HIPAA Regulations Contain…
6 Federal Regulation Subchapters… Hundreds of Pages of Federal Regulations…
Thousands of Lines of Federal Regulations… Tens of Thousands of Dollars in Avoidable Fines…
For HIPAA Compliance
Business Associate Agreement – Customizable Template
- Do not let contractors or other outside parties who will handle PHI beyond your waiting room without a properly signed Business Associate Agreement. This document reduces your risk.
- Required per 45 CFR 164.502(e) / 45 CFR 164.314(a)(2)(i)
Employee Computer Policy – Completely Customized Policy
- The mandatory baseline document outlining the security requirements your employees must follow. If your employees have not confirmed their understanding in writing, you are at risk.
- Required per 45 CFR 164.308(a)(1)(i)
Data Backup Plan – Off-Site Backup Service
- Fully automated, HIPAA-compliant backup of your critical business data (the rule requires retrievable exact copies of ePHI, so verify that restores actually work, not just that backups run)
- Full service – maintenance, upgrades and modifications are all handled for you remotely; nothing for anyone in your office to learn
- Disaster Recovery Plan included in the service
- Required per 45 CFR 164.308(a)(7)(ii)(A) (data backup plan) / 45 CFR 164.308(a)(7)(ii)(B) (disaster recovery plan)
- Thorough monitoring of employee software use and online activities
- Required per 45 CFR 164.308(a)(5)(i); the specific implementation specifications are log-in monitoring under 164.308(a)(5)(ii)(C) and information system activity review under 164.308(a)(1)(ii)(D)
- Security awareness training for all workforce members is required, and it is smart
- Online training reduces office downtime and simplifies management duties
- Training required per 45 CFR 164.308(a)(5)(i); the rule calls for periodic security updates (164.308(a)(5)(ii)(A)) rather than naming a fixed interval, and annual refresher training is the common way offices satisfy it
- Every Covered Entity should require completion of this checklist by all employees and contractors who will work from home
- As an independent contractor, you should be proactive and complete it on your own
HIPAA Audit Self-Assessment or Full-Service Audit
- Like an annual physical, an annual HIPAA audit measures the current “compliance health” of your office, provides recommendations and highlights risks and shortfalls
- Risk analysis is required per 45 CFR 164.308(a)(1)(ii)(A) and periodic evaluation per 45 CFR 164.308(a)(8); the rule does not fix an interval, so annual assessments are the accepted practice
- For data at rest (that is, data in storage)
- Encrypt laptops and mobile storage devices; encryption of ePHI at rest is an addressable specification under 45 CFR 164.312(a)(2)(iv), and a lost or stolen device whose ePHI is encrypted according to HHS guidance is generally not a reportable breach because the data is not “unsecured” PHI
- Just deleting files is not enough
- When you get rid of a computer, you must properly destroy or sanitize all PHI that may be on it; disposal and media re-use procedures are required per 45 CFR 164.310(d)(2)(i) and (ii)
- An exact plan for how your office will react to and recover from a disaster
- Meaningful Use Stage 1 Core Objectives require compliance with 45 CFR 164.308(a)(1) (security management process)
- This includes the four implementation specifications:
- Risk Analysis
- Risk Management
- Sanction Policy
- Information System Activity Review
- Your office must also ensure the “confidentiality, integrity and availability of all ePHI” it creates, receives, maintains or transmits (45 CFR 164.306(a)(1))