Medical Records Services, LLC Connected, Compliant, Collaborative Healthcare Data

HIPAA IT Security Risk Analysis

Covering over 5,000 providers of all specialties for HIPAA compliance, and over 40,000 staff trained ...

The ONC Guide to Privacy and Security - Updated 2015 (PDF download: privacy-and-security-guide 2015.pdf)


Overview of HIPAA IT SRA


The Health Insurance Portability and Accountability Act (HIPAA), through its Privacy and Security Rules, requires that the privacy and security of patient information be protected. It is a healthcare organization's responsibility to implement safeguards that ensure patient information is properly protected. MRS, LLC uses a cloud-hosted analytics engine and database, accessible anywhere at any time, to help healthcare organizations identify and implement the safeguards needed to protect patient data and to comply with the HIPAA regulations. Our process and software record, analyze, and store the assessment data so that compliance can be maintained on an ongoing basis rather than as a one-time exercise. The final outcome includes the following components:


1. A Detailed HIPAA Security Risk Assessment, including detail and summary reports and a work plan moving forward to correct any identified gaps.

2. Creation of 18 custom HIPAA Security Policies and Procedures

3. Online training covering Security and Privacy, and compliance testing to all employees with periodic updates

4. Security Incident Tracking details and log

5. Access to the HIPAA Compliance Portal (12 months)

6. Professional assistance from experienced staff only a phone call away

7. Compliance for Objective 1 under MACRA/MIPS


Security Risk Assessment


A detailed Risk Assessment is required under the HIPAA Security Rule. The Security Management Process standard in the Security Rule requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R. § 164.308(a)(1)). Risk analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization]."

MRS, LLC will perform an administrative, physical, and technical assessment against the HIPAA Security Regulations. The Risk Assessment follows the methodology described in NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments: identify threats and vulnerabilities to ePHI, determine the likelihood and impact of each, rate the resulting risk, and document the findings so that the work plan addresses the highest-rated gaps first.


HIPAA Security Training and Compliance Testing


Employee training on security and protecting patient information is a requirement under the HIPAA regulations. Standard § 164.308(a)(5), Security awareness and training: "Implement a security awareness and training program for all members of its workforce (including management)." Security training for all new and existing members of the covered entity's workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule. (Source: Department of Health and Human Services, Security Standards: Administrative Safeguards.)

The HIPAA Security Service provides in-depth practical training on the HIPAA Security and Privacy Rules as well as advice on best practices for protecting ePHI and patient information. The training is provided in an online format that is both engaging and convenient for staff members. Training requires 60 to 90 minutes to complete. Staff members can begin a training session, stop, and resume the session from where they left off. They can take the training during work hours or complete it at home after hours, from anywhere with internet access.


Once staff members have completed the online training, they take a 25-question online quiz to demonstrate their knowledge of the HIPAA Security and Privacy Rules. If they score 80% or higher, they receive a certificate in their name acknowledging that they have successfully completed the HIPAA Security and Privacy Training. If they do not reach 80% on the quiz, they can retake it as many times as they need to.

A Training Report is provided that lists each staff member who has completed training, the date and time they took the training, and the highest score they received on the training quiz. The report can be exported to MS Excel for comparison against an employee roster, so that workforce members who have never trained, or who have not yet passed the quiz, can be identified and followed up.
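The roster comparison described above, as an added example that is not part of the original page and not the vendor's software or report format. It assumes two CSV exports with the column names shown (name, email, completed_at, highest_score, and a roster with name, email, department); the sample rows are constructed for illustration. It flags three gaps a compliance officer would act on: roster members with no training record, members whose best score is below the 80% certificate threshold, and training records for people who are no longer on the roster (a prompt to confirm their access has been removed).

```python
"""Reconcile a HIPAA training report export against an employee roster.

Added example; column layout and sample data are assumptions, not the
vendor's format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample roster (hypothetical staff, example.org addresses).
ROSTER_CSV = """name,email,department
Alice Smith,asmith@example.org,Billing
Bob Jones,bjones@example.org,Front Desk
Carol White,cwhite@example.org,Nursing
Dan Brown,dbrown@example.org,IT
"""

# Constructed sample training report: one row per completed session.
# Note the mixed-case email for Alice and the departed employee "Eve".
TRAINING_CSV = """name,email,completed_at,highest_score
Alice Smith,ASmith@Example.org,2024-03-04 09:12,92
Bob Jones,bjones@example.org,2024-03-05 14:30,72
Eve Former,eformer@example.org,2024-01-10 11:00,88
"""

PASS_SCORE = 80  # certificate threshold stated in the training description


@dataclass
class Gaps:
    untrained: list       # on roster, no training record at all
    below_passing: list   # trained, but best score < PASS_SCORE (no certificate)
    not_on_roster: list   # training record with no roster entry (departed staff?)


def _key(email: str) -> str:
    """Normalise an email so case/whitespace differences between exports match."""
    return email.strip().lower()


def reconcile(roster_csv: str, training_csv: str, pass_score: int = PASS_SCORE) -> Gaps:
    roster = {_key(r["email"]): r for r in csv.DictReader(io.StringIO(roster_csv))}

    # Keep only the best score per person in case the report has repeated rows.
    best: dict = {}
    for row in csv.DictReader(io.StringIO(training_csv)):
        k = _key(row["email"])
        score = int(row["highest_score"])
        if k not in best or score > best[k]["score"]:
            best[k] = {"name": row["name"], "score": score,
                       "completed_at": row["completed_at"]}

    untrained = sorted(e for e in roster if e not in best)
    below = sorted(e for e in best if e in roster and best[e]["score"] < pass_score)
    extra = sorted(e for e in best if e not in roster)
    return Gaps(untrained, below, extra)


if __name__ == "__main__":
    gaps = reconcile(ROSTER_CSV, TRAINING_CSV)
    print("No training record:  ", gaps.untrained)
    print("Below passing score: ", gaps.below_passing)
    print("Not on roster:       ", gaps.not_on_roster)
```

Matching on a normalised email rather than on the display name avoids false gaps when one export capitalises differently or a name is entered two ways; the "not on roster" list is worth reviewing alongside the access-termination procedure, since a departed user who still appears in any system is a finding in its own right.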


Policies and Procedures


The HIPAA Security Service provides 18 policies and procedures that address the HIPAA security administrative, physical, and technical safeguards, together with a complete Privacy Manual. Each policy and procedure is a separate Microsoft Word document. The policies and procedures are customized with the name of the organization. Most organizations require few additional changes, but each document should still be reviewed to confirm that it describes what the organization actually does, since a policy that does not match practice is itself a finding in an audit.


HIPAA Compliance Portal


The HIPAA Compliance Portal makes it easy to manage all aspects of HIPAA security compliance. The portal stores the 18 HIPAA security policies and procedures and the Privacy Manual. Employees can access the policies and procedures, read a summary of each, and watch short, engaging videos that describe each policy and procedure. The portal also accepts uploads of other policies, procedures, and important documents, such as HIPAA privacy policies and procedures, disaster recovery procedures, and HR policies and procedures, so that employees can reach all of the organization's policies in one place.


Administrators of the HIPAA Compliance Portal can use it to perform the following functions:

1. Access the HIPAA security risk assessment documents.

2. Access HIPAA security and privacy policies and procedures.

3. Track and maintain all business associates including uploading any business associate agreements.

4. Track electronic protected health information (ePHI) that enters or leaves the organization.

5. Capture and record any security incidents that affect patient data or ePHI.

6. Provide HIPAA security and privacy training to new employees.

7. Track repairs or maintenance to critical areas such as server rooms and other locations that store sensitive ePHI.

8. Access employee HIPAA security and privacy training reports.



©Medical Records Services, LLC