Category Archives: Risk Analysis

How Risk-Based Security Can Reduce Violence in Healthcare

Posted on by 0 Comments

reprinted with permission from www.securityinfowatch.com

Using Risk-Based Security to Stem the Tide of Violence
in Hospitals and Healthcare

Created by:   Caroline Ramsey Hamilton

Date: May 22, 2014

Hospital and healthcare security is experiencing a major increase in violence,
instigated by patients, patient families and even healthcare staff.  Just last year,
there was an active shooter incident in Reno, Nev., in which two physicians were
shot, and in Houma, La., a hospital administrator was shot to death by a terminated
nurse. As recently as Easter Sunday in California, two nurses were stabbed at the
hospitals, where they worked.  One was stabbed in both the upper and lower torso
and is in critical condition. These two incidents add to the more than 100 violent
incidents in 2013 and the first half of 2014.

Since 2010, violence in healthcare has skyrocketed. As a result, the Joint Commission has
issued a “Sentinel Event Alert” on the issue and contributed to numerous articles on shootings
in U.S. hospitals. The Department of Homeland Security and a consortium of state and local
hospitals recently released a standard for active shooters in healthcare. These all point to the
conclusion that the current law enforcement-based hospital security model is not working.

Changes in Healthcare
The changes in healthcare, including the increase in insured Medicaid patients and increased
traffic to emergency departments, highlights the fact that very well-intentioned people are
working with an outdated security model that hasn’t evolved to address a changing healthcare
environment. The change in billing and reimbursements for healthcare organizations, such as
tracking of readmission rates, has squeezed hospital profits causing reductions in funding in many
security departments at a time when violent events are steadily increasing.

A new risk-based model for hospital security is emerging that is less linear and more cyclical.
It uses technology to a greater extent, employs forecasting and statistical models to predict the
likelihood of future incidents, and is proactive instead of reactive, focusing money and energy on
preventing events instead of simply responding to them. This model also uses risk assessment
formulas to quickly assess the current security profile of a hospital, clinic, hospice, or behavioral
health facility, factoring in heightened threat-risk environment, not only for the facility in question,
but also adding in the wealth of healthcare data that’s now available.

Risk –Based Security Focuses on Continual Assessment
A major focus of this model is the continual assessment and evaluation of preventive security
controls, which are reviewed quarterly, semi-annually, or annually to discover gaps in controls,
and to fix gaps as soon as they are identified. This dovetails nicely into the assessment models
already required by the Joint Commission, OSHA and new CMS standards.

Looking at recent high-profile security events that took in place in hospitals shows that incidents
happen because of exploited gaps in the existing security of the healthcare facility. In the past,
security officers successfully worked hard to reduce response time so that often officers could
arrive in under two minutes, but it’s still too long.  In the Reno shooting, response time was under
two minutes, but that was long enough to kill two doctors.

Focusing on prevention makes sense for healthcare, much in the way the Joint Commission
focuses on patient safety, by continually assessing controls, reducing discovered gaps in controls,
and mitigating gaps by reassessing and tightening security, which creates a cycle of continual
improvement in the healthcare security environment.

Taking Advantage of Technology
The healthcare risk-based security model takes advantage of technology. Instead of waiting
for manual recording of security incidents every day, software programs allow hospital security
officers to enter data at the end of each shift, and that means security directors can map what’s
happening in the hospital or facility on a daily, weekly, monthly and yearly basis.  This can go a long
way to identifying trends early and help facilities make appropriate changes in controls so that
negative trends can be reversed quickly and both patient and staff security is increased.

In addition to automating incident collection and analysis, the healthcare security risk assessments
must be automated too.  Risk assessments are too time-consuming and labor intensive to be done
annually.   By the time the risk assessment is over, the environment has changed again.  By
automating the risk assessments, including environment of care and hazard vulnerability,
it produces data that can be used instantly to analyze and recommend the most cost-effective
controls, and rank them by their return-on-investment (ROI).

The role of security in hospital and healthcare organizations is changing too. Security organizations
should no longer be isolated without intensive interaction with others in the organization, including
the human resources department, the facilities managers, safety managers, and the emergency
management staff.

New DHS Guidelines for Active Shooters in Healthcare
With DHS issuing new guidelines for active shooters in healthcare, hospital emergency managers
are now required to prepare for active shooter incidents, as well as storms, hurricanes, tornadoes,
power interruptions and other events related to natural or man-made disasters.  This creates a
natural partnership between the emergency management staff and the security program,
because the skills of both functions are needed to properly prepare an organization for any disaster.

Instead of existing in a vacuum, healthcare security directors and managers should cheer at
this development because it expands the importance of security inside the hospital or healthcare
facility, and underscores its value in protecting the organizational assets –  the physical facility,
patients, visitors and staff –  to proprietary information, including the HIPAA mandated PHI
(Protected Health Information), vehicles, security systems, high-value healthcare equipment
and the healthcare provider’s reputation.

Security budgets have always suffered because security costs are seen as operating
expenses, not an income source, but by tying the security expenses more closely to loss
prevention and protection of the organization, it creates a cost justification for hospital and
healthcare security.

Risk-Based Security Links to Hospital Compliance Standards
A risk-based security model also links security to myriad compliance standards that affect healthcare
and this also supports and justifies the costs related to security. For example, hospitals are required
to have a variety of security controls in place related to tagging of newborns, posting of no-weapons
signs, and environment of care issues. Any healthcare organization accepting funds from Medicare
or Medicaid must comply with the new mandate for annual security risk assessments. 

OSHA 3148 also requires hospitals and healthcare organizations to do annual workplace violence
assessments, and more than 33 states also require enhanced protection of hospital and healthcare staff.

As security incidents continue to increase and violence in healthcare escalates, making the
switch to a risk-based security program will provide better protection for hospitals and healthcare
organizations, making more effective use of existing security personnel, as well as justifying and
expanding healthcare security budgets.

 

For more information:  contactCaroline Ramsey-Hamilton at caroline@riskandsecurityllc.com

 

Why We Need to Switch to a Risk-Based Security Model – School Stabbing at Franklin Regional, Active Shooter Incidents at Fort Hood (twice), LAX, and The Washington Navy Yard.

Posted on by 0 Comments

When I turned on the news today, I was in the middle of writing an article on the 2nd Shooting
at Ft. Hood from last week, and then saw that there had been a violent knife attack at a
Pennsylvania high school, with 20 casualties and at least eight injured critically, the next day,
there was a hate crime shooting at the Jewish community center in Overland Park, Kansas.

Once again, we see violence on a mass scale, the FBI has been brought in, and next will come
information on the victims.   With two major events, in two weeks, what can we deduce about the
security in place at both Franklin Regional High School, Pennsylvania, and Fort Hood, Texas.

        NEWS FLASH:   THE CURRENT SECURITY MODEL IS NOT WORKING!

CURRENT SECURITY MODELS

Disaster preparedness is improving,  Emergency Management is working, but security is
still not where it needs to be.  It is a systemic problem based on the fact that security around
the U.S. is still locked in a REACTIVE mode, not a PROACTIVE mode.

The main reason for this reactive mode in security organizations, is because most security
officers come from a law enforcement background, with a model which is based on crimes
and arrests, and it is totally REACTIVE.  A crime happens and police officers go into action
and arrest the perpetrator(s).

CRIME HAPPENS    =    PERP IS IDENTIFIED    =   PERP IS ARRESTED

Unfortunately, this reactive model does not work for preventing security incidents and mass violence
because it is INCIDENT DRIVEN, not Risk-Driven.  It focuses on individuals, not on a more holistic,
generalized view of Threats, and it totally leaves Solutions (Controls) out of the equation.

After studying pages of after action reviews, post-incident analyses and media sources, the one
recommendation that makes sense is that organizations need to switch to a RISK-BASED,
PROACTIVE mode for security to work.

This was highlighted in a remark made by a Pentagon official, commenting on the 2nd Fort Hood
Shooting on April 2, and the fact that new DOD recommendations for security, had just been released.

“After the Navy Yard shooting in September 2013, another round of recommendations were made
to improve security at all DOD installations, however, a  Pentagon official said that the new
recommendations had not yet been put into effect at Fort Hood.  At Fort Hood, very little had
changed from 2009 regarding security procedures for soldiers at the entrance gates.”

The question for the Department of Defense is “how could this happen again at the same military
base?  I took extra time to study the 89-page document called An Independent Review “Protecting
the Force”, one of 3 reports created after the initial Fort Hood Shooting, whene 13 were killed, and
43 injured.

If you look at the recommendations, they are very bureaucratic and procedural.  They could have
been written by an efficiency expert, not by anyone with a background in security, and covered things
like policy changes, and having screening for clergy and psychologists, and improved mental health
programs.   These are all important, but they do not provide a secure environment.

The LAX after action analysis’ Number One recommendation was to change
the security focus to a Risk-Based approach.

 


RISK-BASED SECURITY

The problem with a reactive approach is that you can’t screen and lock down everyone. At Fort
Hood, for example, there are 80,000 individuals living on the base, and probably hundreds of
visitors who go in and out every day.  It’s impossible to assess the mental health, and the
‘intentions’ of all of them.

FortHoodAmbulances-Medium

That’s why a Risk-Based Approach works – because it focuses on the potential threats and then evaluates the existing controls to see whether they offer the required amount of protection based on the likelihood of the threat occurring.

You stop violent events by controlling access and by controlling weapons.  No matter how unpopular they are, you use metal detectors at certain points, you use security officers at key entrances, you control entrances and exits.

Once the event starts, you can improve security by having faster notification (panic alarms), ability
to block, or disable weapons and attackers, adequate transport, better emergency response, but to
avoid the violence, you need to have strong access control.

The Risk-Based approach makes use of annual risk assessments that are holistic in nature. They
are not done in stovepipes, they include the entire organizations, they include input from staff
members, visitors, students, vendors, soldiers, patients on how they see security from their point
of view, which is always dramatically different from management or administration.

A risk-based approach requires an organization to:

  • Define potential security risks.
  • Develop standardized risk assessment processes, for gathering and
    analyzing information, and use of analytical technology
  • Risk-Based Security focuses on PREVENTION OF NEW INCIDENTS
    whether they are active shooter, general violence, etc.
  • Enhances security’s ability to rapidly respond  to changes in the threat environment.

MORE BANG FOR THE BUCK

According the LAX (LAWA) after action report, “Simply adding more security does not
necessarily provide better security.  Determining priorities and where to achieve great
value for the dollars invested requires regular, systematic assessment of the likelihood
and consequences (risks) associated with a range of threat scenarios that morph and
change more quickly now than ever before. 

Collaborative engagement in a security risk assessment process across the community builds
the buy-in needed to develop and sustain a holistic security program over time. Leaders must
be open to challenging established practices and demonstrate a willingness to change direction”.

Making the switch to a Risk-Based security program is the best recommendation for those who
want to protect their staff, students, patients, vendors, clients, soldiers, and visitors from a mass
casualty event, or for all the organizations who don’t want to have a terrible incident happen in
the first place!

 Caroline Hamilton, friend of Patty Garitty (Soup Kitchen voluteer)

Caroline Ramsey-Hamilton

President, Risk and Security LLC

Caroline@riskandsecurityllc.com

 

www.securityinfowatch.com/blogs

www.riskandsecurityllc.com

After Action report on LAX Shooting Recommends Risk Assessments

Posted on by 0 Comments

The Los Angeles World Airports (LAWA) released the long-anticipated After
Action Analysis on the LAX Active Shooter Incident in 2013.

The 83-page report was written by an independent consultant who analyzed
all aspects of the Shooting incident and includes a list of “Major Observations
and Recommendations.”   The recommendations are “to provide focus for
LAWA’s efforts toward continuous improvement in it’s security and emergency
preparedness programs.  

These areas were highlighted in the report as “7 priority observations that merit
special consideration.

Recommendation 1.1:  Evolve the LAX Security Program to reflect a more
integrated assessment of security risk and provide for the ongoing development
and management of mitigation measures.

Recommendation 1.2:  Based on the RISK ASSESSMENT and updated security
plan, consider the focus and structure of security functions to determine whether
realignment and integration are needed.

Recommendation 1.3:  With the benefit of recent vulnerability and risk assessments,
take a risk-based approach to evaluating current security programs and explore
intelligent use of technology.”

Once again, doing frequent Security Risk Assessments and managing the security
program and enhancements to follow the recommendations of the Risk Assess-
ment are the first recommendations in the After Action Analysis of an Active
Shooter Incident.

In my experience, in most organizations, Facility Security Risk Assessments are
not conducted correctly, are not reported to senior management, and not used as a
tool to ADJUST AND FOCUS the security program based on RISK.

Why aren’t security risk assessments done more often?  

1.  People don’t have the right expertise to do a full risk assessment.

2.  Security managers view Security Risk Assessments are too difficult
     to undertake.

3.  Law enforcement personnel still do not understand the concept of risk 
     assessments and instead, tend to rely on checklists of controls or
     security elements, rather than integrating all the information to
     create a true Risk-Based model for security.

The solution to this problem is to use affordable, easy to use software tools, like
the Risk-Pro Application for Facilties Security Assessment  and their Risk-Pro
Application for Active Shooter Incident to simplify the process of doing more
frequent risk assessments and using them as a management tool to focus
security so it will be able to recommend the security enhancements that are
needed, and not only how MUCH to spend, but actually dictate the order
of necessary controls.

Far from being a boring, intellectual exercise, well done security risk 
assessments can dramatically reduce the possibility of an active shooter
event, and also mitigate the many negative consequences that come
from such disruptive incidents.

 

 

 

DOD-OIG Report on Security Weaknesses at the Navy Yard

Posted on by 0 Comments

The recently released 56-page report by the Department of Defense, Office of the Inspector General found that the Navy Access Control System did not adequately control the risks to the Washington DC Navy Yard and other sites under their control.

NCACS did not effectively mitigate access control risks associated with contractor installation access. This occurred because Commander,
Navy Installations Command (CNJC) officials attempted to reduce access control costs.

As a result, 52 convicted felons received routine, unauthorized installation access, placing military personnel, dependents, civilians, and
installations at an increased security risk.

Additionally, the CNIC N3 Antiterrorism office (N3AT) misrepresented NCACS costs. This occurred because CNIC N3AT did not perform
a comprehensive business case analysis and issued policy that prevented transparent cost accounting of NCACS. As a result, the Navy
cannot account for actual NCACS costs, and DoD Components located on Navy installations may be inadvertently absorbing NCACS costs
.
Furthermore, CNIC N3AT officials and the Naval District Washington Chief Information Officer circumvented competitive contracting
requirements to implement NCACS. This occurred because CNIC N3AT did not have contracting authority. As a result, CNIC N3AT
spent over $1.1 million in disallowable costs and lacked oversight of, and diminished legal recourse against, the NCACS service provider.

You can read the entire report at:  http://www.dodig.mil/pubs/documents/DODIG-2013-134.pdf

 

Courtesy Caroline Ramsey-Hamilton at Risk and Security LLC

caroline@riskandsecurityllc.com

 

 

 

 

What’s Your Active Shooter Risk? How to Assess the Threat!

Posted on by 0 Comments

Just the idea of an Active Shooter in your organization, whether you’re a military base, like Fort Hood, and the Washington Navy Yard, or a school like Sandy Hook, a beauty shop, a cracker factory in Philadelphia, a retail mall, a movie theatre, a grocery store parking lot, or a hundred other places, is a terrifying thought.

I lived about 3 miles from one of the shooting sites, a gas station, used by the Beltway Snipers back in October, 2002.  They killed ten people, totally at random, and critically injured three others.   Both of the snipers were sentenced, and John Muhammad was killed by lethal injection in 2009.

If you lived in the DC area, do you remember how scary it was just to pump gas into your car,  people were huddled against the side of their cars in the gas stations, and hidden by their shopping carts at the local Home Depots.

The fear of the Active Shooter comes from the seeming randomness of the action, which means there’s no way to prevent it, unless you give up, stay home, and hide under the bed all day.

But there are things you can do.  Instead of thinking of an Active Shooter incident as a totally unique situation, it’s really a form a Workplace Violence, Gas Station Violence, Parking Lot Violence and other related forms of random violence.   In fact, the Department of Homeland Security has identified quite a few steps you can take to keep yourself safer if you are in the vicinity of an active shooter (http://www.dhs.gov/active-shooter-preparedness).

Most of the shooters are mentally ill.  Normal individuals do not enjoy planning and killing strangers, and it is usually a last ditch effort, with the suicide of the shooter as the grand finale.   Their actions can sometimes be identified early, and the police can be alerted, or the Human Resources group at work, or even the local Sheriff can intervene before it gets to the actual shooting.

Signs that someone is having trouble negotiating their life, especially if that someone is a gun fanatic, with their living room full of AK-47 assault weapons and hollow point bullets, is not hard to spot, because these individuals often leave lots of warning signs, like:

  • Irrational Posts on Facebook or inappropriate tweets.
  • Threats made against friends and family.
  • A dropoff in personal hygiene, as the person gets more obsessed.
  • Problems negotiating their personal life.
  • Demonstrating signs of isolation and groundless paranoia

Organizations can protect themselves from an potential active shooter through a combination of specific controls that include elements like access control, continuous monitoring of cameras, employee awareness and training programs, clear cut evaluation routes, regular active shooter drills, and hardening of facilities, to name a few.

One of the best preventive measures is to conduct an Active Shooter Risk Assessment, which is similar to other security analyses, except that it is focused on a particular set of threats related to an Active Shooter Incident.   As part of my annual Threat Trend Reports, I’ll be releasing a new set of threat data about the Active Shooter, to help organizations calculate their risk of
having such an incident.   For example, did you know that the number of active shooter incidents has jumped from 1 in 2002
to 21 incidents in 2010?

ActiveShooterIncidentsbyYear

 

 

 

 

 

 
Locations have changed, too, and we found that

About 25% of active shooter incidents occur in schools,
About 25% in retail locations, and
About 37% in workplaces.

In future blogs, we’ll be looking at each element of the active shooter incident, and providing more information to keep
your organization safe.

 

 

Navy Yard Shooting Highlights Effect of Cuts to Navy Security

Posted on by 0 Comments

Security professionals around the entire were shocked and dismayed when they turned on the news and saw the historic Washington Navy Yard locked down, surrounded by emergency vehicles, and looking for an active shooter.

All the shock, the outrage, the Defense Department reaction, the involvement of the overlapping law enforcement jurisdictions, has apparently been already forgotten by the public, moved to the virtual ‘old story’ pile by the latest news of a mall shooting in Kenya, meeting at the UN, and the politics as usual in Washington DC.

If you graph it online, you can see the dramatic spike and then the dramatic drop-off in interest by the general public. This highlights what the security community has to deal with, in the context of a 24 hour news cycle.

My perspective on the event was personal because one of my very best friends was in Building 197 that day, a former navy commander, now a contractor, who went to work at 5 am that morning, and finally returned home at 9 pm that night.  Unlike many shootings, the PCs, smartphones were all up and operational during the event, so people were instantly able to communicate with friends and relatives as the event unfolded.

NavyYard-smallRumors ran rampant that it was terrorism related, that there were three shooters, then that rumor switched to two shooters and eventually to only one shooter, Alexis Aaron, a mentally disturbed young man who had previous events of gun violence and yet had a top secret security clearance at the time of the shooting.

If we took a poll three weeks ago and asked people which facility would they judge to be the safest, the results
would probably look something like this:

1. Military Base in the U.S.
2. Hospital
3. Regional Mall
4. Police Station

Unfortunately – this is more like a list of the places where a shooting is more likely to take place.  As all the work in workplace violence statistics shows, a domestic Military Base has been the site of two mass shootings in only the last 4 years.  This includes the twelve killed and eight wounded at the Washington Navy Yard, as well as the thirteen killed and twenty injured at the Fort Hood shooting in late 2009.  That’s an average of 6 killed each year, and 8 injured, and doesn’t take into account any random shootings, training-related injuries, only the mass shootings.

Hospitals have increased in violent incidents every year for the last ten years, and we just witnessed a mass shooting at a Kenyan Mall.

However, the hospital and the mall are both completely OPEN, they want people to come in, they don’t control access at all.
This is what is so surprising about the Navy Yard shootings, the lack of security, lack of enough armed guards, lack of current background checks, lack of metal detectors, lack of retina scanners, and every other usual form of security control.

Speculation is that the key controls were missing because of budget cuts, which means that the Navy made the decision to reduce security controls, instead of cutting other, less critical programs.  The incident makes a strong case for examining the potential Return on Investment for security controls!

Even if the shooter’s background check was “current”, it certainly had not been updated based on his own recent events, and brushes with the police, and, of course, the anger and mental health problems appears again, and is shrugged off as too tough to manage and track.

However, it is a wake up call for the U.S. Navy, the Department of Defense, the U.S. Capital Police, and a variety of other organizations who “Secure” the Washington DC Capitol zone, and it leads to more questions than answers.

Already, the questions are starting about what controls SHOULD be in place for all military bases, and, naturally, re-examining the background check process and how it could be updated and improved.

Let’s not forget this time.

 

 

 

 

Last-Minute HIPAA Compliance Tips

Posted on by 0 Comments

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you
have done everything you could possibly do, to be in full compliance with every
part of HIPAA:

1. Finish a current HIPAA Risk Analysis – CHECK

2. Rewrite Business Associate agreements – CHECK

3. Rewrite Policies & Procedures – CHECK

4. Get PHI off the office copiers – CHECK

5. Gather Documentation in one place – CHECK

6. Start HIPAA Security Awareness Program – CHECK

7. Update HR Sanctions Policies – CHECK

8. Finalize Contingency Plans – CHECK

9. Add more encryption – CHECK

10. Implement Plan for Smartphones & Mobile Devices – CHECK

11. Have staff sign new Affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the OCR
regulators are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the
automated network controls you have implemented.

2. A record of every application, every database, etc. that hold PHI, are used to create,
manage, or share PHI, in both electronic and paper form.

2. Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3. A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4. List of all HIPAA controls that are currently in place and verification documents.

5. Copies of all Business partners agreements and contracts

6. A notarized statement signed by the Board Director, CEO or Administrator formally
stating the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules.

7. Copies of recent employee surveys validating their stated compliance with all HIPAA
Security, Privacy, and Omnibus Rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.
It says “PREPARED” in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

For More Information, Contact Caroline Hamilton at caroline@riskandsecurityllc.com

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

Posted on by 0 Comments

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

 

 

 

 

HIPAA COUNTDOWN – 26 DAYS LEFT TO COMPLY WITH HIPAA OMNIBUS RULE!

Posted on by 0 Comments

The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about
what NEEDS to be done right now.   Here’s a sample of the questions,

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?” 
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is
the lead federal agency for HIPAA Enforcement, “The Number One Thing you need to do before September 23rd
is to update, or start a new HIPAA Risk Analysis.”  

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter!  His twitter handle is @OCRLeon.

 

 

 

Countdown for HIPAA — Less than 25 days to Deadline & How to Get A Free HIPAA Risk Analysis Guide

Posted on by 0 Comments

NEW DEADLINE:  September 23, 2013

The new HIPAA Omnibus rule became law on March 23, 2013.   The main provisions of the Rule, which include new requirements for healthcare organizations, insurance companies, hospitals, clinics, pharmacies, dental practices and many other organizations, also include Business Associates, which means any organization that has access to patient medical records (PHI- Protected Health Information).

So all the data managers, the data storage companies, the lawyers and countless other companies who are part of flow of healthcare and medical data also have to have a completed HIPAA Risk Analysis by September 23, 2013!

For primary healthcare providers, to be in compliance with the HIPAA Omnibus Rule, they have to revise all their policies and procedures, and also rewrite their contracts with business associates, to place responsibility for data protection on the business associates. And business associates have to apply the same policies to their subcontractors too.  So thousands of policies and contracts are being furiously re-written, as I write this!

Completing a  HIPAA Risk Analysis is the best way to prepare for the deadline, and also to pinpoint any area where your organization needs to
improve a control, a policy or their operating procedures.   As a core HIPAA requirement, the Risk Analysis is a kind of summary of where the organization is in relation to all the HIPAA Rules, including HIPAA Privacy, HIPAA Security, NIST SP 800-66, the Office of Civil Rights, and the
Breach Notification Act.

There are great software tools available to help managers do a HIPAA Risk Analysis (like my HIPAA Risk-Pro program), available online at
www.flash-risk.com, or, as another option, many other organizations are hiring HIPAA consultants to come in and do a Risk Analysis for them.

So if you are a healthcare organization, or a designated business associate, you can start your HIPAA Risk Analysis on Tuesday, Sept. 3,
and have it completed by the deadline.

The Office of Civil Rights has a big pot of money, collected from fines, and they have hired more investigators to go out and audit all these organizations for HIPAA Compliance.  Recently a small hospice in Idaho was fined $50,000, and a physicians practice in Arizona was fined $100,000, and
many other organizations, including states and health plans, have been fined more than $1,000,000 for a variety of violations, including not
having a current Risk Analysis.

For more information on how to do a HIPAA Risk Analysis, you can write to:  info@riskandsecurityllc.com and get a free HIPAA Risk Analysis Guide, a free Project Plan, and a copy of exactly what the OCR Regulators look for when they conduct a HIPAA audit.