HIPAA Implementation Support
With the release of the so-called Omnibus rule, published in January of 2013, HIPAA Business Associates are directly regulated and subject to enforcement actions by both Federal Health and Human Services and State Attorneys General. These organizations may just now be addressing these compliance obligations. Further, while the HIPAA regulations have been in place for more than a decade, many covered entities are only now fully implementing their compliance efforts.
Organizations will likely start with a computer security risk analysis and/or a set of HIPAA Policies and Procedures. Once these are completed, the vast deficiencies that need to be corrected to implement these policies quickly become apparent. Examples of implementation items include:
- Implementing encryption of mobile devices, workstations and databases
- Selecting and implementing a secure email solution
- Updating custom applications to include appropriate access controls and audit trails
- Auditing vendors and contractors
- Creating an internal audit program to monitor employee use of electronic record software
- Conducting a technical vulnerability analysis and/or penetration test of the computer network
- Implementing an effective employee training program, including initial training and ongoing security awareness training
- Upgrading the system backup and conducting recovery testing
- Implementing a Security Information and Event Management (SIEM) system and/or audit log monitoring system
- Implementing a mobile device management system
For organizations that are taking compliance seriously for the first time, the list of projects can be overwhelming. Because of the costs involved, simply achieving basic compliance may require a multi-year effort. Eagle provides HIPAA implementation support, including project management and/or project support for any of the above projects. Implementation Services pick up where policy and procedure development and/or a risk analysis leave off.
First of all, we can provide project management. We start by creating a project plan that prioritizes projects based on security risk reduction. We can provide overall management of the implementation effort, with regular reporting to management and adjustments to the plan. Various individuals in the organization will complete the tasks.
In addition, we can assist with specific projects. Examples include providing initial staff training, providing an ongoing security awareness training program, conducting a technical vulnerability analysis or conducting a penetration test.