Risk and Security LLC

Risk Assessments, Training and More




The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about what NEEDS to be done right now. Here’s a sample of the questions:

“Should I do a penetration test before Sept. 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept. 23rd?”
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?”

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is the lead federal agency for HIPAA enforcement, “The Number One Thing you need to do before September 23rd is to update, or start a new, HIPAA Risk Analysis.”

According to the OCR Guideline on Risk Analysis, “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the first area that OCR will address when they visit is: “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter? His Twitter handle is @OCRLeon.




AT RISK – YOUR HEALTH – Check out the antidote for overweight Baby Boomers – the Juice Reboot solution featured in the new movie “Fat, Sick & Nearly Dead”. It convinced me!

Fat Sick And Nearly Dead: A Movie Review from Dr. Whimsey

Recently, I watched the movie “Fat, Sick, and Nearly Dead,” available on Netflix. The film chronicles the real life adventure of Joe Cross, an entrepreneur from Australia, who decides to go on a 60 day juice fast. Cross had a series of medical conditions that included obesity, and an autoimmune disease commonly referred to as “Chronic Idiopathic Urticaria.” Cross’s decision to go on a juice fast is based on the idea that his lifestyle choices made him sick. In fact, many healthcare providers now believe that much of America’s epidemic of obesity and chronic disease has more to do with diet and lifestyle choices than anything else.

The film was shot in the United States, and depicts Cross traveling across the country asking people about health and diet, while discussing the current medical epidemic of obesity and chronic disease that has led to Americans consuming more prescription drugs than any other nation on earth. Along the way Cross meets a truck driver named “Phil.” Phil is 425 pounds and suffering from the same debilitating disease. Phil decides to go on his own juice fast and not only recovers his health but loses close to 200 pounds (for his part, Cross lost around 90 pounds during his fast).

This film is amazingly inspirational, and I highly recommend people watch it. Not just because it demonstrates how diet and exercise can cure disease, but because it addresses what I have come to believe are gaping holes in our current healthcare system. Mainly, the lack of emphasis we have placed on diet and lifestyle changes to cure disease in this country, having opted instead for the “quick fix” that medications can offer.

The film maker argues that juicing is better than eating foods raw because it would take far too many fruits and veggies to equal the amount of nutrients found in a single glass of juice. Therefore, in order to maximize the amount of micronutrients available in vegetables it is better to juice them.

This is not a perfect film. I am not a huge proponent of a juice only fast. One of the main reasons I don’t like this type of fast is because it eliminates fiber from the diet. Fiber is vital to our health for a number of reasons. For starters, fiber bulks up our stool helping us to have healthier and more frequent bowel movements (preventing constipation, and decreasing our risk of diverticulitis and polyps). Fiber is also thought to reduce our risk of colon cancer and type II diabetes. Fiber also helps keep our blood sugar stable. It does this by slowing down how quickly sugar can enter the blood stream; preventing the elevated levels you can sometimes get from consuming high sugar content food items like soda pop and white bread.

Instead of the juice only diet seen in this film, I advise people to do a juice fast combined with nutrient dense foods like plenty of raw veggies, brown rice, and beans. This keeps the blood sugar stable during the fast, while still gaining all of the added benefits of taking in nutrient dense juices.

Like every article we write on Anderson Health Watch, we always want you to ask your doctor before starting any diet or exercise regime to see if it is right for you.


See the original Dr. Whimsey review at:


Unsnarling political differences based on Type preferences

A key component of decision making is laying out all the options to make an informed decision.

Watching the angst of the political parties trying to solve the debt problem shows that they are both charging around saying their favorite rallying cries, which does not promote dialogue, but just inflames the other party.

Think of these two parties, Dems and Repubs, as made up of two TYPES of individuals. The MBTI (Myers Briggs Type Indicator) personality test is made up of 16 distinct types of people, and you can summarize and put them into two main groups – the Traditionalists and the Innovators.

See if this sounds familiar – Traditionalists like for things to stay the same; they always support the status quo. They dislike change for change’s sake, so they don’t want to raise taxes. They like to keep a strong sense of order, so they are often military, law enforcement, corporate titans, etc. They are often presidents of associations and organizations, and they are great at keeping things running efficiently.

Innovators want to explore and try new things – in life AND in politics. They want to get out of Afghanistan and put in a new tax structure, and reinvent old institutions, instead of cherishing them, as the Traditionals do.

Both these groups have great contributions that they make to society – Traditionals keep things organized and running and Innovators find new, better ways of doing things.

Innovators are always searching for the next new thing, so it’s no coincidence that California has more than its statistical share of Innovators – they kept going west, and kept looking, until stopped by the Pacific Ocean.

Type preferences are set before you are 5 years old and indicate preferences for your entire life.  I am already seeing types emerge from watching toddlers under the age of 2.

When you understand the values of the other party, according to type preferences, you can have a more civil dialogue because you can now understand where the other side is coming from, so to speak. 

You can find out which type you are, or just find out more about the MBTI, at www.myersbriggs.org.

What do they want? #egypt


Watching events play out on CNN, I saw a commentator ask, “What Do They Want?”, meaning what do these protestors want?

I know what they want. I know because I have been working with people all over the world for years – both in person and online, by blog, by email, by phone.

Everyone wants the same thing – personal dignity and the chance for a better life for themselves and for their children. The desire for upward mobility is built into our DNA. It is built into the idea of evolution. It is why animals compete for the best perch, the best cave, the best tree, the best nest, the best plumage, the best mate……

You can apply all the slogans you want and make a list of the emotions people everywhere want to feel:


And what that means, as I see it, is that they want:
A better life for their children
To be able to Laugh
To fall in love and have a family
Better education
Stable food supply
Basic healthcare
Affordable basics – like food and housing and energy
Freedom to be themselves.

The internet is sort of like God, without all the judgement. In many ways, the internet is THE GREAT EQUALIZER. That’s why the 60-year old man can hide and pretend to be 27 again on a dating site – or even pretend to be a woman! When you communicate on the internet, all the external things that people use to stereotype, pigeonhole and judge people are eliminated because of the way the message is communicated. (Remember – the MEDIUM IS THE MESSAGE….)

So it doesn’t matter what you look like on the internet – it doesn’t matter about your religion, race, sex, formal education, job – nothing. The only thing that matters is your words – what you choose to tell the world about yourself.

That creates GREAT freedom, and the way the internet lets you search and research and look around means that a person in Cambodia living on one dollar a day can get online and see that Amazon has 50 million different things to buy. And look at those things – and see how much a bag of crackers costs in the US.

So these events in the Middle East are earth-shaking for a lot of reasons, but mostly because this yearning for equal opportunity and the yearning to make your own life better is the irresistible siren call. It cannot be stopped. It cannot be silenced, and just because it is starting in Egypt doesn’t mean it is going to take over the world. Because I think it is.

All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

An amazing development in HIPAA compliance took place on May 7th. What a great surprise for a Risk Analysis/Risk Assessment person! The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their electronic protected health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance on exactly what was expected and how organizations should accomplish the risk analysis.

Why the Office of Civil Rights? Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy, including the enforcement of the HIPAA requirement. And the guidance is long overdue. I have had dozens of conversations with individuals at hospitals, discussing what a risk analysis is and what the basic elements are, and I am THRILLED to report that the OCR agrees with my methodology.

The draft guideline on risk analysis also takes the same track that the financial regulators have taken in their guidance to banks and credit unions. That is, the risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis not as a one-time drill, but instead as an ongoing process to help organizations evaluate their risk, focusing on the confidentiality, integrity and availability of protected health information. The Risk Analysis Report creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, or deciding when, if or how to use data.

A risk analysis is also the basis for an organization’s understanding of the technologies it will need to secure protected health information, OCR said in the draft guidance of May 7.

To quote directly: “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline, include the following five elements of risk analysis (and risk assessment):

1. Identify and characterize the assets that need protection, including the databases, the applications, etc.

2. Analyze the relevant threat data – focusing on what could adversely affect the assets (ePHI, in this case).

3. Model the potential losses that could result from the threat actually materializing.

4. Find the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.

5. Develop appropriate controls to reduce potential loss, reduce existing vulnerabilities, and make sure the controls are cost effective.
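The five elements above, worked through as a small model (added example, not code from the Risk and Security LLC post or from the OCR guidance): an inventory of ePHI assets, the threats to each, the vulnerabilities that raise the odds of a loss, the expected loss that results, and a cost-effectiveness check on each candidate control. Every asset, threat, likelihood, multiplier and dollar figure is a constructed estimate, not a value from the page.

```python
# Added example, not code from the Risk and Security LLC post or the OCR guidance:
# a minimal model of the five risk-analysis elements, applied to ePHI.
# All names, probabilities, multipliers and dollar figures are constructed estimates.
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Asset:            # 1. identify and characterize the assets holding ePHI
    name: str
    records: int        # ePHI records the asset creates, receives, maintains or transmits
    cost_per_record: float

@dataclass(frozen=True)
class Threat:           # 2. relevant threat data for a given asset
    name: str
    asset: str
    base_likelihood: float   # annual probability with no aggravating vulnerabilities
    records_affected: float  # fraction of the asset's records exposed if it materializes

@dataclass(frozen=True)
class Vulnerability:    # 4. weaknesses that raise the odds of the loss occurring
    name: str
    threat: str
    likelihood_multiplier: float

@dataclass(frozen=True)
class Control:          # 5. candidate safeguard that removes one vulnerability
    name: str
    removes: str
    annual_cost: float

def annual_expected_loss(asset, threat, vulns):
    """3. model the loss: likelihood (capped at 1.0) times loss magnitude."""
    mult = prod(v.likelihood_multiplier for v in vulns if v.threat == threat.name)
    likelihood = min(1.0, threat.base_likelihood * mult)
    magnitude = asset.records * asset.cost_per_record * threat.records_affected
    return likelihood * magnitude

def evaluate_control(control, assets, threats, vulns):
    """Return (annual risk reduction, cost-effective?) for removing one vulnerability."""
    remaining = [v for v in vulns if v.name != control.removes]
    by_name = {a.name: a for a in assets}
    before = sum(annual_expected_loss(by_name[t.asset], t, vulns) for t in threats)
    after = sum(annual_expected_loss(by_name[t.asset], t, remaining) for t in threats)
    reduction = before - after
    return reduction, reduction > control.annual_cost

# Constructed sample inventory (hypothetical organization)
ASSETS = [Asset("EHR database", 50_000, 200.0), Asset("clinician laptops", 2_000, 200.0)]
THREATS = [Threat("ransomware", "EHR database", 0.05, 1.0),
           Threat("lost or stolen laptop", "clinician laptops", 0.10, 1.0)]
VULNS = [Vulnerability("no full-disk encryption", "lost or stolen laptop", 5.0),
         Vulnerability("shared laptop login", "lost or stolen laptop", 1.05),
         Vulnerability("unpatched EHR server", "ransomware", 2.0)]
CONTROLS = [Control("full-disk encryption", "no full-disk encryption", 15_000.0),
            Control("per-user laptop accounts", "shared laptop login", 50_000.0),
            Control("patch management", "unpatched EHR server", 60_000.0)]

if __name__ == "__main__":
    for c in CONTROLS:
        reduction, worth_it = evaluate_control(c, ASSETS, THREATS, VULNS)
        print(f"{c.name}: reduces expected loss by ${reduction:,.0f}; cost effective: {worth_it}")
```

With the constructed figures, full-disk encryption and patch management each reduce expected annual loss by far more than they cost, while per-user laptop accounts does not; re-running the model as assets, threats and controls change is what makes the analysis the ongoing process the guidance describes.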

The OCR also referenced NIST SP 800-66 to show sample questions that need to be part of the risk analysis. Luckily, we totally agree with them and have included the NIST 800-66 guidance in every HIPAA Risk Analysis software solution.

Here’s another short excerpt from the OCR:

“Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

OCR went on to cite NIST 800-66: “The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule: Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit. What are the external sources of e-PHI?”

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction OCR enforcement is going to go. As I mentioned previously, the regulators are likely to follow the example of financial audits: ask for the current copy of the organization’s risk analysis and use it as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions taken to protect the organization’s protected health information.

In the words of the OCR –

In summary, risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8 page OCR guideline, please send an email to chamilton@riskwatch.com.




Last week I showed you my medical records – now I’m going to give you my take on the Healthcare Bill & Accountability! 

I never had health insurance – shocking, isn’t it!! I grew up and raised two wonderful sons without any health insurance. Part of it was my natural disinclination for paperwork, part of it was my years of being self-employed, but the main reason was I never understood why I should pay someone – that is, bet against myself – on my health.

Because I wasn’t saddled with medical paperwork, I could negotiate with the doctors for treatments I needed and usually got the price down 40% BECAUSE they didn’t want to use insurance anyway – it meant they got paid in six months instead of right now. 

My family believed in Adelle Davis – for those younger readers, she wrote “Let’s Eat Right to Keep Fit”, “Let’s Cook It Right”, “Let’s Get Well”, and “Let’s Have Healthy Children”. These books came out in the 50s and my mom was an immediate convert. In fact, if you find these tattered old paperbacks in a used book store, you’ll see they were ahead of their time in worrying about aluminum pans contributing to Alzheimer’s, endorsing fresh fruit and veggies for Vitamin C, and taking on the food industry, which mightily contributes to disease in this country.

I was never sick. One bout of scarlet fever that left my sister, Linda, deaf in one ear, but other than having two children, I was never sick. The one year I did have health insurance was a total loss – paid about $3000 for N*O*T*H*I*N*G.

Mind you, I’m in favor of national healthcare, delivered simply and effectively.  I am NOT in favor of fifteen xrays for a sprained ankle, seventeen mammograms that find nothing and basically – what I call the over-zealous use of medical technology.

Hey – news flash – healthcare is a BUSINESS!! Healthcare providers want to MAKE MONEY. The more procedures they perform – the more money they make.  It’s a very simple system.

So if it’s true that you have to incentivize people to stay healthy – maybe that’s the way to teach personal accountability for your own health!   I am amazed at how many of my friends, who are smart, and well-educated – turn their healthcare over to any doctor and do not question anything the doc says.  They don’t ask about the procedures or the tests, and they always assume that the doc knows best.

Nothing wrong with doctors – I love them.  But it’s YOUR BODY – learn how to take care of it!  Watching all the news about obese children, increase in diabetes, and declining health of the baby boomers (me included – I’m a baby boomer, but still healthy), it’s clear to me that what is missing is the connection between how someone lives every day – and how healthy they are.   So how do you encourage a healthy lifestyle?  That’s the $64,000 question.

My ingredients are simple:

Being outdoors
Taking extra vitamins and herbs
Getting moderate exercise
Eating less animal products
Low fat dairy
Don’t eat refined foods
Having pets
Doing work you love
Stress relieving activities – yoga and meditation work for me.

And… the big secret – being happy every day. 

So I am all for encouraging accountability and changing the insurance picture in this country. This could mean a sliding scale of insurance costs based on how healthy you are, like a Good Driver Discount for Staying Healthy!

Having employer-sponsored plans also weighted, with unhealthy workers penalized. (I know that’s tough love, but they will thank you years later.)

And adjusting the pricing of health services so that preventive things, like getting your blood pressure checked, become less expensive than expensive procedures like MRIs and CAT scans.

Getting back to my original point – if you are totally RESPONSIBLE for your own healthcare – you make the extra effort to stay healthy. It’s a personal choice we all make every day.