Mbm Hipaa Hitech Ss Compliance Risk Assessment

An increased level of awareness and training is also very important, as is the cultural impact on the covered entity's (CE's) environment. How you proceed to successfully train staff and change the culture depends on the choice of an external HIPAA-HITECH privacy and security auditor. Simply stated, your external auditor should possess the skills and knowledge to comprehensively evaluate every aspect of HIPAA-HITECH's impact on your practice. Upon completion of an audit, each area should have its findings, impact and corrective action plan documented. The action plan should incorporate the training requirements and a training plan that addresses the specific requirements of each staff member's job function within the practice.


  1. MBM eHealthCare Solutions: HIPAA-HITECH Privacy & Security Consulting
     Our HIPAA-HITECH compliance consulting services include:
     • Compliance Assessment
     • Risk Control Analysis
     • Readiness Assessment
     • Compliance Remediation
     • Compliance Audits
     • Compliance Training
  2. What is HIPAA?
     The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
  3. Overview of the HIPAA Rule
     The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
  4. HIPAA Security Considerations
     The HIPAA Security Rule addresses electronic protected health information, or ePHI.
     • 19 standards, 42 implementation specifications
     • The documentation requirement is daunting
     • Little prescriptive guidance is provided on how to meet the requirements
     • Limited availability of resources
     • Security expertise is expensive
  5. HIPAA Security Rule Specifics
     The following are examples of specific HIPAA requirements:
     • Administrative Safeguards Standards
       – Security Management Process (Risk Analysis, Risk Management)
       – Information Access Management
       – Security Awareness & Training
     • Physical Safeguards
       – Workstation security and device/media controls
     • Technical Safeguards
       – Access controls to ePHI
       – Audit controls and transmission security
     • Organizational Requirements
       – Business Associate (BA) contracts addressing security of ePHI
       – Policy and procedures documentation
  6. The HIPAA Final Security Rule
     §164.306(a) General requirements. Covered entities must do the following:
     (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
     (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
     (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
     (4) Ensure compliance with this subpart by its workforce.
  7. Summary of the HIPAA Rule
     The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
     The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
  8. What is the HITECH Act?
     HITECH stands for Health Information Technology for Economic and Clinical Health. It is part of the American Recovery and Reinvestment Act of 2009 passed by the U.S. Congress. The act pushes medical establishments to adopt and make use of Electronic Health Records (EHR), with a deadline in the year 2019.
     The government offers incentive programs for medical establishments that follow the HITECH Act. Converting records into EHR systems is highly recommended for better security while providing easy access to files when needed. Those who are not able to comply with the HITECH Act will be penalized as stated in the act, something medical practices are not keen on experiencing; hence the move to EHR.
  9. HITECH Overview
     The HITECH Act is by far the boldest move of the government in the hope that medical practices will use the latest technology available to help facilitate better service to their patients. The paper filing system is a thing of the past. With the HITECH Act, medical practices no longer have to spend precious minutes writing down patient information when they can simply enter it into their computer and save it with a click of a mouse. Through this act, medical facilities will no longer spend a lot on form sheets, storage centers and the like just to house patient information. What's more, the HITECH Act makes it convenient for patients to get checked up when needed without having to fill out yet another form during their visit. Through EHR, patients can get the right diagnosis and treatment since all the information needed by the doctor can be accessed quickly through the medical establishment's computer database.
  10. What is a Compliance, Risk & Readiness Assessment?
     • Compliance Assessments answer questions like: "Where do we stand with respect to the regulations?" and "How well are we achieving ongoing compliance?"
     • Risk Assessments (Risk Analysis, in HIPAA terms) answer questions like: "What is our risk exposure for information assets (e.g., PHI)?" and "What do we need to do to mitigate those risks?"
     • Readiness Assessments answer questions like: "Have we implemented adequate privacy safeguards?", "Have we implemented adequate security safeguards?" and "Are we ready for an audit?"
  11. Risk Analysis
     HIPAA requires that each covered entity conduct a formal risk analysis. Specifically, this means:
     – Analyze the risks and vulnerabilities to the ePHI the covered entity creates, maintains, stores or transmits
     – Understand the probability of these risks and vulnerabilities being realized
     – Assess the measures already in place to reduce these risks
     – Analyze its information and applications to find what is critical and what is not
     – Conduct a formal risk analysis that balances the cost of security against the expected value of losses
     – As a result of the analysis, each entity must have a formal risk management process that reduces risk to an acceptable level
  12. Risk Analysis Overview
     Risk analysis is the first process in the area of risk management. The final HIPAA Security Rule establishes both risk analysis and risk management as required implementation specifications.
     The objective of risk analysis is to "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity" (§164.308(a)(1)(ii)(A)).
  13. Risk Analysis & NIST Methodology
     Our Risk Analysis software uses the methodology recommended by the National Institute of Standards and Technology (NIST) in SP 800-30 as its core component. There are 9 steps:
     1. Understanding your environment (system characterization)
     2. Threat identification
     3. Vulnerability identification
     4. Assessment of how you safeguard your systems now (control analysis)
     5. Likelihood determination (what is the likelihood of a threat exploiting a vulnerability?)
     6. Impact analysis (which systems are "mission critical", and what is lost if they are compromised?)
     7. Risk determination (ranking these risks)
     8. Control recommendations (what are the answers or solutions for your risks?)
     9. Results documentation (documenting or reporting your results)
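The following Python example is added here to show what steps 4 through 9 of that methodology look like when carried out on concrete findings; it is not MBM's software and not code from NIST. It uses the qualitative scales of the 2002 edition of NIST SP 800-30 (likelihood weights Low 0.1, Medium 0.5, High 1.0; impact magnitudes Low 10, Medium 50, High 100; risk level High above 50, Medium above 10, Low at 10 or below). The four findings, the "one level of likelihood reduction for an effective existing control" rule, and the recommended controls are constructed assumptions for illustration only, not a real assessment.

```python
# Added example, not code from MBM eHealthCare Solutions or NIST.
# Implements the likelihood/impact risk determination of NIST SP 800-30
# (2002 edition) for ePHI findings. Sample findings below are constructed.
from dataclasses import dataclass

# SP 800-30 Table 3-4 likelihood weights and Table 3-6 impact magnitudes
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_MAGNITUDE = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ("Low", "Medium", "High")


@dataclass
class Finding:
    asset: str              # step 1: characterized system holding ePHI
    threat: str             # step 2: threat source / action
    vulnerability: str      # step 3: weakness the threat can exploit
    control_in_place: bool  # step 4: is there an effective existing control?
    likelihood: str         # step 5 rating before crediting existing controls
    impact: str             # step 6 rating (loss of C, I or A of ePHI)
    recommendation: str     # step 8 candidate control (constructed for the example)


def effective_likelihood(f: Finding) -> str:
    """Steps 4/5: credit an effective existing control by lowering likelihood one level.
    The one-level reduction is an assumption of this example, not an SP 800-30 rule."""
    if not f.control_in_place:
        return f.likelihood
    return LEVELS[max(LEVELS.index(f.likelihood) - 1, 0)]


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: SP 800-30 multiplies the likelihood weight by the impact magnitude."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_MAGNITUDE[impact]


def risk_level(score: float) -> str:
    """Step 7: SP 800-30 Table 3-6 risk scale: >50 High, >10 to 50 Medium, 1 to 10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(findings):
    """Steps 5 to 8 for every finding, returned ranked highest risk first."""
    rows = []
    for f in findings:
        lk = effective_likelihood(f)
        score = risk_score(lk, f.impact)
        rows.append({
            "asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
            "likelihood": lk, "impact": f.impact, "score": score,
            "level": risk_level(score), "recommendation": f.recommendation,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def report(rows) -> str:
    """Step 9: results documentation as a plain-text risk register."""
    lines = [f"{'Rank':<5}{'Level':<8}{'Score':<7}Asset: threat via vulnerability -> recommendation"]
    for i, r in enumerate(rows, 1):
        lines.append(f"{i:<5}{r['level']:<8}{r['score']:<7g}{r['asset']}: {r['threat']} via "
                     f"{r['vulnerability']} -> {r['recommendation']}")
    return "\n".join(lines)


# Constructed sample findings for a small practice (not a real assessment).
SAMPLE_FINDINGS = [
    Finding("Clinician laptop", "Theft of device", "No full-disk encryption",
            False, "High", "High", "Encrypt drives and enable remote wipe (164.312(a)(2)(iv))"),
    Finding("EHR application server", "Exploitation of unpatched service",
            "Patches applied only quarterly", True, "High", "High",
            "Monthly patch cycle with emergency out-of-band patching"),
    Finding("Front-desk workstation", "Unauthorized record viewing",
            "Shared login and no automatic logoff", False, "Medium", "Medium",
            "Unique user IDs and automatic logoff (164.312(a)(2)(i) and (iii))"),
    Finding("Offsite backup tapes", "Loss in transit", "Tapes are unencrypted",
            True, "Low", "High", "Encrypt backups and keep a chain-of-custody log"),
]

if __name__ == "__main__":
    print(report(determine_risk(SAMPLE_FINDINGS)))
```

Two things worth noticing when running it: the patched-quarterly server starts at the same High/High rating as the unencrypted laptop, but crediting the existing patch process drops it to a score of 50, which SP 800-30 classifies as Medium, not High; and the backup tapes land at exactly 10, the top of the Low band. Those boundary cases are where an assessor's judgement (and the written rationale kept for step 9) matters most, because the ranking drives which remediation is funded first.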
  14. MBM's HIPAA-HITECH Consulting Features
     • Endorsed by NIST, Homeland Defense and leading medical organizations and societies
     • Over 55 specific HIPAA requirements addressed
     • Intuitive and educational
     • Cost-effective
     • Differentiation between Required and Addressable items
     • Reporting and progress reports
       – Summary or detailed
       – Remediation reporting
       – Priority and status tracking
       – Gap analysis
       – SAL diagrams
     • Tips, definitions, and example compliance efforts
     • Recording of comments and compliance documentation
     • Blueprint necessary for HIPAA Security compliance
     • We work with your IT group and organization
  15. Value Proposition
     • The HIPAA Security Rule compliance date was April 2005
     • The rule is complex and requires your practice to ensure the security of ALL electronic protected health information
     • Considering the potential costs and effort associated with compliance, it is a mistake to install HIPAA "solutions" without first understanding HIPAA "problems"
     • The cost of remediation is greater than the cost of an independent audit
     • We have cost-effective solutions that ease the pain of HIPAA Security compliance
  16. MBM eHealthCare Solutions Benefits Summary
     • Comprehensive analysis and support
     • Scalable for any size organization or environment
     • Minimal learning curve for your staff
     • Minimal training needed
     • No hidden costs
     • Use as your blueprint for HIPAA Security compliance
     • Eliminate employee training expenses and purchases you may not actually need
     • Helps you make informed decisions about HIPAA Security and what is correct for your institution
     • We offer most of the products needed to facilitate remediation
  17. Contact Information
     For more information contact us at MBM eHealthCare Solutions.
     Web site: http://www.mbmehs.com
     Email: info@mbmehs.com
     Phone: 800-236-2498
     10880 Glenhurst Pass, Suite 101, Johns Creek, GA 30097