Need Assistance selecting an EMR/EHR? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit?

Transcription

1 OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit? The results of the Office of Civil Rights (OCR) pilot audit program shows: Small covered entities had more issues than larger ones. Health care providers had more problems than plans or clearinghouses. Security is the biggest problem. Secure Data Consortium Provides: HIPAA Privacy Rule Gap Analysis HIPAA Security Rule Gap Analysis Vulnerability Assessments Yearly Required Risk Assessments Breathe easier by letting the professionals of Secure Data Consortium, with over 20 years experience, guide you through the maze of HIPAA compliance. SECURE DATA CONSORTIUM At Secure Data consortium, we understand that time is of the essence. We identify and correct IT issues at Medical Practices expediently. Call us today to take the headache out of Healthcare IT! SDC (9732) info@securedataconsortium.com Need Assistance selecting an EMR/EHR? We have over 4 years experience designing and implementing practice management software. Let us ensure your practice has a smooth transition to a digital environment. Call us for a free analysis of your practice. These days a medical office typically uses products from multiple vendors. When there are problems, staff can have problems identifying exactly where the problem lies which can cause critical systems to be down for extended periods of time. These problems create frustration among staff and patients. Common problems include: Virus/Spyware Infections Printer problems Domain resources not available User(s) not able to access critical Healthcare data securely EMR/EHR not working properly PACS equipment not communicating properly Lab Equipment issues Servers/Workstations not properly maintained Dictation software/hardware malfunctioning Because we are new this market area and would like to use your office as a reference for other offices, we would be willing to offer you all of these services for the Bundled Discount Price of $3,500. Normal Price $5,000 Discounted Price: $3,500

2 Bios Shirley Singleton Shirley Singleton, Principle of Secure Data Consortium, has more than 15 years of Information Technology Consulting experience. Shirley is an accomplished Information Technology Security Professional who has directly implemented or advised on secure solutions to companies such as the world s largest retailer Walmart; the country s 5th largest property insurer Citizens Property Insurance Corporation; Citicorp, Bank of America, Vistakon and the US Department of Forestry. As a Jacksonville native who attended the University of Florida, Shirley taught herself to program multiple computer languages at age 15 and was able to successfully turn her hobby into a career in Information Technology development and systems integration. For the past 8 years she has focused on Information Security and Regulatory Compliance (HIPAA, SOX GLB, PCI) she her commitment to excellence in earning some of the industry s highest security certifications: CISSP, CSSLP and CRISC. Certifications: CISSP Certified Information Security Professional CRISC Certified in Risk Information System Control CSSLP Certified Secure Lifecycle Professional Erik Gregg Erik Gregg, Chief Integration Consultant of Secure Data Consortium has over 10 years experience in the IT field. Erik is a Network Engineer/Administrator. Erik has performed as an IT Manager for a software development company providing EMR solutions in the healthcare industry for 5 years. Erik has been responsible for securing all resources on the company networks as well as maintaining networks of between medical practices in the South Florida region complying with the strict regulations of Healthcare IT. After receiving a degree in Electronics Engineering Technology from Palm Beach State College, Erik worked for multiple companies providing Network Security solutions and Network Administration. Erik is has maintained networks that included Terminal Servers, File Servers, Application Servers and most switch, router and firewall vendors.

3 Services Services will be inclusive but not limited to the following areas. Strategy Establish in house contact person to work with in regards to user account Access Control. Establish in house contact person to work with on drafting of practice wide policies and procedures for HIPAA Security Rule compliance. Perform Gap Analysis to show present state of practices compliance to standards outlined in HIPAA Security Rule, Privacy Rule and Breach Notification. Create policies and procedures documentation to address required and addressable HIPAA standards for Security Rule, Privacy Rule and Breach Notification. Outline additional work needed to be done to satisfy compliance based off of the GAP Analysis Perform Risk Assessment (Required yearly by HIPAA Security Rule) Gap Analysis Perform a Gap Analysis of current practice current state verses a future state of full implementation of standards and requirements of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule. Security Rule Part of the Security Rule states that Covered Entities and Business Associates need to maintain reasonable and appropriate administrative, technical and physical safeguards to protected health information in electronic form (e-phi). Administrative Safeguards How do you determine what are reasonable and appropriate safeguards while still ensuring the confidentiality, integrity and availability of the e-phi? This is done through the implementation of Risk Analysis and Risk Management controls. Risk Analysis allows you to evaluate the likelihood and impact of potential risks while Risk Management addresses ways to mitigate identified risks. A yearly Risk Assessment which is a report covering both analysis and management strategy is required under the Security Rule. Technical Safeguards Access Control safeguards help to ensure that only authorized personnel with a need to know have access to e-phi while Audit Controls give you a reporting mechanism to review user access and action histories. Integrity Controls help to make sure that information is not altered inadvertently or without appropriate permission or destroyed. Transmission Controls are to help guarantee that e-phi data is not intercepted or altered by unauthorized users while being transmitted across an internal or external network.

4 Physical Safeguards Workstation and Device Security is an implementation of the Covered Entity or Business Associates policies and procedures as it relates to the use and access of workstations and electronic media. This also covers the use of removable drives and the disposal and reuse of electronic media. Facility Access and Control is used to limit physical access to the facility while ensuring that authorized access is allowed. Privacy Rule Covered Entities are subject to the implementation of the entire Privacy Rule, which includes but is not limited to the abbreviated summary of the Administrative Requirements listed below. Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity s privacy practices. Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity) A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule. Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.

5 Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented. Breach Notification Establish processes and procedures for the notification of affected individuals, the Secretary of Health and Human Services and in in some cases the media following a breach of unsecured e-phi. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information (PHI) by its workforce or its Business Associates in violation of its privacy policies and procedures or the Privacy Rule. Summary Once these policies, processes, procedures and controls have been documented and implemented they should be relatively easy for staff to maintain and update. Because we are new this market area and would like to use your office as a reference for other offices, we would be willing to offer you all of these services for the Bundled Discount Price of $3,500. Normal Price $5,000 Discounted Price: $3,500