HIPAA Compliance Management Consulting
For organizations that are undertaking their HIPAA compliance projects internally, this service provides ongoing consultation to assist a covered entity with HIPAA Compliance Planning and Project Management. This aids the organization in planning for the use of individual or multiple third parties or internal service providers, their integration and delivery of services, and achievement of required compliance goals. This provides both oversight and project management support to the organization. Depending upon the scope and magnitude of the organization's requirements, this includes the placement of a full- or part-time project planner, project manager, and / or services auditor. Service can include supporting the organization in compliance budget development, as well as actual third-party contract management for organizational project simplification. This service is performed both on the organization's site(s) and remotely.

This service is performed (where possible or desired) in concert with the organization's own personnel, and utilizes the entity's personnel for maximum effectiveness, so as to: minimize consulting services costs; transfer maximal knowledge; and help the entity's staff understand mitigation tasks and the long-term maintenance of the services provided.
Board of Directors' Compliance Project Validation Service
We all understand that in the post-Enron era, the climate for institutional and corporate boards requires far greater oversight. At issue are the potential institutional and corporate risks associated with your compliance projects. Whether you are using predominantly in-house resources or external service providers, the potential for error and omission remains high. Yet with Federal regulatory compliance, errors and omissions can result in penalties of many hundreds of thousands of dollars! The solution is to perform a third-party validation of your current project. This includes:
- Auditing the project documentation for completeness and accuracy
- Credentials review of key personnel, and recommendation for any appropriate professional development and certifications
- Risk analysis of the project plan
- Cost validation of the project plan
- Validation of project milestones
- Project legal review (performed by HIPAA regulatory specialist licensed attorneys)
- Regulatory conflict analysis
- Senior management regulatory guidance
Applications Assessment Consulting
One of the areas of greatest potential risk is the software applications currently in place, or being developed and deployed, by the healthcare enterprise. Not all applications are created equal, and frequently the original requirements for an application, be it a desktop app, an enterprise-wide app, or a mission-critical (potentially life-saving) app, were inadequate. This is particularly important with web-based applications deployed with connections to the Internet, or even just on the organization's intranet. Far too often, the original requirements minimized privacy and security requirements, through the implementation of a weak authentication scheme, minimal PHI access tracking, and / or marginal security overall. HIPAA's Privacy and Security Rules have explicit and implicit core requirements for applications, which require careful analysis to avoid and mitigate the risks that applications present.

Just because an application was commercially developed and published does NOT mean that its design and specifications meet HIPAA requirements. Even where the vendor may think that their application meets the requirements, if it does not, it is the healthcare organization that will be held responsible. In the end, the HCO assumes ALL risks. Therefore it is imperative to understand those risks.

This service offers a range of support and analysis tailored to the specific customer requirements and risks. This includes:
- Third-party HIPAA conformance review - an evaluation of a third-party application's feature set for conformance with key HIPAA Privacy and Security requirements, as a part of overall HIPAA assessments. This typically consists of a gap analysis of the application and reporting of key risk factors. The final work product is the gap analysis and assessment of conformance.
- Development support - ongoing review, support, and guidance of applications being developed, to assist the development team in meeting the known requirements for HIPAA Privacy and Security. The time requirement is variable, based upon the complexity and scope of the application. The final work product is a formal assessment of conformance with the requirements.
- Risk factors assessment - this analyzes existing applications for their risk factors from both a HIPAA perspective and other known probable security risks. This includes: analysis of the authentication scheme, audit and tracking mechanisms, mission-critical requirements and business continuity, minimum-necessary privacy and access issues, transmission and storage risks, and administration requirements and risks. The final work product is the exhaustive gap analysis and assessment of conformance.
- Deployment factors - this analyzes issues that present supplemental problematic factors associated with an application's deployment and utilization. These include: suitability to task (use cases and requirements), feature set implementation, GUI design issues, and ADA & 508c compliance.
Our services are customized to meet the client's requirements for the specifics of the application and organization. We use both paper and software assessment tools, as appropriate, for use by our staff and the organization's own staff working in concert. This service is performed both on the organization's site(s) and remotely, if needed.

This is a fee-based service, with a quotation provided upon request.

A note about 508c: It is important to remember that few applications in use today are 508c compliant. Federal law requires agencies and businesses that receive Federal funding to be fully 508c compliant in their workplace and in their applications.
Privacy Assessment Consulting
This service provides a comprehensive assessment of HIPAA Privacy Rule compliance status. This is a Gap and Risk Analysis of the organization's current Privacy (and related Security) compliance requirements and their current achievement. This addresses all core Privacy compliance issues, including:
- Policies and Procedures Compliance and Comprehensiveness
- Policies and Procedures Publishing, Management, and Training
- Communication Work Flows
- Communication Technologies Utilization and Access
  - Direct Voice
  - IVR and Voice Mail
  - Fax
  - Internet
  - Email
  - FTP / File Transfer
  - Intranet
  - Paper
- Contact or Scheduling Management
- Customer Contact Work Flows
- Third-party Business Associates and Trust Requirements
- Change Management Methodologies and Implementations
- IT Systems and Infrastructure
- Software Applications, Both Desktop and Enterprise
- Records Maintenance and Access
- IT Security and Access Control
- Physical Security and Access Control
- Facility Layout regarding security and incidental disclosure
- HIPAA Specific Training
- HIPAA Specific Personnel Job Descriptions
- Personnel Assignments and Roles
- Privacy Leakage Risks
- Hybrid Entity Factors
- On-site / Off-site Performance and Labor Requirements
- Document Disposal
- Patient Disclosure Management
- Disclosure Records and Accounting
- Marketing and Business Development Activities
- Third Party Access
- Clinical Trial Related Activities
- Practice / Hospital Management Systems and Accounting, Including Billing and Collection Practices
- Business Website / Intranet
- Patient Customer Service
- Patient Accessible Applications (Internet or Dial-in)
- Patient Records Access and Revision
- Transcription Services
- Business Continuity and Catastrophe Recovery
- Document Management & Archiving
- Patient Folders / Records Inclusion
Optional Regulatory Assessments, performed independently or in concert with the HIPAA assessment:
- Clinical Trials FDA / ICH GCP Assessment
- Clinical Trials FDA 21 CFR 11 Assessment
- Privacy Act of 1974 (5 USC §552a)
Our service is customized to meet the client's requirement for all, or a portion, of the above, and our process uses standardized assessment tools which identify more than 1000 points of compliance with administrative simplification, privacy, security, identifiers and code sets, and electronic signature. We use both paper and software assessment tools for use by our staff and the organization's own staff working in concert. This service is performed both on the organization's site(s) and remotely.
HIPAA Management Support
Frequently, an organization's management needs ongoing guidance for its compliance decision making. This service provides the organization with ongoing guidance, under retainer, for issues relating to HIPAA compliance and risk mitigation. This provides continuing access to HIPAA subject matter experts acting in a technical support capacity, to aid the organization's management in new compliance situations and in mitigation planning for organizational change. This allows management to call in support to meet new compliance challenges, and provides guidance to the organization as changes in the regulatory environment occur.

This includes such issues as:
- Discussion of new legal risks
- Implementation guidance for changes in regulations, guidelines, and / or standards
- Policies and procedures review
- HIPAA Q & A, what-ifs, and compliance performance review
- HIPAA impact of new solutions, systems, and / or applications during selection and deployment
- Basic support for legal or enforcement challenges
- Privacy and Security Officer Mentoring
This optionally includes a quarterly walk-through assessment of the organization's facilities, as well as review of internal audit practices and results. Additionally, this provides prioritized access to services at a reduction from nominal service rates.
HIPAA Training & Education
We are affiliated with several "best of breed" HIPAA educational and training providers. These HIPAA education products and services are specifically designed to provide HIPAA training as required by the HIPAA Privacy Rule, in compliance with all regulatory requirements, including 508c and ADA compliance. Required HIPAA training is available in both English and Spanish, and is provided via the Internet for maximum flexibility. HIPAA training is mandated by HIPAA for every employee of a covered entity, and is not only required for achieving ultimate compliance, but is also a critical first step in assessing the state of initial compliance, as it develops a larger pool of informed collaborators. All Business Associates should also train their personnel to meet the requirements of their Business Associate Agreements.

Our team will assess the overall HIPAA Training and Education requirements of the organization and recommend the appropriate training solutions for the organization; then assist the covered entity with planning and management oversight, then implementation. In this way, we can aid the organization in achieving its training goals rapidly and effectively, while assuring the organization of the best-of-breed solution.

This service may be performed either on the organization's site(s) or remotely.
EDI / Transaction Consulting
We are affiliated with the best EDI practitioners in the industry. These services are specifically tailored both to the specifics of the organization and to its IT infrastructure. Our team will assess the overall EDI and HIPAA transactional requirements, recommend appropriate partner service providers to the organization, and then assist the covered entity with project planning and management oversight. In this way, we can aid the organization in achieving its goals rapidly and effectively, while assuring the organization of best-of-breed solutions.
Extended Legal Support
This service provides extended support for legal or enforcement challenges encountered by the organization. This can include:
Business Partner Negotiation Support
A significant part of the HIPAA Privacy & Security Rule requirements, and the only way to provide privacy protection in certain situations, is new Business Associate and Trust agreements with business partners. We can work with your legal counsel to identify the issues to be negotiated with your partners for HIPAA compliance in the development of new agreements.
Certifications

There are numerous certifications available. Please contact us to explore your specific certification requirements.

Certifications include:
- HIPAA Training & Education
- Policies & Procedures
- Change Management
- Business Continuity & Disaster Recovery
- Information Security
- Physical Security & Access
- Patient Disclosure Practices
- Records Maintenance
- Privacy Audits
- Business Associates
Section 508 Compliance Services
We provide a full spectrum of HIPAA Compliance Services, which include analysis and integration of Section 508 compliance requirements in HIPAA mitigation activities. This includes HIPAA Gap Analysis, HIPAA Application Compliance, and more. It also covers the specific impact of Section 508 on HIPAA Privacy and Security Rule requirements.
Other Services
We provide substantial additional services, both directly and through our affiliated partners. These additional services meet our philosophy of best-of-breed offerings, meet customers' requirements, and meet or exceed industry standards for quality. These services are provided directly between the organization and us, or between the organization and the affiliated service providers for maximum organizational efficiency, optionally with us performing project management or oversight where appropriate.

The services available include:
- HIPAA and total organizational Policies and Procedures authoring, revision, and training services
- HIPAA Training and education standard courses, custom course development and implementation, and learning management system deployment and consulting
- EDI / Code Set / Transactional consulting, development, and mitigation services
- EDI / Code Set / Transactional testing services
- HIPAA Information Security assessments and mitigation services (please note that the requirements for a HIPAA Infosec assessment far exceed those of normal sampled assessments)
- HIPAA Document Management and Imaging services
- HIPAA Application Code Review and / or Functional Assessments
- Database schema and architecture assessments, development, and mitigation services
- Infrastructure privacy (as needed for a Hybrid Entity) and security solutions engineering and mitigation services
- HIPAA helpdesk immediate-response 24/7 services
- HIPAA seat management services
- HIPAA privacy outsourcing services
- HIPAA personnel placement, recruiting, and pre-qualification services
- HIPAA Legal services
- Regulatory harmonization