
Compliance Armor
HIPAA Essentials Bundle
Compliance Armor's HIPAA Essentials Bundle will not only help to defend your practice from scammers but will also help you on your journey to HIPAA compliance.
Developed by cybersecurity experts with decades of experience, this bundle is the perfect first step and includes:
- Policies and Procedures, as required by NIST SP 800-30 rev. 1
- A Risk Assessment, which is the foundation on which the Security Rule is built
- HIPAA Cybersecurity Awareness Training, which is also required under the Security Rule
Privacy Policies
Compliance Armor's Policies and Procedures were designed in compliance with the following NIST SP 800-30 rev. 1 requirements:
Administrative Safeguards
These guidelines are outlined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” They include:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedure
- Contingency Planning
- Evaluation
- Business Associate Contracts
Physical Safeguards
These guidelines are outlined in the Security Rule as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” They include:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Control
Technical Safeguards
These guidelines are outlined in the Security Rule as the “technology and the policy and procedures that protect electronic protected health information and control access to it.” They include:
- Access Control
- Audit Control
- Person or Entity Authentication
- Transmission Security
Risk Assessment
A Risk Assessment is not JUST required under the HIPAA Security Rule. It is actually considered the FOUNDATION of the HIPAA Security Rule under the Security Management Process standard, which requires a Covered Entity to:
- “Implement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
In other words, if you fail to run a Risk Analysis, you are putting your organization at great risk.
The HIPAA Essentials Bundle includes a comprehensive Risk Assessment as detailed in NIST Special Publication (SP) 800-30 Revision 1 that includes:
- An Executive Summary Report: A straightforward, comprehensible snapshot of your current situation that explains the overall risks found in your systems containing ePHI, along with recommendations of actions to take that will lower the risks.
- An Itemized, Comprehensive Risk Assessment Report: This report documents the threats and vulnerabilities found in the systems containing ePHI, along with any safeguards currently in place to protect the systems. It also includes additional safeguards you can implement that will lower systemic risk to ePHI.
- Remediation & Work Plan: This plan will help you prioritize, implement, and track the recommended safeguards as you secure your systems.
We craft this Risk Assessment specifically for your organization by following the NIST SP 800-30 methodology listed below:
- Identify and document all ePHI repositories.
- Identify and document potential threats and vulnerabilities to each repository.
- Assess current security measures.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of threat occurrence.
- Determine the level of risk.
- Determine additional security measures needed to lower the risk level.
- Document the findings of the Risk Assessment.
Once the Risk Assessment has been completed, you will have a greater understanding of the risks and vulnerabilities facing your ePHI systems, and how to combat those risks by securing your networks. After all, you can't fight the enemy without first knowing who you are fighting!
HIPAA Security Training and Compliance Testing
Did you know that one of your biggest assets is also one of your biggest liabilities?
What is this asset and liability? Your employees.
Hackers focus their attacks on tricking your employees into clicking a link or opening an attachment. If you don't train your employees on what to look out for, how can you expect them to know?
This is why Security Training is so important; beyond important, it's also required under the HIPAA Security Rule:
"STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
Security training for all new and existing members of the covered entity’s workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule."
Compliance Armor's HIPAA Essentials Bundle provides your employees with the in-depth training needed to fulfill the HIPAA Security Rule in an online format that is not only informative but also engaging and convenient. Here is just a taste of some of the topics we cover:
- What is the HIPAA Security Rule?
- Understanding, Protecting & Auditing ePHI and PII
- Best Practices for Secure Passwords
- Social Engineering Red Flags
- Hacker Tricks and Goals, including Ransomware
- Importance of Encryption
- Security Breaches and Violations
- Practical Security Steps
- HIPAA Privacy Training for Covered Entities
Training generally takes only about 2 hours, and your staff can start and stop at their own pace whenever it is convenient for them.
Once your employees have completed their online training, there is a 15-20 question online quiz so they can test their HIPAA Security Rule knowledge. Once they reach a score of 80% or higher, they will receive a personalized HIPAA Security Training certificate. You will also receive a report listing each of your staff members once they have completed it, along with the achievement date and their highest score.
Compliance Armor's HIPAA Essentials Bundle is a great first step toward not only getting your organization HIPAA compliant, but also protecting your ePHI!