The healthcare industry is a major target for hackers, and every medical practice must do more than merely meet HIPAA compliance standards. They must apply superior security technologies and risk management techniques to provide the highest level of data protection and risk reduction to safeguard their patients’ data. Here at AIM Services we guide covered entities and business associates on how to secure their environments and protect their data.
The regulatory requirements of the HIPAA Privacy, Security, and Breach Notification Rules mandate that organizations that create, receive, maintain, or transmit protected health information (PHI) offer the highest level of data protection. This data could exist on patient intake forms, on medical devices, or in the cloud. We can help deliver the highest level of data protection in the healthcare industry and offer solutions that will withstand an OCR audit.
AIM’s HIPAA Risk Assessment Service is an all-in-one package with a dedicated AIM Services team member. Together, the practice Compliance Officer and the AIM team member will review and complete the Risk Analysis questions, an organization profile, and customizable policies and procedures. The online tool includes interactive and engaging multimedia training videos that allow staff to complete HIPAA Privacy training. The risk assessment process will include a review of administrative, physical and technical safeguards, and will also consider criticality and impact, producing recommendations that identify mitigation strategies.
AIM Services HIPAA Security Service offers:
1. Access to the HIPAA Compliance Portal (12 months)
2. A detailed HIPAA Security Risk Assessment
3. Customized HIPAA Security Policies and Procedures
4. Online training covering Security and Privacy, and compliance testing for all employees
HIPAA Compliance Portal
HIPAA regulations are complex and confusing, but our robust, easy-to-use, secure portal makes complying easy. The HIPAA Compliance Portal offers:
HIPAA Security Risk Assessment
A Risk Assessment is a requirement of the HIPAA Security Rule and is also required for MIPS attestation, but unfortunately, time and again, the Risk Assessment is inadequate or not done at all.
The Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)). It further requires them to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).”
AIM Services can conduct an accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI at your practice. This risk assessment will be performed following industry best practice standards as described by HHS, NIST, ISACA, HIMSS and AHIMA. It should be completed at least once a year, or after the implementation of any major system change, such as an office relocation or the replacement of an EHR system containing PHI.
AIM Services will provide you with a detailed report of the practice’s vulnerability gaps, areas of non-compliance and heightened risk. Risk prioritization and mitigation decisions are made by determining which controls and measures should be implemented and the order in which they should be addressed.
The implementation components of the plan include:
Risk Assessment Process includes:
The output of the Risk Assessment consists of an Executive Summary as well as a detailed report. The Executive Summary is an easy-to-understand overview that discusses the current state of the overall risk to systems that contain ePHI, as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities of the system, the current safeguards in place to protect the system, and the additional recommended safeguards to lower the risk to the system.
The Risk Assessment report will give a good understanding of the risks to ePHI and provide specific steps and actions that should be taken to lower the risk.
Policies and Procedures
AIM Services offers policies and procedures that address the HIPAA security administrative, physical, and technical safeguards. Each policy and procedure is a separate Microsoft Word document. The policies and procedures are customized with the name of the organization.
Administrative policies and procedures:
Physical policies and procedures:
Technical policies and procedures:
Employee HIPAA Training
Employee training on security and protecting patient information is a requirement under HIPAA regulations.
Standard § 164.308(a)(5), Security awareness and training: “Implement a security awareness and training program for all members of its workforce (including management).”
Security training for all new and existing members of the covered entity’s workforce is required. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Such changes may include new or updated policies and procedures, new or upgraded software or hardware, new security technology, or even changes to the Security Rule itself.
The Compliance Portal provides in-depth practical training on the HIPAA Security and Privacy Rules as well as advice for best practices in protecting ePHI and patient information. The training is provided in an online format which is both engaging and convenient to staff members.
Training takes 60 to 90 minutes to complete. Staff members can begin a training session, stop, and later resume from where they left off. They can take the training during work hours or complete it at home after hours, from anywhere with internet access.
Once staff members have completed the online training, they will take a 25-question online quiz to demonstrate their knowledge of the HIPAA Security and Privacy Rules. If they receive a score of 80% or higher, they will receive a certificate in their name acknowledging that they have successfully completed the HIPAA Security and Privacy Training. If they do not score 80% on the quiz, they can retake it as many times as they need to.
A Training Report is provided that lists each staff member who has completed training, the date and time they took the training, and the highest score they received on the training quiz. The report can be easily exported to MS Excel for comparison against an employee roster.
HIPAA Security Officer Tips
Every HIPAA-compliant organization needs to designate a HIPAA Security Officer. The Security Officer is responsible for the organization’s implementation and monitoring of its HIPAA Compliance Program. To assist each client’s Security Officer, a monthly tip will be sent via email to guide them towards proper HIPAA compliance implementation. Because HIPAA compliance is a continuous process, the Security Officer tips serve to remind an organization to maintain and improve its compliance on a monthly basis. Each tip takes less than 5 minutes to read, and the action suggested by the tip should take no more than ½ hour per month to implement.
Management with the Compliance Portal
Organizations have to track and manage HIPAA compliance for several different and distinct HIPAA Covered Entities and/or Business Associates. This can be problematic if the individual assigned to track and manage these accounts must hold separate credentials for each affected organization. The portal provides the solution by allowing the administrator to track all managed organizations with one credential and providing easy access to the information associated with each managed organization.