The Health Insurance Portability and Accountability Act (HIPAA) was enacted to protect the privacy and security of patient information. It is a healthcare organization’s responsibility to implement safeguards that ensure patient information is properly protected.
PRN Advisors has put together a HIPAA Security Service that helps healthcare organizations identify and implement the proper safeguards to protect patient data and to comply with the HIPAA regulations. The HIPAA Security Service consists of the following:
- Creation of 18 custom HIPAA security policies and procedures
- Performance and documentation of a detailed HIPAA Security Risk Assessment
- Online training and compliance testing for all employees
- Access to the HIPAA Compliance Portal
- Implementation of corrective action for any HIPAA Security gaps
1. Policies and Procedures
The HIPAA Security Service provides 18 policies and procedures that address the HIPAA security administrative, physical, and technical safeguards. Each policy and procedure is a separate Microsoft Word document. The policies and procedures are customized with the name of the organization.
Administrative policies and procedures
The administrative policies and procedures address the following:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedure
- Contingency Planning
- Business Associate Contracts
Physical policies and procedures
The physical policies and procedures address the following:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Control
Technical policies and procedures
The technical policies and procedures address the following:
- Access Control
- Audit Control
- Person or Entity Authentication
- Transmission Security
2. Security Risk Assessment
A detailed Risk Assessment is required under the HIPAA Security Rule.
The Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].
PRN Advisors will perform an administrative, physical, and technical assessment against the HIPAA Security Regulations. The Risk Assessment follows the methodology described in NIST Special Publication (SP) 800-30.
The output of the Risk Assessment consists of a 10-15 page Executive Summary as well as a 50+ page detailed report. The Executive Summary is an easy-to-understand overview that discusses the current state of the overall risk to systems that contain ePHI, as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities of the system, the current safeguards in place to protect the system, and the additional recommended safeguards to lower the risk to the system.
The Risk Assessment report will give a good understanding of the risks to ePHI and provide specific steps and actions that should be taken to lower the risk.
3. HIPAA Security Training and Compliance Testing
Employee training on security and protecting patient information is a requirement under HIPAA regulations.
The HIPAA security service provides in-depth training on the HIPAA Security Rule as well as advice for best practices in protecting ePHI and patient information. The training is provided in an online format which is both engaging and convenient to staff members.
Training usually takes around 1 hour to complete. Staff members can start a training session, stop, and later resume the session from where they left off. They can take the training during work hours or complete it at home after hours.
Once staff members have completed the online training, they will take a short 15-20 question online quiz to demonstrate their knowledge of the HIPAA Security Rule. If they receive a score of 80% or higher, they will receive a certificate bearing their name that acknowledges that they have successfully completed the HIPAA Security Training. If they do not receive an 80% score on the quiz, they can retake it as many times as they need to.
4. HIPAA Compliance Portal
The HIPAA Compliance Portal makes it easy to manage all aspects of HIPAA security compliance. The compliance portal will store the 18 HIPAA security policies and procedures. Employees will be able to access the policies and procedures, read summaries of each of the policies and procedures, and watch short entertaining videos that describe each policy and procedure.
5. Implementing Corrective Action
Based on the results of your assessment, there is a good chance that your organization will have to implement corrective action to meet HIPAA Security guidelines. PRN Advisors will work with your organization on a ‘right-sized’ solution to ensure you are compliant and secure.