HIPAA Privacy

Compliance Officer Job Description

HIPAA Compliance Officer Job Description

3 Things to Include in Your HIPAA Compliance Officer Job Description

Today, I am discussing what 3 things your HIPAA Compliance Officer job description should include. First, I need to share some background with you: the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities and their third-party vendors to formally designate a Compliance Officer.

Your Compliance Officer will be responsible for managing the security of protected health information (PHI). That means their job description needs to outline responsibilities for establishing and maintaining HIPAA-compliant mechanisms. This is necessary to ensure the confidentiality, integrity, and accessibility of the healthcare information systems and any electronic PHI they are entrusted with.

These responsibilities will vary according to the nature and size of your organization. With that said, let me take this opportunity to tell you that it does not matter what size you are or what you do. Even if YOU are the only one who does everything, you are still required to implement each of the HIPAA requirements.

Who Can It Be Now?

Identify who in your organization has a passion for technology and a desire to keep PHI secure – this individual makes the best data security champion!! Remember: this does NOT have to be someone with an Information Technology degree!!

OR

You could outsource your HIPAA Compliance activities and designate a consultant as your HIPAA Security Officer.

And as always … remember to document your choice; an auditor may ask for it!!

Did you know?

Your HIPAA Compliance Officer is responsible for implementing the following activities:

• Analyzing risks, threats, and vulnerabilities to PHI from internal and external factors;
• Developing and implementing policies and procedures to ensure the confidentiality, integrity, and availability of the electronic PHI in your organization;
• Adopting security policies and procedures and training the workforce on how to keep PHI secure.

Third-party vendor due diligence is another element your HIPAA Compliance Officer should address for any organization that creates, receives, maintains, or transmits PHI. Every third-party vendor is required to have a current and signed Business Associate Agreement (BAA) or subcontractor agreement on file before exchanging ANY PHI. Remember: ANYONE who has access to PHI and whom you pay via a 1099 is a third-party vendor!!

Covered Entities and third-party vendors should understand that patients are entrusting them with their private and intimate details, and they expect them to remain secure.

Social Media Policy

Social Media Policy – Do You Have One?

Your social media policy should define and control your organization’s use of social media. Remember: There is no one-size-fits-all solution, so what we recommend is to review a variety of approaches in order to determine what may work well for you. Here are some resources to help you get started.

Here are some things you should consider:

• Who gets to speak on behalf of your organization and under what guidelines? For example, many organizations have selected an individual (or an organization) to serve as the “voice of the company.” By taking this approach an organization can easily implement “message control” (and damage control when necessary).
• Be sure to state clearly that protected health information (PHI) is NOT to be shared online in any way, shape, or form without the express authorization of the governance committee and the patient.
• All workforce members, including doctors and volunteer workforce, need to be trained on the organization’s social media policy (including personal use at work) as part of HIPAA training and/or employee orientation training.

The list is not exhaustive. It is intended to get you thinking about the implications of social media and the intersection with HIPAA compliance.

Social Media Policy Concepts

Start by implementing a social media policy in your practice. First, create a policy that fits YOUR culture and how you practice, and most importantly, be sure patient privacy is at the forefront.

• Make it easy to understand. If you use buzzwords, tech jargon and legalese you will confuse your workforce.
• Create a rollout plan for your new policy.
• Educate your workforce on your new policy.
• Don’t forget to include all relevant parties and departments when creating and reviewing your policy.
Social Media Healthful Tips

• Keep personal social media accounts separate from organization accounts
• Avoid “friending” patients, subscribers, and clients
• Remember things are never fully deleted on the Internet
• Private personal page posts can still be accessed and distributed
• Never repost, retweet or “regram” patient information on personal pages
• Understand the list of 18 personal identifiers – very little information can lead to a breach
• Post signs in facilities stating that photos and videos may not be taken
• Post a commenting policy on your social media sites
• Collaborate with human resources, legal counsel, risk management, privacy officer, security officer, compliance officer, marketing, and sales

During their 2018 Fall Conference, OCR shared that they will be paying more attention to social media!! Remember – they are always watching.

Need help developing your social media policy? Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

Social Media – The Good, The Bad, and The Ugly

Without guidance from Health and Human Services, it can be difficult to know how to navigate the healthcare social media rules. Providers, agencies, and brands need to create informative, engaging social content. At the same time, you need to follow industry rules and regulations.

For all the potential good, there are many risks associated with the use of social media. These are well documented, and in the case of the newer devices and technologies are only just evolving. Remembering back only a few years, computing was done on a larger and less portable device. The risks of today and tomorrow will not only be based on the applications themselves but on the smaller and more portable devices we find them running on.

Social Media – The Good

One way healthcare organizations can use social media for “The Good” is to develop social media campaigns to drive awareness on a specific topic. Examples include:

• Breast Cancer Awareness – for patients and families
• Babies – targeting new moms
• Pediatric – focusing on children’s health

Social Media – The Bad

Patients have been discussed by their caregivers. Names may not have been used, but references to a patient in a certain room, or a description of the patient or why they are being treated, may still provide enough information to identify individuals.

Negative comments can get posted about patients, co-workers, providers, working conditions, salary and benefits, or administration.

A potential risk that should not be overlooked is that on many sites anything can be posted regardless of the truth. These postings may include information that may be protected under HIPAA or can affect your brand, reputation or good name. While you may be able to block or remove posted content, you will have no control of where it may have been copied to or whom it was seen by.
A disclosure or incident may have occurred which will require time and resources to address, even though your organization may have had nothing to do with posting it in the first place.

Social Media – The Ugly

When I say ugly, I MEAN UGLY!!

This was reported in June 2018: an EMS worker from Tennessee responded to a call after a patient suffered a heart attack in his chicken coop, but … posted the following on her Facebook account:

“Well, we had a first… We worked a code in a chicken coop! Knee deep in chicken droppings.”

In the comment section to her post, the worker also wrote, “It was awful,” and “I’m pretty sure y’all could smell us in dispatch”

The patient’s wife called the County EMS to complain about the post, but they didn’t return her call.

DO NOT IGNORE PATIENT PRIVACY COMPLAINTS – even if it IS social media!!

Healthcare social media is NOT something anyone should do without understanding the implications of their actions.

Do you think this Facebook post is a HIPAA violation?

Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

Social Media – When Things Get Really Ugly

When Things Get Really Ugly …

Here is an example of what NOT to do on social media!! This post was made in a PUBLIC Facebook group for medical billers. When I saw it …

That’s right it did make my blood boil.

I immediately sent a private message to the originator of the post to let them know they had shared protected health information (PHI). I waited over 24 hours and if you know me and HIPAA that was a REALLY LONG, LONG, LONG TIME!! When that didn’t work I added a public comment that the post violated HIPAA. Then added an image to help clarify my point:

The post was eventually taken down but not before I was able to capture it. Who knows who else also has a copy of it too since it was in a PUBLIC Facebook group!!

Here is exactly what they wrote including spelling errors (PHI redacted for this article):

Good Afternoon. I am in need of some advice regarding a BBB complaint filed by a patient and how to respond to the complaint without violating HIPAA. We treated an entire family (xxxxxxxxxxxxxxxxx [patient genders identified] that ranged in age from xxxxxxxxx [ages identified]) for physicaltherapy (PT) following an xxxxxxxxxxx, from the onset the Mom lied to us and told us that she did not have an attorney then she refused to give us the xxxxxxxxxxx information to file claims to and the list goes on and on. One of the last visits that we saw the Mother she was sitting in a chair in one of our PT roooms when one of our PT aides dropped a small padded board (weights less than half an ounce) that we use for physical therapy treatment and it hit the Mom on the forehead, we called the physical therapist in, he looked at it, there was no bruising or any mark whatsoever. Patient stated she was fine. The physical therapist even asked the patient if she needed to go to the ER. The patient replied, NO, that she was fine. The patient continued her treatment that day and returned for 4 more additional visits which completed her PT treatment plan.
One month later we receive notice that we are being sued by this patient because of her ongoing injury caused by being hit in the head. She states she has severe whiplash and has been having heaaches sincee the incident. We had filed all the claims for the husband and the kids to Tricare, they paid all of the claims but the patient had a copay on each visit (Current Balance approximately $2000.00) The Mom’s claims were sent to Medicare, all of the claims were denied beacuse of the “auto accident” therefore the Mom currently has a balance of over $6000.00! In August, a representative from her auto insurance called and requested a copy of itemized billing records on the husband and the four daughters so that they could write us a check for the outstanding baalnce. This information was sent to them. A few weeks later the Mom started calling requesting itemized statements as well stating that she wanted to get reimbursed from her auto insurance for the copays. I was told by the owner that we were not to speak her, that since she had a pending lawsuit that she needed to direct all of her questions through her attorney. She refuses to do so and continues to call and leave very vulgar messages on our voice mail. First of all, the patient is receiving statements each and every month so she knows exactly what her balance is! I think she found out that the insurance company would reimburse her for the copays so she thought she would try to get the check written directly to her instead and then never pay us. Now she has filed a BBB complaint against us stating that she has been requesting a statement from us for over 6 months so that she can pay us and that we refuse to take her calls and we will not send her a statment. I am so fed up with this account! I share this post with you to make a point of how easy it is to violate patients’ privacy on social media. 
As you can see the post contains enough information to identify who the patients are by linking it to where the person works. Healthcare social media is not something anyone should do without understanding the implications of their actions.   Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

When it comes to healthcare, what does Minimum Necessary mean?

HIPAA Privacy Rule Minimum Necessary

In this week’s “Know The Rules!,” I am discussing the Privacy Rule minimum necessary standard [45 CFR 164.502(b), 164.514(d)].

Minimum necessary applies: When using or disclosing protected health information (PHI) or when requesting PHI from another Covered Entity (CE) or Business Associate (BA), a CE or BA must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

Here Is How the Rule Works

The Privacy Rule requires CEs and their BAs to evaluate their practices and take reasonable steps to limit uses, disclosures, or requests of PHI.

The minimum necessary standard does not apply to the following:

• Disclosures to or requests by a healthcare provider for treatment purposes.
• Disclosures to the individual who is the subject of the information.
• Uses or disclosures made following an individual’s authorization.
• Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
• Uses or disclosures that are required by other law.

CEs and BAs are required to develop and implement policies and procedures appropriate for their organization, reflecting the organization’s business practices and workforce. Your policies and procedures must identify the persons or classes of persons who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.

What Does This Mean?

PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Likewise, for a small practice, your receptionists should not have access to treatment records and nurses should not have access to patient financial data.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure. Don’t forget: keeping your patients’ PHI secure IS your responsibility!

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.

HIPAA Notice of Privacy Practices

Get to Know the HIPAA Notice of Privacy Practices

The first time you see a healthcare provider or dentist (known as a Covered Entity), check in to a hospital, or change health insurance coverage, you will likely be asked to read and sign several different forms. One of those forms is called the Notice of Privacy Practices (NPP). The NPP explains your rights regarding the privacy of your protected health information (PHI) and how it can be used or shared.

Most providers must give you the NPP at your first appointment, and most health plans must give you the NPP when you enroll. A copy of the NPP must be posted in a clear, easy to find location in a doctor’s office, pharmacy or hospital, be mailed to you by your health insurance company, or be posted on a provider’s or health insurance company’s website. If you can’t find it, ask for it; your provider or health insurance company must give it to anyone who asks for it.

4 Things the Notice of Privacy Practices Must Include

The NPP must describe:

• How the HIPAA Privacy Rule allows providers to use and disclose PHI. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.
• The organization’s duties to protect health information privacy.
• Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated.
• How to contact the organization for more information and/or to make a complaint.

When Should I Receive the Notice of Privacy Practices?

You will usually receive a copy of the organization’s NPP at your first appointment. In an emergency, you should receive the NPP as soon as possible after the emergency.

The NPP must also be posted in a clear and easy to find location where patients are able to see it, and a copy must be provided to anyone who asks for one. If an organization has a website, it must also post the notice on its website.
A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years, and you can ask for the notice at any time.*

*Note: A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and/or dependents.

Do I Have to Sign it?

The law requires your provider, hospital, or other care providers to ask for written proof that you received the Notice of Privacy Practices, or what they might call an “acknowledgement of receipt.”

The law DOES NOT require you to sign the acknowledgement form. If you choose NOT to sign, your provider must keep a record that they did not get your signature, but they still have to treat you.

But, if you sign it, you have NOT given up ANY of your rights or agreed to ANY special uses of your health records. It simply means you are acknowledging you received the provider’s Notice of Privacy Practices.

Covered Entities and third-party vendors should understand that patients are entrusting them with their most private and intimate details, and they expect them to remain secure.

Anti-Kickback Statute

Today, I am presenting a case study of what happens when a Covered Entity (CE) and a pharmaceutical company collude to violate the Federal Anti-Kickback Statute and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Healthcare has a Federal Anti-Kickback Statute (AKS), 42 U.S.C. § 1320a-7b(b), that makes it illegal for providers to knowingly and willfully accept bribes or other forms of remuneration in return for generating Medicare, Medicaid or ANY other federal health care program business.

What does remuneration mean under the Anti-Kickback Statute?

The AKS provides criminal penalties, as defined in the table below, for individuals and entities that knowingly and willfully offer, pay, solicit or receive remuneration in order to induce business(es) for which payment(s) may be made under a federal healthcare program.

Kickbacks in healthcare have led to:

→ Overutilization
→ Increased program costs
→ Corruption of medical decision making
→ Patient steering
→ Unfair competition

Did You Know?

The kickback prohibition applies to ALL sources of referrals, even patients. For example, the Medicare and Medicaid programs require patients to pay co-pays for services, and CEs are generally required to collect that money from your patients. Routinely waiving co-pays could activate the AKS, and you are not allowed to advertise that you will forgive co-payments. However, you are free to waive a co-payment IF you make an individual determination that the patient cannot afford to pay or if your reasonable collection efforts fail.

The Government does not need to prove patient harm or financial loss to the programs to show that a physician violated the AKS. A physician can be guilty of violating the AKS even if the physician actually rendered the service and the service was medically necessary.
Taking money or gifts from a drug or device company or a durable medical equipment (DME) supplier is not justified by the argument that you would have prescribed that drug or ordered that wheelchair even without a kickback.

Now that I’ve shared all that with you it is time for… Drum Roll Please!

Case Study: What Happens When Drug Company Offers Kick-backs To Doctors

It doesn’t happen often, but when it does, the Department of Justice (DOJ) WILL impose criminal penalties for ANY HIPAA violation(s). This is one such case that resulted in two criminal convictions – a violation of HIPAA and obstructing a criminal healthcare investigation.

Here is what happened:

From January 2011 through November 2011, a Massachusetts gynecologist allowed a pharmaceutical company sales representative from Warner Chilcott to access the protected health information (PHI) in her patients’ medical files. She later provided false information to federal agents when interviewed about her relationship with Warner Chilcott.

On October 29, 2015, Warner Chilcott U.S. Sales LLC, a subsidiary of pharmaceutical manufacturer Warner Chilcott PLC, pled guilty to paying kickbacks to induce physicians to prescribe their drugs. Warner Chilcott agreed to pay $125 Million to resolve criminal liability and several False Claims Act allegations.

The DOJ investigation didn’t end there. In September 2018, the gynecologist was sentenced to one year of probation for violating HIPAA and one count of obstruction of a criminal healthcare investigation.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.

HIPAA Workstation Use

Workstation Use

In this week’s “Know The Rules!,” I am diving into the second standard of Physical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Standards: Workstation Use, 45 CFR § 164.310(b).

Physical security is an important component of the HIPAA Security Rule that is often overlooked. What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.

A workstation is defined in the Rule as:

“an electronic computing device, for example, a laptop or desktop computer, or any other device (including mobile) that performs similar functions, and electronic media stored in its immediate environment.”

The Workstation Use standard requires Covered Entities (CEs) and Business Associates (BAs) to specify the proper functions to be performed by electronic computing devices. Inappropriate use of computer workstations exposes CEs and/or BAs to risks, such as virus attacks, malware, compromise of information systems, and possible breaches of confidentiality.

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R). For this standard, CEs and BAs must:

“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information (ePHI).”

Many CEs and BAs may have existing policies and procedures that address appropriate business use of workstations. In this case, it may be possible for you to update your existing documentation to address security issues.

CEs and BAs must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are known and analyzed for any possible negative impacts.
The Workstation Use standard also applies to CEs and BAs with workforce members that work off-site using workstations that can access ePHI. This includes your workforce members who work from home, in satellite offices, or in another facility. Don’t forget about your temporary and volunteer workforce members too! Your workstation policies and procedures must specify the proper functions to be performed, regardless of where the workstation is located.

NOTE: The Workstation Use and Workstation Security standards have no implementation specifications, but like all standards must be implemented.

Some common practices that may already be in place include logging off or locking the workstation before leaving a workstation for an extended period of time, as well as using and continually updating antivirus software.

Sample questions for CEs and BAs to consider:

• Are policies and procedures developed and implemented specifying the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of specific workstations or class of workstation(s) that can access ePHI?
• Do your policies and procedures identify workstations that access ePHI and those that do not?
• Do your policies and procedures specify where (and how) to place and position workstations to only allow viewing by authorized individuals?
• Do your policies and procedures specify the use of additional security measures to protect workstations with ePHI, such as using privacy screens, enabling password protected screen savers, locking or logging off the workstations?
• Do your policies and procedures address workstation use for users that access ePHI from remote locations (i.e., satellite offices or telecommuters)?

NOTE: At a minimum, all safeguards required for office workstations must also be applied to workstations located off-site.
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.

Keep Your Health Information Private & Secure

Tips For Keeping Your Health Information Safe

There are laws that protect the privacy of your health information held by those who provide you healthcare services. But as it becomes easier to get and share your own health information online, you need to take steps to protect it.

Does HIPAA Protect All Health Information?

No! The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are federal laws that set national standards for protecting the privacy and security of health information. Health information that is kept by healthcare providers (referred to as Covered Entities [CEs] and their Business Associates [BAs]), health plans and organizations acting on their behalf is protected by these federal laws.

However, you should know there are several organizations that do not have to follow these laws:

• Patient owned or held information stored in a mobile app or on a mobile device, such as a smartphone or tablet.
• Information shared over social media websites or health-related online communities, such as message boards.
• Information stored in a personal health record (PHR) that is not offered through a CE or health plan covered by HIPAA.

Keep Your Electronic Health Information Secure

There are a number of ways you can help protect your electronic protected health information (ePHI). Here are some tips to ensure your PHI is private and secure when accessing it electronically.

When Using Social Media

Think carefully before you post anything on the Internet that you don’t want to be made public – do not assume that an online public forum is private or secure. If you decide to post health information on a social media platform, consider using the privacy setting to limit others’ access. Remember information posted on the web could remain there permanently.

When Using Mobile Devices

Research mobile apps – software programs that perform one or more specific functions – before you download and install any of them.
Be sure to use known app websites or trusted sources. Read the terms of service and the privacy notice of the mobile app to verify that the app will perform only the functions you approve.

Consider installing or using encryption software for your device. Encryption software is now widely available and increasingly affordable.

Install and activate remote wiping and/or remote disabling on your mobile devices. The remote wipe feature allows you to permanently delete data stored on a lost or stolen mobile device. Remote disabling enables you to lock data stored on a lost or stolen mobile device, and unlock the data if the device is recovered.

For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today!!

Mobile Devices and Protected Health Information

Mobile Devices in Healthcare

These days mobile devices and Internet of Medical Things (IoMT) devices are more powerful and hold more information than ever before, and they pose heightened security risks. This includes your smartphone, tablet, medical device (medical equipment storing electronic protected health information [ePHI]), and any other type of equipment that provides convenient access to your computer, ePHI, email, banking and social media accounts. Unfortunately, it could also provide the same convenient access for hackers.

Healthcare organizations, Covered Entities (CEs) and Business Associates (BAs), rely heavily on these devices in their organization to create, receive, maintain, or transmit ePHI and must include them in their enterprise-wide risk analysis and take action(s) to reduce risks identified to a reasonable and appropriate level. See 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

Additional risks when using mobile devices for PHI

Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen. A lost or stolen mobile device containing unsecured PHI could lead to a breach, triggering HIPAA breach notification obligations for a CE and/or their BAs.

Extra precautions should be taken when using personal mobile devices to store or access PHI, because they carry additional risks. Permitting the use of personal mobile devices must be included in the risk analysis and requires the implementation of security measures sufficient to reduce those risks. If an organization prohibits the use of personal mobile devices for work activities (especially those activities involving PHI), policies making any prohibitions clear should be in place and enforced.

Did you know?

Access to information on mobile devices need not be limited to nefarious actions by malicious software and/or hackers, but could also originate from more mundane applications.
A seemingly harmless mobile app or game may grant access to your contacts, pictures or other information on your device and send such data to an external entity without your knowledge.

As mobile devices are increasingly and consistently used by CEs and BAs and their workforce members to store or access PHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure PHI remains protected. See 45 C.F.R. § 164.306(e).

Mobile Device Default Settings

Mobile devices, similar to many other computer systems, may be delivered by third-party vendors with default settings, such as preset passwords or outdated firmware, which may create vulnerabilities. Such default settings may enable automatic connectivity to unsecured Wi-Fi, Bluetooth, cloud storage, or file sharing network services.

Organizations should take steps to ensure that mobile devices are properly configured and secured BEFORE allowing the device to create, receive, maintain, or transmit PHI. Additionally, workforce members should be trained in the proper, secure use of mobile devices to store or access PHI.

Training

Training should include educating workforce members on the dangers of using unsecured Wi-Fi networks, such as public Wi-Fi offered in airports and coffee shops, as well as unsecured cloud storage and file sharing services. Workforce members should also be trained on the risks of viruses and malware infecting mobile devices. Just as with other computer systems, malicious software that infects mobile devices could provide access to unauthorized individuals, which could result in a breach of PHI.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!