National Health IT Week: Post-Presentation Q&A

In the effort to carry on the theme for National Health IT Week, InfoGard’s technical staff has committed to providing answers to post-presentation questions on “10 Steps to Protect My Covered Entity From Breach”, posted on October 6, 2015. Additional Q&As will be added to the existing list. Check back for updates periodically. To submit additional questions, email

1. How often should a covered entity conduct an SRA?

An SRA should be conducted commensurate with the changing environment. The more change occurs in the physical environment, policies, and staff, the greater the possibility of new risks emerging, and existing risks becoming more severe. With a rapidly changing environment you might consider an SRA every quarter; with a stable environment every three (3) years may be sufficient.

2. What are the benefits of a third-party risk assessment compared to internally conducted SRAs?

Third-party risk assessments can offer industry-leading expertise. Additionally, they are independent from any employee prejudices of the environment and provide a fresh set of eyes. However, having internal staff members trained can provide cost savings as well as rapid responses to new threats or situations.

3. Should I contract out everything to avoid dealing with all the security requirements myself?

This can be a great solution, since some covered entities have many clients and already have experience managing EPHI as required by HIPAA and conducting SRAs. However, many businesses do not have that experience. When subcontracting IT services, such as hosting your EHR offsite, ensure that the business associate agreement (BAA) includes all security items for which the business associate (BA) is responsible. Additionally, obtain evidence that they are actually doing what is required. While you may be able to avoid direct penalties from OCR by this method, when a breach occurs there can still be damage to your reputation, high staff turnover, and indirect financial cost that often amounts to six (6) figures even for small clinics.

4. I have an employee who is HIPAA certified; does this offer me security?

Security is only as deep as the individual’s expertise. There is no government-backed certification program, and all certifications are simply private guarantees. Sitting down with a HIPAA lawyer and other HIPAA security experts at least once can make a huge difference in the security of the site.

5. Do I need to have an employee who is an expert in hacking to avoid a breach?

No. There are many tools available to secure your network and IT equipment that require only a general IT background. Consider purchasing some of the industry tools to help facilitate security. Oftentimes, installing these tools will help educate your staff on security in the process.

National Health IT Week: 10 Steps to Protect My Covered Entity From Breach

As part of National Health IT Week, InfoGard presents a prerecorded webinar detailing 10 steps a covered entity can take to help protect itself from a breach.

Our technical staff will be answering questions about this presentation, HIPAA requirements, and security risk assessments via email and here on the blog throughout National Health IT Week. Send your questions to

Slides from this presentation can be found here.


InfoGard is a Proud Partner in National Health IT Week

This October, InfoGard Laboratories is a Proud Partner in National Health IT Week. National Health IT Week is the premier event offering all healthcare stakeholders an opportunity to unite under one banner, expressing the benefits that health information technology (IT) brings to U.S. healthcare. “One Voice, One Vision.”

Initiated in 2006 by the Healthcare Information and Management Systems Society (HIMSS), National Health IT Week has emerged as a landmark occasion for using health IT as part of the overall solution to improve America’s healthcare as a bipartisan, federally led, market-driven initiative.

The Week consists of events in Washington DC and across the country, including National Health IT Week participants (vendors, provider organizations, payers, pharmaceutical/biotech companies, government agencies, industry/professional associations, research foundations, and consumer protection groups) all working together to elevate national attention to the advantages of advancing health IT.

As the healthcare community becomes more technologically advanced, InfoGard sees the increasing concern of protecting patient health information (PHI), especially in electronic form. As part of National Health IT Week, InfoGard will release a prerecorded webinar presenting 10 steps that detail how a covered entity can protect itself from a potential breach. Following the presentation, viewers will have the opportunity to submit questions via email which will be answered by InfoGard’s technical staff and posted on our Health IT Blog throughout the Week.

The webinar will be released here on the blog at 11am PDT on Tuesday, October 6, 2015. Visit for a full list of the Week’s activities.

2015 Edition Proposed Rule – Change Reporting for Certified EHRs

In the 2015 Edition Proposed Rule, ONC has put forth a recommendation that would require ONC-ACBs to obtain monthly reports from developers of certified EHR products of any adaptations or updates made to their certified EHRs. These reports would provide awareness to ONC-ACBs of changes and adaptations that could in turn feed into decisions of when to conduct surveillance on a specific EHR (see blog post from May 4, 2015).

2015 Edition Proposed Rule – ONC’s Proposed Surveillance Requirements, “In-the-field”

In the 2015 Edition Proposed Rule, ONC proposes to require in-the-field surveillance to be conducted by ONC-ACBs. The concept of in-the-field surveillance has been included in previous Rules, but here ONC provides further guidance on when it must be utilized.

In the Proposed Rule, “in-the-field” is defined as, “an ONC-ACB’s assessment of whether a certified Complete EHR or certified Health IT Module to which it has issued a certification continues to conform to the certification’s requirements once implemented and in use in-the-field.” ONC goes on to clarify that this would require the ONC-ACB to perform the assessment utilizing PHI (or equivalent test data) at a user site.

Health IT Module

2015 Edition Proposed Rule – Changing “EHR Module” to “Health IT Module”

In the 2015 Edition Proposed Rule, ONC has recommended that the term “EHR Module” be changed to “Health IT Module”. This change would support the expansion of the ONC Health IT Certification Program to include other types of Health IT besides just EHRs.

ONC has already removed the term “Complete EHR” for any edition after the 2014 Edition (see the 2014 Edition Release 2 Final Rule). The change to Health IT Module would remove the term “EHR” from the Certification Program entirely.

Retail Payment vs Medical Record Breaches

Those of us involved in the information security business receive lots of questions from friends, neighbors and family related to their concerns about privacy. At InfoGard, we are heavily involved in evaluating the security of both Healthcare IT and retail payment devices and systems. Questions related to the vulnerability of retail payments have become increasingly common. However, little concern is voiced about the safety of healthcare records. While everyone has heard about Target’s, Supervalu’s (Albertson’s) and Home Depot’s breaches, and more recently, Kmart, the general public lacks an awareness of healthcare breaches. Furthermore, even when they hear the dismal history, they lack the same level of concern.

Future Interoperability Challenges

The future effectiveness of Health Information Exchanges (HIEs) requires all healthcare related information to be available on demand to any authorized individual anywhere in the country. Many government programs and initiatives must come together to make this happen. Even responsible government officials are not aware of all related efforts underway.

InfoGard is Attending HIMSS14

We will be sending three representatives to the HIMSS Conference in Orlando, FL (HIMSS14) on February 23-27. InfoGard representatives that will be attending include CTO Doug Biggs, Senior Account Manager Steve Wilson, and EHR Program Manager Milton Padilla. We look forward to the opportunity to talk with you about your EHR and EPCS requirements. Please contact or call us at 805-783-0810 to make an appointment to speak with one of them. See you at the conference!

Indian Health Service Partnerships Conference

In March 2010, President Obama signed comprehensive health reform, the Patient Protection and Affordable Care Act (ACA), into law. The law makes preventive care, including family planning and related services, more accessible and affordable for many Americans.

Last week, August 13-15th, the Indian Health Service (IHS) Partnerships Conference annual meeting was conducted in Denver, Colorado. This meeting is focused on training for key health system staff in the Business Office, Contract Health Services (CHS) Program and Health Information Management (HIM) Program. This year’s conference topic was the implementation requirements related to the ACA.