We prepare for a world where audits are the norm, enforcement is inevitable and fines for non-compliance are costly.
We follow a well-defined and systematic process to comply with the latest requirements of the OCR HIPAA audit program:
1. Carry out or update the HIPAA risk analysis as required by the Security Rule, update the remediation plan and make progress toward remediating high-priority risks. Covered entities (CEs) should also perform a gap analysis of the HIPAA safeguards and implementation specifications to better understand where they lack the necessary controls. Pilot audit results indicate that risk analysis ranked among the top five findings for audited CEs.
2. Establish a HIPAA audit response capability. CEs selected for audit have 15 days to respond to requests for information. CEs need to specify in advance the responsive information that control owners will have to provide in the event of an audit. Examples of responsive information include:
• Letters of designation for privacy and security officers
• Evidence of how the physical, administrative and technical controls implemented to address HIPAA are operating
• A copy of the preemption analysis for determining the most stringent provisions between HIPAA and other federal, state and local health care laws
• Privacy and security policies, procedures and relevant forms
• A copy of HIPAA training records
• A sample of the current Notice of Privacy Practices, supplemented by archived versions
• A copy of the most recent internal privacy and security risk assessments, supplemented by archived versions
• Copies of HIPAA program governance reports submitted to executive management
3. Leverage the publicly available results of the pilot audit program to benchmark the organization against the most common findings. The results suggest the following key areas of weakness exhibited by the CEs involved in the pilot:
• User activity monitoring
• Contingency planning
• Media reuse and destruction
• Risk assessment
These recommendations assume that the organization already has an effective HIPAA governance structure in place to address the complexities of the regulations and the broad number of business and technology stakeholders required to support the program.
The mantra for a successful privacy and security program
IDENTIFY: Establish the HIPAA program, secure alignment of key business and technology stakeholders, and define and achieve compliance objectives.
DIAGNOSE: Perform risk analysis and control gap analysis to reveal areas of control weakness. Determine in-scope business processes including supporting systems, applications and data stores. Map the flow of PHI through business processes. Determine the controls to be implemented and prioritize key controls and systems based on risk.
DESIGN: Design remediation activities to address the highest risks.
IMPLEMENT: Execute the work plan to remediate risks identified in the applications, systems and key business processes. Implement compliance sustainability policies, procedures and tools to support ongoing compliance monitoring, testing and control attestations.
SUSTAIN: Prepare HIPAA compliance readiness packages for regulatory inspection and internal audit review. Periodically assess the program design and underlying control operating effectiveness to demonstrate compliance.
We analyze your exposure to top risks such as bad password management, misconfigured firewalls, malware hazards, remote access vulnerabilities, wireless insecurity, and social engineering.
• Top risks review
• HIPAA Security Rule checklist completion
• External and Internal network vulnerability scan
• HHS HIPAA Compliance Risk Analysis
• System vulnerability identification
• Risk Management Plan
HIPAA Compliance Validation
We conduct a guided assessment of your administrative, physical, and technical safeguards required for HIPAA security compliance. Ultimately, we help you validate your compliance.
• Guided implementation of Risk Management Plan
• Customizable security policies and procedures
• HIPAA privacy training
• HIPAA security training
• Customizable BA agreement
HIPAA compliance is not a single event but an ongoing process. Our compliance services keep you updated on HIPAA legislation changes, send compliance reminders, and provide security tips to ensure you remain compliant.