HIPAA Security Rule Compliance Assessments
We utilize the 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) for HIPAA Security Rule Compliance Assessments. Additionally, our assessments cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation. These rules apply to “covered entities”, which include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit healthcare data in a way that is regulated by HIPAA.
Our professionals will work closely and collaboratively with your management team to determine which sections of the HIPAA standard apply to your business’ operations. Through interviews with key management and IT personnel, we can identify the controls that need to be in place to meet the HIPAA compliance requirement. Once the scope of the project has been determined, we begin the HIPAA Readiness Assessment.
HIPAA Readiness Assessment
A HIPAA Readiness Assessment is a proactive approach to ensuring your security program will meet the necessary compliance and scoring requirements of the HIPAA standard. Entities who are required to undergo HIPAA assessments often find the first year is the most difficult. Not only do they have to comply with new audit requirements, but they need to build out their documentation and processes to comply with the standard. This is where our professionals step in. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform walkthroughs. We work side-by-side and collaboratively with your management team and IT personnel to perform walkthroughs to verify essential security controls, programs and metrics are in place and designed effectively. Once walkthroughs have been completed, we prepare a detailed report and gap analysis which will identify which controls will pass and which controls will fail. For each failed control, we will provide remediation assistance.
Once the Readiness Assessment has been completed, we will provide a detailed gap matrix which includes specific remediation steps the client must perform to pass each control. In cases where documentation is required, we assist in the development of policies and procedures. Once controls have been remediated, our team will test the control to ensure it will pass. This second phase of testing is performed at no additional cost to our clients. Our vast experience in this area will create efficiencies in the remediation process, saving your company time and money.
HIPAA Compliance Testing
For clients who do not require a Readiness Assessment, we can begin the HIPAA compliance testing immediately. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform our test procedures. This detailed document request list is sent well in advance of on-site fieldwork, saving your personal time and creating efficiencies in the process. Once onsite, we work side-by-side and collaboratively with your management team and IT personnel and walk through each control requirement. Since our professionals are very experienced in HIPAA compliance testing, we are able to minimize disruptions to your business operations while testing is being performed. Our testing procedures will include a mix of interviews, observations, and sampling. Once test results have been compiled, we will share the results with management. We will assist management when drafting responses to any gaps which were identified during testing and draft a report for management’s review.
HIPAA Compliance Reporting
We will tailor the final report to suit the needs of its intended audience. If your agency, department, or bureau intends to use the report for internal purposes, we will conduct a consulting engagement and collaborate with management to determine the best reporting format for your particular needs. If the primary purpose of the report is to present the findings to external parties, we will perform an agreed-upon procedures engagement and draft the report to comply with the standard reporting format.