Policy Creation

Security Policies

Past audits and investigations by OCR have repeatedly found Security policies and procedures, which the regulations require and which form the foundation of your compliance program, to be old, out of date, or missing entirely. Those findings often lead to fines.

This will be true this year, especially since HIPAA celebrates its 20th birthday in 2016 and OCR is auditing 350 entities, including Covered Entities and, for the first time, Business Associates. The “desk checks” will be looking specifically for these documents, and each selected entity will get one chance to respond with its documentation, in whatever state it is in. The question is: “are you ready?”

Our response is “don’t panic”. We have the answers you need with our Privacy and Security Policy templates and Preparation Support. Unlike “Compliance in a Box” template packages, our templates are not the common boilerplate “cut-and-paste-from-the-web” type that fits neither the compliance requirements nor your organization’s needs.

Scope of Work for Policy Creation for HIPAA Security Rule:

Our documentation framework is complete in all respects: up to date with the latest requirements and issuances from HHS, and ready to be custom fitted to your unique environment. Our documents have been put through experienced editorial review to ensure the highest quality and easy readability. They have also been through a thorough legal review to ensure that we capture the true spirit and letter of the regulations, so that your Management and Legal staff will find review and sign-off greatly simplified.

We provide expert support in preparing them. The writers of our framework documents are themselves experts in HIPAA as well as in policy writing. They will advise you on any customizations you wish to add or changes you need to make, saving you time and effort by always steering you in the “write” direction.

The final product will contain all the language necessary to set you on the correct course to achieve compliance, and it is flexible enough to conveniently accommodate other standards you may be subject to: PCI DSS for payment cards, the FTC Red Flags Rule, and Sarbanes-Oxley control requirements for public reporting entities, to name just a few.

Final Deliverables for HIPAA Security Policies:

The requirements to be met under the HIPAA Security Rule begin with a Risk Analysis. This analysis is at the heart of the work each entity must perform to determine where it may be exposed to technological and non-technological mistakes, flaws, and possible attacks.

Our documentation framework aligns completely with the OCR process and covers all the points it requires. We walk through the process with you as we conduct the analysis and prepare the documentation capturing the findings. This includes:

  • Facilities
  • Staff and workflow
  • Examination of computers and networks
  • Vulnerability testing
  • Log generation and reporting
  • Incident detection and response
  • Business Associate Contracts
  • Documentation

We then build a summary of the results, compose a Corrective Action Plan, lay out a schedule to accomplish it, and roll up our sleeves and dig in. When we complete the plan, we go back through it with you and review every item so that you know everything is complete.

Risk Analysis can be a complicated process. With over 30 years of industry-leading expertise in this area, we work the process with you, teaching as we collaborate, so that when we finish you will be in a position to perform this vital task yourself in the future.

Part of this effort is the preparation of the Contingency Plan, which gets you ready in case of some form of disaster, natural or otherwise. Information that you cannot reach may as well not exist. Our plan addresses each requirement HIPAA specifies to make sure that your information and your organization will survive, so that your staff can continue their vital work.

Should the day ever come when you are faced with an OCR audit or investigation, we can help get you ready. When you receive notification, we go to work to determine what steps must be taken and what is needed to answer OCR’s requests, and we get it all ready. We cover the process and outline potential risks so that you can plan your actions accordingly with your Legal Counsel.

When you couple this framework with the Supremus Group HIPAA Professional Certification Training, you bring everything together to equip your organization to meet any HIPAA compliance challenge: the right documentation, the right expertise, the right program. Our professional certification program ties them all together. You can find our training program at https://www.hipaatraining.net/hipaa-for-healthcare-providers-payers/

Contact us today for a no-obligation consultation to give you the best solution for your HIPAA compliance needs.

Privacy Policies

HIPAA Consulting Services for HIPAA Privacy Policy, Procedures and Implementation

Unlike the compliance requirements under the Security Rule, which focus on the safeguards and controls that protect electronic patient information in your computer systems, the requirements to be met under the HIPAA Privacy Rule are more method and process oriented. These procedural controls form the basis of handling your patients’ information in a manner that assures their privacy is protected even while it is being used for the vital tasks you perform for them and about them.

When you bring us in to assist you in evaluating your policies and methods, we begin by discussing your concerns and issues with you. We make sure we understand your operation and your workflow before actual work begins. With that understanding in hand, we begin with a Gap Analysis to determine what you have in place and what may be lacking or in need of addition or refinement.

At this point, we analyze our findings closely in order to create a Corrective Action Plan. As we identify areas needing attention, we bring these findings to you to ensure you are aware of them and that we have a full and correct understanding of the context. Our mutual understanding and agreement provide a solid basis for moving forward to address them effectively, and we create the plan together.

Our documentation framework aligns fully with the Privacy Rule and covers all the points it requires. From it, we walk through the process, build the necessary templates, and align and integrate them with your workflow. Examples of process and policy templates include:

  • Privacy Officer processes
  • Staff and workflow
  • Disclosure request handling, including:
      • Requests from official, external sources
      • Patient requests
      • Investigations and audits
  • De-identification processes (if applicable)
  • Information sharing and incidental disclosure
  • Incident detection and response
  • Training processes
  • Documentation management

When we complete the plan, we go back through it with you and review every item so that you know everything is complete. We continue to work with you to ensure that your enhanced workflow hits all the necessary points and that your Privacy Rule compliance achieves reliable, repeatable success.

Should the day ever come when you are faced with an OCR audit or investigation, we can help get you ready. We cover the process and outline potential risks so that you can plan your actions accordingly with your Legal Counsel.

Keeping documentation updated is a tedious, time-consuming process that is often neglected and thus poses a real risk at audit time. We help by creating workflows that build this requirement in, making it a natural, minimum-effort part of management to keep these documents current without unduly bogging down your normal processes.

Our goal is to make sure you achieve your compliance goals without disrupting your successful operation, keeping you running smoothly and efficiently by making HIPAA compliance “built in”.