Knock Knock. Who’s There? HIPAA. HIPAA Who? I Can’t Tell You.

Problem Statement

Every covered entity that handles protected health information (PHI), and every business associate that handles PHI on its behalf, must comply with HIPAA. Putting together an assessment that demonstrates your organization is compliant is daunting. This session will help you create a road map to do so.

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) Security Rule was finalized in 2003, Family Service League, Inc. (FSL) began the process of determining whether it was in compliance. FSL was able to handle the required assessment in-house using Excel spreadsheets and documents from the HHS website.

It was a simpler time:

  • Most servers were onsite and data resided within a WAN’s virtual walls
  • The cloud was still a weather term
  • Bills were transmitted using modems and fax machines
  • The only users who had laptops were the top execs
  • There were no electronic health records (EHRs) to speak of
  • Blackberry was king
  • The iPad was just a gleam in the apple of Jobs’s eye

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009, and when the HIPAA Omnibus Final Rule implementing it was finalized in 2013, things became more complicated. Software as a service (SaaS) became the norm, and data in transit took on new meaning. The promise of Meaningful Use funds put EHRs on the map and into practice. Cell phones had more computing capacity than the original IBM PC. And if you handled PHI on behalf of a covered entity, you were a business associate, directly liable for complying with the HIPAA rules under the Omnibus Rule.

Doing an in-house HIPAA assessment was no longer feasible: the expertise needed to conduct it was vast, and spreadsheets were an unwieldy way to keep track of it. The prospect of an audit, or even worse, a breach, could not be ignored. FSL did not want simply to have an assessment “done”; it wanted to be able to assess, identify weaknesses, prioritize remediation, and then follow through.

This session will illustrate how FSL reached the strategic decision to use an outside vendor to assist with its HIPAA assessment, and how we worked together collaboratively to achieve our goal of HIPAA compliance within one year.

The 2017 audit process is rolling out. Are you ready?

Grace Barry
Family Service League
Director of Information Technology
I am fortunate to have spent the last 15 years as a technologist in the non-profit world. At Family Service League, I am the IT Director of a large behavioral health agency on Long Island in New York. As the need for services expands and the way those services are delivered and reimbursed changes even more, it is my job as a technology leader to make sure that the direction our IT takes always maintains its true north: the mission we support.

Joshua Darrin
Technical Lead
I am an idealist, technologist and strategic thinker with a passion for making a positive impact on the world. I believe in the lost art of listening and have an innate talent to define requirements, design solutions, develop relationships and act as a change agent. My ideals and ethics serve as the foundation for my success. Core competencies include: Client Relationships, Business Development, Technical Architecture, Solutions Design, Salesforce, Virtualization (Public Cloud, Private Cloud and Hybrid Cloud), Data Centers and Compliance (FISMA, SOC2-Type II, HIPAA, PCI).