HIPAA Security Regulation Compliance Services

Background
The proposed HIPAA Security Regulations are expected to be finalized in the fall of 2002, with a compliance deadline set for the fall of 2004. However, when the Privacy Regulations reach their compliance deadline in April 2003, covered entities will be required to take "reasonable precautions," such as those described in the proposed Security Regulations, to safeguard personal health information.

Will your organization be ready to meet the spirit of the HIPAA Security Regulations by April 2003, and the letter of the HIPAA Security Regulations by the fall of 2004?

With Thaumaturgix HIPAA Security Regulation Compliance Services, your organization can be ready to meet both the spirit and the letter of the proposed regulations on time.

What Is Required for Compliance?
The proposed HIPAA Security Regulations require a number of actions to be taken, policies and procedures to be established, and technologies to be implemented. There are at least 79 high-level HIPAA Security Regulation details to be considered and acted upon to achieve compliance, and many of those details have multiple components which must all be satisfied.

In addition, proper implementation of the Security Regulations requires that you consider details beyond the regulations, as described in other security standards such as British Standard 7799.

For instance, CFR §142.308(a)(4), a single detail regulation concerning a Formal Mechanism for Processing Records, requires that:

  • There must be documented policies and procedures for the routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information.
However, even this standard, detailed as it is, implies a number of related requirements that must be satisfied in order to fully meet it, including (but not limited to):
  • There should be a defined process governing the creation of health information and the validation of that information.
  • There should be documented procedures or other means to resolve differences in data among separate, multiple systems.
  • There should be documented processes for changing data once created and for the prevention of unauthorized manipulation of data, and audit trails should log unauthorized access and changes.
  • There should be documented storage processes and mechanisms; parameters defining when data should be destroyed or archived should be documented; and data disposal procedures, including hardware disposal, should be documented.
  • And many, many other related details.
When you consider the level of detail required to meet the regulatory requirements, it becomes clear that there are literally hundreds of details to be checked and satisfied, each of which requires some measure of technical remediation for compliance. The full range of requirements includes all of the regulations and related details pertaining to such issues as:
  • Certification
  • Chain-of-Trust Agreements
  • Contingency Planning
  • Records Processing
  • Information Access Control
  • Internal Audit
  • Personnel Security
  • Security Configuration Management
  • Security Incident Procedures
  • Security Management Process
  • Termination Procedures
  • Training (under several regulations)
  • Media Controls
  • Physical Access Controls
  • Access, Audit, Authorization, and Authentication Controls
  • Communications and Network Controls
  • Electronic/Digital Signature

How Does Your Organization Become Compliant?
1. Gap Assessment and Planning
The first activities to be undertaken in the quest for HIPAA compliance include determining how closely your current policies, procedures, and systems meet the regulatory requirements through a Gap Assessment, and devising a plan to attain compliance in the areas that are deficient.

Thaumaturgix can perform a complete Security Regulation Gap Assessment, identify the areas needing remediation, and assist you in your planning for reaching compliance.

See our case study of a HIPAA Gap Assessment engagement.

2. Education and Awareness
All HIPAA compliance efforts have an education component, and the Security Regulations refer to education and training in several sections. Your staff must be educated on certain aspects of the regulations and your organization's policies and procedures in order to be in compliance with the HIPAA Regulations and to instill the proper institutional culture of privacy and security.

Some of the areas requiring training under the Security Regulations include: physical security of the facility, its records, and patient communications; computer and systems security; correct password management; the dangers of viruses and unauthorized software; and awareness of login problems, what they may mean, and the procedure for reporting them. Education is an ongoing process, with training required for all new hires and for anyone whose job role changes, and periodic refresher courses for all employees.

Thaumaturgix can prepare and deliver HIPAA training using a wide variety of tools and methods in order to meet any entity's HIPAA education needs.

3. Policy and Procedure Development and Documentation
The HIPAA Security Regulations require that a wide variety of information security-related policies and procedures be developed and fully documented. Many organizations may already have a number of these policies and procedures in place, but may lack the formal documentation and adoption of them that the HIPAA Security Regulations require.

Thaumaturgix can help design and implement HIPAA-required, security-related policies and procedures in such areas as backups, contingency plans, disaster recovery, and all other required areas within the Security Regulations.

4. Technical Remediation
Technical remediation for compliance with the HIPAA Security Regulations most often requires action in two areas: security and vulnerability testing and remediation, and technical access control and access logging solutions.

Thaumaturgix's networks and security team has years of experience in the art and science of finding and correcting information security weaknesses, and our systems integration specialists are fully capable of implementing access control and logging, even on top of legacy systems, using state-of-the-art authentication and authorization tools.

See our white paper on Access Control, Logging, Audit, and Single Sign-On.

5. Compliance Management
Once your organization has achieved compliance, you need to remain in compliance and conduct periodic reviews of your security compliance status. According to generally accepted practices, reassessments of computer systems security should take place at least every one to two years.

Thaumaturgix can establish a set of security management and preservation procedures known as TSEC™ (Thaumaturgix Security Enhancement and Control) to ensure that your security is properly maintained and tested on a regular basis, and periodically reassessed in its entirety.

See more information about our TSEC service offering.

For More Information
For more information about Thaumaturgix and its various HIPAA compliance services, please e-mail hipaa@tgix.com, or call Peter Dolch at 212-918-5025.

Copyright © 2009 Thaumaturgix, Inc. All rights reserved.