As you have migrated a lot of your data to more, fluid, solutions that allow your employees and contractors to work remotely for compliance and regulations with CDC COVID-19 guidelines you may have had some help to ensure things are transitioned correctly, but if you're here, chances are you understand the importance of making sure your solutions are compliant as we both know that IT friend or your current provider isn't going to assume any liability and any fines would rest on your head. So what do you look for?
HiPAA compliance summarized is, who has access, what they can do with it, where is the data, when is it accessed and how are they able to get ahold of it.
Under the HIPAA Security Rule, covered entities and business associates have an obligation to have policies and procedures in place to prevent, detect, contain and correct security violations. 45 CFR 164.308(a)(1)(i).
So before we go any further, do you have a business associate agreement (BAA) with all of your vendors, contractors and IT service providers such as phones, cloud, servers, etc? If not, stop now and get that done, that's a huge liability and often first compliance fine we see during an audit.
As far as your technology goes, it can be difficult to know, and you're often left to assume and hope or play ignorant whether or not it's in compliance. As we know, that's often like driving around without car insurance, sure, you can get away with it, until you don't and it leads to a severely costly learning experience.
Because of this we offer, no hassle evaluation of your current compliance with both facility and technology which will help you meet typical expectations of an "internal review" of compliance standard. Most of our clients do this on a semi-annual basis, even if they have another IT company or internal team, to ensure as business grows and changes that a vulnerability does not open up.
The regulations also require covered entities and business associates to “Implement procedures to regularly review records of information security system activity, such as audit logs, access reports and security incident tracking reports.” 45 CFR 164.308(a)(1)(ii)(D) It also requires the covered entity to implement hardware, software and/or procedural processes that record and examine activity in information systems containing electronic protected health information (ePHI). 45 CFR 164.312(b)
If you're not getting a quarterly or semi annual report on this, request it, if they cannot provide it then walk away from them quickly, it'll bite you just as bad, if not worse, than a bad bookkeeper.
Book a consult now!
Get a clear cut, no BS answer if you have some clear violations or security issues that need to be addressed to avoid compliancy fines for FREE. Get a indepth report and policy, systems review for only $799