
Mbm Hipaa Hitech Ss Compliance Risk Assessment


Page 1: Mbm Hipaa Hitech Ss Compliance Risk Assessment

MBM eHealthCare Solutions

HIPAA-HITECH Privacy & Security Consulting

Our HIPAA-HITECH compliance consulting services include:

• Compliance Assessment
• Risk Control Analysis
• Readiness Assessment
• Compliance Remediation
• Compliance Audits
• Compliance Training

Page 2

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules

Page 3

Overview of the HIPAA Rule

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Page 4

HIPAA Security Considerations

The HIPAA Security Rule addresses electronic patient health information or ePHI.

• 19 standards, 42 specifications
• The documentation requirement is daunting
• No guidance is provided to address requirements
• Limited availability of resources
• Security expertise is expensive

Page 5

HIPAA Security Rule Specifics

The following are examples of specific HIPAA requirements:

• Administrative Safeguards Standards
  – Security Management Process: Risk Analysis, Risk Management
  – Information Access Management
  – Security Awareness & Training
• Physical Safeguards
  – Workstation security & device/media controls
• Technical Safeguards
  – Access controls to ePHI
  – Audit & transmission security
• Organizational Requirements
  – BA Contracts addressing security of ePHI
• Policy & procedures documentation

Page 6

§164.306(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and

(4) Ensure compliance with this subpart by its workforce.

The HIPAA Final Security Rule

Page 7

Summary of the HIPAA Rule

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

Page 8

What is the HITECH Act?

HITECH stands for Health Information Technology for Economic and Clinical Health. It is part of the American Recovery and Reinvestment Act passed by the U.S. Congress in 2009. The act requires medical establishments to adopt and use Electronic Health Records (EHR), with a deadline in 2019.

The government offers incentive programs for medical establishments that follow the HITECH Act. Moving their records into EHR systems is highly recommended for better security and for easy access to files when needed. Those unable to comply with the HITECH Act will be penalized as stated in the act, an outcome medical practices are keen to avoid; hence the move to EHR.

Page 9

HITECH Overview

The HITECH Act is by far the boldest move by the government in the hope that medical practices will use the latest technology available to provide better service to their patients. The paper filing system is a thing of the past. With the HITECH Act, medical practices no longer have to spend precious minutes writing down patient information when they can simply enter it into a computer and save it with a click of the mouse.

Through this act, medical facilities will no longer spend a lot on form sheets, storage centers and the like just to house patient information. What’s more, the HITECH Act makes it convenient for patients to get checked up when needed without having to fill out yet another form during their visit. Through EHR, patients can get the right diagnosis and treatment, since all the information the doctor needs can be accessed quickly through the medical establishment’s computer database.

Page 10

What is a Compliance, Risk & Readiness Assessment?

• Compliance Assessments answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

• Risk Assessment (Analysis, in HIPAA terms) answers questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

• Readiness Assessment answers questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

Page 11

Risk Analysis

• HIPAA requires that each covered entity conduct a formal risk analysis. Specifically, this means:

  – Analyze the risks and vulnerabilities to the ePHI each covered entity creates, maintains, stores or transmits
  – Understand the probability of these risks and vulnerabilities
  – Assess measures already in place to reduce these risks
  – Analyze its information and applications to find what is critical and what is not
  – Conduct a formal risk analysis that balances the cost of security against the expected value of losses
  – As a result of the analysis, each entity must have a formal risk management process that reduces risk to an acceptable level

Page 12

Risk Analysis Overview

Risk analysis is the first process in the area of risk management. The final HIPAA Security Rule establishes both risk analysis and risk management as required implementation specifications.

The objective of risk analysis is to "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity" (§164.308(a)(1)(ii)(A)).

Page 13

Risk Analysis & NIST Methodology

Our Risk Analysis software uses the recommended National Institute of Standards and Technology (NIST) methodology as its core component. There are 9 steps:

1. Understanding your environment (system characterization)
2. Vulnerability identification
3. Threat identification
4. Assessment of how you safeguard your systems now (control analysis)
5. Likelihood analysis (what is the likelihood of a threat happening?)
6. Impact analysis (are there any systems that are "mission critical"?)
7. Risk determination (ranking these risks)
8. Control recommendations (what are the answers or solutions for your risks?)
9. Results documentation (documenting or reporting your results)
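The nine steps above, and the cost-versus-expected-loss balance asked for on the Risk Analysis slide (Page 11), carried through as an added worked example. This is illustration code written for this page, not the MBM software and not a NIST tool. It assumes the numeric likelihood/impact scale from the 2002 edition of NIST SP 800-30 (likelihood 0.1/0.5/1.0, impact 10/50/100, risk high above 50 and medium above 10) is the NIST methodology the slides refer to; the assets, threats, vulnerabilities and dollar figures in the sample register are constructed.

```python
# Added worked example (not from the MBM slides): a NIST SP 800-30-style risk
# determination over a small ePHI risk register, followed by a
# cost-versus-expected-loss check on a candidate control. Scale values follow
# the likelihood/impact matrix of NIST SP 800-30 (2002); the assets, threats
# and dollar figures are constructed for illustration.
from dataclasses import dataclass

# Likelihood and impact weights; a risk score is their product (1 to 100).
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Finding:
    """One row of the risk register: a vulnerability/threat pair on an ePHI asset."""
    asset: str          # step 1, system characterization
    vulnerability: str  # step 2, vulnerability identification
    threat: str         # step 3, threat identification
    likelihood: str     # step 5, rated after accounting for existing controls (step 4)
    impact: str         # step 6, mission-critical systems rate "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk determination as likelihood weight times impact weight."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 risk scale: above 50 high, above 10 medium, else low."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def rank_findings(findings):
    """Step 7 continued: order the register from highest to lowest risk."""
    scored = [(f, risk_score(f.likelihood, f.impact)) for f in findings]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(f, score, risk_level(score)) for f, score in scored]


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Expected yearly loss: cost of one incident times incidents per year."""
    return single_loss * annual_rate


def control_is_justified(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """Step 8 check: a control is worth recommending when the yearly loss it
    removes exceeds its yearly cost (the cost-versus-expected-loss balance)."""
    return (ale_before - ale_after) > annual_control_cost


def document_results(findings):
    """Step 9: rows for the results report, highest risk first."""
    return [
        {"asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
         "score": score, "level": level}
        for f, score, level in rank_findings(findings)
    ]


# Constructed sample register (not real findings).
SAMPLE_FINDINGS = [
    Finding("EHR database server", "no audit log of record access",
            "unauthorized viewing of patient records", "high", "high"),
    Finding("Clinic laptops", "disk not encrypted",
            "device theft or loss", "medium", "high"),
    Finding("Fax server", "vendor patches not applied",
            "malware infection", "low", "medium"),
]

if __name__ == "__main__":
    for row in document_results(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']:5.0f}  {row['asset']}: {row['threat']}")
    # Constructed figures: a lost-laptop incident costing $150,000, expected
    # once every two years; full-disk encryption cuts the ALE to $5,000 and
    # costs $8,000 a year to operate.
    before = annualized_loss_expectancy(150_000, 0.5)
    print("encryption justified:", control_is_justified(before, 5_000, 8_000))
```

Run as a script it prints the ranked register and whether the sample control pays for itself. The qualitative ratings feed the ranking, while the dollar-based check shows why a control that removes a medium-ranked risk can still be the best spend when its annual cost is small relative to the loss it prevents.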

Page 14

MBM’s HIPAA-HITECH Consulting Features

• Endorsed by NIST, Homeland Defense and leading medical organizations and societies
• Over 55 specific HIPAA requirements addressed
• Intuitive and educational
• Cost-effective
• Differentiation between Required and Addressable items
• Reporting and progress reports
  – Summary or Detailed
  – Remediation Reporting
  – Priority and status tracking
  – GAP Analysis
  – SAL Diagrams
• Tips, definitions, and example compliance efforts
• Recording of comments and compliance documentation
• Blueprint necessary for HIPAA Security compliance
• We work with your IT group and organization

Page 15

Value Proposition

• The HIPAA security rules went into effect April 2005
• The rule is complex and requires your practice to ensure the security of ALL electronic patient health information
• Considering the potential costs and effort associated with compliance, it is a mistake to install HIPAA “solutions” without first understanding HIPAA “problems”
• The cost of remediation is greater than the cost of an independent audit
• We have cost-effective solutions that work to ease the pain of HIPAA Security compliance

Page 16

MBM eHealthCare Solutions Benefits Summary

• Comprehensive analysis and support
• Scalable for any size organization or environment
• Minimal learning curve for your staff
• Minimal training needed
• No hidden costs
• Use as your blueprint for HIPAA Security compliance
• Eliminate employee training expenses and purchases you may not actually need
• Will help you make informed decisions about HIPAA Security and what is correct for your institution
• We offer most of the products to facilitate remediation

Page 17

Contact Information

For more information contact us at:

MBM eHealthCare Solutions
Web site: http://www.mbmehs.com
Email: [email protected]
Phone: 800-236-2498
10880 Glenhurst Pass, Suite 101
Johns Creek, GA 30097