESS CONTROL POLICY AND PROCEDURES AC-1

<Organization Name> develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Assigned Responsibility: <Administrator><IT Contractor>

HIPAA References: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i) , 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

List of Organizational Entities:

Policy Clauses:

The purpose of the security policy is to protect customer information. The organization writes, reviews, and updates a policy controlling access to protected information. This policy applies to each of the listed organizational entities.
For each of the listed organizational entities, enter the
<organizational entity name>
<information to which the entity is allowed access, i.e. “all” or “some – specified”>
<conditions required for access, i.e. “valid identification” or “need to know”, etc.>
Responsible party <list name or title> is tasked to specify this policy. This person should have security experience.
The organization gives the policy to all staff, including members of all organizational entities. All staff are trained in and understand the security policy.
This policy includes details listed below about how the group restricts customer information within each organizational entity <Note: may require IT support.>, including a description of:
Entity identification procedure
Individual identification procedures
Implemented access control technology, i.e. password/user-id, biometrics, token, other. <Note: erase items that do not apply.>
Computers that process customer information must be secured using the restrictions listed above.
Safeguard Review: Review applicability annually.

Editing, adopting and implementing Policy AC-1 meets the requirements for Safeguard AC-1 and is scored appropriately in the NIST CSF Risk Assessment.

What is a NIST HIPAA Policy?

Wed, 16 Jan 2019 16:30:40 GMT

The NIST CSF (CyberSecurity Framework) provides a standard that has been lacking in HIPAA compliance. It is a solution to the problem created by HHS refusing to establish a "HIPAA Certification Process".

The key to meeting the standards is adopting and implementing a policy written to meet the standards of the NIST CSF. Our HIPAA policy experts worked with cybersecurity experts from ACR2 Solutions to develop easy to understand policies that qualfied.

These NIST policies were then loaded onto the Compliance Helper software platform. The Jumpstart process leads users along a clear and logical path leading to a NIST CSF Risk Assessment. A HIPAA expert (Helper) is assigned to each account to provide oversight. Initial HIPAA complance can be accomplished in a few days and then monthly task list guide the maintenance requirements of the NIST CSF. Quarterly risk assessments reflect the progress made. The NIST CSF Risk assessment is accepted as the industry standard in healthcare for HIPAA compliance.

Together, Compliance Helper and ACR2 Solutions have developed an elegant solution to HIPAA certification. Your Certified NIST CSF Risk Assessment is your proof of HIPAA compliance.

Jack Anderson

CEO

Compliance Helper

Athenahealth Accepts Our Client as HIPAA Compliant

Tue, 25 Sep 2018 17:05:41 GMT

Athenahealth approved Patient Education Genius as HIPAA compliant.
Patient Education Genius used the Jumpstart program from Compliance Helper and ACR2 Solutions to deliver a Certified NIST CSF Risk Assessment as documentation of their HIPAA compliance. The Jumpstart methodology allowed them to achieve this in 20 days at a cost of less than $1,000.
The Jumpstart portal provided templates of NIST policies and a HIPAA expert called a Helper to provide oversight of the editing process. Data pulled from the portal was used to update the risk assessment and deliver quarterly risk assessment reports. The on-line security awareness training program documented staff training to complete the Cycle of Compliance.

On-going compliance will be delivered through the Care program to maintain the Cycle of Compliance

For information on how to get HIPAA compliant and prove it, quickly, and cost effectively contact me: Jack @compliancehelper.com

Who is Causing your HIPAA Pain?

Thu, 06 Sep 2018 17:18:21 GMT

The NIST CyberSecurity Framework or CSF covers all of cybersecurity but there is a subset of safeguards that are specific to HIPAA. These 139 safeguards cover all of the requirements for HIPAA compliance. A risk assessment shows your current level of compliance in a format and standard that is accepted by all auditors and HHS. Periodic risk assessments (we recommend quarterly) demonstrate progress in achieving your HIPAA compliance goals.

So how do you get this magic talisman?

NIST CSF Industry Standard for HIPAA

Wed, 05 Sep 2018 20:21:48 GMT

We still don't have a certification process for HIPAA but with the NIST CSF we have a standard that is accepted by HHS.

NIST CSF is the new standard for HIPAA compliance in 2018, but you need to keep all of the documents from your earlier HIPAA compliance efforts for six years. NIST CSF will lead you into the future while your documentation of historical compliance efforts will protect your past.

In our Jumpstart program clients begin a process of editing new NIST policies, enrolling staff in on-line security awareness training, and receiving quarterly NIST CSF risk assessments. With their old policies as proof of preveious efforts they can proceed with monthly tasks that will move them onto the NIST polices at a brisk but reasonable pace.

However, if they have outside pressure from a client or a regulator they can accelerate the process. A typical client would take six months to complete the editing process and receive an exemplary risk assessment, however we have had clients that completed this process in a few weeks. We had a client that needed a risk assessment with all safeguards "in the green" in order to receive a multi-million dollar investment. Working together we delivered it in under two weeks.

Jumpstart is a unique program developed to expedite the process of upgrading to the NIST CSF for HIPAA. Let me know if you would like a demonstration.

Jack Anderson, jack@compliancehelper.com

Why HITRUST CSF needs NIST CSF

Thu, 16 Aug 2018 17:21:01 GMT

I recently attended a HITRUST webinar titled "How HITRUST Provides NIST Cybersecurity Framework Certification"
In Q&A someone asked why they would offer NIST CSF in addition to HITRUST CSF. The answer was many managers and directors in healthcare demanded additional proof of compliance and the NIST CSF was deemed as higher proof than the HITRUST CSF

My question would be, why pay tens of thousands for HITRUST CSF and then more for NIST CSF if the NIST CSF alone would do the job.
We offer our Jumpstart program for a much lower cost because we deliver it through a SaaS method and it does not require high priced consultants traveling at the clients expense. You get HIPAA compliant on the NIST CSF with policies written specifically for the NIST CSF. This method also allows us to deliver quarterly NIST CSF risk assessments as proof of your on-going HIPAA compliance.

If you would like to see how Jumpstart can get you HIPAA compliant on the NIST CSF for a fraction of the cost of HITRUST CSF send me an email to jack@compliancehelper.com

Simple HIPAA Checklist

Tue, 31 Jul 2018 18:15:56 GMT

The most popular blog I ever wrote was a HIPAA checklist of ten items needed to prove HIPAA compliance. The NIST CyberSecurityFramework or CSF is the new standard.

The process of getting on the NIST CSF for HIPAA has been simplified with the Jumpstart program from Compliance Helper. There are 139 Safeguards (Policies) required for HIPAA compliance.

1. Identify Polices Not Reasonable or Appropriate (NRA)

2. Baseline Risk Assessment (Free on website)

3. Edit first 12 policy templates

4. Schedule on-line security awareness training for staff

5. Update NIST CSF risk assessment to demonstrate progress

6. Repeat quarterly

With a few hours of work over several days you can achieve initial HIPAA compliance. By continuing to accomplish your monthly tasks you can remain HIPAA compliant and have your quaterly NIST CSF risk assessments as proof.

Go to www.compliancehelper.com and try the Free HIPAA Risk Assessment. Then contact me at jack@compliancehelper.com for an on-line demonstration. Pricing starts at $249.

NIST Policies

Tue, 24 Apr 2018 18:06:13 GMT

Trying to do an official certified NIST risk assessment from HIPAA policies written in the past is like translating hieroglyphics into English. It can be done if you have enough time and money, but why bother?

Our goal is to simplify complex processes. Editing and adopting NIST policies leads directly to quarterly NIST CSF risk assessments with no more effort on your part.

The NIST CSF contains 139 safeguards that must be addressed in order to be HIPAA compliant. Policy templates written to this specification and edited to fit the organization assure that your compliance efforts are applied in an efficient manner.

On a quarterly basis we pull the editing data from your site and update your NIST risk assessment. We then send a package of reports including a progress report and gap analysis.

Updated policies, a current risk assessment, and documented training completes the cycle of compliance and assures that you are HIPAA compliant on an on-going basis.

Certified NIST Risk Assessment for HIPAA compliance

Fri, 06 Apr 2018 16:56:28 GMT

Certification has always been the holy grail for HIPAA compliance, but like the holy grail it is elusive if not unobtainable. What you can achieve is a certified NIST risk assessment which is accepted as the gold standard for HIPAA compliance.

The first prerequisite for a certified NIST risk assessment is an NIST policy written specifically to match the NIST safeguard. Editing, adopting and implementing the policy satisfies the requirement and is recorded as a Yes in the risk assessment. If the policy is not reasonable or appropriate (NRA) to the organization it can be marked NRA with an explanation of why it is NRA. This will be scored as a Yes in the risk assessment.

In the Jumpstart program the user deals with editing and updating policies in the Compliance Helper portal. Scoring and updating the risk assessment happens in the background and the user receives a batch of certified NIST risk assessment reports on a quarterly basis.

For a free demonstration of Jumpstart, and how to get a Certified NIST Risk Assessment send me a request at jack@compliancehelper.com