Compliance Management Services & Training We offer affordable HIPAA Compliance Services on a flat fee basis to a variety of covered entities and business associates, specializing in servicing solo and small practices. Pre-packaged services Premium Subscription Service Prepackaged Ready-to-use HIPAA Policies & Procedures Entrepedia™ – The Entrespace® Online Encyclopedia HIPAA Training Real-time Live Support À la carte services Jump Start to help achieve HIPAA Compliance Check what is required to achieve HIPAA Compliance Typical Examples of HIPAA non-compliance Ongoing Compliance Management (to maintain HIPAA Compliance) Request a Quote About our OfficeFLO™ Framework Our comprehensive HIPAA Compliance-as-a-Service is built on top of our OfficeFLO™ Framework. We’ve designed and built our FRAMEWORK end-to-end, from the ground up leveraging the best available technologies to enable our clients to operate their offices with LOW OVERHEAD (FLO) – in highly secure, productive, flexible and effective way – while providing peace of mind about maintaining full compliance. Our design point was to ensure that each process automatically captures and maintains the necessary information and records required for HIPAA Compliance. This minimizes involvement from the healthcare providers and staff reducing impact on day-to-day activities, and it makes the patient experience as friendly as possible and enhances the overall healthcare provider experience. As an example, the framework automatically captures the records when the patient submits a request to obtain or share their medical records, the patient updates their contact information or medical history, the staff member completes required HIPAA training, any security or privacy incidents are identified and reported. Concerned about possible breach? A breach, or unauthorized access, use or disclosure of Protected Health Information (PHI), can happen due to the following types of incidents: Lost mobile device or laptop Systems or the network getting hacked or infected by a virus Malware or a ransomware attack PHI data not properly protected or backed up Improper disposal of devices or records that contain PHI A breach does NOT necessarily imply noncompliance. However, a breach may trigger an investigation by the authorities. As of August 2016, the Office for Civil Rights of the US Dept. of Health and Human Services will reportedly investigate data breaches regardless of size. A practice may be fined if issues are discovered with HIPAA compliance within 6 years, even if noncompliance is not related to the cause of the breach If the practice is found to be fully compliant, no fines for noncompliance are expected For more information, please see our disclaimer. What is required to achieve & maintain HIPAA compliance? A Designated Privacy & Security Official (HIPAA compliance officer for self-certification) HIPAA Policies & Procedures customized and optimized for your practice The staff annually trained on your HIPAA Policies and Procedures HIPAA compliance records retained for 6 years Compliant Notice of Privacy Policies and copies of Patient Acknowledgements Compliant Business Associate Agreements (BAAs) with each of the vendors with access to PHI Up-to-date Risk Assessment & Risk Management Plan Records of audit logs and periodic system reviews Records of designated sets of PHI, access control matrices, sanctions, etc. HIPAA-Compliant IT environment HIPAA-compliant e-mail & messaging User IDs and Passwords for every healthcare professional with access to PHI PHI Data protected at rest and in transmission (Access Control, Anti-Virus, Anti-Malware, Firewall, Backup/Recovery, etc). PHI retention requirements are governed by the State Laws. PHI Data accessible in a controlled way only by authorized individuals Typical examples of HIPAA noncompliance Lack of proper BAAs with required vendors PHI included in unprotected e-mail or text messages (without explicit patient authorization) Unprotected PHI on a memory card or USB drive Lack of proper controls and safeguards to protect PHI on smartphones or computers with access to PHI Failure to fulfill patients’ rights guaranteed by HIPAA, e.g., failure to provide medical records within the time allowed; or failure to restrict disclosure to a health plan Corruption of a hard-disk, OS or software that resulted in unrecoverable loss of the PHI HIPAA Premium Subscription Service(Starting from $500/year per practice) Request a Quote Custom Ready-to-Use Policies & ProceduresPolicies & procedures documentation in a paperback format: Easy to understand Ready to execute Optimized for solo and small healthcare practices with up to 50 providers Do NOT require figuring out what each of the regulation means and how to address it Document explicitly how to meet each requirement with a concrete, easy to understand and follow step-by-step executable set of instructions Unlimited access to Entrepedia™ Policies & procedures as an Online Encyclopedia – online version of the custom-tailored policies & procedures for HIPAA, HR and other regulations: A quick and easy way to navigate, search and find the needed details One (typically short) web page for each unique topic Unlimited On-Demand Training Short video lectures Quizzes Reference materials Role-specific training roadmaps Unlimited Remote SupportLive support on the pre-packaged HIPAA policies & procedures as well as the HIPAA recommended practices During normal business hours Via online chat, phone, text or e-mail Prepackaged HIPAA Policies and Procedures HIPAA Regulations The HIPAA regulations are not prescriptive by design There are HIPAA rules, standards, specifications, implementation requirements Some regulations are required, some are addressable (but not optional) To achieve HIPAA compliance each health care practice must put together a set of HIPAA policies and procedures that would properly fit it’s structure, size and environment, ensure that their staff is trained and that HIPAA documentation is maintained and retained as required What HIPAA means for a small health care practice? The HIPAA regulations must be translated into an executable set of policies and procedures, practices and processes that the staff can easily understand and follow. It requires analysis of each of the HIPAA regulation, figuring out what it would mean in a context of a small health care practice evaluation of different options to properly address the requirement designing the approach, procedures and processes that can be implemented, deployed, followed, managed and tracked to be able to verify, validate and demonstrate the required level of compliance IT Tools & Services to address HIPAA requirements? Once the HIPAA regulations are translated into a clear and crisp set of requirements, the next step would be to identify which IT tools and services to rely on, and how to translate the requirements into an IT architecture, an IT environment and IT Processes Please note, that properly addressing HIPAA regulations is necessary but may not be sufficient to be successful in a health care business, as many important factors related to the patient and staff experience need to be taken into account, not to mention the cost factor As an example, a requirement to protect PHI (Protected Health Information) at rest and in transmission – can be met in a number of different ways. Figuring out the best way to do it often it’s not trivial especially for a small health care practice What do we offer?A set of prepackaged HIPAA policies and procedures that are by design custom-tailored to fit small health care practices, as small as solo practices with a single provider while suitable for private practices with up to 50 providers The documentation is ready-to-use out-of-the-box. It includes A “cookbook” with recommended practices and step-by-step instructions on how to deploy and implement the Policies & Procedures Recommendations for specific IT services and Tools that can be used to achieve and maintain the compliance, while ensuring high level of patient experience and employee satisfaction Even templates that can be used for managing and tracking HIPAA compliance activities Request a Quote Entrepedia™ - The Entrespace® Online Encyclopedia We’ve decided to develop a new type of repository for storing and maintaining Policies and Procedures to meet the compliance requirements This repository is build on top of the same platform as the popular and widely used Wikipedia, which contains an enormous amount of information on wide variety of topics In our online encyclopedia, which is called Entrepedia™, it’s quick and easy to navigate, search and find the needed details. A user can quickly find a specific piece of information right when the information is needed (like when a patient calls on the phone and makes a request that the staff member is not sure how to handle) Entrepedia™ includes content on HIPAA regulations with custom-tailored HIPAA Policies and Procedures (HIPAApedia™), as well as policies and procedures for other Federal and State laws applicable to health care organizations Entrepedia™ (entrepedia.officeflo.com) is available exclusively for premium members of the Entrespace® Network One of the key advantages is that Entrepedia™ reduces the dependency on memorizing all the details from policies and procedures And like many other of our capabilities, it doesn’t require you to remember an additional password (as long as your practice uses Google’s G-Suite for e-mail services). Premium members of the Entrespace network can login with their primary work e-mail ID to access the content The Entrepedia™ online encyclopedia includes decisions, definitions, guidance and recommendations that have been customized and optimized for the members of the Entrespace® Network, to help them achieve and maintain compliance The content is defined both on a policy level to describe the overall intent, rationale, principles and rules, as well as on a procedure level with specific step-by-step instructions how to implement the defined policies The policies and procedures generally do NOT require figuring out what each regulation means. They document explicitly how to meet a specific requirement with a crisp, clear and concrete set of instructions, intended to be fully executable (meaning prescriptive enough that a person can execute them end-to-end) using recommended templates, tools and utilities Request a Quote HIPAA Training HIPAA Training for Clinical StaffTraining for doctors, nurses, hygienists, or other members of healthcare organizations responsible to: Provide care to patients, or assist in providing care Create, update, or modify Protected Health Information (PHI) of their patients, or get exposed to PHI Communicate with patients, other providers, and other parties about health, treatment or billing related to their patients HIPAA Training for Front-Desk StaffTraining for members of healthcare organizations responsible to: Interact with patients, prospective patients, other providers, and visitors Schedule & manage appointments (including reminders, notifications etc.) Review and process correspondence (envelopes, packages, e-mail, voicemail, fax etc.) Register new patients Access, create, update, or modify PHI of the patients Communicate with clinical staff about patients’ appointments and activities Manage and maintain office supplies, documentation and patient materials HIPAA Training for HR Leaders & Practice OwnersHIPAA Training related to HR (human resources) policies and procedures, such as sanction policy, hiring/onboarding, offboarding, compliance with state and federal labor laws and regulations HIPAA Training for Privacy & Security OfficialTraining on Role & Responsibilities of HIPAA Privacy and Security Official How to ensure compliance of the covered entity with the HIPAA rules and requirements, and that the practice is audit-ready Risk Assessment & Risk Management How to Handle a Breach HIPAA Documentation & Records Staff Training & Enablement Request a Quote HIPAA Support Addressing real-time questions about handling specific situations or 3rd party requests On-demand guidance on how to follow and execute the HIPAA Policies & Procedures Guidance & recommendations for IT tools and services (e.g., HIPAA-compliant Email, HIPAA-compliant messaging, Patient & SecureUpload™ forms etc.) Real-time support during the normal business hours via phone, text, live chat, instant messaging or email firstname.lastname@example.org Live Chat Call us at 860-470-8052 Text us at 617.855.8208 Jump-Start To Achieve HIPAA Compliance We provide the following services to help achieve HIPAA compliance: Create Custom Tailored HIPAA Policies & Procedures Conduct HIPAA Risk Assessment & Identify Gaps for your organization Develop Initial Risk Management Action Plan for your organization Collect, verify and validate Business Associate Agreements Document designated record sets & PHI access control matrix Conduct HIPAA Training for your staff Implement HIPAA-compliant IT environment Implement formal documents and controls to protect/safeguard PHI Deliverables HIPAA Compliant IT EnvironmentHIPAA-Compliant Websites Public website and Intranet/Internal-use website HIPAA-Compliant Online forms (for patients and staff) HIPAA-Compliant IT capabilities (Email, Document Management) Required HIPAA Audit-Ready DocumentationCustomized HIPAA Policies and Procedures, Risk Analysis and Risk Management Plan, Business Associate Agreements (BAAs), Audit Logs, HIPAA Records (e.g., NPPs, designated record sets, PHI access matrix), Records of HIPAA related requests and HIPAA activities (e.g, training, breach incident reports, disclosures of PHI, patient requests) We offer 30-Day Money Back Guarantee for our HIPAA Jump-Start Service! Ongoing HIPAA Compliance Management As a part of the service we will Perform ongoing audit log monitoring and system review Execute the risk management action plan Conduct periodic risk assessments Update and Maintain HIPAA Policies & Procedures on an ongoing basis Conduct periodic HIPAA Training for you and you staff Maintain the HIPAA documentation and records Maintain the HIPAA-compliant IT environment & Business Processes Ongoing Remote Support No Long-Term Contracts! No Commitments!Flexible Month-To-Month Plan. Cancel Any Time! Disclaimer Can we estimate the risk? We’re NOT in a position to fully assess the RISK of being fined for HIPAA non-compliance. Unlike in case of PCI compliance regulations where each practice must fill out an annual self-assessment questionnaire (SAQ), submit self-attestation and schedule quarterly scans, there is no such requirement for HIPAA. It could be that a small practice never gets fined for HIPAA non-compliance issues. Are you at risk? Heuristically a practice can be fined as a result of either (1) a breach, (2) a HIPAA complaint, or (3) a random audit by the Office for Civil Rights of US Dept. of HHS. But then again, it may not be possible to even estimate that risk. Would you really need our service? We offer an affordable, competitive service for those who are interested in achieving and maintaining HIPAA compliance (i.e., for peace of mind, for additional security, or any other reason). Our intent is to make our service as friendly and with the least overhead required for the doctor’s office, as possible. We chose to focus on solo and small healthcare practices, given that they are somewhat under-served. For a practice with 20-30 providers, it would probably be quite feasible to hire a full time practice manager and an IT person to oversee and manage the compliance issues. With that in mind, our calculation is that a solo practice should be able to afford an equivalent service, paying 1/20th or 1/30th of the cost of the in-house team.