Tuesday 23 December 2014

Policy Management Software

As organizations grow, they face a continuous increase in the number and complexity of policies and procedures that staff members need to share and collaborate with one another. This is one of the biggest challenges for organizations of all types and sizes. It involves demonstrating compliance to auditors and the best practices to staff. This is required not just at periodic intervals, but also continuously and instantly to a variety of stakeholders.

It is essential to have high-quality policy management software to help a company stay on top of things. Such software allows users to create and refine policies and procedures in compliance with relevant standards. When policies are not maintained properly, their value decreases and they lose their authority and relevance.

Increasing regulatory requirements these days necessitate that organizations be proactive in their management of important documents. Having up-to-date policies reduces the chance of liability and demonstrates to government authorities, outside organizations, and even itself that an organization is acting with solid governance.

Misplaced documentation (either through poor organizational structure or poor systems architecture) can cost an organization valuable time, energy, and resources. The easier it is for staff to find documents and update them in a distributed real-time manner, the easier it is to ensure that the most up-to-date information is at the fingertips of those who need it. It is very helpful to have a means of recovering information if portions of a company’s policies, procedures, and guidelines are missing or no longer relevant. This aids in the flexibility of an organization to bounce back on its feet during times of change or disarray.

An end-to-end policy management package ensures that the creation, preservation, and deletion of information in the documentation occur in a step-by-step procedural manner. This process should be free from obstacles such as interference from conflicting processes, confusion on what processes are involved, and confusion as to the roles and responsibilities of who updates what and is accountable for what. A good policy management system takes all of these factors into account, while delegating authority and authorship as needed.

A proper policy management system will save not only time and energy but ultimately bottom-line expenses. Countless work hours are lost when an organization’s policy is created, recreated, and updated in an inefficient manner. A seamless process in this regard allows an organization to use human resources elsewhere by taking care of the overhead.

In summary, good policy management software helps an organization maintain rigorous control over its infrastructure, track usage, update, and assimilate various components distributed throughout the organization. It gives individuals in the company a solid means of tracking policy changes and ensuring that authority in updates is delegated, and escalated, to the right parties at the right time. It can continuously reduce ineffective workflows by tracking changes throughout the process without the stopping and backtracking associated with manual policy management.

Monday 24 November 2014

HIPAA Compliance Checklist

Once you've concluded you are handling protected health information (PHI), you will have to ensure your organization is HIPAA compliant. Compliance with HIPAA requires going through a series of steps that, taken together, ensure you are in line with the regulations set forth by the Department of Health and Human Services for patient health records.

Compliance achievement can take the form of a checklist that walks through the 4 sets of rules within HIPAA: the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule. While it is beyond the scope of this article to provide a comprehensive breakdown, we will provide a basic overview of what such a checklist entails.

The Privacy Rule presents standards that protect health records and that apply to various health care providers that conduct their transactions electronically. It involves preventing impermissible uses of the PHI, ensuring breach notification procedures are in place, ensuring appropriate access to the PHI, and providing disclosures to the Secretary of HHS as needed.

The HIPAA Security Rule ensures that various safeguards are in place on Technical, Physical, and Administrative levels. Some are designated as 'required', and others designated as 'addressable' (required for certain organizations).

Technical safeguards deal with: unique user identification, emergency access procedures, automatic logoff, encryption/decryption, audit controls, and authentication systems and methods. Physical safeguards deal with the physical location and the facilities themselves, including: contingency operations, security plans, access control, maintenance records, workstation use, workstation security, disposal of documents, accountability, and data backup/storage procedures.

Administrative safeguards cover the conduct of workers in the organization, and provide measures to protect PHI. They require establishing a privacy officer, conducting staff training, reviewing documentation on a regular basis, performing a risk assessment, and creating agreements with the various Business Associates (BA) that partner with your organization.

The Enforcement Rule and Breach Notification Rule are not necessarily actionable in advance, but they spell out the penalties and procedures for hearings related to HIPAA non-compliance, as well as procedures for dealing with a breach of unsecured PHI.

Though seemingly daunting, the HIPAA compliance checklist rules can be applied and enforced in your organization in a systematic manner through a checklist. In addition, automatic tools can enhance the value of a checklist by having systematized procedures to bring your organization into compliance.

Monday 13 October 2014

Introducing the HIPAA Omnibus Rule

New standards have been added to HIPAA regulations through the Omnibus Rule. These new additions address holes in the ability to access PHI (Protected Health Information) by those that are non-privy to such data. These standards ensure that "Covered Entities" follow these rules or deal with significantly harsher penalties. Covered Entities, Business Associates and their subcontractors are more liable for compliance lapses under the Omnibus Rule. Enacted on September 23, 2013, the Omnibus Rule has led to a dramatic increase in the cost and complexity for the maintenance of healthcare documentation, requiring even more precise auditing of systems and policies.

There are a variety of points that make up the new HIPAA Omnibus Rule, which include additional HITECH Act enhancements. During a breach of PHI the Covered Entity must notify each individual party whose information was breached, the Dept. of Health and Human Services, and media sources. The definition of a secure system is not simply having access or login protection. It requires the data to be thoroughly encrypted when breached, or automatically destroyed before it is accessed. In addition, the Omnibus Rule expanded the scope of what constitutes a breach to even limited sets of data that might contain certain fields.

The Omnibus Rule is an update to the Interim Final Rule published in August 2009 and involves the discarding of a 'harm threshold'. This threshold analyzed the risk of a potential breach's impact in determining the potential recourse for a Covered Entity. The Omnibus Rule voided this threshold and instead presumes a breach unless certain specific factors are taken into account. These include who the unauthorized person is, whether the PHI was viewed, and how it was acquired.

Sanctions for not providing the required notice are severe, with some state law requirements even more severe than federal laws. Thus, potential breach and all follow-up protocols should include a full analysis of both state and federal regulations.


The Omnibus Act also expands the definition of a Business Associate. Thus, the new BAA (Business Associate Agreement) must specify the general arrangement of data being exchanged in addition to addressing the repercussions of a potential breach in the transfer of information between Covered Entities and Business Associates. The NPP (Notice of Privacy Policies) has been modified to include provisions for distribution, sale, and notification of breach to patients including special provisions for psychotherapy notes.

Penalties for lack of compliance to these rules include $100 per violation and $25,000 if the violation is identical in one calendar year. Privacy breaches have a far greater consequence, including penalties up to $1.5 million.

With the HIPAA Omnibus Rule in effect, it is even more imperative that Covered Entities and Business Associates take active steps in ensuring that their systems are protected, with protocols and audit tools in place to prevent even a seemingly minor PHI breach from occurring. To comply with these changes, both Covered Entities and Business Associates must make updates to their privacy practices, as well as perform an audit of all their policies and procedures on a regular basis.

Tuesday 23 September 2014

HIPAA Omnibus Rule



The HIPAA Omnibus Rule was brought into effect on January 25, 2013. This was a set of rules that directly affected the Health Insurance Portability and Accountability Act in the areas of Security, Privacy and Enforcement. In a day and age where technology runs nearly everything, these provisions to HIPAA helped implement changes to the Health Information Technology for Economic and Clinical Health Act (otherwise known as the HITECH Act). These provisions protect patients' personal information more directly in today's high-tech world.

One of the first things these provisions address is that under the HIPAA Omnibus Rule all associates of a business and all subcontractors of a business are directly liable for complete compliance with HIPAA. It also goes on to limit the use of personal information for marketing purposes. These provisions also expand on the rights of individuals to receive copies of their medical records over the internet.

In times of a breach of privacy, the HIPAA Omnibus Rule and the HITECH Act increase the monetary penalties. Monetary penalties include:
  • Accidental disclosure of personal information resulting in a penalty of no less than $100 but no more than $50,000 for each case
  • For disclosure due to reasonable cause and not pure neglect resulting in a penalty of no less than $1,000 but no more than $50,000 for each case
  • For disclosure due to neglect but fixed in a timely fashion resulting in a penalty of no less than $10,000 but no more than $50,000 for each case
  • For disclosure due to neglect that is not fixed in a timely manner resulting in a penalty of $50,000 but no more than $1.5 million per year for each case


Any known use or disclosure of personal information is considered to be a breach of HIPAA.

The HIPAA Omnibus Rule was brought into effect to further cover and protect patients' personal information. All healthcare officials and individuals in the healthcare field must be properly educated on the HIPAA Omnibus Rule and practice it to avoid monetary penalties.

Thursday 18 September 2014

Compliancy Group promotes The Guard for better compliancy within an orga...

Friday 15 August 2014

Why your organization and its team members should attend compliance webinars?

Compliance has become a buzzword for organizations both large and small. The main issue with companies and organizations trying to adhere to all regulatory compliance is that both compliance and the HHS have no bias. Yes, compliance doesn’t care if you have a full-time compliance officer, a million-dollar budget or absolutely no idea what you are doing.

There are always tons of options regarding ways to educate yourself about compliance. However, most of these options will only focus on a textbook way of achieving compliance education and can be costly. In our free compliance webinar series, we strive to not only find industry experts, but also to focus on relevant topics that pertain to the compliance industry and what you need to know.

Here at Compliancy Group, we are aware of the gaps in compliance knowledge as a whole and how this can affect an organization of any size. This is why we decided to create our free education series where the focus revolves around supplying a wide range of compliance webinars. Most importantly, knowledgeable speakers who have expertise in their fields ranging from HIPAA compliance to health care law carry out these compliance webinars. Past topics of compliance webinars have included: HIPAA, HITECH, Meaningful Use, the Omnibus Rule, Business Associates, HIPAA Compliance Checklist, and much more, demonstrated by speakers such as: Frank Ruelas, Matt Fisher, and Bob Grant.

Tuesday 29 July 2014

What is HIPAA and Why Do I Need to Abide by These Rules and Regulations?

If people have heard of HIPAA or the Health Insurance Accountability and Portability Act of 1996, they probably know that it protects their private medical information. HIPAA actually forced the government to create standards designed to protect personal health care information that is submitted and electronically stored. However, a lot of people do not understand what the law really covers.

What is HIPAA?

The Health Insurance Accountability and Portability Act of 1996 contains five titles. Title One of HIPAA provides health insurance protection for employees and their families when they lose or change jobs.

Title Two of the law, also known as the Administrative Simplification Provisions, created national standards for electronic-based health care transactions and national identifiers for health insurance plans, employers and medical providers. This aims to prevent health care abuse and fraud and provides a platform for administrative simplification and medical liability reform.

Title Three of the law deals with tax related provisions that govern medical savings accounts. It standardizes the amount that a person is allowed to save in their pre-medical savings account.

The law’s fourth title specifies conditions for group health plans that cover people who have a pre-existing condition. It also provides clarification regarding continuation coverage requirements including COBRA.

Title Five contains provisions that are related to company-provided life insurance. It also prohibits the tax reduction of interest on company endowments and life insurance loans or contracts.

Reasons to comply with this Law


There are a number of reasons why people and businesses alike should start complying with this law. The HIPAA Omnibus Rule has substantially increased civil penalties for non-compliance. The penalty cap for any violations was increased from $25,000 annually to $1,500,000 per violation.

Aside from that, willfully failing or neglecting to be compliant brings mandatory penalties, and investigations can be triggered by any discovered violation, breach or complaint.

New Breach Notification Rules

HIPAA rules and regulations now contain new breach notification rules that will increase the quantity of HIPAA violations determined to be breaches. The Omnibus rule has expanded the definition of a breach and the failure consequences. Federal investigations can be triggered when proper notification has been provided.


The Law is Getting Stricter

States are steadily getting more involved in HIPAA enforcement. Failure to comply with HIPAA means feeling the full force of the law. Aside from that, the Office of Civil Rights, a branch of the Department of Health and Human Services, is expanding its Division of Health Information Privacy Information Team. It is stepping up the implementation of HIPAA compliance activities.

Maintains a Company’s Reputation

Complying with this law helps health service providers avoid the HIPAA Wall of Shame. The list of reported major breaches and substantial penalties is growing at a rapid rate.

What is worse is that the details of these breaches are widely available to the general public and reported in the media. The consequences of a data breach can include more than just criminal and civil penalties. They can also damage a company’s reputation.

The Bottom Line

Companies face important obligations under HIPAA. If a company provides services as a health care entity and has not begun the process of implementing a compliance program, the time to take action is now. Although maintaining and achieving compliance is a challenge, a company that fails to act may find that overcoming the consequences of non-compliance presents an even greater challenge.

Thursday 23 January 2014

Choosing HIPAA Compliance Software

Choosing HIPAA compliant software for your business in the healthcare industry is a must. HIPAA regulations can be complicated. The right software simplifies becoming compliant while also assisting you in managing your business by offering training and educational materials for staff. Whether you are a Business Associate in need of HIPAA compliance software or a Covered Entity, you will need to begin by looking at the features that will make operating your business within the current guidelines straightforward.

Features to choose


Internal auditing is one of the most important features to look for when choosing HIPAA compliance software. Internal auditing allows you to assess your current methods and procedures for handling sensitive patient information and offers gap remediation that can be implemented within the workplace as needed to meet the standards set by HIPAA regulations. HIPAA software should also be user-friendly. The laws and regulations may be complex, but the software that you use should be accessible and easy to understand.

Features such as HIPAA checklists, for example, are available to ensure you are following your plan toward HIPAA compliance. Data backup and emergency operation features are also important for businesses. These features allow you to access and secure patient health information even when you are experiencing problems with your system in the office. Opting for HIPAA software that is backed by customer support is ideal for organizations and entities when there is an issue with your internal electronics systems.

Affordable and Effective

The goal of HIPAA software is reaching compliance but there are also some other advantages for your organization. Internal auditing and included client support can both work to save your business from incredibly expensive outside audits and services. With the right HIPAA compliance software, your organization will be able to handle all aspects of becoming compliant with one simple program.

Thursday 2 January 2014

The Importance of Risk Assessment Tracking and Proof of Efforts

Meaningful Use Stage 2 is an important way for healthcare providers to ensure patients receive the best care. Meaningful Use Stage 2 utilizes many of the healthcare initiatives beginning with stage one, but includes some important updates that you will want to know about. Tracking and recording are vital when you want to provide proof of risk assessments in a hospital or other medical establishment in order to qualify for incentive payments.

Getting Started

You will need to develop a solid, clear plan for tracking and recording risk assessment in order to reach meaningful use standards. Your staff should be aware of any new processes that will be implemented, which processes will be stopped and how long the new practices will be used in the workplace. Offering a training seminar can be an ideal solution to training staff in new recording and tracking methods used by your organization.

Why is Tracking and Recording Important?

The goal of meaningful use stage two is to provide electronic medical records that are accurate, up to date and relevant to the care of patients. The ability to prove that you have used established risk assessment guidelines according to the meaningful use regulations is vital when working with Medicaid and Medicare clients. Your organization will need to use EHRs, or electronic health records, to meet specific goals in order to qualify for state-funded incentives. You can satisfy the need for proof by using the EHRs according to regulations and working with your local Regional Extension Center.

The goals of meaningful use are designed to provide a more comprehensive health care system to the public. One of the goals is to share more information with patients to promote a better understanding of medical conditions and treatments. You will need to supply proof that you have been utilizing the EHRs to achieve meaningful use stage two guidelines. Your local Regional Extension Center representative can help you get started on implementing the guidelines in your organization and assist you with learning more about the measures that are used to prove that the guidelines have been used.