ComplianceALL

A Compliance program for Small practitioners

Meeting the Recurring Regulatory Requirements of HIPAA privacy and HIPAA Security

Exclusively for Small practitioners, payers and Business Associates

Does your organization need to comply with regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and HIPAA Security Rule? Are your internal resources stretched to capacity, leaving you without the expertise needed to identify all compliance gaps and security vulnerabilities? More than ever before, small healthcare practitioners, payers, and domestic or international business associates need to comply with regulatory requirements to protect sensitive information about their customers and patients: protected, individually identifiable health information.

The penalties associated with not meeting compliance requirements are not insignificant. Further, organizations have to expend precious internal resources to gain compliance expertise and then manage regulatory requirements for privacy and information security on a recurring basis. This can be challenging for most organizations. DumaTek can help with its COMPLIANCEALL solution, the first program of its type in the industry, worldwide.

Legislative mandates require organizations to maintain compliance with reasonable and appropriate safeguards in several specific areas. These compliance requirements translate into critical activities that must be conducted on a regular schedule, typically once a year.

On a regular schedule, small practitioners must:

  • Assess compliance with the HIPAA Privacy Rule
  • Assign responsibility to the security officer who is responsible for coordinating compliance and security initiatives
  • Conduct a comprehensive and thorough risk analysis for identifying vulnerabilities to electronic protected health information (ePHI)
  • Address requirements for contingency planning and disaster recovery
  • Develop and update security policies and procedures
  • Train all members of the workforce
  • Audit the infrastructure for compliance with the HIPAA Security Rule

Executive Summary of COMPLIANCEALL

The COMPLIANCEALL program is tailored to meet your compliance requirements. Key features of the COMPLIANCEALL program are:

  • Bundled outsourced solution for a fixed monthly fee of only $698.00/mo
  • Periodic performance of vulnerability assessments, security risk analysis, business impact analysis (BIA) and contingency planning
  • Training, certification and periodic audit and evaluation to keep your organization fully compliant at all times
  • Keeping you compliant with the regulations, to help you focus on the business of delivering exceptional services and capabilities to your clients
  • A standardized, centralized, stabilized, secure, manageable and fully documented ePHI protection system for only $4,998.00 – a one-time investment (does not include installation costs, which are estimated at $998 for up to 7 workstations – one-time cost)
  • IT on site support at discounted rates
  • Upgrade package available for Covered Entities (CEs) and Business Associates (BAs) that have an upgradeable network infrastructure in place (determined during the assessment/risk analysis)

Benefits of the COMPLIANCEALL Solution include:

  • Minimizing productivity losses from unexpected downtime
  • Enabling staff to better focus on business-critical tasks while complying with key regulations of HIPAA
  • In-depth resource capabilities with trusted knowledge of client infrastructure
  • Smoothing out volatility in resource demands and costs associated with managing information technology

DumaTek's COMPLIANCEALL program is designed to address critical regulatory requirements. This program allows customers to outsource their regulatory activities, which will lower costs and save time.

Specific Service Offerings

The figure below summarizes COMPLIANCEALL's service offerings. Each entry gives the sample regulatory requirement, its regulatory description, and the corresponding service offerings.

HIPAA Privacy Rule, 45 CFR Parts 160, 162, and 164

The Department of Health and Human Services (HHS) has issued the regulation “Standards for Privacy of Individually Identifiable Health Information,” applicable to entities covered by HIPAA.

  • Review access controls for PHI access
  • Review privacy policies and procedures
  • Perform a segregation-of-duties review of current access across systems
  • Recommend solutions to address privacy gaps

Assigned Security Responsibility

§ 164.308(a)(2)

Organizations must identify the security official who is responsible for the development and implementation of the regulation's required policies and procedures.

  • Inclusion of security responsibility as part of the job roles and responsibilities
  • Inclusion of security requirements in third party contracts / agreements

Risk Analysis

§ 164.308(a)(1)

Conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity and availability of the organization's sensitive information.

  • COMPLIANCEALL risk analysis (RA) process for quick and easy assessment, designed for the small business practitioner
  • Classify data and assets by confidentiality, integrity and availability (CIA) for business-critical data and all ePHI
  • Assess threat likelihood to assets and services, covering redundancy, virus protection, and power management
  • Evaluate the adequacy of current controls
  • Risk mapping and classification
  • Analyze control gaps
  • Identify remediation priorities
  • Prepare standardized reports
  • Client-assisted assessment process

Contingency Plan

§ 164.308(a)(7)

Organizations must establish policies and procedures for responding to an emergency.

  • Assess business processes
  • Conduct a Business Impact Analysis (BIA)
  • Analyze the existing recovery plan and contingency measures
  • Develop recovery strategies
  • Develop contingency plan documents
  • The on-site COMPLIANCEALL server provides a full Backup and Disaster Recovery System (BDRS) consisting of: mirrored hard drives for redundancy; systematic daily, weekly and monthly backups of all ePHI and the data required to run the business; restore procedures to guarantee good backup sets; and an off-site backup solution as a last resort for restoration after a complete or natural disaster
  • Remote assistance for minor data recovery situations

Security Awareness and Training

§ 164.308(a)(5)

Organizations must implement a security awareness and training program for all members of the workforce.

  • Complimentary periodic training and awareness programs on security policies for employees and contractors

Security Incident Procedures

§ 164.308(a)(6)

Organizations must implement policies and procedures to address security incidents.

  • Training all staff on identifying what constitutes a security incident
  • Training all staff on how to respond to and report a security incident
  • Provided template of the COMPLIANCEALL standardized Security Incident Report Form (SIRF) for tracking security incidents

Evaluation

§ 164.308(a)(8)

Organizations must perform periodic evaluations to determine the extent to which the security policies and procedures meet regulatory requirements.

  • Periodic review of information security policies and procedures
  • Review changes to regulatory requirements and make necessary changes to policies
  • Update standards, baselines and procedures to comply with policies
  • Develop dashboard reporting to clearly establish state of compliance
  • Assess the remediation actions recommended in the risk analysis against the actions actually taken by the organization to mitigate risk
  • COMPLIANCEALL evaluations produced accurately from tallied SIRF and SOAF information

Audit Controls

§ 164.312(b)

Organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

  • The on-site COMPLIANCEALL server maintains critical logs of information in a domain-controlled environment
  • The COMPLIANCEALL server is equipped with a standardized tracking system with playback capabilities for all staff computer activity (specific privacy and security training is added to address privacy rights and usage of the tracking system)
  • Provided template of the COMPLIANCEALL standardized Security On-site Authorization Form (SOAF) for tracking on-site repair or replacement activity in information systems that contain or use ePHI

Policies, Procedures and Documentation

§ 164.316

Organizations must implement reasonable and appropriate policies and procedures to comply with regulatory requirements.

  • Review the policy and procedure implementation plan
  • Review the existing information security policies and map them to regulatory requirements
  • Access to privacy and security policy templates to address policy gaps
  • The COMPLIANCEALL server makes electronic copies of all pertinent documentation available for staff reference or for government surveys and audits

Figure: COMPLIANCEALL program for HIPAA Offering.

Program Benefits

Our COMPLIANCEALL program is designed to assist healthcare organizations and business associates in managing compliance requirements, security and core components of the infrastructure. The COMPLIANCEALL program is designed to address critical regulatory requirements. Key benefits of the COMPLIANCEALL program include:

  • Clearly defined deliverables to achieve compliance
  • Expert advisor assigned – serves as interim security advisor
  • Risk analysis conducted on a regular schedule
  • Policies maintained on a regular basis
  • Easily tailored to your organizational requirements
  • Very scalable program – can monitor and audit as required
  • Skilled resource pool with expert domain knowledge
  • Quick and easy implementation and install (Turnkey solution)
  • Fixed monthly fee (only $698.00)

The COMPLIANCEALL program provides a 360-degree, end-to-end compliance service spectrum that is designed to meet your specific requirements.

With a complete COMPLIANCEALL program, the end product is a comprehensively documented computer network system, standardized and configured with a full Backup and Disaster Recovery System (BDRS), and maintained through a Remote Monitoring and Support Site.

This solution eliminates the need for extensive IT training, time for planning, time for documentation, time for solution research, time for identifying and applying controls to minimize common vulnerabilities and risks to ePHI, time for evaluations, and the payroll for personnel required to maintain this program.

It also makes available a fully documented and comprehensive presentation for a surveyor to research, or for an employee or staff member to reference in case of an incident.