ZenGRC

Simply Powerful GRC

ZenGRC Team

4 Steps to Ensure HIPAA Compliance

· ·

Get started with HIPAA Compliance

If your business deals with healthcare providers or healthcare data, chances are you’ve heard of the Health Insurance Portability and Accountability Act, or HIPAA. If you have to be HIPAA compliant, here are some easy ways to get started.

1. Learn the Basics.

The US Department of Health and Human Services (HHS) is responsible for HIPAA administration, and they publish a great resource called “HIPAA for Professionals”. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) added additional controls that intended to promote the use of technology. With this in mind, it’s important that the HIPAA security officer understand the security standards for which they are responsible. 

2. Identify Who You Are

  • Covered Entity: Covered entities are defined as one of the following:  Health Care Providers (such as a dentist, pharmacy, or other medical practice),  Health Plans (such as a health insurance company), or Health Care Clearinghouses (an entity that processes health information from one format to another, such as a transcriptionist who performs data entry of a doctor’s notes or a company processing paper records into an electronic format).
    • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
    • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
  • Business Associate: If you do business with or on behalf of a covered entity and you handle protected health information (PHI), they will require that you sign a Business Associate Agreement (BAA). Business associate agreements are legally binding contracts that obligate you to meet some or all of the mandates of HIPAA as a business partner.
    • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.
    • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.

3. Identify the Rules:

  • HIPAA Security Rule, which provides requirements for security, confidentiality, integrity, and availability of electronic protected health information (EPHI). Under the HIPAA security rule, security measures include technical safeguards  and physical safeguards. 
  • HIPAA Privacy Rule, which provides requirements for preventing unauthorized disclosure of electronic health information.
  • HIPAA Breach Notification Rule, which requires that you provide notification in the event of a data breach. You’ll most likely need a process and capability to notify the subjects in the event of any security incidents (the individuals whose data was subject of theft), as well as HHS. 

4. Identify controls:

  • NIST Special Publication 800-66, which provides a detailed roadmap of controls for HIPAA compliance. These controls are pulled from NIST Special Publication 800-53, which provides a comprehensive information security control library.
  • NIST SP 800-53 contains a crosswalk of its controls against the ISO 27002 framework. If you’ve implemented ISO controls, you can leverage some of your existing work to jumpstart your HIPAA compliance effort.
  • The HITRUST Alliance, a consortium of healthcare and technology companies, has created the Common Security Framework (CSF). This is a rationalized set of controls which can be used to satisfy multiple compliance regimes, including HIPAA and SOC 2.

HIPAA compliance can be complicated, but utilizing a compliance tool like ZenGRC eases the risk analysis and audit controls burden . ZenGRC comes pre-loaded with content for NIST 800-53, ISO 27001/27002, and the HITRUST CSF. It also contains consolidated content to help map the gaps between your existing programs and new requirements related to HIPAA.

ZenGRC v2.1 Release Features Improved Audit Capabilities, Simplified Customer Support

· ·

Our latest ZenGRC product release continues to deliver improvements designed to simplify management of your compliance program. New capabilities now available in v2.1 include:

 

Workflow and Task Creation Improvements

A Workflow is a set of tasks, but sometimes you don’t know what the full series of tasks are. Many of our customers have also voiced the desire to create tasks at various points within the process, where the ability didn’t previously exist. Based on this input, we’ve started a renovation of our workflow module to help simplify workflow and task creation.


With v2.1 you can now create tasks from any point in your instance, without having to create an entire workflow and related tasks. You can now create a task while looking at any list of objects.

Create tasks from any point in your instance


Going through a set of controls and need to flag a few for review? Simply click on the control object to open the preview modal, then click the ellipsis button, and then “Create task”. The new task creation function also gives you the flexibility to adjust the due date for the task, and have the option of mapping the task to other objects if needed.


Tasks created this way can be moved into an existing workflow or live in your Backlog (One-time workflow), which is a catch-all workflow for ad-hoc tasks that haven’t yet been assigned a frequency (i.e. non-recurring tasks).

Create a new task


With this update to the workflow module, you can also create a task from any object page or add tasks to currently active one-time workflow cycles, so you don’t need to have all the tasks in a workflow defined before it kicks off.

Assessment Recurrence

We are continuing to make Audit improvements, and in v2.1 we’ve added recurrence to our Assessment object. The assessment object is typically used as your workpaper for testing and concluding upon a particular control in scope for the audit.


We recognized that it’s cumbersome to create one-off assessments to review and conclude upon controls when you need to conduct these reviews on a regular basis. Consequently, we’ve added new functionality that automatically re-generates an assessment based on a frequency that you can set and edit. Assessments can now recur:

  • Never
  • Monthly
  • Quarterly
  • Semi-annually
  • Annually

Simply select the recurrence frequency when creating or editing the assessment:


Assessment Object Recurrence
Once the assessment is tested and concluded upon for effectiveness and marked as finished, the verifier receives an email. The verifier can then raise issues (i.e. create Issue objects) or request additional evidence (i.e. create Request objects). When all requests are satisfied, the verifier marks the assessment as verified and it is considered complete.

 

New Import/Export Buttons

We are constantly evolving ZenGRC to make it as user friendly as possible.  With that in mind, v2.1 introduces new import/export buttons. The icon displaying an up arrow into the cloud represents upload (import into ZenGRC). The icon displaying a down arrow into a HDD represents download (get a .csv export onto your computer).
These buttons can be found in the top right corner of any list of objects.
new import and export icons

Need help? Contact support@zengrc.com

We’ve simplified the customer support process. Need assistance? You can now send us a note at support@zengrc.com and we will get right back to you. We’re here to help.
As always, please contact us with questions about the new features available in ZenGRC v2.1.

Introducing the new Reciprocity

· ·

Reciprocity logo

Update 2024: Please note, Reciprocity officially rebranded to ZenGRC in July 2024. Any mentions of Reciprocity refer to the company and product ZenGRC.

When I first started Reciprocity in 2009 a logo was the last thing on my mind, so I picked a generic star and started building the team.  
However, as our team and ZenGRC Platform have grown, we have realized that the star logo is missing a key component of who we are – working together with our customers to help you achieve your compliance mission.
Today I’m proud to unveil our new logo, which represents the Reciprocity of today.

Reciprocity Logo

The interlocking shapes represent the strong relationship between Reciprocity and you, our partners, as well as the relationship between you, the compliance team, and the rest of your organization.  The shape when they are brought together is evocative of the zen-like infinity symbol, which is no mistake, given the name of our product ZenGRC.
The end result is a logo that we are very proud of, that represents our evolution as a company and our vision for the future. We will continue partnering with you to make your compliance program successful.
 
Photo Credit: john mcsporran

Governance, Risk Management and Compliance Definitions

· ·

common compliance terms

 
Governance, risk management and compliance is a complex and challenging business even for the most seasoned of experts. Which makes it even more arduous for those just starting out. Understandably, it is common for startups and organizations that are just beginning their compliance program to turn to an existing staff member to tackle the job, rather than hire a compliance specialist.

With that in mind, we wanted to share some common terms and definitions that are key to understand if this is your first foray into compliance:

  • Compliance – adherence to a set of rules established by a regulatory body
  • Risk – the chance that a negative outcome, financial loss, or error can damage the organization
  • Control – a step in the process that monitors and mitigates risk
  • Audit – an examination performed by an independent third party that verifies the guidelines outlined by a regulatory body
  • Attestation – like an audit, except the organization and third-party examiner share the responsibility of an inaccurate examination
  • Framework – an approach with risks, controls, and processes to put in place a compliance model
  • Regulatory body – the organization that defines the rules and methods to verify the rules
  • Standard – the specific law, rules, or requirements that make up the scope during an examination
  • Scope – the boundaries to examine, which are usually dictated by a regulatory body
  • Objective – discrete requirement within a compliance framework
  • Consolidated Objectives – common requirements across frameworks

For more information and understanding on compliance, check out our eBook, Insider’s Guide to Compliance: How To Get Compliant and Stay Agile.

Finding the Compliance Management Tool You Need

· ·

 

Many organizations today turn to Microsoft Excel as their compliance tool of choice when first undertaking a GRC program. It makes a lot of sense. Excel is widely used, just about everyone in the business is familiar with it and knows how to use it, and it offers a lot of flexibility.

But at some point in your compliance journey, as your needs expand, Excel will become more of a burden than a benefit. The challenge is knowing when you will reach that point.

We have put together a simple roadmap infographic below to help you determine if an Excel-based compliance management system will work for you, or if your needs are complex enough that you require a more sophisticated governance, risk and compliance solution.

[Click to enlarge/download infographic]

Compliance Tool Roadmap Infographic