The document discusses MBM eHealthCare Solutions' HIPAA and HITECH compliance consulting services. It provides an overview of the HIPAA Privacy and Security Rules and their requirements regarding protected health information. MBM offers compliance assessments, risk analyses, audits, and training to help covered entities meet HIPAA's standards for privacy, security, and electronic health records.
1. MBM eHealthCare Solutions
HIPAA-HITECH Privacy & Security Consulting
Our HIPAA-HITECH compliance consulting services include:
Compliance Assessment
Risk Control Analysis
Readiness Assessment
Compliance Remediation
Compliance Audits
Compliance Training
2. What is HIPAA?
The Health Insurance Portability
and Accountability Act of 1996
(HIPAA)
Privacy and Security Rules
3. Overview of the HIPAA Rule
The Office for Civil Rights enforces the
HIPAA Privacy Rule, which protects the
privacy of individually identifiable health
information; the HIPAA Security Rule, which
sets national standards for the security of
electronic protected health information; and
the confidentiality provisions of the Patient
Safety Rule, which protect identifiable
information being used to analyze patient
safety events and improve patient safety.
4. HIPAA Security Considerations
The HIPAA Security Rule addresses electronic
patient health information or ePHI.
19 standards, 42 specifications
The documentation requirement is daunting
No guidance is provided to address requirements
Limited availability of resources
Security expertise is expensive
5. HIPAA Security Rule Specifics
The following are examples of specific HIPAA requirements:
Administrative Safeguards Standards
Security Management Process
Risk Analysis
Risk management
Information Access Management
Security Awareness & Training
Physical Safeguards
Workstation security & device/media controls
Technical Safeguards
Access controls to ePHI
Audit & transmission security
Organizational Requirements
BA Contracts addressing security of ePHI
Policy & procedures documentation
6. The HIPAA Final Security Rule
§164.306(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and
(4) Ensure compliance with this subpart by its workforce.
7. Summary of the HIPAA Rule
The HIPAA Privacy Rule provides federal protections for
personal health information held by covered entities and
gives patients an array of rights with respect to that
information. At the same time, the Privacy Rule is
balanced so that it permits the disclosure of personal
health information needed for patient care and other
important purposes.
The Security Rule specifies a series of administrative,
physical, and technical safeguards for covered entities
to use to assure the confidentiality, integrity, and
availability of electronic protected health information.
8. What is the HITECH Act?
HITECH stands for Health Information Technology for Economic and Clinical Health; it is part of the American Recovery and Reinvestment Act passed by the U.S. Congress in 2009. The act requires medical establishments to adopt and make use of Electronic Health Records, with a deadline in the year 2019.
The government offers incentive programs for medical establishments that comply with the HITECH Act. Converting their records to EHR systems is highly recommended for better security and for easy access to files when needed. Those unable to comply with the HITECH Act will be penalized as stated in the act, which medical practices are not keen on experiencing, hence the move to the use of EHR.
9. HITECH Overview
The HITECH Act is by far the boldest move by the government in the hope that medical practices will use the latest technology to provide better service to their patients. Paper filing systems are a thing of the past. With the HITECH Act, medical practices no longer have to spend precious minutes writing down patient information when they can simply enter it into a computer and save it with a click of a mouse. Through this act, medical facilities will no longer spend heavily on form sheets, storage centers and the like just to house patient information. What's more, the HITECH Act makes it convenient for patients to get checked up when needed without having to fill out yet another form during their visit. Through EHR, patients can get the right diagnosis and treatment, since all the information the doctor needs can be accessed quickly through the medical establishment's computer database.
10. What is a Compliance, Risk & Readiness Assessment?
• Compliance Assessments answer questions like: "Where do we stand with respect to the regulations?" and "How well are we achieving ongoing compliance?"
• Risk Assessment (Analysis, in HIPAA terms) answers questions like: "What is our risk exposure to information assets (e.g., PHI)?" and "What do we need to do to mitigate risks?"
• Readiness Assessment answers questions like: "Have we implemented adequate privacy safeguards?", "Have we implemented adequate security safeguards?" and "Are we ready for an audit?"
11. Risk Analysis
• HIPAA requires that each covered entity conduct a formal risk analysis. Specifically, this means:
– Analyze the risks and vulnerabilities to the ePHI each covered entity creates, maintains, stores or transmits
– Understand the probability of these risks and vulnerabilities
– Assess measures already in place to reduce these risks
– Analyze its information and applications to find what is critical and what is not
– Conduct a formal risk analysis that balances the cost of security against the expected value of losses
– As a result of the analysis, each entity must have a formal risk management process that reduces risk to an acceptable level
12. Risk Analysis Overview
Risk analysis is the first process in the area of risk management. The final HIPAA Security Rule establishes both risk analysis and risk management as required implementation specifications.
The objective of risk analysis is to "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity" (§164.308(a)(1)(ii)(A)).
13. Risk Analysis & NIST Methodology
Our Risk Analysis software uses the recommended National Institute of Standards and Technology (NIST) methodology as its core component. There are 9 steps:
1. Understanding your environment (System characterization)
2. Vulnerability identification
3. Threat identification
4. Assessment of how you safeguard your systems now (Control analysis)
5. Likelihood analysis (what is the likelihood of a threat happening?)
6. Impact analysis (are there any systems that are "mission critical"?)
7. Risk determination (ranking these risks)
8. Control Recommendations (what are the answers or solutions for your risks?)
9. Results Documentation (documenting or reporting your results)
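The risk determination step above (likelihood analysis, impact analysis, ranking and control recommendation) worked through in code, using the likelihood weights, impact magnitudes and risk scale published in NIST SP 800-30 (2002), Table 3-6. This is an added illustration, not MBM's Risk Analysis software; the findings, asset names and recommended controls are constructed sample data.

```python
"""Steps 5-9 of the NIST SP 800-30 (2002) risk analysis method applied to
constructed ePHI findings. Added example; not MBM's software."""
from dataclasses import dataclass

# Likelihood weights and impact magnitudes from NIST SP 800-30 (2002), Table 3-6.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Finding:
    asset: str          # step 1: the ePHI system characterized
    vulnerability: str  # step 2
    threat: str         # step 3
    likelihood: str     # step 5, judged after the control analysis of step 4
    impact: str         # step 6: mission-critical ePHI systems rate High
    control: str        # step 8: recommended control (constructed)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact magnitude."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: above 50 is High, above 10 Medium, else Low."""
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"


def rank_findings(findings):
    """Return (level, score, finding) tuples, highest risk first."""
    scored = [(risk_level(risk_score(f.likelihood, f.impact)),
               risk_score(f.likelihood, f.impact), f) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def report(findings) -> list:
    """Step 9: one line per finding for the results documentation."""
    return [f"{lvl:6} {score:5.1f}  {f.asset}: {f.threat} via "
            f"{f.vulnerability} -> {f.control}"
            for lvl, score, f in rank_findings(findings)]


# Constructed sample findings for illustration only.
SAMPLE = [
    Finding("EHR database", "audit logging disabled", "unauthorized insider access",
            "High", "High", "enable audit controls"),
    Finding("billing laptops", "unencrypted disk", "device theft",
            "Medium", "High", "full-disk encryption"),
    Finding("shared workstations", "no automatic screen lock", "shoulder surfing",
            "High", "Low", "workstation security policy"),
    Finding("fax server", "outdated firmware", "denial of service",
            "Low", "Medium", "patch management"),
]
```

Note that a Medium likelihood against a High impact scores exactly 50, which the SP 800-30 scale places in the Medium band, not High; the ranking still orders it ahead of every Low finding.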
14. MBM’s HIPAA-HITECH Consulting Features
• Endorsed by NIST, Homeland Defense and leading medical organizations and societies
• Over 55 specific HIPAA requirements addressed
• Intuitive and educational
• Cost-effective
• Differentiation between Required and Addressable items
• Reporting and progress reports
– Summary or Detailed
– Remediation Reporting
– Priority and status tracking
– GAP Analysis
– SAL Diagrams
• Tips, definitions, and example compliance efforts
• Recording of comments and compliance documentation
• Blueprint necessary for HIPAA Security compliance
• We work with your IT group and organization
15. Value Proposition
• The HIPAA security rules went into effect in April 2005
• The rule is complex and requires your practice to ensure the security of ALL electronic patient health information
• Considering the potential costs and effort associated with compliance, it is a mistake to install HIPAA "solutions" without first understanding HIPAA "problems"
• The cost of remediation is greater than the cost of an independent audit
• We have cost-effective solutions that work to ease the pain of HIPAA Security compliance
16. MBM eHealthCare Solutions
Benefits Summary
• Comprehensive analysis and support
• Scalable for any size organization or environment
• Minimal learning curve for your staff
• Minimal training needed
• No hidden costs
• Use as your blueprint for HIPAA Security compliance.
• Eliminate employee training expenses and purchases you may not actually need
• Will help you make informed decisions about HIPAA Security and what is correct for your institution
• We offer most of the products needed to facilitate remediation
17. Contact Information
For more information contact us at:
MBM eHealthCare Solutions.
Web site: http://www.mbmehs.com
Email: info@mbmehs.com
Phone: 800-236-2498
10880 Glenhurst Pass, Suite 101
Johns Creek, GA 30097