Comprehensive Counseling Service is a dual certified ODMH/ODADAS agency in Middletown, Ohio. Specific programs are offered for Mental Health, Chemical Dependency, and Domestic Violence. This agency faced a complex regulatory challenge. Their regulatory status and program offerings required them to simultaneously comply with federal HIPAA Privacy and Security laws, the federal privacy guidelines for alcohol and drug abuse programs (42 CFR Part 2), the Ohio Department of Mental Health confidentiality guidelines, the Ohio Department of Alcohol & Drug Addiction Services, and various other Ohio laws. These regulations heavily overlap, with the requirement for Eagle Consulting Partners was engaged to assist with comprehensive confidentiality and computer security policies to comply with all of these regulations.
The engagement began with an on-site inspection of facilities and review of oral privacy procedures, followed by the creation of an inventory of paper and electronic protected health information. Subsequent steps included a review of hardware, software, and electronic communications facilities. Administrative and clinical personnel were interviewed regarding practices, concerns, and objectives. Personnel from the outside computer vendor were interviewed regarding configuration specifications. All written policies were assessed.
The risk assessment procedure was based on NIST SP 800-30, with simplifications because of the size of the agency. Based on this risk assessment, decisions were made regarding how the 22 addressable implementation specifications of the HIPAA Security Rule would be handled, and appropriate documentation was created.
The final deliverables from the engagement included
A follow-up engagement provided assistance with implementation of the remediation plan.