FAQs
This is quite a meaty article, so please feel free to use the table of contents to jump to the FAQ that interests you.
What is H.I.P.A.A.?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a U.S. federal law. The HIPAA Privacy Rule sets national standards for the protection of Protected Health Information (PHI), including the right of individuals to access and control their own health information. The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards for electronic PHI (ePHI), including access controls, audit controls and transmission security. Encryption of ePHI is an "addressable" implementation specification under the Security Rule: you must either implement it or document why an equivalent alternative measure is reasonable and appropriate for your environment.
HIPAA applies to covered entities, which are healthcare providers, health plans and healthcare clearinghouses. Business associates of covered entities, such as contractors and subcontractors that create, receive, maintain or transmit PHI on their behalf, are directly subject to HIPAA as well.
Overall, HIPAA is the law that protects the privacy and security of personal health information in the U.S. healthcare industry.
Who Needs To Comply With H.I.P.A.A.?
If you handle the PHI of U.S. patients, whether as a covered entity or as a business associate working on a covered entity's behalf, HIPAA compliance is a requirement and not a choice. Your specific responsibilities may differ from another organization's because each compliance plan is tailored to the unique environment of every company.
When Do I Need To Establish A Compliance Plan?
If you handle Protected Health Information (PHI) but are not compliant with HIPAA regulations, you are already in violation of the law. It is imperative that you become compliant immediately, and then stay compliant: HIPAA compliance is an ongoing process that requires regular reviews and updates, not a one-time project. Failure to comply can result in serious consequences, including fines and legal action.
Where are my largest areas of concern when generating a compliance plan?
To comply with HIPAA, you will want to be sure that you meet the requirements of the regulation by adopting administrative safeguards, physical safeguards and technical safeguards. The largest areas of concern when building a compliance plan are:
Risk assessment: Conducting a comprehensive risk assessment is crucial to identify the risks and vulnerabilities that exist within your organization's operations. This should include an analysis of the types of data you handle, where and how it is stored, processed and transmitted, and the threats and vulnerabilities to the confidentiality, integrity and availability of that data. The risk assessment is also what justifies the decisions you make on addressable specifications, so document it.
Policies and procedures: Developing and implementing robust policies and procedures that are specific to your organization's needs is essential for maintaining compliance. These policies and procedures should cover a range of areas, such as access controls, data retention, breach response, and employee training and awareness.
Technical safeguards: Implementing technical safeguards to protect PHI is another critical area of concern. This includes measures such as encryption, firewalls, intrusion detection systems, and regular security testing and vulnerability assessments.
Training and awareness: Ensuring that all employees are aware of the policies and procedures related to HIPAA compliance and receive regular training is essential. This will help to ensure that everyone in the organization understands their responsibilities and the importance of protecting PHI.
Business associate agreements: It is also essential to have robust agreements in place with any third-party vendors or contractors that may have access to PHI. These agreements should include provisions to ensure that these entities are also compliant with HIPAA regulations.
Why would I generate a H.I.P.A.A. compliance plan?
In short, you would generate a compliance plan because the law requires it. The broader goal of HIPAA's Administrative Simplification provisions is a standardized framework for compliance across the entire healthcare industry, so that everyone protects PHI the same way and administrative processes are simpler.
What is a Covered Entity (C.E.)?
A Covered Entity is an organization that is directly subject to HIPAA: a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (hospitals, doctor's offices), a health plan (insurance plans), or a healthcare clearinghouse. Note that health plans and clearinghouses are covered entities even though they do not deliver care themselves.
What is a Business Associate (B.A.)?
A Business Associate, or simply BA, is a third party that is contracted to perform a specific function or service for your organization, and that creates, receives, maintains or transmits PHI in the course of that work. Being exposed to PHI is the reason the relationship is subject to HIPAA. Examples of common Business Associates include IT service providers, electronic health records (EHR) or electronic medical records (EMR) vendors, and paper or industrial shredding companies.
What is a B.A.A. (Business Associate Agreement)?
A Business Associate Agreement is a contract between a covered entity (or business associate) and a business associate that will handle its Protected Health Information (PHI). The agreement sets out each party's responsibilities for protecting the PHI, limits what the business associate may do with it, and requires the business associate to report any breach or unauthorized disclosure to the other party. In summary, a Business Associate Agreement is a legally binding agreement that specifies how PHI will be handled and protected between the parties, and HIPAA requires one to be in place before PHI is shared.
How do I assign a Primary Privacy Officer?
You can assign a Primary Privacy Officer from the Dashboard.
Click 'Assign' under this option in the top-left of your Dashboard; the screen will change to a list of your users.
Find the name of the person you wish to assign this role. Then, under Actions, select 'Assign as Privacy Officer'.
How do I locate Accountable's policy and procedure templates?
To access Accountable's Policy and Procedure Templates, click the 'Compliance' option on the left-hand side of the screen. This opens a dropdown menu where you can select 'Policies and Procedures' to reach the Policy Template Library provided by Accountable.
Does your Organization have policies outside the scope of HIPAA, such as a dress code or code of conduct? While these are not directly related to HIPAA, you can add any policy or training you like to Accountable, and it is a sensible place to keep them together. Here is how to add a policy of your own design -
Under Policies and Procedures, click the blue button labeled 'Add Policy'.
A dropdown will appear with three choices. Set 'Use Template' aside for a moment (it is covered in the next FAQ) and look at 'Upload a PDF' and 'Start from Scratch'.
Start from Scratch: Clicking this opens a markup editor. If it saves you time, copy and paste the text of your policy from another document. If you have a pre-formatted document, such as a PDF file, choose 'Upload a PDF' instead and drag and drop the file.
To use an Accountable template, look toward the top of the screen, where you will see a blue banner that says 'View Template Library'. Select this to view Accountable's templated policies and procedures.
How do I edit and customize Accountable's template policies?
After selecting 'Use Template' you can update language as you see fit, right within Accountable.
How do I publish Accountable's templated policies and procedures?
To publish Accountable's policy and procedure templates, first, go to the 'Compliance' option on the left-hand side of the screen. From the dropdown that appears, select 'Policies and Procedures'. Next, choose the specific policy that you have edited and wish to publish. In the upper-right corner of the screen, you will see a large blue 'Publish' button. Click on this button to publish the edited policy and make it available for use.
*Note - Publishing a policy sends an email alert to your staff and all users that they have a new training item to complete.*
How do I invite my staff into Accountable for training?
To invite your staff into Accountable for training, go to 'People' and then select 'Invite Team Member'. Invite Team Member is a blue button in the upper-right, visible after navigating to the People section.
A large white box appears after clicking Invite Team Member. In this box, you can do several things:
Add multiple users at once - Enter a comma between email addresses to submit several users in one go.
Add from Google or Microsoft 365 - Import your users by pulling their information into Accountable from one of the two major email services.
Get Shareable Link - If your company uses Slack or a similar tool, you can streamline onboarding with this option. When a user clicks the link you provide, they can enter their credentials and sign in on their own. Treat the link as sensitive: anyone who has it can join your organization's account, so share it only through internal channels.
Next you will set requisites for the training(s) you wish for your staff to complete. Below is an explanation of what each type of training is/means.
HIPAA Training - Also known as HIPAA 101. Require this training for your staff: HIPAA requires workforce privacy training, and completing it annually is the standard way to meet that requirement.
Security Awareness - Also known as Cybersecurity 101 or Cybersecurity Basics. Require this training for your staff as well: the HIPAA Security Rule requires a security awareness and training program with periodic reminders, and annual completion is the standard way to meet it.
Company Training - Accountable is happy to host your own policies for easier training and document management. By selecting this check box, you indicate that you have policies of your own that you intend to add into Accountable and that you want your staff to train on them. Whether to check this box depends on your situation, so if you have any question, please email us before selecting it.
Policy Review - This requires the new user to review the policies and procedures you adopted from Accountable templates. Check this box so your staff can perform their annual policy attestation.
*Note - You can also bulk upload users via a .CSV file. Next to Invite Team Member under People is an option for 'Bulk Assign'.*
How would I add my vendors/third parties into Accountable?
First, navigate to 'Third Parties' on your left, then select 'Manage All'.
On the Manage All page, look to your upper-right, where you will see a blue button labeled 'Add Third Party Profile'. This is always your first step when addressing third parties. Be sure to create a third party profile for every vendor that touches PHI.
Below are instructions on how to fill the fields out to generate the profile.
Company Name - Please list the name of your Vendor here.
Website - Please list the website for your Business Associate here.
Vendor Type - If you are a B.A. yourself, select 'Partner' for fellow BAs, or 'Client' for CEs that have yet to provide you with a BAA. If you are a CE, 'Client' does not apply, since every BAA you send will be for a 'Partner'.
Services Provided - For simple tracking, provide a succinct list of what this vendor does for you.
Data Stored - List the data this vendor stores or processes for you. This documents your data flow, which you should be aware of at all times.
Risk Level - This is somewhat subjective, so choose the option you believe fits best. Base it on how much PHI the vendor touches and on the evidence you have of their controls, rather than on their size alone: a large, well-established provider with a signed BAA and mature controls can usually be marked Low, while a small local shop that handles a lot of your PHI with little evidence of controls warrants a higher rating. Mark Medium if you are at all uncertain.
Contact Information - To complete the Vendor Profile, fill in the name and email of the representative you correspond with at that company.
Create Vendor - The blue button at the bottom of the page, which builds the Vendor Profile from everything filled in above.
And there you have it! You have successfully added your vendor into Accountable. Please be sure to build as many profiles for as many vendors as you do have.
How do I execute a B.A.A. in Accountable?
Please review the FAQ just above and make sure you have first built the Profile for the Vendor you wish to execute the B.A.A. with. With that established, navigate to 'Third Parties', then 'Manage All'.
From there, select the name of the specific Company you are executing the agreement with.
This opens the 'Vendor Details' page, built from the information you provided earlier. Three tabs line the top of this page: Vendor Details, Risk Questionnaire and Agreements.
To execute the BAA from within this Vendor Profile, select the Agreements tab on the far right. Under the text 'Sign Business Associate Agreement', choose whether the entity receiving the agreement is a Covered Entity or a Business Associate. A dropdown then lists all templates by version, so that the agreement you send is always the current one.
You can preview and pre-sign the agreement. When you click the blue button marked 'Send Business Associate Agreement', the agreement is sent to your contact at that company for their signature. As soon as they sign, everything updates inside Accountable.
How do I audit vendor risk in Accountable?
Much like the FAQ above, you audit vendor risk in Accountable by navigating to 'Third Parties', then 'Manage All', and selecting the specific vendor.
Along the three tabs listed along the top of Vendor Details, you will find that the one in the center is marked 'Risk Questionnaire'.
From this page you can preview the questions before sending them and, when ready, click the blue button marked 'Assign Vendor Risk Questionnaire'. The system sends it to your vendor's point of contact and scores the answers they provide, with no further effort from you. Review the score and the answers rather than filing them away; a poor result should feed back into the Risk Level you set on the vendor profile.
How do I perform a Security Risk Assessment (S.R.A.) in Accountable?
A Security Risk Assessment is straightforward to perform within Accountable. It has two parts, which you should complete after your company training is done.
*Note - It is very important to wait to complete the items pertaining to your S.R.A. until after you have completed training for your entire Organization.*
Step One; Assessment - 50% of your S.R.A. is complete once you finish the questions in the audit found under 'Compliance', then 'Assessments'.
To perform this audit - Look to your upper-right for a big blue button marked 'New Assessment'. Clicking it brings you to a short splash page, where you can click 'Start' to begin answering the questions.
Answering the questions - This is the exact reason we ask you to wait until training is complete: many of the questions ask about a policy or procedure you have just put in place, or about something you have just trained your staff on, so you can truthfully answer 'Yes' to a fair chunk of them.
This is not to discount answers of 'No' or 'N/A'. Honesty is the best policy here: if an answer of Yes makes you uncomfortable, answer No. If something is wholly not applicable to your business model, answer N/A. Neither answer is a detriment to your compliance standing or plan; a 'No' simply records a gap you now know to close.
S.R.A. Step Two; Data Inventory - The other half of your S.R.A. requirements is found under 'Compliance', then 'Data Inventory'.
On the Data Inventory screen, look to your top-right for a big blue button marked 'Add Inventory'.
From here, there are a few fields to fill in to complete this task, listed below -
Name - Whether it is a server, a hosted environment, or something as simple as '5 Laptops', consider how the devices and systems that can 'touch' ePHI can be grouped, and name this entry accordingly.
Inventory ID (Optional) - Seen more often with larger Organizations. If you serialize your devices for tracking purposes, enter that information here. Otherwise, this field is completely optional.
Estimated Records - Note the word Estimated. The Government does not expect you to be exact, but does expect reasonable evidence that you know roughly how much PHI you work with.
I recommend thinking of it as a range, starting from 0. Then consider how many patient charts this would equate to if you picture an old-fashioned doctor's office with paper charts in large bins: 'How many charts do you have?'
Location - This can be somewhat general. For example, I live in Queens, New York, while Accountable is mainly based in Texas. If Accountable were completing a Data Inventory and put New York, New York, that would still be a reasonable answer for the sake of the Data Inventory, since it captures the general idea of where the data lives and flows.
Data Stored - Type in Protected Health Information.
Risk Level - This is somewhat subjective and case by case. The options are Low, Medium and High. A system hosted by a large, well-established provider with a signed BAA can usually be marked Low. If you know something needs tightening up, don't be shy with Medium or High; by putting in the work to fix these things now, you will save yourself a great deal of time in the future.
Contact Information - List your own information here, or that of whomever you designate as Security Officer.
Create Inventory - The blue button which, when clicked, generates your Data Inventory entry.
How do I update my billing information within Accountable?
To update your billing information in Accountable, please follow these steps:
First, look to your upper-right for where you see your name and click it.
In the drop-down, select 'Subscription'. From there, you will see a blue button which says 'Billing Portal'. Click this to update your billing information inside the Accountable application.
Is there a place in Accountable to check the progress of my staff's training?
You bet! First, please navigate to 'People'.
There you will see your team's profiles listed. The training item furthest left is HIPAA training, the second is Security training, and the last is Policy.
A green check mark denotes that the training was completed within the last 365 days, while a gold x mark denotes that the training has not been completed within the last 365 days.
To sort employees by status for each training, click the filter next to HIPAA, Security, etc. In that dropdown, select the status you want to review, either complete or not complete.
Can I send bulk email reminders to staff to complete training?
Yes! In 'People', select the individuals in need of a reminder via the check box next to their names.
After selecting those you wish to remind, choose what to remind them about.
Above 'HIPAA', 'Security', etc., the filter icon is replaced by a small bell once users are selected. Clicking this bell shows a confirmation prompt; when you select Yes, the chosen employees are sent an email reminder to complete that training.
How does the Dashboard help?
The Accountable Dashboard has many handy features for administrators. Regular users see different information, but let's look at the administrator view in more depth below.
First, you will see a progress bar which gives you broad, at-a-glance information on how far along you are in creating your HIPAA compliance plan.
Road to HIPAA Compliance:
Primary Privacy Officer
Incidents
Policies
Invite Team
Assessment
Team Training Progress
Data Inventory
Third Parties
Below the progress bar, the Dashboard shows these panels in order: Privacy Officer and Team Members, Policies, Assessment, Team Member Progress, Data Inventory, Third Parties, and Incidents.
I see there are 'Tags' I can apply to Users. Why tag users?
User tags are for segmentation. A good example of when to use them: if you wish to see how far along a particular department is in their training, tag its members when creating their user profiles and filter by that tag later to see how everyone is progressing.
What is the Data Breach Monitoring Tool?
Accountable's Data Breach Monitoring tool helps your organization manage third-party data breach risk by identifying which publicly disclosed breaches have affected employees within your organization. Our proprietary data breach risk score helps you quickly judge whether a disclosure is likely to impact your organization, and our notification system helps you notify the affected employees and prompt them to take the necessary action, such as changing their password.
How do I report an Incident in Accountable?
Begin by navigating to 'Security Monitoring' on your left-hand side and choosing 'Incident Response' from the dropdown.
From there, look to your upper-right for a large blue button labeled 'Report a Breach'.
The page that follows is 'Report an Incident'. Let's go through each field below.
Reported By - Pre-populates with the information from your user profile.
Title - This field is up to you, but here is a recommendation: keep the title simple and put as much information as possible in 'Details of the Incident'.
Category - This dropdown lets you classify the incident using the most common ways incidents happen.
Date and Time of the Incident - List this as accurately as you are able; the date of discovery starts the clock on HIPAA's breach notification deadlines.
Pay attention to the tips Accountable provides above the 'Details of the Incident' field and be sure to address each of those items in your explanation.
How would I remove access for individuals upon leaving the Company (offboard them)?
To remove Accountable access for workforce members who are no longer with your Organization, follow the steps below -
Navigate to 'People' on the left.
Select 'Manage All' from the dropdown.
Select the names of the employees who are no longer with the Organization via the check box to the left of their names.
Now, look toward the upper-right for a blue button labeled 'Offboard'.
Offboarding does not delete the employee's record; it merely archives it. Keep in mind that this only removes their access to Accountable: as part of your termination procedures you still need to revoke their access to the systems that hold ePHI.
NOTE - The last part can be a little tricky.
Until a user is selected via the check box, the option to offboard is not visible. Be sure to select the employees before attempting to offboard to avoid confusion.
Where can I go to send a training reminder to my staff?
To send a training reminder inside Accountable, use the following steps -
Navigate to 'People'.
Select 'Manage All' from the dropdown.
From 'Manage All', select one or more employees, or use the top check box to select all employees.
Now click the bell icon above 'HIPAA', 'Security' or 'Policy', depending on which training you want to remind people about.
A prompt appears before the reminder is issued. Click 'Send' to remind the selected employees or 'Cancel' to close the window.
What is the Accountable Seal of Compliance?
The Accountable Seal of Compliance is a way to show that you went out of your way and brought in third-party experts to develop your compliance plan, because you take client and patient privacy seriously.
Why am I receiving a prompt that this employee's email already exists?
This happens when an employee accidentally creates a free trial account instead of using the link you provided when inviting them into the platform. Notify Accountable's Support team or your Compliance Success Manager, providing the person's email, and they will take care of it.
Can I use my own policies and procedures?
You certainly can! In doing so, please realize that we cannot defend them. Our CSMs are not attorneys and cannot vouch for any language that was not published by Accountable.
Why are my employees receiving an upgrade prompt?
This tends to happen when an employee does not click the link in the invitation email and instead goes directly to the Accountable website. Employees must be invited by the Privacy/Data Protection Officer; they cannot sign up from the Accountable website on their own. They need to receive the invitation and click its link, which takes them to the page where they finish signing up and create their user account.
Why do I get a prompt for my employees saying pending invitation?
This happens when the employee clicks an expired invitation link. The employee should delete any invitations they have received and have the Privacy/Data Protection Officer invite them again after 3 minutes.
What typically causes this is that the employee is trying to get in without realizing that the Privacy/Data Protection Officer has just sent a new invite which has not yet appeared in their inbox. The employee must click the link in the NEWEST email invite.
Can I use my own, previously executed BAA within Accountable?
Absolutely! Keep in mind what is stated in the FAQ above regarding using your own policies and procedures, though: when you bring in your own documentation, you do so at your own risk.
How can I schedule my Final Review Call?
Please feel welcome to schedule your final review call with your CSM at this link when the time is appropriate.
Where can I download my Seal of Compliance?
You can download the Accountable Seal of Compliance by navigating to 'Compliance', then 'Seal of Compliance' and pressing the big blue button for Download on the following screen.
Still a tad confused? Please don't hesitate to reach out! It's why we're here!