The Startup Path to HIPAA Compliance MATTER Workshop Jim Anfield June 8, 2016
The Startup Path to HIPAA Compliance
MATTER WorkshopJim AnfieldJune 8, 2016
2
About Me
• Finance• Strategy• M&A
• Bus dev • Prod Dev• IT• Startups
• Technology• Prod Dev• Finance• Bus Dev
Fortune 500 Dot Com Healthcare Healthcare Consulting
3
Today As Advertised
Every healthcare startup needs to comply with HIPAA and data security regulations, especially when selling to health systems. The provider chief compliance officer and the chief information security officer must agree that a solution is HIPAA compliant and does not pose a security risk. Jim Anfield will prepare entrepreneurs to partner with health systems who care about compliance and security above all. He will offer insights on HIPAA compliance for startups and walk through common pitfalls when communicating how solutions incorporate compliance and security requirements.
4
Thinking about Providers
What is the typical mindset of hospitals and providers regarding HIPAA ?
5
The Federal Government has leveled several large scale HIPAA fines…
Covered Entity Media Fine Amount Violation
Alaskan Department of Health and Social Services $1.7 million
Portable unsecured electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHHS employee
Puerto Rican insurerTriple S Salud $6.8 million
Mailed a pamphlet displaying the Medicare Health Insurance Claim Number of approximately 70,000 of its Medicare Advantage beneficiaries.
WellPoint (aka Anthem), Blue Cross Blue Shield
plans in 14 states$1.5 million
Cyber attack data breach affecting 80 million customers resulting in account information stolen
Stanford University's Lucile Packard Children's Hospital $4.0 million
Stolen unencrypted laptop containing medical information on 13,000 pediatric patients
6
HIPAA impacts not only large entities but also much smaller organizations…
Covered Entity Media Fine Amount Violation
Skagit County, State of Washington $215,000
Electronic receipts for 1,600 patients containing their protected health information had been improperly placed online and accessed.
Massachusetts medical billing practice and four
pathology groups$140,000
Sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump
Phoenix Cardiac Surgeons, LLC $100,000
Group’s clinical and surgical appointments were available to the public on an Internet-based calendar
Cornell Prescription Pharmacy $125,000
Disposal of unshredded documents containing the protected health information of 1,610 patients in an open dumpster.
7
Several major brands have suffered bad publicity and damage…
Anthem BlueCross BlueShield – data breach affecting 80 million members
Advocate HC – stolen unencrypted laptops affecting 4 million patients
Walgreens – employee breach of customer data for personal gain
Premera BlueCross BlueShield – data breach affecting 11 million members
Sony Pictures – data breach impacting health records of 30,000 employees
BCBS TN – 57 hard drives stolen impacting 1 million members
8
Not only does HIPAA impact entitles, it reaches down to the employee level - loss of job, personal fines, and prison time.
UCLA Medical Center – 4 months in prison for illegally viewing PHI
NE Arkansas nurse fired, sentenced to probation for illegally viewing PHI
Dentist paid $12,000 for dumping files on an unsecured basis
University of Iowa Hospital – 4 employees fired for illegally viewing PHI
East TX Hospital employee sentenced to 18 months for illegally viewing PHI
Lake Health (OH) fired several employees for illegally viewing PHI
9
Your strategy for HIPAA as it pertains to selling to providers…
The best defense is a good offense.
10
Proactively address HIPAA and be ready to go
Market requirements will require you to become HIPAA compliant• If you are working with providers and their patient data, it will be mandatory that
you are compliant with HIPAA.• You will avoid lengthy hospital provider conversations, especially with the
hospital compliance office.• You will be able to take this risk off of the table in your business development
meetings.• You will have to sign a Business Associates Agreement (BAA) and agree to
Master Services Agreement (MSA) language with warranties, representations, and indemnification regarding all aspects of HIPAA.
Be prepared to talk to the following people as they will vet your solution for HIPAA• Chief Medical Officer• Chief Information Officer• Chief Medical Information Officer• Chief Information Security Officer• Chief Compliance Officer
11
High Level HIPAA Roadmap
Become compliant with HIPAA• Develop an enterprise fluent understanding of HIPAA• Embed HIPAA into your culture and operations• Develop game plan to implement HIPAA requirements• Completely document your HIPAA efforts• At this stage, you are compliant with HIPAA
Ultimately, you will need to achieve HIPAA Compliance• Conduct a HIPAA self assessment• When ready, contract out and conduct a HIPAA audit• The HIPAA audit and successful audit remediation will achieve HIPAA
Compliance• If successful, the satisfactory audit report will be your certification
12
How do you become HIPAA Compliant?
Here’s the blueprint.
13
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress and signed by President Bill Clinton on August 21, 1996. It has been known as the Kassebaum-Kennedy Act after two of its leading sponsors.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title I also regulates the availability and breadth of group health plans and certain individual health insurance policies.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system.
However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, the Breach Notification Rule, and the Enforcement Rule.
Source: Wikipedia,.
14
Four major rules to understand on the path to HIPAA Compliance…
HIPAA Privacy Rule
HIPAA Breach Notification Rule
HIPAA Enforcement
Rule
• HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other PHI. Requires appropriate safeguards to protect PHI privacy and sets conditions/limits/disclosures with patient authorization. Defines patients’ rights regarding access to their records.
• HIPAA Breach Notification Rule requires most healthcare providers to notify patients when there is a breach of unsecured PHI. Requires the entities to promptly notify HHS if there is any breach of unsecured PHI and notify the media/public if the breach affects more than 500 patients.
• HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings. Penalties can include fines and/or prison time.
Overview and key points
HIPAA Security Rule
• HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure confidentiality, integrity, and security of protected health information (PHI).
15
The HIPAA Privacy Rule provides the definitions of compliance…
Privacy RuleRule Summary• The Privacy Rule addresses the use and disclosure of individual’s Protected Health Information (PHI) by organizations
subject to the Privacy Rule (Covered Entities) as well as standards for individuals privacy rights to understand and control how their PHI is used.
• A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.
• The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services has the responsibility for promoting and enforcing the Privacy Rule.
Health PlansHealth Plan Covered Entities include individual and group health insurance plans that provide or pay the cost of medical care including health, dental, vision, prescription drug insurers, health maintenance organizations, Medicare, Medicaid, Medicare supplemental insurers, and long-term-care insurers.
Health Care ProvidersAll health care providers who provide medical or health services, regardless of size, who electronically transmit health information in connection with certain transactions. Transactions include claims, benefit eligibility, referral authorization, and other HIPAA transactions.
Health Care ClearinghousesEntities that process non-standard information they receive from another entity. Clearinghouses only receive PHI only when they are providing services to a Health Plan or Health Care Provider. Clearinghouses include billing services, community health management information systems, and repricing companies.
Who are the Covered Entities subject to the Privacy Rule?
16
Know the Privacy Rule Definitions
Term Definition
Protected Health Information (PHI)
All individually identifiable health information held or transmitted by a Covered Entity or its Business Associate in any form or media including electronic or paper. PHI includes any information that relates to the individuals’ past, present, or future physical or mental health/condition as well as the provision of past, present, or future provision or payment for health care to the individual that identifies the individual or there is a reasonable basis to identify the individual.
Business AssociatePerson or organization that performs certain functions or activities on behalf or to a covered entity that includes the use or disclosure of PHI and can include claims processing, data analysis, utilization review, legal, actuarial, consulting, accounting, data aggregation, management, administrative, accreditation, or financial services.
Business Associate Agreement (BAA)
Agreement necessary to be put in place when a Covered Entity engages a Business Associate perform functionality that requires access or exposure to PHI.
De-Identified Health Information
De-Identified Health Information neither identifies or provides a reasonable basis to identify the individual. There are two ways to de-identify PHI: 1) a formal determination by an expert; or 2) the removal of specified identifiers of the individual.
Authorization
A Covered Entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for payment, treatment, or operations. The Covered Entity may not condition payment, treatment, or operations on an individual granting authorization. Communication for treatment of the individual or care coordination for the individual to recommend treatment are not subject to Authorization.
Minimum NecessaryA Covered Entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI to accomplish the intended purpose of the use, disclosure, or request. The Covered Entity must develop/implement a Minimum Use Policy and Procedure.
17
Understand Privacy Rule – Permitted Uses and Disclosures of PHI
Permitted Uses and
Disclosures
Individual
Payment, Treatment, Operations
Permitted by Individual
Incidental Use and
Disclosure
Public Interest and
Benefit *
De-Identified Limited Data
Set
Basic PrincipleA major use of the Privacy Rule is to define and limit the circumstances in which a individual’s PHI may be used or disclosed by Covered Entities.
Required DisclosuresA Covered Entity must disclose PHI in two situations: 1) upon request by the individual; 2) to HHS when undertaking a compliance investigation.
Permitted Use and DisclosuresA Covered Entity is permitted but not required to use and disclose PHI without and individual’s authorization for the reasons listed in the diagram to the right.
* Public Interest and BenefitIncludes required by law, public health, abuse or domestic violence cases, law enforcement, research, worker’s comp, serious threat to health/safety, etc.
18
The Privacy Notice is a key component of the Privacy Rule.
Each Covered Entity must provide a copy of its Notice of Privacy Practices and it must contain the following elements:
• Describe the ways in which the Covered Entity may use and disclose PHI.
• State the Covered Entity’s duties to protect privacy
• Provide a notice of privacy practices and abide by the current notice
• Describe the individual’s rights including the right to complain to HHS and the Covered Entity if they believe their privacy rights have been violated.
• Include a point of contact for further information and for making complaints
In addition to the Privacy Notice, individuals have the following rights with regards to PHI held by a Covered Entity:
• Access – To review and obtain a copy of their PHI in the Covered Entity’s dataset
• Ability to Amend PHI – To have Covered Entities amend their PHI when they feel the information is inaccurate or incorrect
• Disclosure Accounting – Access to an accounting of the disclosures of their PHI by a Covered Entity for a maximum of six years.
• Restriction Request – To request that a Covered Entity restrict use or disclosure of PHI for payment, treatment, and operations. However, Covered Entity is under no obligation to agree to requests for restrictions.
19
Action Description ImplementationPrivacy
Policies and Procedures
Covered Entity must develop and implement written privacy policies and procedures.
Develop Policies and Procedures manual
Privacy Personnel
Covered Entity must designate a privacy official responsible for developing and implementing privacy policies and procedures and also provide a contact person for receiving complaints and inquiries.
Assign this duty to a company leader
Policies and Procedures
Workforce Training and Management
Covered Entity must train all employees on its policies and procedures which include sanctions for policy violations.
Training program Sourced Computer
Based Training
Mitigation Covered Entity must mitigate any harmful effect that was caused by use or disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule.
Business/IT functional response as needed
Data Safeguards
Covered Entity must maintain administrative, technical, and physical safeguards to prevent intentional or unintentional of PHI in violation of its Policies and Procedures or the Privacy Rule.
See Security Rule for implementation.
Complaints Covered Entity must have procedures for individuals to complain about its compliance with its policies and procedures and the Privacy Rule.
Policies and Procedures
Implement at the web
HIPAA Privacy Rule – implementation
20
HIPAA Privacy – implementation continued
Action Description Implementation
Documentation and Record Retention
Covered Entity must maintain for at least six years its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions that the Privacy Rule requires to be documented.
Policies and Procedures
Store historical information on Cloud
Privacy PolicyCovered Entity must establish and publish its Privacy Policy with the elements listed per the Privacy Rule. Typically, the Privacy Policy is linked from the company website.
Policy and Procedure Post Privacy Policy on
the web.
Retaliation and Waiver
Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting with an investigation by HHS, or opposing an action that the person believes in good faith violates the Privacy Rule.
Policy and Procedure
21
HIPAA defines the way PHI breaches are handled.
Breach Notification Rule
Definition of PHI BreachUnauthorized use or disclosure of unsecured protected health information unless the HIPAA covered entity can demonstrate that the probability of the PHI being compromised is a low probability
To show low probability, a risk assessment should be completed:1. What kind of PHI was involved – identifiers and likelihood of re-identification?2. Who was the person who had the unsecured PHI?3. What was the PHI that was actually viewed?4. What is the actual risk to the PHI?
Three exceptions to the definition of Breach:5. Unintentional access to the PHI in the workplace or acting under the authority of the Covered
Entity6. Accidental disclosure of PHI by someone who is authorized to access the PHI7. Covered Entity has a good belief that the person who accessed the PHI was unauthorized
and was not able to retain the PHI
22
There are specific steps to notify those affected by a breach.
• Breach Notification should be sent to the affected individuals by first class mail or email if the individual has selected this method.
• Must be sent out within 60 days of discovery of the breach.• Notification should include:
- Description of breach- Type of information breached- Steps individuals need to take to protect themselves- Steps the Covered Entity is taking to investigate and prevent further breaches
• If the individual contact information is out of date for more than 10 individuals, then the Covered Entity is required to post a notice on its website for 90 days or send a media notice. Toll free number needs to be posted.
• Media notice is required in addition to individual notification.• Media notice takes the form of a press release within 60 days to the media outlets that serve the
areas that are affected.• Notification of the breach also needs to be sent to the office of the U.S. Secretary of Health and
Human Services (HHS).• An investigation by the Office for Civil Rights under HHS may be initiated to determine
cause as well as potential penalties under the Enforcement Rule.
More than 500 individuals
23
HIPAA defines the penalties for breaches.
Enforcement Rule
Violation Category Penalty for Each ViolationMaximum for All Violations of
an Identical Provision in a Calendar Year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 - $50,000 $1,500,000
Willful Neglect – Corrected $10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected $50,000 $1,500,000
• HHS is mandated to conduct HIPAA investigations if a preliminary review indicates a potential violation is due to willful neglect. Otherwise, investigations are discretionary.
• HHS will not impose the maximum penalty in all cases but will determine the fine amount on a case by case basis depending upon the nature and extent of the violation, the nature and extent of resulting harm, the history of non-compliance of the entity, and the financial condition of the entity.
• Previous history of non-compliance is major factor as HHS will use the history as either a mitigating or punitive factor.
• The Enforcement Rule prohibits the imposition of a civil monetary penalty for any violation of than willful neglect if the violation is corrected within 30 days of the entity realization of the violation.
24
The Security Rule defines requirements to protect PHI.
Security Rule
Technical Safeguards Physical Safeguards Administrative
Safeguards
1. Access Control2. Audit Controls3. Integrity4. Authentication5. Transmission Security
1. Facility Access Control2. Workstation Use3. Workstation Security4. Device and Media Controls
1. Security Management Process2. Assigned Security Responsibility3. Workforce Security4. Information Access Management5. Security Awareness and Training6. Security Incident Procedures7. Contingency Plan8. Evaluation of Business/Law
Changes9. BAA Contracts and Other
Agreements
Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to us specific technologies and are designed to be “technology neutral.”
Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.
Administrative Standards are a collection of policies and procedures that govern the conduct of the workforce and the security measures put in place to protect PHI.
25
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Technical Safeguards
Access Control
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity User authentication
Technical Safeguards
Access Control
Emergency Access
ProcedureEstablish procedure for obtaining necessary PHI during an emergency.
Policy and Procedure Business process set up to fulfill
requests
Technical Safeguards
Access Control Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Build timeout into technology
Technical Safeguards
Access Control
Encryption and Decryption
Implement technology to encrypt and decrypt data both at rest and in transmission Database encryption
Technical Safeguards Audit Controls Audit Controls
Implement hardware, software, and/or procedural mechanisms to corroborate that record and examine activity in information systems that contain or use PHI
Build logging and audit capability
Technical Safeguards Integrity Mechanism to
Authenticate PHIImplement electronic mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner.
Build tracking, logging, and audit into technology
Technical Safeguards Authentication Authentication Implement procedures to verify that a person or
entity seeking access to PHI is the one claimed Build user authentication in
technology
26
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Technical Safeguards
Transmission Security
Integrity Controls
Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of.
Build audit, logging, and tracking in technology
Technical Safeguards
Transmission Security Encryption Implement a mechanism to encrypt PHI whenever
deemed appropriate. Encrypt data wherever needed
Physical Safeguards
Facility Access Controls
Contingency Operations
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the Disaster Recovery Plan and emergency mode operations in the event of an emergency.
Develop and test DR/BC plan
Physical Safeguards
Facility Access Controls
Facility Security Plan
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Alarm systems Keys policy
Physical Safeguards
Facility Access Controls
Access Control and Validation
Procedures
Implement procedures to control and validate a person’s access to facilities based upon their role or function, including visitor control, and control of access to software programs for testing and revision.
Policy and Procedure Role based access Business process to support
Physical Safeguards
Facility Access Controls
Maintenance Records
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors, and locks).
Policy and Procedure Alarm system Keys policy
27
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Physical Safeguards
Workstation Use Workstation Use
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI.
Policies and Procedures
Physical Safeguards
Workstation Security
Workstation Security
Implement physical safeguards for all workstations that access PHI, to restrict access to authorized users.
Laptop encryption No laptop PHI Policy and Procedure
Physical Safeguards
Device and Media Controls Disposal
Implement policies and procedures to address the final disposition of PHI and/or the hardware or electronic media on which it is stored.
Policy and Procedure Build PHI destruction in the
database
Physical Safeguards
Device and Media Controls Media Re-Use
Implement procedures for removal of PHI from electronic media before the media are made available for re-use
Flash drive/CD destruction Policy and Procedure
Physical Safeguards
Device and Media Controls Accountability
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Develop record database, maintain database, and store on the network
Administrative Safeguards
Security Management
ProcessRisk Analysis
Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
Perform Risk Analysis using Risk Analysis Tool
28
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Administrative Safeguards
Security Management
ProcessRisk
ManagementImplement sufficient measures to reduce these risks to an appropriate level. Policies and Procedures
Administrative Safeguards
Security Management
ProcessSanction Policy Implement sanction policies for employees who
fail to comply. Policy and Procedure
Administrative Safeguards
Security Management
Process
Information Systems Activity
ReviewRegularly review system activity, logs, audit trails, etc.
Business process to review logs
Administrative Safeguards
Assigned Security
ResponsibilityOfficer Designate HIPAA Security and Privacy Officers.
Assign this role to a company leader
Administrative Safeguards
Workforce Security
Employee Oversight
Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
Policy and Procedure Business process to support
Administrative Safeguards
Information Access
ManagementMultiple
OrganizationsEnsure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
Put BAA in place for appropriate organizations
29
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Administrative Safeguards
Security Awareness and
TrainingSecurity
RemindersPeriodically send updates and reminders about security and privacy policies to employees.
Annual employee training Develop ongoing HIPAA
program for employees
Administrative Safeguards
Security Awareness and
TrainingProtection
Against MalwareHave procedures for guarding against, detecting, and reporting malicious software.
Implementation of firewalls, anti-virus, and other security protections
Administrative Safeguards
Security Awareness and
TrainingPassword
ManagementEnsure that there are procedures for creating, changing, and protecting passwords.
Create and implement password change policy
Administrative Safeguards
Security Awareness and
TrainingLogin Monitoring Institute monitoring of logins to systems and
reporting of discrepancies. Build logging and monitoring
into technology
Administrative Safeguards
Security Incident
ProceduresResponse and
ReportingIdentify, document, and respond to security incidents.
Policy and Procedure Security business process
Administrative Safeguards
Contingency Plan
Contingency Plan
Ensure that there are accessible backups of PHI and that there are procedures for restoration of any lost data.
Create frequent backups for the database
Administrative Safeguards
Contingency Plan
Contingency Plans Updates and Analysis
Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plans components.
Test DR/BC plans
30
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Administrative Safeguards
Contingency Plan Emergency Mode
Establish (and implement as needed) procedures to enable continuation of critical business procedures for protection of the security of PHI while operating in emergency mode.
DR/BC Plan
Administrative Safeguards Evaluations Evaluations
Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
HIPAA seminars and education
Administrative Safeguards
Business Associate
Agreements
Business Associate
Agreements
Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
BAA
31
Summary - Achieving HIPAA Compliance
Key Activities• Develop HIPAA Policies and
Procedures and implement• Name Chief Compliance Officer• Implement enterprise training for Policy
and Procedures• Mandatory annual HIPAA training for
employees and onboarded new employees
• Put BAA agreements in place with both vendors and customers
• Develop security measures for laptops including encryption
• Implement ongoing HIPAA employee communication program
• Post Privacy Notice on website• Build into technology
- Database encryption – at rest and in transit
- Role Based Access to systems- Authentication – two factor - Access audit records- Documented technology
configurations- Data corroboration
•Develop Breach Notification Plan
• Conduct preliminary enterprise risk assessment and analysis using National Institute of Standards and Technology (NIST) Assessment Tool
• Remediate any issues flagged by the NIST Assessment Tool
• When ready, contract out for a HIPAA Compliance Audit.
• Remediate any issues flagged by the audit.
• Receive final Compliance Audit report showing documented HIPAA compliance
• Maintain and adhere to HIPAA Policies and Procedures
• Maintain ongoing employee HIPAA program
• Defend against PHI breaches.
• Conduct periodic Risk Assessments
• Prepare for and assist with any customer HIPAA audits
• Respond, if necessary, to any and all breaches.
• Achieve SOC 2 compliance
Become HIPAA compliant Achieve HIPAA Compliance HIPAA Maturity
32
When in doubt, go to the source
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html
Thanks