The healthcare industry is a major target for hackers, and every medical practice must do more than merely meet HIPAA compliance standards. It must apply superior security technologies and risk management techniques to provide the highest level of data protection and risk reduction to safeguard its patients' data. Here at AIM Services we guide covered entities and business associates on how to secure their environments and protect their data.

AIM's HIPAA Risk Assessment Service is an all-in-one package with a dedicated AIM team member. Together, the practice Compliance Officer and the AIM team member will review and complete the Risk Analysis questions, an organization profile, and customizable policies and procedures. The online tool includes interactive and engaging multi-media training videos that allow staff to complete HIPAA Privacy training. The risk assessment process will include a review of administrative, physical and technical safeguards, will weigh criticality and impact, and will produce recommendations that identify mitigation strategies.

The regulatory requirements of the HIPAA Privacy, Security, and Breach Notification Rules mandate that organizations that create, receive, maintain, or transmit protected health information (PHI) must offer the highest level of data protection. This data could exist on patient intake forms, on medical devices, or in the cloud. We can help deliver the highest level of data protection in the healthcare industry and offer solutions that will withstand an OCR audit.

AIM Services HIPAA Security Service offers:

  1. Access to the HIPAA Compliance Portal (12 months)
  2. A detailed HIPAA Security Risk Assessment
  3. Customized HIPAA Security Policies and Procedures
  4. Online training covering Security and Privacy, and compliance testing for all employees

HIPAA Compliance Portal

HIPAA regulations are complex and confusing, but with our robust, easy-to-use, secure portal, compliance is made easy. The HIPAA Compliance Portal offers:

  • easy-to-understand, interactive, and engaging multi-media training tools that teach employees best practices for protecting patient health information. After passing the quizzes, employees can print out their training certificate. Administrators can access the training reports to view when each employee completed the training and their scores.
  • clear, customized HIPAA policies and procedures that align with all HIPAA Security and Breach Notification Rule requirements. Employees will be able to access the policies and procedures, read summaries of each policy and procedure, and watch short, entertaining videos that describe each policy and procedure.
  • guidance through the risk assessment questions, which follow the methodology described in NIST Special Publication (SP) 800-30 Rev. 1.
  • a straightforward incident reporting module that will help you respond to suspected data breaches.
  • the ability to track and maintain all business associates, including uploading any business associate agreements.
  • the ability to track repairs or maintenance to critical areas such as server rooms and other areas that store sensitive ePHI.

HIPAA Security Risk Assessment

A Risk Assessment is a requirement of the HIPAA Security Rule and is required for MIPS attestation, but unfortunately, time and again, the Risk Assessment is inadequate or not done at all.

The Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)). Its risk analysis implementation specification requires organizations to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).”

AIM Services can conduct an accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI at your practice. This risk assessment will be performed following industry best-practice standards as described by HHS, NIST, ISACA, HIMSS and AHIMA. It should be completed at least once a year, or after the implementation of any major system change, such as an office relocation or the replacement of an EHR system containing PHI.

AIM Services will provide a detailed report of the practice's vulnerability gaps, areas of non-compliance and heightened risk. Risk prioritization and mitigation decisions will be made by deciding which controls and measures should be implemented and the order in which they should be addressed.

The implementation components of the plan include:

  • Risk score (threat and vulnerability combinations) assigned to a particular issue being addressed
  • Recommendation(s) of measures and controls selected to reduce the risk of an issue
  • Ongoing evaluation and monitoring of the risk mitigation measures

Risk Assessment Process includes:

  • Identify and document all electronic protected health information (ePHI) repositories
  • Identify and document potential threats and vulnerabilities to each repository
  • Assess current security measures
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Determine the level of risk
  • Determine additional security measures needed to lower the level of risk
  • Document the findings of the Risk Assessment
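The following is an added worked example, not part of AIM's portal or the original page, showing how the eight steps above and the three implementation components (risk score from threat and vulnerability combinations, recommended controls, ongoing evaluation) fit together in a small risk register. The three-level qualitative scale, the likelihood-by-impact matrix, the assumption that implementing the recommended controls lowers likelihood by one level, and the sample findings are all constructed for illustration; the real NIST SP 800-30 Rev. 1 tables use a five-level scale and should be consulted for an actual assessment.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Qualitative scale shared by likelihood, impact and risk level. Three levels
# are an assumed simplification for this example; SP 800-30 Rev 1 uses a
# five-level scale (Very Low to Very High).
LEVELS = ("Low", "Moderate", "High")

# RISK_MATRIX[likelihood][impact] -> risk level (step 6). Constructed for
# illustration; it is not the NIST table.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood (step 4) and impact (step 5) into a risk level (step 6)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in LEVELS:
            raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")
    return RISK_MATRIX[likelihood][impact]


def lower_one_level(level: str) -> str:
    """Step a qualitative level down by one (Low stays Low)."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


@dataclass
class Finding:
    """One threat/vulnerability pair against one ePHI repository."""
    repository: str                  # step 1: where the ePHI lives
    threat: str                      # step 2: threat source or event
    vulnerability: str               # step 2: weakness the threat could exploit
    current_controls: list[str]      # step 3: measures already in place
    likelihood: str                  # step 4
    impact: str                      # step 5
    recommended_controls: list[str] = field(default_factory=list)  # step 7

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual_risk(self) -> str:
        """Assumed model: implementing the recommended controls lowers the
        likelihood by one level; impact is unchanged. Re-assess after
        implementation (ongoing evaluation) rather than trusting this estimate."""
        if not self.recommended_controls:
            return self.risk
        return risk_level(lower_one_level(self.likelihood), self.impact)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings highest risk first; ties broken by repository name."""
    return sorted(findings, key=lambda f: (-LEVELS.index(f.risk), f.repository))


def report(findings: list[Finding]) -> list[str]:
    """Step 8: document the findings as register lines, one per finding."""
    lines = []
    for f in prioritize(findings):
        lines.append(
            f"[{f.risk}] {f.repository}: {f.threat} via {f.vulnerability} "
            f"(likelihood {f.likelihood}, impact {f.impact}); "
            f"in place: {', '.join(f.current_controls) or 'none'}; "
            f"recommended: {', '.join(f.recommended_controls) or 'none'}; "
            f"expected residual risk: {f.residual_risk}"
        )
    return lines


def sample_register() -> list[Finding]:
    """Constructed sample inventory for a small practice (not real data)."""
    return [
        Finding("EHR server", "ransomware", "unpatched OS and no offline backup",
                ["endpoint antivirus"], "High", "High",
                ["monthly patch cycle", "tested offline backups"]),
        Finding("Clinician laptops", "lost or stolen device", "no full-disk encryption",
                ["screen lock"], "Moderate", "High",
                ["full-disk encryption", "remote wipe"]),
        Finding("Intake scans file share", "unauthorized staff browsing",
                "share readable by all staff", ["domain login required"],
                "Moderate", "Moderate",
                ["restrict share permissions to intake role", "enable file-access auditing"]),
    ]


if __name__ == "__main__":
    for line in report(sample_register()):
        print(line)
```

Running the block prints the register highest risk first. Note that the EHR server finding stays at High even after one round of recommended controls under this model, which is the point of the "ongoing evaluation and monitoring" component: a single mitigation cycle is not the end of the process, and the register should be re-scored after each change.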

The Risk Assessment report will give a good understanding of the risks to ePHI and provide specific steps and actions that should be taken to lower the risk.

Policies and Procedures

AIM Services offers policies and procedures that address the HIPAA Security Rule's administrative, physical, and technical safeguards. Each policy and procedure is a separate Microsoft Word document, making it easy to customize.

Administrative policies and procedures include:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedure
  • Contingency Planning
  • Evaluation
  • Business Associate Contracts

Physical policies and procedures include:

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Control

Technical policies and procedures include:

  • Access Control
  • Audit Control
  • Person or Entity Authentication
  • Transmission Security

Employee HIPAA Training

Employee training on security and protecting patient information is a requirement under HIPAA regulations.

STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

Security training for all new and existing members of the covered entity's workforce is required. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.

The AIM Services Compliance Portal provides in-depth, practical training on the HIPAA Security and Privacy Rules, as well as advice on best practices for protecting ePHI and patient information. The training is provided in an online format that is both engaging and convenient for staff members.

Training requires 60 to 90 minutes to complete. Staff members can begin a training session, stop, and resume the session from where they left off. They can take the training during work hours or complete it at home after hours, from anywhere with internet access.

Once staff members have completed the online training, they will take a 25-question online quiz to demonstrate their knowledge of the HIPAA Security and Privacy Rules. If they receive a score of 80% or higher, they will receive a certificate in their name acknowledging that they have successfully completed the HIPAA Security and Privacy Training. If they do not receive an 80% score on the quiz, they can retake it as many times as they need to.

A Training Report is provided that lists each staff member who has completed training, the date and time they took the training, and the highest score they received on the training quiz. The report can be easily exported to MS Excel for comparison against an employee roster.