Compliance | HIPAA + Cybersecurity
HamTECH Solutions offers HIPAA Management, Coaching, and Consultation to medical clients and business associates. We offer a number of HIPAA solutions that help our clients and business associates to become HIPAA compliant.
Organizations can choose either annual or monthly support to achieve compliance. We help physical therapists and rehabilitation practices, physicians, medical collection agencies, mental health practices, HIT companies, and more. We provide the tools needed to comply with HIPAA, including the HIPAA Compliance Portal.
The HIPAA program was developed by experts knowledgeable of HIPAA Security and Privacy Rules, cybersecurity, and employee training. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
Why HIPAA Management?
Healthcare organizations are on the hook for making sure their information is protected. These responsibilities include:
Maintaining the confidentiality, integrity, and availability of ePHI
Protecting ePHI from threats
Protecting ePHI from unauthorized use and disclosure
Training employees to stay compliant with the rules
Complying with these regulations can be time consuming and resource intensive. Most practitioners are so overwhelmed with other regulations and billing requirements that HIPAA can easily be overlooked or forgotten.
With HamTECH Solutions' help, HIPAA compliance can be achieved.
HamTECH Solutions' Approach
To be compliant with HIPAA, a risk assessment must be performed either annually or whenever a security-impacting event occurs, but this is only one of many steps:
Every organization is different. Applying a cookie-cutter approach to every organization is guaranteed to miss gaps.
Planning includes gathering information about the organization’s existing privacy and security protocols, EMR practices, employee access, and ePHI (electronic protected health information) use and disclosure methods.
Now that we have a better understanding of the organization, we can perform a risk assessment.
HamTECH Solutions will visit the practice and review the practice’s current privacy and security issues. These steps can significantly decrease the likelihood of a breach and ensure that “best practices” will be implemented.
Performing a security risk assessment will identify and assist in addressing an organization’s risks and security gaps.
Once the risks and security gaps have been identified and prioritized, HamTECH Solutions can assist in implementing policies and procedures that will provide guidance for management and employees.
HIPAA mitigation includes reviewing the findings from the assessments, putting together a plan, and implementing the plan.
Mitigation is an ongoing process and requires continuous monitoring and management.
HamTECH Solutions' HIPAA Coaching Program will help to reduce risks and save both time and resources.
Risk Assessment
HamTECH Solutions will perform a detailed Risk Assessment that follows the methodology described in NIST Special Publication (SP) 800-30 Revision, which is one of many steps in preventing cyber-attacks and unintended employee accidents. By identifying possible risks, specific controls can be implemented. A HIPAA risk assessment will allow key risk factors and gaps to be assessed and mitigated. The assessment will look at Administrative, Physical, and Technical Safeguards. But of course, a Risk Assessment by itself will not immediately make you HIPAA compliant.
How we do it:
Identify and document all locations where ePHI is stored
Identify and document potential threats and vulnerabilities to each storage location
Assess current security measures
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Determine additional security measures needed to lower the level of risk
Document the findings of the Risk Assessment
Deliverables include:
Executive Summary Report - The Executive Summary is a simplified overview of the overall risk to the organization's systems that contain ePHI and the remediation steps to mitigate that risk.
Detailed Risk Assessment Report - The Detailed Risk Assessment Report gives the full details of all ePHI and documents the threats to the system, the vulnerabilities, the current safeguards in place, and the additional recommended safeguards to mitigate risk to the system.
The Work Plan - The Work Plan is a prioritized list of safeguards that must be implemented. It helps keep track of the safeguards as they are implemented within the organization.
Privacy & Breach Notification
Our HIPAA Privacy and Breach Notification Center allows organizations to document breach incidents and follow recommended steps according to the breach notification rules. The Breach Assessment will help determine the overall risk to the individual(s) affected by the breach. The last section of the report gives an overall risk determination.
How we do it:
We will evaluate all 60 standards, 63 implementation specifications, and 80 audit protocols to provide actionable steps that comply with the breach notification rules.
What is included:
Documented incident in the HIPAA Portal
Breach Notification Assessment
Detailed initiatives and work to be completed
Policies & Procedures
With our HIPAA Compliance Portal we offer over 18 policies that address Administrative Safeguards, Physical Safeguards, Technical Safeguards, and the Risk Assessment, and include a privacy manual. The HIPAA portal is designed to help different organizations meet the requirements of the HIPAA Privacy, Security, and Breach Notification rules. The Policies and Procedures are customized for your organization.
How we do it:
Our Policies and Procedures are more than a set of templates. Each of our 18+ policies and procedures contains the organization's name and the flexible steps it needs to take to become HIPAA compliant.
The Administrative Safeguards are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Physical Safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
The Technical Safeguards are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”
Each Policy and Procedure is a separate Microsoft Word document. We also include guidance, both in documentation and in expert consulting.
The HIPAA Compliance Portal policies and procedures address these topics:
Administrative Safeguards:
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedure
Contingency Planning
Evaluation
Business Associate Contracts
Physical Safeguards:
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Control
Technical Safeguards:
Access Control
Audit Control
Person or Entity Authentication
Transmission Security
Other Documents and Safeguards:
Privacy Manual
Device and Media Tracking
Computer use guidelines
Tracking access to server and equipment rooms
Breach notification checklists
Vulnerability Assessment
A vulnerability assessment evaluates existing and potential threats and weaknesses in the organization’s network and provides critical insights into the network as a whole. Mitigating the vulnerabilities found prevents or deters network breaches and the devastating losses they cause. The assessment is an important step in creating a proactive information security program and should be performed routinely.
How we do it:
HamTECH Solutions and its partners conduct a series of simulated attacks to test the network.
Services include:
Phishing Testing
External Vulnerability Assessments
Wireless LAN Security Review
Network Assessment
Security Awareness Assessment
Workforce Training
Employees play a significant role in cyberattacks. One of the foundational steps in protecting ePHI is to provide security training to all employees. Security training is a requirement under the HIPAA Security Rule: the §164.308(a)(5) specification requires security awareness and training for all members of the workforce. HamTECH Solutions provides in-depth training on the HIPAA Security Rule, including best practices for protecting ePHI.
Staff members can access the training online. Training will take up to 2 hours, with the ability to pause the session. Because training is online, users can complete it during work hours or at home. After training, the user must take a quiz. After scoring 80% or higher, the user can print a certificate acknowledging completion of the HIPAA Security Training. If the score is below 80%, the user must retake the quiz.
How we do it:
The online program includes modules on:
What is the HIPAA Security Rule?
Security Awareness
Complying with HIPAA for covered entities
Complying with HIPAA for business associates
Auditing ePHI
Understanding ePHI
Protecting ePHI
Protecting Passwords
Recognizing and Preventing Malware
Using Encryption
Security Breaches and Violations
Practical Security Steps
Many more topics
HIPAA training should take place regularly and on the following occasions:
New hire
Changes to regulations
Security incidents and awareness