The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define the policies, procedures, and processes required of companies that store, process, or handle electronic protected health information (ePHI).
Our HIPAA Compliance Program Declaration
To ensure that we comply with HIPAA and the HITECH Act, that we have the required safeguards in place to protect ePHI, and to demonstrate to our clients our good-faith effort toward HIPAA compliance:
- WE have developed and implemented a comprehensive HIPAA Compliance Program following the HIPAA Privacy Rule and the HIPAA Security Rule, focusing on the administrative, physical, and technical requirements of the HIPAA Security Rule as they apply to any potential risk associated with the use of PHI in our business.
- WE have a designated HIPAA Privacy and Security Compliance Officer with a background in hospital administration.
- WE have provided every member of our staff, including new hires, with both annual training and quarterly refresher training, even if they do not have access to PHI on the job, including training on the secure storage and disposal of PHI.
- WE have a formally established Employee Sanctions Policy should any HIPAA compliance violation occur.
- WE maintain up-to-date technical safeguards, such as tight access controls, integrity procedures, security patch and antivirus updates, firewalls, information system activity monitoring and other audit mechanisms to record and examine access to information systems that use ePHI, strong encryption, automatic logoff, password management procedures, and a highly secure VPN tunnel.
- WE have conducted a formal HIPAA risk assessment to identify and document any area of risk associated with the storage, transmission, and processing of ePHI and have analyzed the use of our administrative, physical, and technical controls to eliminate or manage vulnerabilities that could be exploited by internal or external threats.
- WE have taken the concept of “minimum necessary” to a whole other level and limited access to ePHI to the barest minimum, reviewing each employee’s specific job tasks during our risk assessment so that only an extremely limited number of employees have access to PHI.
- WE maintain limited physical access to our facilities and employ continuous monitoring with on-premises camera recordings.
We are Dedicated to:
- Ensuring we are compliant with the regulatory requirements of HIPAA/HITECH
- Continuing to develop our safeguards to prevent unauthorized access to PHI
- Adhering to the requirement to encrypt PHI
- Maintaining PHI in a secure environment
- Monitoring access to both the secure environment and the data
We have implemented our HIPAA Compliance Program in order to protect the sensitive ePHI our clients share with us.
We take this responsibility very seriously and have dedicated both the financial resources and time to train our workforce and develop and implement all of the components of our HIPAA Compliance Program.
Our Comprehensive HIPAA Compliance Program addresses, but is not limited to, the following key areas:
- Security Management Policy
- Risk Analysis Policy
- Risk Management Policy
- Information Systems Activity Review Policy and Procedure
- HIPAA Compliance Officer Job Description
- Workforce Security Policy
- Authorization and Supervision of Staff Procedure
- Workforce ePHI Access Authorization Procedure
- Termination Procedure
- Business Associate Policy
- Information Access Management
- Access to ePHI Modification
- Security Awareness Training
- Security Training
- Security Reminders
- Password Management
- Password Changes
- Oral Disclosures of PHI
- Security Incident Procedures
- Incident Investigation Procedure
- Contingency Plan
- Backup Plan
- Disaster Recovery Plan
- Emergency Evacuation Plan
- Emergency Mode Operation
- Testing and Revision of Procedures
- Applications and Criticality Analysis
- Evaluation of the HIPAA Compliance Program
- Business Associates
- Physical Safeguards Standards and Policy
- Facility Access Control
- Facility Security Plan
- Visitors
- Access to Equipment, Devices Containing ePHI
- Remote Access Security
- Theft Prevention
- Cameras
- Document Control and Maintenance Records
- Workstation Use
- Device and Media Controls
- Disposal of ePHI
- Copy Machine Disposition or Replacement
- Disposal of PHI
- Disposal of Client Training Recordings
- Media Re-Use
- Accountability
- Data Backup and Storage
- Technical Safeguards Standards Policy
- Access Control
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption
- Antivirus and Security Patch Updates, Firewalls
- VPN Protocol
- Additional Safeguards Employed
- Audit Controls
- Integrity
- Mechanisms to Authenticate ePHI
- Annual Review
- Sanctions Policy
We are Confident that Our Comprehensive HIPAA Compliance Program Will:
- Ensure the confidentiality, integrity, and availability of all ePHI we receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by our workforce.
Questions, Concerns, or Issues…
We welcome your questions, concerns or issues regarding our HIPAA Compliance Program. Feel free to direct them to your Sales Rep.