Healthcare organizations regularly use the services of a variety of contractors and professional services firms. HIPAA, as amended by the HITECH Act, allows covered entities to disclose the minimum necessary protected health information (PHI) to these "business associates." The business associate must then safeguard that PHI, and the covered entity must exercise due diligence in selecting and contracting with it. Our business associate toolkit enables the covered entity to complete these tasks with due diligence:
1.1 BA Determination Chart: This flow chart has been developed to determine, based on HHS guidance, whether a service used by the covered entity falls within the scope of a business associate relationship.
1.2 Business Associate Assessment Questionnaire: This business associate assessment questionnaire, which covers 13 different risk areas, has been designed to support the requirements of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and other applicable data privacy laws and regulations. At a minimum, all high-risk business associates need to complete this questionnaire.
1.3 Business Associate Agreement: The provisions in the business associate agreement are designed to help covered entities comply more easily with the business associate contract requirements of the HIPAA/HITECH privacy, security, and breach notification rules.
A security risk analysis is a systematic and ongoing process of identifying and examining threats and vulnerabilities to protected health information and implementing changes to make patient health information more secure. Under the HIPAA Security Rule, covered entities and business associates are required to conduct a risk analysis and to manage the identified risks in order to safeguard patient information.
2.1 Risk Assessment Questionnaire: This risk assessment questionnaire, consisting of eight topic areas and more than fifty questions, has been designed to support the requirements of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), NIST guidance, and other applicable data privacy laws and regulations.
2.2 Risk Assessment Template: This risk assessment template is designed to organize and prioritize identified risks based on likelihood and impact criteria. The risks ranked highest need to be mitigated first.
2.3 Best Practices List: This list of current best practices, derived from NIST, CIS, and other authoritative organizations for different technology systems, is used as reference material when implementing security controls.
All covered entities must comply with the HIPAA/HITECH privacy, security, and breach notification rules, which specifically focus on protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). To support this requirement, EHR 2.0 has developed an easy-to-use HIPAA/HITECH assessment toolkit for evaluating privacy, security, and breach notification rule requirements. Our toolkit consists of:
3.1 ePHI Inventory Template: The first step in a HIPAA/HITECH assessment is to identify the systems, processes, and people involved in creating, receiving, maintaining, and transmitting ePHI. This template helps organizations develop an ePHI master inventory.
3.2 Sample Master Information Policies and Procedures: HIPAA security policies set out the "rules" governing how electronic Protected Health Information (ePHI) is handled. The set includes a physical security policy, technology security policy, sanction policy, access policy, contingency plans, security incident procedures, and a social media section, among others.
3.3 HIPAA/HITECH Assessment Checklist: This easy-to-use HIPAA/HITECH Security Rule checklist covers all 28 administrative safeguards, 12 physical safeguards, and 12 technical safeguards. The checklist helps healthcare organizations discover gaps against the required and addressable HIPAA/HITECH Security Rule specifications, in addition to the privacy and breach notification rule requirements.
3.4 Breach Determination Chart: This flow chart has been developed to apply a consistent approach to the risk assessment that determines whether breach notification is required following a possible breach of unsecured Protected Health Information (PHI).