Policy & Procedures describe the best practices to comply with the requirements of the HIPAA Security Rule. The policies spell out what your organization does. The procedures detail how you do it, referencing the relevant HIPAA code sections.
The Management Plan prioritizes issue resolution based upon risk score, with the tasks required to minimize, avoid, or respond to each risk. The Risk Management Plan defines the strategies and tactics the organization uses to address its risks.
Crucial Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. The details included in this report are necessary to satisfy an auditor or investigator.
The On-site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey ranges from how facility doors are locked to firewall information, and whether servers are on-site, in a data center, or in the Cloud, among other topics.
Encryption is so effective at protecting data that if an encrypted device is lost, it does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and whether encryption is active.
This report is useful for identifying local data files that may not be protected. Based on this information, the risk of a breach could be avoided by moving the data to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.
The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether each is an employee or a vendor. Users who are terminated should have their access terminated. Also identify generic logins, such as Nurse@ or Billing@, which HIPAA does not permit.
The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption.
The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption.
A set of additional documents provides detailed information and the raw data that backs up the Evidence of Compliance. These include the various interviews and worksheets, as well as detailed data collections on shares and login analysis.
This report presents user login history by computer to enable workforce members responsible for IT Security and HIPAA Compliance to audit access to computers connected to the covered entity's network. It is particularly useful for reviewing commonly accessed machines (file server, domain controller, etc.), or particularly sensitive ePHI computers that are used to collect, process, transmit, or store ePHI, for failed login attempts. An example would be a physician's workstation, or the billing department's computer, where IT security team members and internal auditors want to be extra diligent in checking for users trying to get in.
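The failed-login review and the generic-login check described above, as an added example that is not part of the product or this page: a small Python audit over a constructed login history. The computer names, user names, terminated-user list and the threshold of three failures are made-up sample values.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class LoginEvent:
    computer: str
    user: str
    success: bool

# Constructed sample login history (not real data): one record per logon attempt.
SAMPLE_EVENTS = [
    LoginEvent("FILESRV01", "jsmith", True),
    LoginEvent("FILESRV01", "jsmith", False),
    LoginEvent("FILESRV01", "jsmith", False),
    LoginEvent("FILESRV01", "jsmith", False),
    LoginEvent("BILLING-PC", "Billing@", True),
    LoginEvent("BILLING-PC", "rjones", False),
    LoginEvent("DR-WS07", "Nurse@", True),
    LoginEvent("DR-WS07", "mlee", True),
    LoginEvent("DR-WS07", "tgone", True),
]

GENERIC_PREFIXES = ("nurse@", "billing@")   # shared logins the worksheet flags
TERMINATED_USERS = {"tgone"}                 # constructed: marked terminated in the worksheet

def audit_logins(events, sensitive_computers, failed_threshold=3):
    """Summarise a login history the way the report text describes:
    repeated failed attempts per user on sensitive ePHI computers, generic
    shared logins, and successful logins by users whose access should be gone."""
    failed = defaultdict(Counter)     # computer -> user -> failed count
    generic = set()
    terminated_active = set()
    for ev in events:
        if not ev.success and ev.computer in sensitive_computers:
            failed[ev.computer][ev.user] += 1
        if ev.user.lower().startswith(GENERIC_PREFIXES):
            generic.add((ev.computer, ev.user))
        if ev.success and ev.user in TERMINATED_USERS:
            terminated_active.add((ev.computer, ev.user))
    # keep only users at or above the failure threshold, then drop empty hosts
    flagged = {c: {u: n for u, n in users.items() if n >= failed_threshold}
               for c, users in failed.items()}
    flagged = {c: u for c, u in flagged.items() if u}
    return {"repeated_failures": flagged,
            "generic_logins": sorted(generic),
            "terminated_still_active": sorted(terminated_active)}

if __name__ == "__main__":
    print(audit_logins(SAMPLE_EVENTS, {"FILESRV01", "BILLING-PC", "DR-WS07"}))
```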