Compliance

What does it really mean to be compliant?
Protecting the privacy of patients’ information is a key part of our service.

In accordance with regulations MASS 201 CMR 17.00, HIPAA and HITECH, we first comprehensively assess your Information Security risks and develop our proposals around that to ensure you are fully compliant. We help you set up proper procedures to ensure an ongoing culture of compliance by developing Information Security Policies, including WISP and BAA.

  • MASS 201 CMR 17.00
    On September 19, 2008, with the help of Governor Patrick, the Massachusetts Office of Consumer Affairs and Business Regulation established new identity-theft regulations, 201 CMR 17.00: Standards for The Protection of Personal Information, which require all Massachusetts businesses to protect the personal information of the citizens of the Commonwealth.
  • HIPAA
    The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
  • HITECH
    The primary goal of the security risk analysis for meaningful use is to identify the key technical risks by conducting an end-to-end risk assessment, developing a program to mitigate the risks identified, and documenting the required risk management plan.
HOW WE CAN HELP

We will help you develop a best-practices-based Written Information Security Program (WISP), which includes administrative, technical, and physical safeguards in compliance with Massachusetts General Laws 201 CMR 17, “Standards for the Protection of Personal Information of Residents of the Commonwealth.”

A security policy is a document that outlines the rules, laws and practices governing computer network access for your practice. This document sets expectations for your staff and regulates how sensitive information (patient information and practice business data) will be managed technologically. Our team has years of experience across a wide number of practices of varying size and is therefore best positioned to advise you on best practices in your sector.

A HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA) that is used to protect personal health information (PHI) in accordance with HIPAA guidelines. Our team will support you throughout the signing process to ensure this requirement is addressed and we will strictly follow the BAA throughout our service agreement.

All of our backup solutions are designed to be fully HIPAA-compliant while protecting your systems. Under HIPAA, three safeguards are required for a backup to be compliant.

First are the technical requirements, including a minimum of 128-bit encryption and the deletion and destruction of data, which can be carried out according to the Department of Defense’s standards set forth in the National Industrial Security Program Operating Manual. If data at rest is not encrypted, it must be destroyed.

Second are the physical requirements, which cover physical infrastructure such as locks and secure access areas. The Physical Safeguards in the HIPAA Security Rule include standards for facility access controls, workstation use and security, and device and media controls.

Third, a number of administrative requirements must be observed in order to meet HIPAA compliance. The standards cited in the Security Rule include a provider’s security management process, assigned security responsibility, workforce security, information access management, security awareness training and contingency planning.

MASS 201 CMR 17 state law requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information that is transmitted over wireless networks. Our team will ensure your devices are up to standard and fully encrypted.