3 Exceptions to Breaches
Unintentional acquisition, access or use of PHI. For example, an office worker goes to the printer as a lab result prints for a nurse. Second, inadvertent disclosures by an individual who is otherwise authorized at a facility operated by a C.E. or a B.A. Last, situations in which the unauthorized person would not have been able to reasonably retain the information.
To provide access to The Guard for someone who had not had it previously. For Administrator use only.
Administration > Users and Access Controls
The location in the Guard which you access to create both Users and Administrators.
An individual who has increased access to The Guard in order to complete their compliance work. They will be able to access all aspects of The Guard, as opposed to a regular User who will only access the Main Screen.
Relates to the dropdown beneath 'Administration' labeled 'Alerts.' Within this section you may review alerts in regards to pertinent reminders about your compliance work. The sections break down as follows: 'Compliance Alerts,' 'Remediation Alerts,' 'Incident Alerts,' 'Document Alerts,' 'Training Alerts,' 'Document Clarification Requests,' and 'Password Requests.' Please review each specific term for further clarification.
Relates to the dropdown beneath Reporting labeled Remediation Summary. This filter is found within the field marked 'Order Report By.' It will show you who Approved or Rejected any given Remediation Plan.
Relates to the dropdown found beneath 'Reporting' labeled 'Remediation Summary.' This filter is found within the field marked 'Order Report By.' It will show you who was working on any given Remediation Plan, IE, who it was 'Assigned To.'
The location that houses your contracts, notes and technical due diligence efforts, found after clicking 'Associates'. To see the profiles which were already created, click 'Associates' and scroll to the bottom. To bring up any associate's profile simply click on their name so it highlights black. Then, hit 'View Selected Item'.
Affirm in an official fashion. In regards to HIPAA Policy and Procedure(s) this means one has agreed to the terms set before them in writing and understands them.
Relates to the dropdown found beneath 'Reporting' labeled 'Questionnaire Results.' This filter allows you to choose which of your previously completed self-audits you wish to review; Security Audit, Privacy Audit, or HITECH Act Audit.
Relates to the dropdown found beneath 'Reporting,' then 'Authorization Summary.' The filters you may add from this feature include 'Status Options,' 'Requested By,' 'Revoked,' or 'Order Report By.' Please review these specific terms for further explanation.
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Business Associate (B.A.)
Anyone who you pay money to and their job specifically entails working with your patients' PHI would be considered a Business Associate. Examples of Business Associates include establishments such as a Clearinghouse, a Billing Service, a Collection Agency, 3rd Party Storage Companies, IT Servicers, EHR Platforms, Consultants, or Shredding Companies.
Business Associate Agreement (B.A.A.)
A written agreement between a Covered Entity and a Business Associate which states that both sides will do all they can to maintain the safety of PHI and that only the minimal information needed to complete the job will be disseminated to the Business Associate. As per the Omnibus Rule, enacted in 2013, the Business Associate agrees to also be HIPAA Compliant and the Covered Entity assumes risk if the Business Associate has a breach.
C.S./C.A. - Confidentiality Statement/Agreement
Any Vendor who is in your Employ but is not paid to directly deal with PHI should sign a Confidentiality Agreement. By signing one this Vendor is stating that they will not disseminate anything heard, seen, or touched which may contain PHI they were exposed to by chance. Also, each member of your direct Staff should sign a Confidentiality Agreement.
This should be the first step you take upon logging into the main screen. In your upper-right is a link which says 'Change Password' in green. When you can, please change from the default of 'password' in all lowercase to something unique for yourself.
Clock Key (upper-right hand side, next to Org. name)
If you are ever within the depths of the Guard it is extremely easy to access the main screen once more (for let's say, attestation). If you look to the upper-right you will see your Organization name and 5 icons directly next to it. The one furthest to the right will always bring you back to the main screen.
Relates to the dropdown found beneath 'Reporting' labeled 'Remediation Summary.' This filter is found within the field marked 'Order Report By.' It will show you which of your Remediation Plans are Completed and which ones are still Open.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Compliance Alerts' you will find your Organization's gaps (deficiencies) which are yet to be associated with a remediation plan.
The Individual(s) who will assist in building your compliance plan. Their purpose is to walk you through our process towards HIPAA Compliance, via our platform the Guard.
Relates to the dropdown found beneath 'Reporting' labeled 'Remediation Summary.' This filter is found within the field marked 'Order Report By.' It will allow you to prioritize your search so that this option shows atop the report generated.
Covered Entities Include - Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes and Pharmacies are all Covered Entities but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Health Plans are also Covered Entities and include: Insurance Companies, HMOs, Company Health Plans, and Government Programs that pay for health care, such as Medicare, Medicaid and the Military/Veterans health care programs. Also, a Health Care Clearinghouse would be considered a Covered Entity and includes establishments that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
A training which we will provide to you that covers the basics on how to keep your network secure. This training covers threats, correct actions to take and proper protocols to follow.
The screen seen immediately upon launching the Guard. It contains several tabs and drop downs which follow. You will find this is where you conduct the majority of your work. The Compliance Overview is intended to keep you on course and let you know where you stand within the process at any given time.
Relates to the dropdown found beneath 'Reporting' labeled 'Remediation Summary.' This filter is found within the field marked 'Order Report By.' It will allow you to prioritize your search so this option shows atop the report generated.
Relates to the dropdown found beneath 'Reporting,' then 'Disclosure Summary.' Within this feature you may filter your search by 'Requested By,' and 'Order Report By.' Please review these specific terms for a more specific explanation.
Display Audit Notes
Relates to the dropdown found beneath 'Reporting' labeled 'Questionnaire Results.' With this check box you may filter your search to either contain or not contain the 'Auditor Notes' which you had inserted initially for any answers of 'Yes' filled in on your self-audits.
Doc(ument) Clarification Requests
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Doc(ument) Clarification Requests' you will find who in your Organization's staff has requested explanation of a policy or procedure.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Document Alerts' you will find your Organization's documents which have passed their review dates.
Employee Attestation (Policy/Procedure Crosswalk)
Allows an Administrator within The Guard to generate a report in regards to their Employee's attestations. From here, an Administrator can easily run a scan to see who amongst their Staff has read but not understood any given policy, who has not read any given policy, and who has wholly read/understood the policy. An Administrator may also choose 'All Types' to review all Staff members' Attestations.
The date an audit is completed, the day a contract is signed and placed into effect, or can be thought of as the day which a policy goes 'live'.
Electronic Protected Health Information - This health information is stored or transmitted in an electronic form.
When completing the Self-Audits after your first session with your Compliance Coach you will be presented this option. This will set the answers in stone, so be sure to have answered all questions carefully and honestly. Utilize the 'Previous Question' button to review any answers prior to finalizing.
Fraud, Waste and Abuse
If you bill Medicare you will want to be sure to train on Fraud, Waste and Abuse. Let's break down what this training means - Fraud: An intentional act of deception, misrepresentation or concealment in order to gain something of value. For example, upcoding. - Waste: Over-utilization of services (not caused by criminally negligent actions) and the misuse of resources. - Abuse: Excessive or improper use of services or actions that are inconsistent with acceptable business or medical practice. For example, charging in excess for services or supplies. The Fraud, Waste and Abuse training which we provide to you will satisfy all your needs for Medicare and touches heavily upon these items.
Upon completing your Self-Audits, deficiencies, also known as gaps, will automatically populate based on your answers. These gaps are where your Organization is lacking elements necessary in order to be compliant.
The Guard allows you to generate reports at your leisure. Underneath the 'Reporting' tab select 'Gap Analysis' and you will be presented with options labeled 'Gap Options,' 'Remediation Options,' 'Risk Options,' and 'Order Report By.' Please refer to these individual terms within this glossary for a further breakdown of their functions.
Relates to the dropdown found beneath 'Reporting.' Within this feature you may filter your Gap Analysis search to show 'Both Resolved and Open Gaps,' 'Open/Unresolved Gaps,' and 'Resolved Gaps.'
Health and Human Services (H.H.S.)
Federal Department which administers federal programs, covering public health and welfare.
Health Insurance Portability and Accountability Act (H.I.P.A.A.)
A regulation to guarantee patients new rights and protections against the misuse or disclosure of their health records.
The Help Button is found in the upper-right, next to your Organization's name. There are five icons; it is the third one in, labeled with a question mark. When you press this it will always bring you to a new tab, so you don't lose your work from the Guard. You can peruse various over-arching topics along the bottom. You can get very specific as to what you are seeking via the search bar. Merely begin typing in what you're curious about and the search bar will try to fill in the rest for you to provide an accurate search.
A training outlining the basics of HIPAA. It is a PDF file we will provide to you. HIPAA 101 is a training which is required for the full staff by regulation.
You can access the Dashboard screen easily, thanks to the 5 icons found directly next to your Organization's name. The symbol of the little house, furthest to the left, will always bring you back to your dashboard.
The field which all your training will ultimately appear within. Found on the main screen.
To turn off access to someone who previously had the ability to log into The Guard. For Administrator use only.
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath Incident Alerts you will find your Organization's incidents which are over 30 days old and are yet to be resolved.
Relates to the dropdown found beneath 'Reporting,' then 'Incident Summary.' Within this feature you may filter your search by 'Both Resolved and Open Incidents,' 'Open/Resolved Incidents,' or 'Resolved Incidents.'
Found beneath the dropdown for 'Reporting,' this 'Incident Summary' tab allows you to filter your search by 'Incident Options,' 'Vendor Association,' 'Incident Type,' or 'Order Report By.'
Relates to the dropdown found beneath 'Reporting,' then 'Incident Summary.' Within this feature you may filter your search by 'Show ALL Incident Types,' 'Erroneous Release of Information by Fax,' 'Erroneous Release of Information by Mail,' 'Theft of Paper ePHI,' 'Theft of Device that Contained ePHI,' 'Lost Device (Laptop, Memory Stick, Blackberry, Etc.) that Contained ePHI,' 'ePHI sent Outside of Companies Protection and not Encrypted,' 'Unauthorized Individual Having Access to Company Protected Information,' 'Employees not Following Company Policy and Procedures in the Handling of ePHI,' 'Known Vendor Breach,' or 'Other Incident Type.'
Launch the Guard
The large green button found in the upper-right of the Main Screen seen immediately after log in (for administrators only). Launch the Guard takes you into your Dashboard.
Here you will find 'Assigned Tasks,' Important 'Documents,' and 'How to Report an Incident.' As an Administrator you will also see 'System Messages,' 'Notifications and Alerts,' and have the ability to Launch The Guard via the green button to the top-right of the screen.
During your first meeting your Coach sent you several attachments in an email. Among those attachments were three MS Excel Worksheets. Two of them had HIPAA IT in the title and should be forwarded to those who manage your IT. The final one is the Physical Site Audit, which is a simple walkthrough of your location. These audits satisfy two thirds of your S.R.A.: the Physical and Technical elements.
New HIPAA Docs Folder
Found under Tracking > Documents. A very handy folder which contains a lot of information, such as authorization forms, medical release forms, NPPs, etc.
Notifications and Alerts
This section is found on the Main Screen to the right-hand side. It will inform you of specific information. For example, when a remediation plan is overdue, or when a vendor questionnaire is still pending completion.
Office of Civil Rights (O.C.R.)
The Office of Civil Rights is the division of HHS responsible for enforcing Privacy Rules. Privacy is considered a Civil Right.
Office of Inspector General (O.I.G.)
Federal agency that investigates and prosecutes fraud against Government health care programs, such as Medicare/Aid.
Order Report By
'Order Report By' will be seen many times throughout The Guard. Depending on the area which you see it, it will allow you to filter your inquiry/reports in a certain order for your convenience.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Password Requests' you will find who in your Organization requires/has requested a password reset.
Policies and Procedures
Standards that require a Covered Entity to adopt reasonable practices to comply with the provisions of the HIPAA Security Rule.
Policy Tip Sheet
Also known as the Policy Review Notes and Tips Sheet, this guide is a cliff noted version of the policies themselves. It is indispensable once you reach the point of policy creation (Stage 3). It removes the legalese from the official documentation and presents real-world scenarios to further comprehension on the topic being discussed.
A set of national standards for the protection of certain health information. The goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.
Protected Health Information
Individually identifiable health information held or transmitted by a Covered Entity or its Business Associate, in any form or media, whether electronic, paper, or oral.
By hovering over 'Reports' and selecting 'Questionnaire Results' you may review previously completed self-audits. Options for the reports include reviewing past answers to your Privacy, Security and HITECH audits. You may also choose to 'Show All Questions,' 'Incorrectly Answered Questions,' and 'Correctly Answered Questions.'
Questionnaires provide us a jumping-off point for your compliance plan. When they are completed 'Gaps' will arise, making them immensely important to the beginning of the process.
The act of fixing deficiencies (Gaps) found by The Guard after completing your self-audits.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Remediation Alerts' you will find your Organization's remediation plans which have passed their due date or are still pending.
Relates to the dropdown found beneath 'Reporting' labeled 'Gap Analysis.' Within this feature you may filter your Gap Analysis search to show 'Both Assigned and Unassigned Gaps,' '(Gaps) Assigned to a Remediation Plan,' '(Gaps) Not Assigned to a Remediation Plan.'
After your deficiencies are automatically discovered through finalizing administrative/policy audits, the plans to fix them are generated simultaneously. These plans document your efforts to fix your gaps as you work at the same time to physically repair your deficiencies.
The Guard allows you to generate reports at your leisure. Underneath the 'Reporting' tab select 'Remediation Summary' and you will be presented with options labeled 'Remediation Options,' 'Status Options,' and 'Order Report By.' Please refer to these individual terms within this glossary for a further breakdown of their functions.
Report an Incident
You may report any perceived HIPAA violation anonymously directly from the Guard's Main Screen. Simply put in the events which occurred on the bottom-left, below Report an Incident. Upon submission, your incident will be logged and your Security Officer will be made aware that a submission has been completed.
The act of generating concise snapshots of work done previously. Options available within The Guard include 'Gap Analysis,' 'Remediation Summary,' 'Questionnaire Results,' 'Incident Summary,' 'Training History,' 'Authorization Summary,' 'Disclosure Summary,' 'Member Breakdown,' 'Vendor Breakdown,' and 'Employee Policy/Procedure Crosswalk.'
Found beneath the dropdown labeled 'Reporting,' then 'Authorization Summary.' Within this 'Requested By' filter you may refine your search to see 'All Possible,' 'Organization,' 'Member,' 'Representative,' 'Legal Guardian,' 'Legal Entity (Law Enforcement, Etc.).'
Requested By (Disclosure Summary)
Found beneath the dropdown labeled 'Reporting,' then 'Disclosure Summary.' Within this 'Requested By' filter you may refine your search by, 'All Possible,' 'Organization,' 'Member,' 'Representative,' 'Legal Guardian,' or 'Legal Entity (Law Enforcement, Etc.).'
Usually a year from any given Enactment Date. This pertains to your annual requirements and when items need completion for another go-around.
Found beneath the dropdown labeled 'Reporting,' then 'Authorization Summary.' Within this 'Revoked' filter you may refine your search by, 'Both Revoked and Non-Revoked,' 'Revoked Authorizations,' or 'Non-Revoked Authorizations.'
Relates to the dropdown found beneath 'Reporting' labeled 'Gap Analysis.' Within this feature you may filter your 'Gap Analysis' search to show 'All Risk Levels,' '5 - Extremely High Risk (Requires Immediate Attention),' '4 - High Risk,' '3 - Moderate Risk (default level of risk),' '2 - Low Risk,' or '1 - Extremely Low Risk (needs to be resolved when time permits).'
Security Risk Analysis (S.R.A.)
Will guide you through a systematic examination of many aspects of your health care practice to identify potential security weaknesses and flaws.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Relates to the dropdown found beneath 'Reporting' labeled 'Remediation Summary.' Within this feature you may filter your search to show 'Approved, Pending and Rejected Recommendations,' items that were 'Approved,' items 'Pending Approval,' or 'Rejected' items.
Status Options (Authorization Summary)
Relates to the dropdown found beneath 'Reporting,' then 'Authorization Summary.' Within this filter you may refine your search to see, 'Pending, Approved and Rejected Authorizations,' 'Pending Authorizations,' 'Approved Authorizations,' and 'Rejected Authorizations.'
Relates to the dropdown found beneath 'Administration,' then 'System Logs.' Within this feature you are able to track any/all changes made within your Organization's site.
The Six Audits
You may have heard this term via Compliancy Group before. Here, I am going to break it down to bare bones for you. The six audits encompass a Security Risk Assessment which has 3 integral elements. These 3 elements are Administrative, Technical and Physical. Your Administrative requirement is met once you finish the questionnaires found directly inside the Guard, the HIPAA Security Standards Self Audit, the HIPAA Privacy Standards Self Audit and the HITECH ACT Subtitle D Privacy Self Audit. Your Technical requirement is met upon completion of your IT Risk Analysis Device Audit and the IT Risk Analysis Questionnaire. Your Physical requirement is met upon completion of the Physical Site Audit. Finally, upon building of remediation plans, you can confidently say you have a valid Security Risk Assessment (S.R.A.) available.
Beneath this tab you will find options for 'Training,' 'Authorizations and Disclosures,' and 'Documents (Version Control).' Tracking allows you to sort and organize various items within The Guard.
Tracking > Documents
Third tab in, second option down. This will lead you into the Document Repository where you will house some audits, some agreements and policies among other items.
Relates to the dropdown found beneath 'Administration' labeled 'Alerts.' Beneath 'Training Alerts' you will find your Organization's staff who has either not been trained, or whose training occurred over a year ago.
Relates to the dropdown found beneath 'Reporting,' then 'Training History.' You may filter your search via 'Training Options,' or 'Order Search By.'
Relates to the dropdown found beneath 'Reporting,' then 'Training History.' You may filter your search by 'Training Options,' such as 'BOTH Scheduled and Completed Training,' 'Complete Training Courses,' or 'Scheduled Training Courses.'
Treatment, Payment and Operations (T.P.O.)
The rule that patients' PHI may be shared without their authorization for the purposes of Treatment, Payment and Operations. For example, a submission of a claim to an insurance company requires no authorization, since this is how you will receive payment for services rendered. If the entity is an integral part of your business that you cannot manage without (one you need so that the Doctors can keep functioning as Doctors and so that Operations do not cease and force you to close your doors), no particular agreement is required with these Organizations. Further examples are Labs, Insurance Companies and General Supply deliveries.
Upload New Version
A method by which you may retain previous editions of essential compliance items. You do not ever want to toss anything away because in the case of an audit information needs to go back 6 years. So in lieu of deletion, you will archive the previous edition with the new sitting atop. This is done by clicking on the file itself and hitting 'Upload New Version' at the bottom of the screen.
For larger Organizations we don't want to ask you to manually plug each user in. Instead this can be performed for you on this side. Simply provide us an Excel sheet in this exact format - Column A = First name and Last Name, Column B = Email address.
Users and Access Control
This is found beneath the 'Administration' tab and allows an Administrator of The Guard to grant and deny access. It is also used to differentiate everyday Employees (Users) from those completing the compliance work (Administrators).
A 'Regular' Vendor is someone in your employ who is not paid to directly handle PHI. Their job may have nothing to do with PHI at all. However, they may see it by chance. A good example of a Vendor who may potentially be exposed to PHI is someone who is a member of a Janitorial Staff, or a Copy Person.
Relates to the dropdown found beneath 'Reporting,' then 'Incident Summary.' Within this feature you may filter your search by, 'Both Assigned and Unassigned Incidents,' 'Incidents Assigned to Vendors,' or 'Incidents not Assigned to Vendor(s).'
Relates to the dropdown found beneath 'Reporting,' then 'Vendor Breakdown.' Within this feature you may filter your searches by, 'Vendor Options,' and 'Order Report By.'
Relates to the dropdown found beneath 'Reporting,' then 'Vendor Breakdown.' Within this feature you may filter your search by 'BOTH Active and Inactive Vendors,' 'Active Vendors,' and 'Inactive Vendors.'
This is how you conduct your due diligence on your BAs. You are required to ensure that your BAs have safeguards in place to protect your PHI. This questionnaire can be sent and scored from the Guard. What you are looking for, upon survey completion, is for the majority of answers to be in the category of 'Yes'. If that is the case, the BA is in the clear. If the majority of answers fall into the 'No' category, we may recommend you find a new BA.