Annual Requirements and Renewal
Welcome back and thank you for your continued subscription to the Guard via Compliancy Group!
It has now been a year since you last conducted your self-audits. That is the date on which we base the renewal of your compliance plan. So, as a logical jumping-off point, we’re going to run through these audits again!
First, you will be refreshed on where to go, as seen above.
Your Coach will be setting up these audits for you via the green Start New Audit button. You are not to use this button! It will give you more work, or overwrite some work. Stay away from it like the plague. This is unless, of course, you enjoy adding unnecessary work to your already full plate. If that is the case, push that button all day long!
Answering the Questions
Because you have recently been through the compliance process with us, you have the policies and procedures in place that the questions reference. For this reason, you will find 98% of the answers are Yes. Only if you feel that your policy is at all inadequate, or you do not understand the question, should you mark No.
During your first renewal appointment with your Coach, they will send you an email containing the same manual audits you had completed previously. You will receive the ‘HIPAA IT Risk Analysis Device Audit’, the ‘HIPAA IT Risk Analysis Questionnaire’ and the ‘Physical Site Audit’. Just as before, send the two with IT in the title to those who handle your IT needs and complete the ‘Physical Site Audit’ yourself.
In lieu of deleting the previous editions of the audits completed we are going to archive them. This is so we can retain the information, should we ever need to produce it. In addition, this process will allow you to stick that newest copy you have atop the old copies. Read on for further instruction –
First, please navigate to Tracking, then Documents. Once there, click one time on the HIPAA Manual Audits folder to your left-hand side. Towards the middle you will now see that folder’s contents. Click on any of the three audits listed towards the middle so it highlights black. Now, look straight down from the title of the document to the very bottom where it says Upload New Version (the button with the purple icon affixed). This will furnish a yellow upload window for you. Find your completed audit on your computer via the Choose File button on that yellow window. The Enactment Date is the day the audit was completed. The Review Date is one year following the Enactment. At that point, skip over the check box and don’t fill in Modifications. Last, hit Upload Document. You will notice that the new edition is present and has assumed the name of what was there previously (that’s why we don’t need to enter anything into the Modifications category). The best way to ensure you did it correctly is to look to the far right, next to the file name. You should notice one more version than what was there before. Also, the fresh dates will show for you instead of the ones from the previous year.
Reviewing Business Associate Agreements
Annually, you are required to review your Business Associate Agreements. By review we don’t mean that you need to run around gaining signatures and chasing people down once again. Instead, you will literally review the document to make sure there has been no material change to the relationship with the vendor, or the documentation which is in place. So long as there is no crazy, whacky change, you will simply add in a statement reflecting the fact that you reviewed the B.A.A. within the Associate’s profile. After saving this statement to the profile, that’s your review for the next twelve months. If there HAS been a material change to the relationship or documentation with a certain vendor, send a new B.A.A.
The tricky part about reviewing Business Associate Agreements lies in the navigation within the Guard. This aspect requires you to position yourself in two distinct locales inside the Guard. The first location is within Tracking, then Documents, within the Vendor Contracts folder. The other location is the vendor profile found under Associates.
Now, we need to get that document onto your computer for review. First, click on the title of the document found center-screen. It will turn black to indicate it is highlighted. Now, if you look straight down from the ‘Created Date’ to the very bottom, you will see a button labeled View Selected File with an icon of a magnifying glass on it. Think of that button as being synonymous with download. This action will send the document to your download folder where you may now review it.
Let’s imagine, for the sake of explanation, that there were no material changes to the B.A.A. in place. So, you just need to add the previously mentioned review statement into the vendor’s profile. Now is the time to navigate away from Tracking > Documents. You will want to head to the first option along the top, ‘Associates’.
Once you are within the Associates tab, scroll to the bottom. There you will find your listing of associates. Click on the name of the Organization that you reviewed the B.A.A. for, so it highlights black.
Since there was no material change to the relationship/documentation, we will now fill in our review statement inside of the associate’s profile. The review statement should read as, “BAA REVIEWED BY XXYOUR NAMEXX – NO CHANGES TO BA FOUND – STILL ACTIVE AND CURRENT ON XXTODAY’S DATEXX.”
Please feel free to copy the above statement so you may paste it into various vendor profiles. After filling in your name and the date reviewed, be sure to hit Update Vendor so it saves your textual changes. You’ve now completed your B.A.A. review for that associate for the next twelve months!
Check your Users
Annually, you want to be sure to do some ‘clean-up’ on your Users (found under Administration, then Users and Access Controls). You’d want to be sure to inactivate anyone who has left and add in any new folks you have hired. In addition, for the newer folks, please make sure you have a confidentiality agreement in place. Read on for further instruction –
First, let us cover the addition of new Users. Please navigate to Administration, then to Users and Access Controls. Adding a new user requires only 3 fields of data entry. Enter the new staffer’s full name, email address (a private one is okay to use) and a default password of password in all lowercase. This default password gives you an easy one to reset to should an employee forget their password, and they can always make it better than ‘password’ directly from the main screen in the upper-right.
Let us now cover how to remove someone who has left the company since we last spoke. You will still navigate to Administration, then Users and Access Controls. Scroll to the bottom and click on the name of the person who has stopped employment with you. Now, look to your bottom-right for a button which says Activate/Inactivate Selected User. Click this and you will receive a prompt asking if you are sure. Since you are, please select OK.
NOTE – As mentioned above, new folks will need a C.A. signed. Upon signing, you will need to upload that agreement back to the system. Please read on for further instruction on how to place that new agreement back to the Guard.
Policy Date Maintenance
Since your policies also require annual attestation, we need to make them available and current. The way to do this is to simply stretch the year out on the Review Date to the following year. How do I do this, you say? Under Tracking > Documents, there are both folders for Security and Privacy (beneath the mid-line). These are your finalized policies. Click directly on either the Security or Privacy folder to see the contents mid-screen. Now, click on the first item listed so it turns black. A bunch of details will now show to the bottom in the center area. In the bottom-right is the review date. Click on the year and send it one year in the future. Finally, hit Update to push that year out. Your policy is now good for another year and ready to be attested to by you and your staff.
Aside from attesting to policies on an annual basis, there are a few other Federal training requirements that require yearly attention. At the least, your Coach will add in HIPAA 101 training, Incident Management training, and Cyber Security training. If you bill Medicare, your Coach will provide you with Fraud, Waste and Abuse training.
Attestation from the main screen – Directly on the Main Screen, to your left-hand side (centrally located), you will see a header for Important Documents. Beneath this header is where all your training and policies will ultimately show. The documents are all clickable links, which send the selected file to your download folder. Your Coach will provide you with instructions on how to set up your Chrome browser so that items automatically open, rather than having anyone dig for them. Aside from that, the yellow attestation window will appear. First, review the document which you had clicked on. If it makes sense and you get it, select ‘I Completely Read and Understand the Document’. If you need some further guidance comprehending what you read, please select ‘I Completely Read but do NOT understand the document’. This will send an alert to your security officer, telling them they need to guide you a tad further. If you disregarded the document and never came back to it, please mark ‘I DID NOT read the document’. This way, the training still shows as pending and you can return to it.
Running a training report (admins only) – If you are an Administrator of the Guard you can keep eyeballs on how training is panning out for your Organization rather simply. If you were to navigate to the fourth tab in for Reporting and select Employee Attestation from the dropdown which shows, you will be brought to a rather slim screen that says Acknowledgment with a drop down to the right of it. I’d recommend running the report for Did NOT Read the Document. Initially, this will show you that everyone is yet to read anything. This list will slim down as training progresses. Ultimately, you will receive an error message, stating the system cannot provide search results based on the criteria sought after. This is a GOOD SIGN. It means everyone has completed their training and you are all set!
Closing Remediation Plans
After opening the Remediation Plan, click the Gaps tab. You will now see ‘Associated Gap Items’ to your right. In this instance, the regulation which the plan is tied to ends in numbers within the 300 range. They could also end in numbers which are either in the 500s or 13,000s. For this circumstance (since the regulation ends in 300), you would copy this sentence verbatim into the Notes tab found all the way to the left (see below the next picture pane) – The Policy to remediate the identified Gap from the risk analysis is located in The Guard’s Document Manager under the Security File Folder.
This is where you will find the Notes tab ^^
Now, let’s imagine that this regulation had ended either in the 500s or 13000s. For the Notes tab you would want to be sure to copy this sentence verbatim – The Policy to remediate the identified Gap from the risk analysis is located in The Guard’s Document Manager under the Privacy File Folder.
Almost there! Now, you will want to click the Goals tab directly next to the Gaps tab (see below) and mark any open goals as complete. There may not be any goals listed at all but be sure to mark any present as completed at this point.
Now, review the plan and ensure all is correct because once you close the remediation plan you cannot re-open it. If all is correct, go ahead and close the remediation plan.
This ties back to the Seven Fundamental Elements of an Effective Compliance Plan by “Conducting Effective Training and Education” as well as “Implementing written policies, procedures and standards of conduct.”