HIPAA & ARRA-HITECH COMPLIANCE ASSESSMENT
Covered Entities and Business Associates that handle Protected Health Information MUST comply with HIPAA & ARRA-HITECH. No exceptions!
Our HIPAA & ARRA-HITECH Compliance Assessment takes the guesswork out of the compliance equation. Health Compliance Partners performs a security assessment, a risk and threat assessment, a policy and procedure assessment and a gap analysis. We review, assess and report on the vitally important elements of your Risk Management program, including the Contingency Plan (Disaster Recovery Plan), the Incident Response Plan and your Change Control process. Each is assessed for adequacy and conformance with compliance standards and safeguards. Results are captured in an easily understandable findings matrix with prioritized risk remediation recommendations. We provide a safeguard roadmap to see you through the mitigation process and help ensure your conformance with the standards and safeguards. We’ll also create a Risk Reduction Table that captures the ongoing mitigated risk environment.
Risk Management includes: the overall Security and Privacy program, Policies and Procedures, Disaster Recovery, Incident Response and Configuration Management (Change Control), among other critical elements. HIPAA compliance should never be construed as a project; it’s a program that requires PERPETUAL Risk Management over Policies and Procedures, Disaster Recovery, Incident Response, Configuration Management and other operational areas. Each is interdependent with the others. Failure of one translates into possible failure of all. And all of them are directly controlled by, and related to, a HIPAA-compliant Risk Management program.
Policy and Procedure
Policy and Procedure – Establishes the foundation and governance mandate of the firm’s business operation. Inadequate or absent Policy and Procedure is considered a gap, and this absence of control unnecessarily exposes the firm to risk. With respect to compliance, Policy and Procedure are on the auditors’ top-three list of items to obtain if and when an audit is performed. Health Compliance Partners will help ensure your Policies and Procedures are current, properly scoped, have ‘teeth’ and meet or exceed requirements.
Incident Response and Disaster Recovery
With proper planning, a business should be ready to respond to an incident that may eventually become a disaster. The two may be inextricably intertwined, and without proper planning, could prove to be catastrophic. The events of 9-11 bear this out.
“What to do when things go wrong” aptly describes an Incident Response Plan. The plan needs to be at the ready, so that when the threat on the horizon unexpectedly materializes you have a plan and procedures in place to protect personnel first and then the business. But an incident doesn’t have to be of severe magnitude to cripple a business. Malware infestation, domestic violence, or any of a number of other natural or man-made threats may be the cause. Whatever the situation, preparedness is important. Having an Incident Response Plan AND Incident Response Procedures is critical.
HIPAA mandates having Incident Response controls in place. Health Compliance Partners has written these plans and procedures for healthcare, finance, manufacturing, federal agencies and small businesses. We understand the unspoken in this area. Not having the support organization defined, trained, in place and exercising up-to-date plans opens the door to undesired and unnecessary risk. Likewise, it’s important to note that Disaster Recovery and Incident Response Policy and Procedure at the corporate level need to be in place to comply with HIPAA and ARRA-HITECH.
Disaster Recovery - Health Compliance Partners’ 9-11-experienced Certified Business Continuity Planners (CBCP) have performed Business Impact Analyses (BIA) and created disaster recovery plans for hospitals, international healthcare providers, international financial services providers, government agencies and defense contractors, as well as single-practice practitioners.
HIPAA specifies that a Contingency Plan AND an Incident Response Plan must be in place as safeguards. Contingency translates to Disaster Recovery, and Disaster Recovery translates to having identified the mission-critical people, process and product infrastructure necessary to first ensure the safety of personnel and then run the financially productive and administrative-facing functions of the organization within specified recovery times and data recovery points in the event of a business interruption. Determining what to recover, when to recover it and the time needed to recover is accomplished through a Business Impact Analysis. The analysis enables strategic planning and, eventually, the creation of the actual recovery plans. The important part here is to have the infrastructure, people, policy, procedure and product identified and ready in advance. Health Compliance Partners’ deep experience in this area ensures you’re ready to recover in the event of an untimely business interruption.
Configuration Management/Change Control
Configuration Management/Change Control - The absence of Configuration Management and good Change Control processes will virtually guarantee the failure of both of these Plans at the time of need. Both must be kept current with the changes made in the enterprise. It’s easy to understand. With Disaster Recovery, change server B’s hardware or software configuration without performing that same change in your alternate recovery site environment, and your best Disaster Recovery or Incident Response plans may be crippled or fail, causing you to miss your Recovery Time Objective and making guessing your Recovery Point Objective an experience to remember. And in Incident Response, not knowing exactly what you’re dealing with opens you to forensic folly and possible failure. Remedy both! Have Health Compliance Partners review these plans, in conjunction with or separate from your regular assessment, to find out precisely where you stand! Better to find out now rather than when the moment hits and the plan is needed.