HIPAA Security

The deadline for HIPAA Security Rule compliance for Covered Entities (CEs) was April 2005! For Business Associates (BAs), the date was February 2010. Additionally, the federal government unveiled its criteria for the Meaningful Use of electronic health records (EHRs) in July 2010. The security criteria must be met and compliance with the Security Rule must be demonstrated in order to pass an audit from your partner's auditor or to provide some form of "safe harbor" in the event of a breach. Cyber Communication's experience and tested methodologies are proven and work!

Struggling to find the expertise and guidance to complete or update your security rule compliance?

Based on our extensive experience in Risk Analysis, Cyber Communication experts have developed Security Rule Analysis methodologies and reporting criteria to help guide your organization to full compliance. This compliance does not need to be done in the first year; we can provide you with a roadmap for compliance that will meet the scrutiny of auditors.

Our team will:

  • Complete a rigorous NIST-based Risk Analysis
  • Analyze an unlimited number of Information Assets
  • Identify and prioritize all risks
  • Easily manage hundreds of threat-vulnerability pairs
  • Maintain vigilance with dynamic SaaS solutions
  • Stay current with ongoing controls and updates
  • Facilitate informed decision making
  • Create executive dashboards
  • Build and execute your remediation timetables and plans
  • Empower cross-functional teamwork and facilitate training
  • Build living, breathing compliance strategies that survive the scrutiny of auditors
  • Store and manage all HIPAA Security documents – both electronic and paper
  • Updated with all Omnibus final rule changes
  • Updated with all changes to breach reporting and breach remediation strategies

HIPAA Privacy

Although most healthcare covered entities think they’ve got their act totally together when it comes to the HIPAA Privacy Rule, preliminary OCR observations from the first proactive audits highlighted serious weaknesses in privacy training, safeguards, policies & procedures, sanctions, and mitigation.

Our team will:

  • Create executive dashboard
  • Build and execute your remediation plan
  • Empower cross-functional team
  • Build living, breathing compliance strategies that survive the scrutiny of auditors
  • Store and manage all HIPAA Security documents – both electronic and paper
  • Updated with all Omnibus final rule changes

Consistently, six of the typically 10 requirements of OCR Corrective Action Plans have included:

  • Develop and implement privacy & security policies and procedures;
  • Respond to incidents;
  • Train staff;
  • Implement sanctions for non-compliance;
  • Implement safeguards; and
  • Monitor results.

HIPAA Risk Analysis

Conducting a security Risk Analysis and mitigating security deficiencies is one of the core objectives for Stage 1 - Meaningful Use Attestation of Electronic Health Records.

Providers that apply for Meaningful Use incentives need a documented, formal security risk analysis of the EHR system.

Struggling to find the expertise and tools to complete your Risk Analysis?

Based on our extensive experience in Risk Analysis, Cyber Communication experts have developed Risk Analysis methodologies to help you meet the Meaningful Use criteria and qualify for incentives.

Cyber's Security Assessment process:

Phase 1 "Pre-Assessment"

  1. Project Kick-off Call
  2. Policy, Standards & Procedure Review
  3. Interview Scheduling

Phase 2 "On-Site Assessment"

  1. Conduct Administrative Specification Interviews
    • a) Security Management Process
    • b) Assigned Security Responsibility & Evaluation
    • c) Workforce Security & Information Access Management
    • d) Security Awareness and Training
    • e) Security Incident Procedures
    • f) Contingency Plan
    • g) Business Associate Contracts
  2. Physical Specification Interviews
    • a) Facility Access Controls
    • b) Workstation Use & Workstation Security
    • c) Device and Media Controls
  3. Technical Specification Interviews
    • a) Access Control & Person or Entity Authentication
    • b) Audit Controls
    • c) Integrity & Transmission Security

Phase 3 "Analysis and Roadmap to Compliance"

  1. Documentation
  2. Presentation of Findings in a stratified ranking based on risk
  3. Provide a complete path to compliance based on available resources
  4. A methodology that passes the test of auditors

OCR Audit Readiness

The HITECH Act mandates that HIPAA compliance audits be conducted by the Office of Civil Rights (OCR). The audits inspect whether covered entities and, under the Omnibus Final Rule, business associates are complying with the HIPAA Security, Privacy, and Breach Notification rules. If you receive a notification letter from OCR, you have ten days to gather and provide the requested documentation before the auditors arrive. Are you ready?

The time to prepare is now. Cyber Communication knows the protocols for the OCR HIPAA-HITECH audits along with the HITECH Omnibus Final Rule. We guide you through the HIPAA-HITECH Privacy, Security, and Breach Notification Rules and assess your evidence of due diligence. We identify gaps and mitigation action steps that are reasonable and appropriate for your enterprise.

Cyber Communication performs facility walk-throughs to inspect for vulnerabilities to your protected health information (PHI). We interview pertinent workforce members to measure and document compliance. We can even provide subsequent live training if needed. The results are delivered in a detailed, risk-based OCR Audit Readiness report, together with an Executive Summary Report and presentation.

Omnibus Final Rule, Business Associate (BA) Monitoring

Because of the Omnibus Final Rule, Business Associates are held to the same standard as the Covered Entity. Cyber Communication assists you in developing your BA inventory and categorizing BAs based on risk, providing remediation steps in a stratified, risk-based report. We provide guidance and/or project management for the initial BA assessments. This type of due diligence is critical to execute with the release of the HITECH Omnibus Final Rule. Obtain documented evidence of due diligence from each BA and determine which BAs may be high risk due to willful neglect and vulnerabilities.

Policies and Procedures

We review and update your Privacy, Security and Breach Notification rule policies and procedures and Notice of Privacy Practices (NPP) to meet the requirements of the HITECH Omnibus final rule. We provide new policy templates as well to mitigate gaps.

Workforce Training

The highest risk of unauthorized disclosure of protected health information is your workforce. Live training is appropriate when major changes occur to the rules. We provide onsite training that includes the impact of the HITECH Omnibus final rule. Cyber Communication discusses recent breaches and helps your workforce understand what they can do to protect your PHI, along with the sanctions they could be subject to for workforce violations. We cover Privacy, Security, and Breach Notification along with a focus on the HITECH Omnibus Final Rule. Cyber Communication tailors training to the audience.

Health Care - Cyber Communication Inc.

Cyber Communication has consultants who specialize in HIPAA security, privacy and breach management. Our team can guide your organization over the regulatory obstacles with clear and reasonable solutions conforming to the latest standards and guidelines.