|HIPAA AUDITS & ASSESSMENTS|
|KNOW YOUR HIPAA COMPLIANCE STATUS|
The wide variety of changes included in the American Recovery and Reinvestment Act (ARRA) makes it imperative that every Covered Entity (CE) and Business Associate (BA) reevaluate its level of compliance with the Privacy and Security rules of the Health Insurance Portability and Accountability Act (HIPAA).
The ARRA changes affect individual rights, non-compliance penalties and breach notification, among other areas. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the ARRA stimulus bill, has major ramifications for the implementation of health IT and electronic health records (EHR).
A HIPAA and HITECH compliance strategy incorporating a HIPAA assessment is recommended for both CEs and BAs. Assessments should include compliance evaluations of HIPAA Privacy and Security rules and should also address the HITECH compliance issues.
HIPAA Solutions, LC offers nationally recognized expertise to perform HIPAA Privacy and Security Audits that address the following areas:
- IT infrastructure - servers & operating systems
- Network infrastructure - routers, firewalls, workstations & e-mail systems
- Internal & external network systems
- User access - online applications or PHI in records
- Business processes & computer applications
- Compliance status related to the "minimum necessary" rule of HIPAA
- Policies and procedures relating to specific job functions & departments
- Analysis of implementation documentation as proof of compliance for all HIPAA / HITECH legal and technical mandates
- Tracking & documentation of uses of and access to Protected Health Information (PHI)
- Training for initial awareness & updates to address court rulings or regulatory changes
- Security of PHI at facilities & in personnel activity
|BA & GAP ANALYSIS|
BUSINESS ASSOCIATE AUDIT
A Business Associate audit will determine the exact level of compliance of a Business Associate without disrupting either the CE's or the BA's operations. Under the HITECH changes, BAs are directly subject to the HIPAA Security Rule and its penalties, so BAs and CEs are "joined at the hip" regarding HIPAA compliance. Non-compliance by a BA can negatively impact both the BA and any CE that uses the BA for services or products, including fines, audits and civil liability.
A "Verification audit" will determine whether an organization has implemented all legally required controls, confirming that each mandated Privacy and Security control exists and identifying any required controls that are missing.
|STANDARD AUDITS & ASSESSMENTS|
|ESTABLISH A BASELINE FOR COMPLIANCE|
BASIC ASSESSMENT
Tasks and personnel involved in conducting a basic (targeted) assessment would include the following elements:
- Qualified legal and technical consultants would review the existence and adequacy of privacy and security controls, i.e., policies and procedures. This is essentially a "sufficiency review of privacy and security policies and procedures."
- Consultants would review whether specific security elements for firewalls and intrusion-detection controls exist.
- Recommendations would be created addressing control requirements, including recommendations for adding missing controls and identifying the controls, privacy and security policies, or procedures that are needed.
- A privacy education presentation for internal use in PowerPoint format (on-site training priced separately).
HIGH LEVEL ASSESSMENT
Tasks and personnel involved in conducting a high-level audit would include the following elements:
- All elements of the "Basic Assessment," plus the following.
- Recommendations for changes to the content of the controls reviewed in the Basic Assessment, for basic remediation; these will discuss content that is missing and provide guidance on modifications that may be needed.
- A detailed review of the client's existing HIPAA education classes.
- Recommendations on improvement of the education classes, with discussion of the adequacy of training and recommended changes if necessary (creation of customized education can be provided on a separate fee basis).
- A detailed review of the tracking of Protected Health Information (PHI), with discussion and recommendations of changes that may be needed in business processes.
- Basic testing of networks, including evaluation of firewall protection, adequacy of intrusion detection, and breach exposures related to public web addresses, web servers, wireless infrastructure, and internal servers.
ENTERPRISE LEVEL ASSESSMENT
Tasks and personnel involved in conducting an enterprise-wide audit would include the following elements:
- An Enterprise Level Audit would provide a comprehensive review and analysis of HIPAA Privacy and Security status, applying a proprietary analytical methodology to ISO 17799 (since renumbered ISO/IEC 27002), all other relevant ISO and Federal standards, the Code of Federal Regulations, and Department of Defense standards.
- Security audit of facilities, IT infrastructure, servers and personnel.
Contact HIPAA Solutions, LC toll free at (877) 779-3004 or e-mail firstname.lastname@example.org with questions or to discuss compliance resources.