The healthcare industry is a major target for hackers, and every medical practice must do more than merely meet HIPAA compliance standards. They must apply superior security technologies and risk management techniques to provide the highest level of data protection and risk reduction to safeguard their patients’ data. Here at AIM Services we guide covered entities and business associates on how to secure their environments and protect their data.

The regulatory requirements of the HIPAA Privacy, Security, and Breach Notification Rules mandate that organizations that create, receive, maintain, or transmit protected health information (PHI) offer the highest level of data protection. This data could exist on patient intake forms, on medical devices, or in the cloud. We can help deliver the highest level of data protection in the healthcare industry and offer solutions that will withstand an OCR audit.

AIM’s HIPAA Risk Assessment Service is an all-in-one package with a dedicated AIM Services team member. Together, the practice Compliance Officer and the AIM team member will review and complete the Risk Analysis questions, an organization profile, and customizable policies and procedures. The online tool includes interactive and engaging multi-media training videos that allow staff to complete HIPAA Privacy training. The risk assessment process includes a review of administrative, physical and technical safeguards, takes criticality and impact into consideration, and produces recommendations that identify mitigation strategies.

AIM Services HIPAA Security Service offers:

1. Access to the HIPAA Compliance Portal (12 months)
2. A detailed HIPAA Security Risk Assessment
3. Customized HIPAA Security Policies and Procedures
4. Online training covering Security and Privacy, and compliance testing for all employees

HIPAA Compliance Portal

HIPAA regulations are complex and confusing, but with our robust, easy-to-use, secure portal, compliance is made easy. The HIPAA Compliance Portal offers:

    • easy-to-understand, interactive, and engaging multi-media training tools that teach employees best practices to protect patient health information. After passing the quizzes, employees can print out their training certificate. Administrators can access the training reports to view when each employee completed the training and their scores
    • clear, customized HIPAA policies and procedures that align with all HIPAA Security and Breach Notification Rule requirements. Employees will be able to access the policies and procedures, read summaries of each of them, and watch short, entertaining videos that describe each policy and procedure
    • guidance through the risk assessment questions, which follow the methodology described in NIST Special Publication (SP) 800-30 Revision 1
    • a straightforward incident reporting module that will help you respond to suspected data breaches
    • the ability to track and maintain all business associates, including uploading any business associate agreements
    • the ability to track repairs or maintenance to critical areas such as server rooms and other areas that store sensitive ePHI


HIPAA Security Risk Assessment

A Risk Assessment is a requirement of the HIPAA Security Rule and is also required for MIPS attestation, but unfortunately, time and again, the Risk Assessment is inadequate or not done at all.

The Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)). The standard further requires organizations to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).”

AIM Services can conduct an accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI at your practice. This risk assessment will be performed following the industry best-practice standards described by HHS, NIST, ISACA, HIMSS and AHIMA. It should be completed at least once a year, or after any major system change, such as an office relocation or the replacement of an EHR system containing PHI.

AIM Services will provide you with a detailed report of the practice’s vulnerability gaps, non-compliance and areas of heightened risk. Risk prioritization and mitigation decisions are made by determining which controls and measures should be implemented and the order in which they should be addressed.

The implementation components of the plan include:

  • Risk score (threat and vulnerability combinations) assigned to a particular issue being addressed
  • Recommendation(s) of measures and controls selected to reduce the risk of an issue
  • Ongoing evaluation and monitoring of the risk mitigation measures

Risk Assessment Process includes:

  1. Identify and document all electronic protected health information (ePHI) repositories. Evaluate every system that stores, receives, maintains, or transmits ePHI.
  2. Identify and document potential threats and vulnerabilities to each repository. Threats include fire, flood, stolen laptops, etc.
  3. Assess current security measures. Review the security measures (safeguards / controls) currently in place to mitigate the identified risks. Examples of current safeguards include employee security awareness training, encryption, data backups, disaster recovery, etc.
  4. Determine the likelihood of threat occurrence. For each threat and vulnerability to ePHI identified in step 2, calculate the likelihood of the threat occurring. Existing security measures identified in step 3 may lower the likelihood of a threat; existing vulnerabilities identified in step 2 may raise it. Likelihood is expressed as low, medium or high.
  5. Determine the potential impact of threat occurrence. For each threat and vulnerability to ePHI, calculate the associated impact of the threat. Impact is expressed as low, medium, or high.
  6. Determine the level of risk. For each threat and vulnerability to ePHI, calculate the level of risk of the associated threat from the likelihood of the threat (step 4) and the resulting impact of the threat (step 5). Risk is expressed as low, medium, or high.
  7. Determine additional security measures needed to lower the level of risk. Based on the level of risk determined in step 6, additional security measures (safeguards / controls) may be needed to lower the risk.
  8. Document the findings of the Risk Assessment. The final step is to document and publish the findings from each step of the Risk Assessment procedure.
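To make steps 2 through 8 concrete, the following is an added example of a small risk register in Python. It is not AIM Services’ tool and not an artifact from HHS or NIST SP 800-30: the 3×3 likelihood/impact matrix, the rule that an in-place safeguard lowers likelihood by one step while an unmitigated vulnerability raises it by one step, the catalog of additional controls, and the three sample repositories are all constructed for illustration. A real assessment would replace them with the practice’s own data and the assessor’s judgement.

```python
"""Small risk-register calculator for the eight-step process described above.

Added example, not code from AIM Services or from NIST SP 800-30. The sample
repositories, the 3x3 likelihood/impact matrix, the likelihood adjustment rule
and the control catalog are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("low", "medium", "high")

# Assumed matrix: RISK_MATRIX[likelihood][impact] -> level of risk (step 6).
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

# Assumed catalog of additional safeguards keyed by threat (step 7).
ADDITIONAL_CONTROLS: Dict[str, str] = {
    "theft of backup media": "encrypt backup media and store it off-site",
    "stolen laptop": "add remote wipe and keep an inventory of mobile devices",
    "fire": "maintain tested off-site backups and a disaster recovery plan",
}


@dataclass
class Finding:
    """One threat/vulnerability pair against one ePHI repository (steps 1-3)."""
    repository: str                 # step 1: system that stores or transmits ePHI
    threat: str                     # step 2: e.g. fire, flood, stolen laptop
    vulnerability: Optional[str]    # step 2: weakness the threat could exploit
    base_likelihood: str            # analyst's starting estimate: low/medium/high
    impact: str                     # step 5: low/medium/high
    safeguards: List[str] = field(default_factory=list)  # step 3: controls in place


def shift_level(level: str, delta: int) -> str:
    """Move one step up or down the low/medium/high scale, clamped at the ends."""
    index = LEVELS.index(level) + delta
    return LEVELS[max(0, min(len(LEVELS) - 1, index))]


def likelihood(finding: Finding) -> str:
    """Step 4 (assumed rule): an existing safeguard lowers the likelihood one
    step, an unmitigated vulnerability raises it one step, else the base stands."""
    if finding.safeguards:
        return shift_level(finding.base_likelihood, -1)
    if finding.vulnerability:
        return shift_level(finding.base_likelihood, +1)
    return finding.base_likelihood


def risk_level(finding: Finding) -> str:
    """Step 6: combine likelihood (step 4) and impact (step 5) via the matrix."""
    return RISK_MATRIX[likelihood(finding)][finding.impact]


def recommendation(finding: Finding) -> Optional[str]:
    """Step 7: suggest an additional safeguard when the risk is not already low."""
    if risk_level(finding) == "low":
        return None
    return ADDITIONAL_CONTROLS.get(finding.threat, "review threat with the Security Officer")


def risk_register(findings: List[Finding]) -> List[Dict[str, Optional[str]]]:
    """Step 8: document every finding as a report row, highest risk first."""
    rows = []
    for f in findings:
        rows.append({
            "repository": f.repository,
            "threat": f.threat,
            "likelihood": likelihood(f),
            "impact": f.impact,
            "risk": risk_level(f),
            "recommendation": recommendation(f),
        })
    # LEVELS.index gives low=0 ... high=2; the stable reverse sort puts high first.
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return rows


# Constructed sample findings for a small practice (not real assessment data).
SAMPLE_FINDINGS = [
    Finding("EHR database server", "theft of backup media", "unencrypted backup tapes",
            base_likelihood="medium", impact="high"),
    Finding("Front-desk laptop", "stolen laptop", None,
            base_likelihood="medium", impact="high", safeguards=["full-disk encryption"]),
    Finding("Billing workstation", "fire", None,
            base_likelihood="low", impact="medium", safeguards=["nightly off-site backups"]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['risk']:>6}  {row['repository']:<22} {row['threat']:<22} "
              f"-> {row['recommendation'] or 'no additional control needed'}")
```

Running the block prints the register in priority order: the unencrypted backup tapes come out as high risk (medium likelihood raised to high, high impact), the encrypted laptop as medium (likelihood lowered to low, but the impact of a loss stays high), and the backed-up billing workstation as low with no further control needed. The point of keeping each step in its own function is that the report can show the auditor exactly which safeguard or vulnerability moved each score.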

The output of the Risk Assessment consists of an Executive Summary as well as a detailed report. The Executive Summary is an easy-to-understand overview that discusses the current state of the overall risk to systems that contain ePHI, as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities of the system, the current safeguards in place to protect the system, and the additional recommended safeguards to lower the risk to the system.

The Risk Assessment report will give a good understanding of the risks to ePHI and provide specific steps and actions that should be taken to lower the risk.


Policies and Procedures

AIM Services offers policies and procedures that address the HIPAA security administrative, physical, and technical safeguards. Each policy and procedure is a separate Microsoft Word document. The policies and procedures are customized with the name of the organization.

Administrative policies and procedures:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedure
  • Contingency Planning
  • Evaluation
  • Business Associate Contracts

Physical policies and procedures:

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Control

Technical policies and procedures:

  • Access Control
  • Audit Control
  • Person or Entity Authentication
  • Transmission Security


Employee HIPAA Training

Employee training on security and protecting patient information is a requirement under HIPAA regulations.

STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

Security training for all new and existing members of the covered entity’s workforce is required. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Such changes may include new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.

The Compliance Portal provides in-depth practical training on the HIPAA Security and Privacy Rules as well as advice for best practices in protecting ePHI and patient information.  The training is provided in an online format which is both engaging and convenient to staff members.

Training requires 60 – 90 minutes to complete. Staff members can begin a training session, stop, and resume the session from where they left off. They can take the training during work hours or complete it at home after hours, from anywhere with internet access.

Once staff members have completed the online training, they will take a 25-question online quiz to demonstrate their knowledge of the HIPAA Security and Privacy Rules. If they receive a score of 80% or higher, they will receive a certificate with their name acknowledging that they have successfully completed the HIPAA Security and Privacy Training. If they do not receive an 80% score on the quiz, they can retake it as many times as they need to.

A Training Report is provided that lists each of the staff members who have completed training, the date/time they took the training and the highest score they received on the training quiz.  The report can be easily exported to MS Excel for comparison to an employee roster.

HIPAA Security Officer Tips

Every HIPAA-compliant organization needs to designate a HIPAA Security Officer. The Security Officer is responsible for the organization’s implementation and monitoring of its HIPAA Compliance Program. To assist each client’s Security Officer, a monthly tip will be sent via email to guide them towards proper HIPAA compliance implementation. Because HIPAA compliance is a continuous process, the Security Officer tips will serve to remind an organization to maintain and improve its compliance on a monthly basis. Each tip takes less than 5 minutes to read, and the action suggested by the tip should take no more than ½ hour per month to implement.

Management with the Compliance Portal

Some organizations have to track and manage HIPAA compliance for several distinct HIPAA Covered Entities and/or Business Associates. This can be problematic if the individual assigned to track and manage these accounts must hold separate credentials for each organization. The portal solves this by allowing the administrator to track all managed organizations with one credential and provides easy access to the information associated with each managed organization.
