Risk and Security LLC

Risk Assessments, Training and More


Health Insurance

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have done everything you could possibly do to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
3.  Rewrite Policies & Procedures – CHECK
4.  Get PHI off the office copiers – CHECK
5.  Gather Documentation in one place – CHECK
6.  Start HIPAA Security Awareness Program – CHECK
7.  Update HR Sanctions Policies – CHECK
8.  Finalize Contingency Plans – CHECK
9.  Add more encryption – CHECK
10. Implement Plan for Smartphones & Mobile Devices – CHECK
11. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from OCR are sitting in the lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, started, or not yet done, your insurance policy is being able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all of your supporting documentation, including:

1.  All information, including network diagrams, on where the PHI is on your network, and the automated network controls you have implemented.

2.  A record of every application, every database, etc. that holds PHI or is used to create, manage, or share PHI, in both electronic and paper form.

3.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

4.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring binders.

5.  List of all HIPAA controls that are currently in place and verification documents.

6.  Copies of all business partner agreements and contracts.

7.  A notarized statement signed by the Board Director, CEO or Administrator re-stating the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules.

8.  Copies of recent employee surveys validating their stated compliance with all HIPAA Security, Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring binders, which you will pull out of a cabinet designed for high security. Nothing thrills a regulator or auditor more than getting everything they ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about what NEEDS to be done right now. Here’s a sample of the questions:

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?”
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?”

To quote Leon Rodriguez, the Director of the Department of Health and Human Services Office for Civil Rights, which is the lead federal agency for HIPAA enforcement: “The Number One Thing you need to do before September 23rd is to update, or start a new, HIPAA Risk Analysis.”

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter? His Twitter handle is @OCRLeon.

Why HIPAA Compliance is Related to Federal Contracts

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, a federal grant for providing special care or addiction treatment, participation in an NIH trial, or grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they first have to sign a contract certifying that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES. In the old days, this may have meant that you didn’t discriminate in your hiring policies, that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like those for a GSA Contract or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means the HIPAA buck stops with you – you need to explain this to your manager or director. This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!


AT RISK – YOUR HEALTH – Check out the antidote for overweight Baby Boomers – The Juice Reboot solution featured in the new movie ‘Fat, Sick & Nearly Dead’. It convinced me!

Fat Sick And Nearly Dead: A Movie Review from Dr. Whimsey

Recently, I watched the movie “Fat, Sick, and Nearly Dead,” available on Netflix. The film chronicles the real life adventure of Joe Cross, an entrepreneur from Australia, who decides to go on a 60 day juice fast. Cross had a series of medical conditions that included obesity, and an autoimmune disease commonly referred to as “Chronic Idiopathic Urticaria.” Cross’s decision to go on a juice fast is based on the idea that his lifestyle choices made him sick. In fact, many healthcare providers now believe that much of America’s epidemic of obesity and chronic disease has more to do with diet and lifestyle choices than anything else.

The film was shot in the United States, and depicts Cross traveling across the country asking people about health and diet, while discussing the current medical epidemic of obesity and chronic disease that has led to Americans consuming more prescription drugs than any other nation on earth. Along the way Cross meets a truck driver named “Phil.” Phil is 425 pounds and suffering from the same debilitating disease. Phil decides to go on his own juice fast and not only recovers his health but loses close to 200 pounds (for his part, Cross lost around 90 pounds during his fast).

This film is amazingly inspirational, and I highly recommend people watch it. Not just because it demonstrates how diet and exercise can cure disease, but because it addresses what I have come to believe are gaping holes in our current healthcare system. Mainly, the lack of emphasis we have placed on diet and lifestyle changes to cure disease in this country, having opted instead for the “quick fix” that medications can offer.

The film maker argues that juicing is better than eating foods raw because it would take far too many fruits and veggies to equal the amount of nutrients found in a single glass of juice. Therefore, in order to maximize the amount of micronutrients available in vegetables it is better to juice them.

This is not a perfect film. I am not a huge proponent of a juice only fast. One of the main reasons I don’t like this type of fast is because it eliminates fiber from the diet. Fiber is vital to our health for a number of reasons. For starters, fiber bulks up our stool helping us to have healthier and more frequent bowel movements (preventing constipation, and decreasing our risk of diverticulitis and polyps). Fiber is also thought to reduce our risk of colon cancer and type II diabetes. Fiber also helps keep our blood sugar stable. It does this by slowing down how quickly sugar can enter the blood stream; preventing the elevated levels you can sometimes get from consuming high sugar content food items like soda pop and white bread.

Instead of the juice only diet seen in this film, I advise people to combine a juice fast with nutrient dense foods like plenty of raw veggies, brown rice, and beans. This keeps the blood sugar stable during the fast, while still gaining all of the added benefits of taking in nutrient dense juices.

Like every article we write on Anderson Health Watch, we always want you to ask your doctor before starting any diet or exercise regime to see if it is right for you.

See the original Dr. Whimsey review at:

Last week I showed you my medical records – now I’m going to give you my take on the Healthcare Bill & Accountability!

I never had health insurance — shocking, isn’t it!! I grew up and raised two wonderful sons without any health insurance. Part of it was my natural disinclination for paperwork, part of it was my years of being self-employed, but the main reason was I never understood why I should pay someone – that is – bet against myself — on my health.

Because I wasn’t saddled with medical paperwork, I could negotiate with the doctors for treatments I needed and usually got the price down 40% BECAUSE they didn’t want to use insurance anyway – it meant they got paid in six months instead of right now.

My family believed in Adelle Davis – for those younger readers – she wrote “Let’s Eat Right to Keep Fit” and “Let’s Cook It Right”, “Let’s Get Well”, and “Let’s Have Healthy Children”. These books came out in the 50s and my mom was an immediate convert. In fact, if you find these tattered old paperbacks in a used book store – you’ll see they were ahead of their time, in worrying about aluminum pans contributing to Alzheimer’s, endorsing fresh fruit and veggies for Vitamin C, and taking on the food industry which mightily contributes to disease in this country.

I was never sick. One bout of Scarlet fever that left my sister, Linda, deaf in one ear, but other than having two children – I was never sick. The one year I did have health insurance was a total loss – paid about $3000 for N*O*T*H*I*N*G.

Mind you, I’m in favor of national healthcare, delivered simply and effectively. I am NOT in favor of fifteen x-rays for a sprained ankle, seventeen mammograms that find nothing and basically – what I call the over-zealous use of medical technology.

Hey – news flash – healthcare is a BUSINESS!! Healthcare providers want to MAKE MONEY. The more procedures they perform – the more money they make.  It’s a very simple system.

So if it’s true that you have to incentivize people to stay healthy – maybe that’s the way to teach personal accountability for your own health!   I am amazed at how many of my friends, who are smart, and well-educated – turn their healthcare over to any doctor and do not question anything the doc says.  They don’t ask about the procedures or the tests, and they always assume that the doc knows best.

Nothing wrong with doctors – I love them.  But it’s YOUR BODY – learn how to take care of it!  Watching all the news about obese children, increase in diabetes, and declining health of the baby boomers (me included – I’m a baby boomer, but still healthy), it’s clear to me that what is missing is the connection between how someone lives every day – and how healthy they are.   So how do you encourage a healthy lifestyle?  That’s the $64,000 question.

My ingredients are simple:

Being outdoors
Taking extra vitamins and herbs
Getting moderate exercise
Eating less animal products
Low fat dairy
Don’t eat refined foods
Having pets
Doing work you love
Stress relieving activities – yoga and meditation work for me.

And… the big secret – being happy every day. 

So I am all for encouraging accountability and changing the insurance picture in this country. This could mean a sliding scale of insurance costs based on how healthy you are, like a Good Driver Discount for Staying Healthy!

Having employer-sponsored plans also weighted, with unhealthy workers penalized (I know that’s tough love – but they will thank you years later).

And adjusting pricing of health services so that preventive things – like getting your blood pressure checked – become less expensive than procedures like MRIs and CAT scans.

Getting back to my original point – if you are totally RESPONSIBLE for your own healthcare – you make the extra effort to stay healthy. It’s a personal choice we all make every day.