Regulatory compliance is a significant challenge. Most of our customers are faced with multiple compliance requirements that must be addressed with limited resources. Leveraging a third party to prepare you for an audit or an independent review of the organization's information security program can provide confidence in the program. Another advantage of working with a third party is the opportunity to determine if an organization's information security practices are in line with other organizations in their industry.
The Office for Civil Rights (OCR) has responsibility for administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. These Rules are designed to provide important health information privacy and security protections and rights for individuals. Through the American Recovery and Reinvestment Act of 2009 (ARRA), Congress required the Department to audit covered entity and business associate compliance with the HIPAA Rules.
Audits present an opportunity for the OCR to examine mechanisms for compliance; identify promising practices for protecting the privacy and security of health information; discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews; and better target the technical assistance it provides to covered entities and business associates.
Compliance, Standards, and Frameworks Experience:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH Act), solidified by the Omnibus Rule in February 2013
- Breach Notification Rule
- NIST Cybersecurity Framework
- Meaningful Use Security Requirements
- Payment Card Industry Data Security Standard (PCI DSS)
- Joint Commission applicable standards
- HITRUST Common Security Framework (CSF) guidelines
- SSAE 16 SOC 2 Type II audit preparation
- General Data Protection Regulation (GDPR)
- ISO/IEC 27000 - Information Security Management Systems (ISMS)
Examples of Services We Can Provide:
Our consultants follow the same HIPAA Audit Program Protocol used by the Office for Civil Rights (OCR) auditors when they conduct their audits. We also rely on other industry standards and common industry practices for conducting our evaluations.
- Identifying applicable regulatory requirements and industry standards
- Evaluating HIPAA programs for compliance (Privacy, Security and the Breach Notification Rule)
- Information security program alignment with business strategy; framework mapping and gap assessment
- Preparing for an OCR incident investigation or a Meaningful Use audit
- Developing an electronic "Book of Evidence" of compliance documentation so that requests for documentation during an audit can be answered quickly and efficiently
- Confirming that organizational policies and standards are consistently implemented and that actual practice matches how the organization perceives it
- Creating policies, procedures, and other documents, then mapping to regulatory requirements and frameworks for providing documentation of compliance
- Determining the level of compliance with regulatory requirements and frameworks, and identifying gaps
- Assessing current business associates' and potential new business associates' compliance with the HIPAA regulations and HITECH requirements
- Verifying safeguards and internal controls and evaluating their overall effectiveness
- Providing recommendations for improvement
- Creating a Prioritized Action Plan for addressing gaps
- Monitoring or managing the execution of the action plan and updating the plan as requirements change