96% of practices “suffered a data breach involving the loss of theft of patient data… in the past 24 months, 46% had 5 or more!” Ponemon Institute, llc “7th annual benchmark survey on Patient Privacy / Data Security” 2017.
Carosh Compliance Solutions is here to deliver solutions customized for your specific needs. As your trusted advisor, we assist your organization in achieving privacy and security goals, more cost efficiently, requiring less time from your employees; thereby saving your organization time and money.
When selecting a level of service that’s right for you, you will achieve the confidence in knowing that your program will protect you from financial risk of those inevitable privacy and security incidents.
* Activities are conducted in a group setting
When considering the best privacy and security strategy for your organization, you should consider:
Our custom packages are designed to give you complete control as you choose the level of risk you are comfortable with, the amount of cost you will save, and manage employee productivity. The level of service depends on what you want to devote to your program in order to protect your business from financial loss. Loss that comes from fines and penalties, civil suits, and patient dissatisfaction.
Each of the services included in our bundled packages are also available a-la-carte, providing you with even more control over the creation of your security program.
Have peace of mind knowing that all of your required documentation is available by regulation and accessible in the time frame provided by OCR when a breach occurs.
HIPAA Suite® functions include:
With Cybercrime growing at an exponential rate, Carosh Compliance Solutions has partnered with KnowBe4, an industry leader in cybersecurity assessments and training.
The number one-way criminals gain access to your system is through phishing or spear phishing emails. To lessen the likelihood of a successful cyber-attack on your system:
– Employees will be sent a quarterly email to test their cybersecurity knowledge
– Responses to a potentially infected email is tracked
– Employees receive training on how to identify potential attacks
– Employees receive required periodic security reminders
– Quarterly management reports on the state of your cybersecurity posture are delivered to your desktop
Gain peace of mind knowing you have identified the level of risk from vulnerabilities your organization has, which will lead to an improper disclosure of private information.
The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the use and disclosure of the information without patient authorization. The rule also gives patients personal rights over their health information, including rights to examine and obtain copies of their health records, and to request corrections to their medical record.
Minimize the risk from your business associates mishandling your information. Protect your financial position and reputation by vetting your business associates in a proactive manner.
Under the new rules the “satisfactory assurances” of a Business Associate’s compliance with HIPAA regulations, as contained in their BA Agreement, is no longer sufficient to achieve HIPAA compliance. Going beyond the obligatory signing of the BA Agreement, you have a requirement to conduct a new level of due diligence to manage your risk.
Carosh will review all entities working with you to determine which ones are Business Associates and therefore require updated Business Associate Agreements. We will also assess each Business Associate to assure their compliance with HIPAA regulations. Carosh will review and update the standard BA agreement and define a phase-in schedule to bring all BAs and BA agreements into compliance with the Final Omnibus Rules.
This regulatory requirement is turned into an easy-to-use roadmap that will help you remediate the vulnerabilities identified in the Risk Assessments while empowering yourself to show meaningful progress in gaining compliance.
Carosh Compliance Solutions works with you to determine the appropriate remediation strategy for each identified deficiency, design a remediation plan, which includes the risk, the proposed remediation, and the responsible party assigned for mitigating each risk; A completion date is also assigned. The plan is codified and tasks distributed to responsible parties.
Build confidence and gain peace of mind knowing your policies and procedures meet regulatory requirements while customizing your policies in a manner that fits your organization.
Carosh will review existing policies and procedures to assess appropriateness in addressing risk and security threats. For those deficiencies addressed in the Security and Privacy Risk Assessment(s), we will develop the policies and procedures necessary to address these deficiencies tailored to your workflow and personnel. Outsourcing the documentation development and preparation, especially when combined with the Security Risk Assessment, ensures a complete “Master Manual” that can be used by anyone in the practice to find procedures and forms to manage all aspects of HIPAA compliance.
Gives you confidence that you have complied with this critical regulation. Know the level of vulnerabilities your company carries in regards to keeping your patients’ information private, safe and secure.
These Security Rules identify over 78 controls to include “required” and “addressable” controls; each is evaluated, and included in the delivered Gap Analysis, as the first step in the compliance process.
Achieve peace of mind knowing that you have an industry recognized expert available to answer your individual questions in a sound, accurate and personalized manner.
Many organizations do not need a chief security and/or privacy officer on a full time basis. While you will need to identify and designate someone for the role of chief security and/or privacy officer, Carosh can fulfill the knowledge requirement to assist these individuals to effectively fill their obligations in these roles.
In part, Carosh will routinely review and provide training within the contest of the HIPAA/HITECH compliance program. This routine review and on-going training are at the core of maintaining HIPAA/HITECH compliance When a suspected breach occurs, you, under the Final Omnibus Rules which went into effect in January 2013, obligated to assess the extent and impact of the breach. Depending on the result of this assessment, different reporting requirements are triggered.
In the event an actual breach has occurred, or you are audited as part of the Office of Civil Rights’ (“OCR”) ongoing random audit program, specific protocols will be triggered to demonstrate to OCR, your compliance with the requirements of HIPAA/HITECH. As part of Carosh’s Program, Carosh will stand by you, guiding you through the process of working with both suspected breaches and with OCR during a breach investigation.
Save time, money, and reduce loss of employee productivity while being confident that your employees are being properly trained on your own policies and procedures as required by regulation.
All staff, whether salaried or non-salaried, are required to complete HIPAA privacy and information security training on a periodic basis. Contrary to generally accepted practice, training is required to include materials related to the practice’s specific policies and procedures. Though not specified in the Regulations, best practices have you conducting this training continually throughout the year, or when a change to the Regulations occur. Training needs to include faculty, staff, students, volunteers, as well as visitors who may have either direct or indirect access to patients or their health information.
Carosh provides you with several levels of training depending upon employees’ level of access to patients and patient information including basic (staff) and advanced (management). Training is designed for your specific type of practice. Training is delivered in the form most suited for your individual staff.
Gain peace of mind and confidence that you have a trusted advisor to help you investigate and remediate any security and/or privacy incidents, completed in a timely, organized manner.
Gain peace of mind and confidence that your program continues to meet this little-known regulation. Gain the understanding of whether your policies and procedures reflect the way you operate.
Show the world you’re in compliance, by an industry recognized expert, attesting your company has achieved compliance under all the regulatory requirements. Build a culture of compliance to protect the patient information under your care.
During the Attestation Service, additional time is spent on-site to validate components of the Security Risk Assessment. Additional activities include: a) the required Vulnerability Assessment, b) Business Associate Management, and c) implementing an effective Training Program.
Upon completion of the Attestation phase, Carosh will generate an opinion letter as to the entities compliance with all the relevant regulations. Successful attestation will include a “seal of approval” for use on your website and promotional materials, and certificate of attestation, documenting your organizations’ successful implementation of a security and privacy program.
Take comfort in your access to a trusted advisor when you need sound, accurate, and custom guidance on a specific question or issue. We’ll always be around to help you out.
Professional health care privacy and security officers classify the HIPAA regulations as complex and difficult to understand, overly complex, vague or confusing. The result is compliance becomes difficult to maintain, even for those explicitly trained in the discipline. With the enormous financial impact a security and/or privacy breach will cost you and your practice, guidance from industry experts is a necessity in today’s complex environment.
Carosh can provide a professional to work directly with your Chief Privacy Officer and/or Chief Security Officer and administrative manager(s) on an as needed basis. We start with the required Risk Assessments, through remediation, and including assistance in assessing suspected breaches. In addition, when needed we continue our support through the reporting of breaches and working with regulatory agencies to mitigate the damages, fines and penalties.
Realize a new level of security and comfort that you have a trained, trusted advisor to handle the regulatory duties of the Chief Privacy/Security Officer while saving you time and loss of employee productivity.
This planning and facilitation service level begins the process and is therefore the most important to a successful implementation. Careful thought must be put into which operational areas, and service offerings need to comply with the requirements of HIPAA/HITECH. The goal is to identify those areas that will be impacted, and those, if any, that need not comply with the requirements of HIPAA/HITECH. Care must be taken to assure that these two areas do not bleed together, resulting in a weakened defense when you experience a breach of client PHI. Carosh has substantial experience with the processes involved in planning successful HIPAA/HITECH compliance programs, in complex organizations.
Carosh will facilitate meetings to determine and clarify:
– What are your obligations under HIPAA/HITECH,
– Business Processes, Product and Service Lines that may require compliance with HIPAA/HITECH regulations,
– Extent and function of Business Associate relationships, including specific services provided,
– Training needs across multiple functional groups,
– Extent of internal assets to develop launch and manage training requirements under HIPAA/HITECH,
– Extent of internal assets and configuration to comply with document management requirements under HIPAA/HITECH, and
– Development of timeline and tasks to develop and implement HIPAA/HITECH compliance program.
The subsequent phase is the Security Risk Assessment phase, we will update the security and risk assessment required under HIPAA/HITECH. This risk assessment needs to be conducted under a protocol similar to that described in the NIST’ (National Institute of Standards and Technology) Special Paper 800-30.
The results of the Security Risk Assessment are used to generate a new and required Remediation Plan. Following the approval of the remediation plan, you will need to implement the Remediation Plan, making “meaningful progress” towards compliance.
Carosh will conduct the Security Risk Assessment, auditing business processes, policies and procedures, document retention programs, and training programs to assess compliance with the requirements of HIPAA/HITECH. With the completed Risk Assessment, Carosh will construct the prioritized remediation plan, and present it to management for approval.
Carosh will work with you to achieve compliance under HIPAA/HITECH and will attest that you have conducted the required Security Risk assessment, has constructed the required Remediation Plan, and is making “meaningful progress” in remediating any identified deficiencies. To do so, Carosh will work on the remediation of deficiencies and implementation of all policies and procedures, business processes document management and training.
As part of this service, Carosh will conduct quarterly reviews and updates to all aspects of the compliance program to ensure continued compliance and continued attestation to compliance of your obligations under the HIPAA/HITECH regulations.
Carosh will routinely review and provide training within the contest of the HIPAA/HITECH compliance program. This routine review and on-going training are at the core of a maintaining HIPAA/HITECH compliance. When a suspected breach occurs, you, under the Final Omnibus Rules which went into effect in January 2013, obligated to assess the extent and impact of the breach. Depending on the result of this assessment, different reporting requirements are triggered.
In the event an actual breach has occurred, or you are audited as part of the Office of Civil Rights’ (“OCR”) ongoing random audit program, specific protocols will be triggered to demonstrate to OCR, your compliance with the requirements of HIPAA/HITECH. As part of Carosh’s Program, Carosh will stand by you, guiding you through the process of working with both suspected breaches and with OCR during a breach investigation.
To assure continued compliance with the requirements under HIPAA/HITECH, the tasks presented above need to be reviewed and updated on a routine basis. The Security Risk Assessment and Remediation Plan need to be reviewed and updated; (i) periodically, (ii) after a move to a different physical location, and (iii) when a material change in operation or operating procedures occurs.
Gain peace of mind and self-assurance with an Advisor that you trust, one you can count on. One to shield you from the rapidly changing risks you face. One to help you survive your inevitable breaches and investigations.
Privacy and Security of your clients protected data (private and/or health) is a reality that your organization can no longer afford to ignore. Compliance with the detailed requirements of the federal and state regulations you face is a challenging and time-consuming task. These regulations are in place to protect the personal information of patients and clients. Compliance is mandatory; however, you may be short on staff or simply don’t have the resources with the appropriate knowledge to manage the required compliance demands and address data security concerns. This can make implementing and managing a privacy and security program a grinding and a frustrating experience. The good news is that it doesn’t have to be the same way now. With expert guidance at every step, designing and implementing a successful program, one you can count on is within reach.
At Carosh, we take the time to understand your operation and the technical and people issues and challenges you are facing. Then we use our knowledge of the unique regulatory challenges your organization faces to help guide you through compliance with existing requirements. Our consultants have the expertise and experience to become your trusted advisor.
Contact one of our Privacy Advocates for more information about customizing a HIPAA strategy for your organization..