HIPAA Compliance / Meaningful Use Attestation

Components of a HIPAA Risk Analysis and how it maps to the HIPAA Security Rule

MainStream Technologies, Inc. will help with your Meaningful Use Attestation. Using our tools and experience, we will quickly provide you with an assessment and develop a plan to get you compliant!

Our HIPAA Gap Analysis Covers the Following Standards:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Safeguards
  • Policies and Procedures and Documentation Requirements


Conducting an IT Risk Analysis and mitigating security deficiencies is one of the core objectives for Meaningful Use attestation of Electronic Health Records. All providers that choose to apply for Meaningful Use incentives need to have conducted a formal security risk analysis of their EHR system and associated processes for each stage. That security Risk Analysis must be conducted according to the Department of Health and Human Services / Office for Civil Rights “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.” [Source: Centers for Medicare & Medicaid Services (CMS)]

MainStream Technologies is continually improving and developing specialized tools and procedures to help you meet the continually evolving needs of small and medium-sized healthcare providers.


Deliverables You Can Expect:

  1. Follows the required and trusted standard found in NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” and meets or exceeds all the requirements specified in the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”

  2. Pinpoints the organization’s threats and vulnerabilities

  3. Identifies the controls and protections in place and any gaps

  4. Calculates risk ratings and identifies where the organization should focus its remediation efforts

  5. Prioritizes the controls needed to protect highly sensitive ePHI

  6. Includes a Findings, Observations and Recommendations Report


How You Will Benefit:

  1. Obtain Meaningful Use incentive money

  2. Be prepared in the event of a Mandatory HIPAA Audit

  3. Avoid embarrassing data breaches

  4. Avoid the legal cost of unauthorized disclosure of Protected Health Information

  5. If the organization is a Business Associate, provide assurance to its customers

  6. Make data security a competitive advantage


HIPAA Health Insurance Portability and Accountability Act
Title II > Administrative Simplification > Security Rule

Standard Details of the Security Rule

  • Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)), (§ 164.314(a)(1))

  • Contingency Plan (§ 164.308(a)(7))

  • Access Control (§ 164.312(a)(1))
  • Information Access Management (§ 164.308(a)(4))
  • Device and Media Controls (§ 164.310(d)(1))
  • Integrity (§ 164.312(c)(1))

  • Security Management Process (§ 164.308(a)(1))
  • Assigned Security Responsibility (§ 164.308(a)(2))
  • Security Incident Procedures (§ 164.308(a)(6))
  • Evaluation (§ 164.308(a)(8))
  • Audit Controls (§ 164.312(b))
  • Policies and Procedures (§ 164.316(a))
  • Documentation (§ 164.316(b)(1))

  • Access Control (§ 164.312(a)(1))
  • Audit Controls (§ 164.312(b))
  • Integrity (§ 164.312(c)(1))
  • Transmission Security (§ 164.312(e)(1))

  • Workforce Security (§ 164.308(a)(3))
  • Security Awareness and Training (§ 164.308(a)(5))

  • Facility Access Controls (§ 164.310(a)(1))
  • Workstation Use (§ 164.310(b))
  • Workstation Security (§ 164.310(c))

  • Access Control (§ 164.312(a)(1))
  • Audit Controls (§ 164.312(b))
  • Integrity (§ 164.312(c)(1))
  • Person or Entity Authentication (§ 164.312(d))

Functional Assessment Scope
How We Audit The Standards

  • Business Associate Oversight: Identification of Critical Vendors, Vendor Due Diligence, and Documentation Review
  • Business Continuity: Data Backup, Disaster Recovery, and Business Impact Analysis
  • Data Security: ePHI Disposal, Storage, and Transmission
  • Information Security Program: Risk Management and Incident Detection and Response
  • Network Analysis: Architecture, Access Control, Device Management, and Event Management
  • Personnel Security: Hiring Processes, Security Awareness, and Security Training
  • Physical Security: Data Center, Facilities, and Environmental Concerns
  • Systems Analysis: Patching, System Hardening, Anti-Virus, Upgrade Procedures, System Access, Logging, Password Policies, and Account Lockouts

MainStream Technologies will complete your risk analysis and assist you in planning specific risk mitigation steps, in the form of implementing security controls and/or correcting security deficiencies. We are able to assist you with the risk analysis of all brands and types of EHR systems. We can tailor our risk analysis consulting services to meet your specific current needs as well as any future needs.

Contact us and one of our team will be in touch.