There are more than 700,000 HIPAA Covered Entities (CE) required by law to conduct a HIPAA Risk Assessment, including:
In addition to the covered entities listed above, an estimated 2,000,000 “Business Associates” have access to Protected Health Information, making them subject to HIPAA regulations, as well.
Legally, every Business Associate and their subcontractors must comply with HIPAA reporting requirements too.
The Network Detective HIPAA Assessment module goes well beyond just providing the HIPAA Risk Analysis. It also includes a detailed remediation plan for addressing discovered issues, along with a complete package of HIPAA-mandated documents, including HIPAA policies and procedures. When combined with Audit Guru for HIPAA, our compliance process automation tool, you can expand your offerings to include profitable, ongoing Managed Compliance services.
The first step for any client subject to HIPAA is conducting a comprehensive Risk Assessment to determine whether or not they are in compliance with the regulation and, if not, what needs to be done. Of course, the Risk Assessment is just the first step and should be the “means” to the end. Your risk assessment is likely to uncover a number of issues that need to be addressed. Some of these issues may be no more difficult than training an employee to update passwords. Others could be much more serious and involved, like changing the data backup and recovery program.
Your Network Detective HIPAA Assessment tool will provide a Risk Score Matrix helping you and the client to prioritize the work that should be done based upon potential impact to the business and likelihood of occurrence. Ask your client to take the next step and have you create a Management Plan (using the tool) and a Remediation Project to address the issues that carry the highest risk (and highest fines).
This HIPAA Risk Assessment should be considered your “prospecting” offering, and may be worth offering to do at no cost for a potential new client to get in the door and demonstrate the need.
Not every Covered Entity or Business Associate knows that, in addition to the HIPAA risk assessment, they also need to produce and maintain a number of important documents that demonstrate compliance. For these organizations, you can offer to perform a full one-time HIPAA Assessment. The assessment will include your review of their network and office environments, creation of a HIPAA Risk Analysis based on results of the review, a HIPAA Management Plan to resolve the issues, and a HIPAA Policy and Procedures document. Assuming that the client has you handle any necessary remediation resulting from the analysis, you can also provide the Evidence of Compliance document that is needed in the event of a breach or audit.
This one-time full assessment should be considered your “basic” offering, and will help your client meet their responsibility of having the audit conducted.
Organizations are not static, nor are their networks or staff. New computers, software, mobile devices, equipment, and files are continually being added to and removed from the network over time. Employees come and go, or change positions within the organization. The HIPAA assessment you perform today has a shelf life. In addition, you should continually be scanning the network for ePHI to prevent a breach.
Best practice is to have a HIPAA Assessment performed regularly to ensure the organization remains compliant at all times. After your initial assessment and remediation project is complete, present your clients with a proposal to set them up with a schedule of periodic reassessments, which we call Monthly Risk Profiles, to ensure continued ongoing compliance. And, with the Audit Guru Compliance Process Automation (CPA) platform, you can deliver the additional services efficiently and generate higher profits.
If you are a Managed Service Provider and already have a practice that focuses on the Healthcare Vertical, you might be better off integrating an ongoing HIPAA Compliance offering as a value-added component of your comprehensive managed services contract. Let’s face it, it takes a lot of time and effort to start from ground zero and take a client through the full process of becoming HIPAA compliant. But as with most other IT services, it is much easier to maintain an ongoing review and remediation process as part of your monthly routine service.
Adding a compliance component to your standard offering will help differentiate you from other MSPs and also justify charging a premium for your services. The Audit Guru compliance process automation platform lets you deliver these additional services efficiently.
If you work for an organization subject to HIPAA, or you are an IT Service Provider or Business Associate, performing a HIPAA Risk Assessment with the Network Detective HIPAA Compliance Module is the best way to protect yourself from a costly violation of the HIPAA Security Rule.