HIPAA / HITECH Compliance

Contact us at info@symosis.com to get started.

The HIPAA Security Rule introduces a range of organizational and procedural requirements that address the confidentiality, integrity and availability of electronic protected health information (ePHI) in the healthcare and medical services industry. Every covered entity (providers, payers and clearinghouses) that creates, receives, maintains, or transmits ePHI must protect it against reasonably anticipated threats and hazards and against impermissible uses or disclosures. The key security standards and implementation specifications a covered entity must address, cross-referenced to the relevant Security Rule sections, are:

  1. Administrative Safeguards – Security Management Process (§ 164.308(a)(1)), Assigned Security Responsibility (§ 164.308(a)(2)), Workforce Security (§ 164.308(a)(3)), Information Access Management (§ 164.308(a)(4)), Security Awareness and Training (§ 164.308(a)(5)), Security Incident Procedures (§ 164.308(a)(6)), Contingency Plan (§ 164.308(a)(7)), Evaluation (§ 164.308(a)(8)), Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))
  2. Physical Safeguards – Facility Access Controls (§ 164.310(a)(1)), Workstation Use (§ 164.310(b)), Workstation Security (§ 164.310(c)), Device and Media Controls (§ 164.310(d)(1))
  3. Technical Safeguards – Access Control (§ 164.312(a)(1)), Audit Controls (§ 164.312(b)), Integrity (§ 164.312(c)(1)), Person or Entity Authentication (§ 164.312(d)), Transmission Security (§ 164.312(e)(1))
  4. Organizational Requirements – Business Associate Contracts or Other Arrangements (§ 164.314(a)(1)), Requirements for Group Health Plans (§ 164.314(b)(1))
  5. Policies and Procedures and Documentation Requirements – Policies and Procedures (§ 164.316(a)), Documentation (§ 164.316(b)(1))
  6. Security Standards General Rules (§ 164.306) – establish the flexibility of approach, identify the standards and implementation specifications (both required and addressable), outline the decisions a covered entity must make about addressable implementation specifications, and require ongoing maintenance of security measures so that the protection of ePHI remains reasonable and appropriate

Failure to comply can result in regulatory enforcement action, including fines and corrective action plans, as well as lawsuits and reputational damage.

HIPAA Gap Analysis & Risk Assessment

The principal goal of the gap analysis is to evaluate the current state of information security practices against the requirements of HIPAA and HITECH and to identify the weaknesses that must be addressed to meet business needs and regulatory obligations. A risk analysis is itself a required implementation specification of the Security Management Process standard (§ 164.308(a)(1)(ii)(A)), so a documented assessment is evidence of compliance in its own right, not just preparation for it. Symosis will assess weaknesses across administrative procedures, technical security controls, security policies and guidelines, security services, and physical security, and will develop compliance measures that satisfy the regulatory standards. The assessment will:

  • Identify gaps that exist in the security program
  • Determine a priority list for the recommended remedial actions
  • Align the organization with breach notification requirements outlined in HITECH
  • Provide the documentation needed to demonstrate due diligence in an audit or investigation by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

HIPAA Compliance & Remediation

The results of a gap analysis and risk assessment play a central role in executing an organization’s compliance and risk management strategy. In the context of the HIPAA Security Rule, the security control baseline, which consists of the standards and the required implementation specifications, should be viewed as the foundation or starting point for selecting the security controls needed to protect ePHI. In many cases, additional controls or control enhancements will be needed to protect ePHI or to satisfy applicable laws, policies, standards, or regulations. Note that an addressable implementation specification is not optional: the covered entity must implement it, or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable and appropriate. Symosis will work with your team to identify which addressable implementation specifications should be implemented to adequately mitigate the identified risks, and to fulfill the key Administrative Safeguards for evaluation, security management, security incident procedures and training, as well as the security assurance requirements of business associate contracts. Documentation is a primary means of demonstrating HIPAA compliance. Symosis will provide appropriate documentation, including:

  • Retaining written or electronic results of the risk analysis (the Security Rule requires such documentation to be kept for six years from its creation or from the date it was last in effect, whichever is later)
  • Documenting the results of an audit
  • Developing and implementing comprehensive privacy and security policies and procedures
  • Documenting staff training and security incident responses

HIPAA Security & Privacy Training

Covered entities must implement a security awareness and training program as part of their administrative safeguards. It is required for all members of the covered entity’s workforce, including management, “as reasonable and appropriate for them to carry out their functions in the facility.” Symosis web-based HIPAA Security & Privacy Training covers the HIPAA and HITECH Act training requirements and addresses all four addressable implementation specifications of that standard: security reminders, protection from malicious software, log-in monitoring, and password management. The 60-minute web-based training has the following additional features:

  • Meets HIPAA / HITECH security training requirements
  • Short interactive modules
  • 24×7 web accessible, repeatable
  • Track and monitor progress
  • Training completion certificates

HIPAA Policy and Procedures Documentation

HIPAA policies and procedures are one of the most important elements of compliance with healthcare mandates, especially the Privacy and Security Rules of the Health Insurance Portability and Accountability Act, and the Security Rule explicitly requires them to be documented (§ 164.316). Symosis will provide the security policy and procedure templates listed below and coordinate with your IT and business teams to customize them to meet your compliance requirements:

  • Account Management Policy
  • Anti-Malware Policy
  • Assigned Security Responsibility
  • Audit Trails Policy
  • Breach Notification Policy
  • Business Associate Agreement
  • Business Continuity Policy
  • Emergency Access Procedure
  • Encryption Policy
  • Device and Media Inventory Form
  • Security Incident Reporting Form
  • User Access Form
  • Vendor Access Log Form
  • Governance Policy
  • Identification and Authentication Policy
  • Incident Response Policy
  • Information System Activity Review
  • Information Security Policy
  • Maintenance Records Policy
  • Password Usage Policy
  • Physical Access Policy
  • Physical Security Policy
  • Privacy Policy
  • Remote Access Policy
  • Removable Media Policy
  • Risk Assessment Policy
  • Risk Management Policy
  • Sanction Policy
  • Security Awareness and Training
  • Transmission Security Policy
  • Workstation Security Policy