HIPAA Compliance Audit

• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedure
• Contingency Planning
• Evaluation
• Business Associate Contracts

Physical Safeguards These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Policies and Procedures include:

• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Control

Technical Safeguards These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

Policies and Procedures include:

• Access Control
• Audit Control
• Person or Entity Authentication
• Transmission Security

Each Policy and Procedure is a separate Microsoft Word document. The Policies and Procedures are customized with the name of your organization. Most of our clients do not require any changes or additional customizations to the Policies and Procedures but customization is an optional service if you need it.

In addition to the 18 Policies and Procedures, HIPAA Secure Now! also includes forms and checklists that address:

Risk Assessment: A detailed Risk Assessment is required under the HIPAA Security Rule. It is also considered the foundation of the HIPAA Security Rule.

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].

Foris IT will perform a detailed Risk Assessment that follows the methodology described in NIST Special Publication (SP) 800-30. Specifically the Risk Assessment will do the following:

Risk Assessment Process Methodology described in NIST Special Publication (SP) 800-30

The output of the Risk Assessment consists of a 10-15 page Executive Summary as well as a 20+ page detailed report. The Executive Summary is an easy to understand overview that discusses the current state of your overall risk to your systems that contain ePHI as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities to the system, the current safeguards in place to protect the system and the additional recommended safeguards to lower the risk to the system.

The Risk Assessment report will give you a good understanding of the risks to ePHI and provide you with specific steps and actions that you should take to lower the risk.