Wow what a whirlwind of a month. Since my talk at BSides San Francisco I have been in Dallas, Chicago, San Diego, and points beyond working on the intersection of HIPAA and Infosec as a new paradigm for thinking about how we secure PHI. There was also my guest piece @Tripwire on The New Normal in Breaches, Audits and Enforcement.
On top of that I got to meet with a company called HIPAAtrek, located in St. Louis, MO. HIPAAtrek was founded by an amazing group of individuals headed up by Sarah Badahman. As a quick note, I am not a client of HIPAAtrek, nor did I receive any compensation for this review. Part of what I do for this blog is work to find the best and brightest (in my opinion) products and people out there to help you navigate the HIPAA minefield. To that end, here is what I found on my run through of HIPAAtrek.
The goal behind HIPAAtrek is to develop a platform for HIPAA that works to take the complexity and expense out of compliance and compliance tracking. To that end, the people at HIPAAtrek created a web facing product that serves as the dashboard for your HIPAAtrek experience.
Dashboard and User Tracking
The basic five icons are a bit deceiving in the amount of information they really contain. The manage users tab allows you, if you choose, to manage every employee in your company, their level of training, alerts, and even when they have accessed the website to review materials. As someone who constantly struggles to get employees to do training, the ability to track, send out alerts, and badger the crap out of someone appeals immensely. There is even a dashboard to tell me who has viewed alerts or other reminders. My understanding is that in the not too distant future HIPAAtrek will offer the ability to administer and track trainings. If they can add videos, tests, and uploaded training materials, this portion of the HIPAAtrek offering will really kick it up a notch. Most audits involve the inevitable questions: who did you train; when did you train; and what did you train. Already, many certifying organizations for healthcare require these types of reports, and it would be a real cherry on top.
Policy page and to-dos
The policies page is one of my favorites. Each of the icons represents a different policy or group of policies and frankly makes it a lot easier to figure out what you are looking for when browsing. Even in my own policy set, I often have to hunt until I find something. These intuitive links make that easier. The links here are broken into 20 categories ranging from Security Management Process and Contingency Plan to Workstation Use and Breach Notification. Also, alongside each picture is a little number that indicates the number of policies contained within. Once you click one of the icons, you are taken to a policy page. Each category takes you to a page that describes the category, the overall purpose, and the policy statements that you create. Also part of this page is a nifty progress bar that gives you a percentage of completion for your HIPAA policies. Each of these policies is tagged as either ‘Finalized’ or ‘In Progress.’
This page also gives you a handy download-to-PDF option in case those pesky auditors come around or you have an employee who must have paper. Ideally, a feature will be added in the future that will track revision number, date, and edits, or even a button to track notes and/or specific things you want to remember when working in this category. Given the emphasis on business continuity and disaster recovery, I could see a place to upload your outcomes, dry runs, and findings from DR/BC simulations. This brings me to the real sweet spot and a clear differentiator of HIPAAtrek. By using this service they will help you create your own policies from scratch, import policies you have already created, and yes (gasp) review the policies you have for gaps. A lot of services out there either utilize the pump-and-dump method, where you get blank policies to fill in, or they fill out policies with zero feedback or input from the stakeholders. HIPAAtrek leverages a different model that actually feels collaborative.
I have reviewed and used a lot of HIPAA compliance programs that I have not, and would not, review. Too many firms overcharge and under-deliver in an expanding HIPAA compliance field that all too often offers fluff and stuff in place of depth and breadth. As with any compliance effort, HIPAAtrek will not do the work for you. HIPAA compliance must be looked at like climbing a mountain: you and your organization do the work, but having a sherpa (or HIPAA Sherpa) to guide you along the way makes things significantly smoother and less fraught with icefalls, audits, and crevasses. The bottom line is that audits are growing in number and breaches are expanding exponentially. Take a look at this piece I did on the OCR HIPAA Breach Reporting Data if you aren’t convinced.
Prepare now or pay later!
/s/ HH @LegalLevity