
Compliance Management Services & Training

About our OfficeFLO™ Framework

Our comprehensive HIPAA Compliance-as-a-Service is built on top of our OfficeFLO™ Framework.

We’ve designed and built our FRAMEWORK end-to-end, from the ground up, leveraging the best available technologies to enable our clients to operate their offices with LOW OVERHEAD (FLO) – in a highly secure, productive, flexible and effective way – while providing peace of mind about maintaining full compliance.

Our design point was to ensure that each process automatically captures and maintains the information and records required for HIPAA Compliance. This minimizes involvement from healthcare providers and staff, reducing the impact on day-to-day activities; it also makes the patient experience as friendly as possible and enhances the overall healthcare provider experience.

As an example, the framework automatically captures the records when

  • the patient submits a request to obtain or share their medical records,
  • the patient updates their contact information or medical history,
  • the staff member completes required HIPAA training,
  • any security or privacy incidents are identified and reported.

Concerned about possible breach?

A breach, or unauthorized access, use or disclosure of Protected Health Information (PHI), can happen due to the following types of incidents:

    • Lost mobile device or laptop
    • Systems or the network getting hacked or infected by a virus
    • Malware or a ransomware attack
    • PHI data not properly protected or backed up
    • Improper disposal of devices or records that contain PHI

A breach does NOT necessarily imply noncompliance. However, a breach may trigger an investigation by the authorities. As of August 2016, the Office for Civil Rights of the US Dept. of Health and Human Services will reportedly investigate data breaches regardless of size.

    • A practice may be fined if issues are discovered with HIPAA compliance within 6 years, even if noncompliance is not related to the cause of the breach
    • If the practice is found to be fully compliant, no fines for noncompliance are expected

For more information, please see our disclaimer.

What is required to achieve & maintain HIPAA compliance?

  • A Designated Privacy & Security Official (HIPAA compliance officer for self-certification)
  • HIPAA Policies & Procedures customized and optimized for your practice
  • The staff annually trained on your HIPAA Policies and Procedures
  • HIPAA compliance records retained for 6 years
    • Compliant Notice of Privacy Policies and copies of Patient Acknowledgements
    • Compliant Business Associate Agreements (BAAs) with each of the vendors with access to PHI
    • Up-to-date Risk Assessment & Risk Management Plan
    • Records of audit logs and periodic system reviews
    • Records of designated sets of PHI, access control matrices, sanctions, etc.
  • HIPAA-Compliant IT environment
    • HIPAA-compliant e-mail & messaging
    • User IDs and Passwords for every healthcare professional with access to PHI
    • PHI Data protected at rest and in transmission (Access Control, Anti-Virus, Anti-Malware, Firewall, Backup/Recovery, etc.). PHI retention requirements are governed by State Laws.
    • PHI Data accessible in a controlled way only by authorized individuals

Typical examples of HIPAA noncompliance

  • Lack of proper BAAs with required vendors
  • PHI included in unprotected e-mail or text messages (without explicit patient authorization)
  • Unprotected PHI on a memory card or USB drive
  • Lack of proper controls and safeguards to protect PHI on smartphones or computers with access to PHI
  • Failure to fulfill patients’ rights guaranteed by HIPAA, e.g., failure to provide medical records within the time allowed; or failure to restrict disclosure to a health plan
  • Corruption of a hard disk, OS or software that resulted in unrecoverable loss of PHI

HIPAA Premium Subscription Service

(Starting from $500/year per practice)

Custom Ready-to-Use Policies & Procedures

Policies & procedures documentation in hard cover binders:

  • Easy to understand
  • Ready to execute
  • Optimized for solo and small healthcare practices with up to 50 providers
  • Do NOT require figuring out what each regulation means and how to address it
  • Document explicitly how to meet each requirement with a concrete, easy-to-understand and easy-to-follow step-by-step executable set of instructions

Unlimited access to Entrepedia™

Policies & procedures as an Online Encyclopedia: the online version of the custom-tailored policies & procedures for HIPAA, HR and other regulations:

  • A quick and easy way to navigate, search and find the needed details
  • One (typically short) web page for each unique topic

Unlimited On-Demand Training

Unlimited Remote Support

Live support on the pre-packaged HIPAA policies & procedures as well as the HIPAA recommended practices

  • During normal business hours
  • Via online chat, phone, text or e-mail

Prepackaged HIPAA Policies and Procedures

HIPAA Regulations

  • The HIPAA regulations are not prescriptive by design
  • There are HIPAA rules, standards, specifications, implementation requirements
  • Some regulations are required, some are addressable (but not optional)
  • To achieve HIPAA compliance, each health care practice must put together a set of HIPAA policies and procedures that properly fits its structure, size and environment, ensure that its staff is trained, and ensure that HIPAA documentation is maintained and retained as required

What does HIPAA mean for a small health care practice?

The HIPAA regulations must be translated into an executable set of policies and procedures, practices and processes that the staff can easily understand and follow.

It requires

  • analysis of each HIPAA regulation, figuring out what it means in the context of a small health care practice
  • evaluation of different options to properly address the requirement
  • designing the approach, procedures and processes that can be implemented, deployed, followed, managed and tracked, in order to verify, validate and demonstrate the required level of compliance

IT Tools & Services to address HIPAA requirements

  • Once the HIPAA regulations are translated into a clear and crisp set of requirements, the next step is to identify which IT tools and services to rely on, and how to translate the requirements into an IT architecture, an IT environment and IT processes
  • Please note that properly addressing HIPAA regulations is necessary but may not be sufficient to be successful in a health care business, as many important factors related to the patient and staff experience need to be taken into account, not to mention the cost factor

As an example, a requirement to protect PHI (Protected Health Information) at rest and in transmission can be met in a number of different ways. Figuring out the best way to do it is often not trivial, especially for a small health care practice.

What do we offer?

A set of prepackaged HIPAA policies and procedures that are, by design, custom-tailored to fit small health care practices: from solo practices with a single provider up to private practices with 50 providers.

The documentation is ready-to-use out-of-the-box. It includes

  • A “cookbook” with recommended practices and step-by-step instructions on how to deploy and implement the Policies & Procedures
  • Recommendations for specific IT services and tools that can be used to achieve and maintain compliance, while ensuring a high level of patient experience and employee satisfaction
  • Even templates that can be used for managing and tracking HIPAA compliance activities

Entrepedia™ - The Entrespace® Online Encyclopedia

  • We’ve decided to develop a new type of repository for storing and maintaining Policies and Procedures to meet the compliance requirements
  • This repository is built on top of the same platform as the popular and widely used Wikipedia, which contains an enormous amount of information on a wide variety of topics
  • In our online encyclopedia, which is called Entrepedia™, it’s quick and easy to navigate, search and find the needed details. A user can quickly find a specific piece of information right when it is needed (for example, when a patient calls on the phone and makes a request that the staff member is not sure how to handle)
    • Entrepedia™ includes content on HIPAA regulations with custom-tailored HIPAA Policies and Procedures (HIPAApedia™), as well as policies and procedures for other Federal and State laws applicable to health care organizations
  • Entrepedia™ (entrepedia.officeflo.com) is available exclusively for premium members of the Entrespace® Network 
  • One of the key advantages is that Entrepedia™ reduces the dependency on memorizing all the details from policies and procedures
  • And like many other of our capabilities, it doesn’t require you to remember an additional password (as long as your practice uses Google’s G-Suite for e-mail services). Premium members of the Entrespace network can login with their primary work e-mail ID to access the content
  • The Entrepedia™ online encyclopedia includes decisions, definitions, guidance and recommendations that have been customized and optimized for the members of the Entrespace® Network, to help them achieve and maintain compliance
  • The content is defined both on a policy level to describe the overall intent, rationale, principles and rules, as well as on a procedure level with specific step-by-step instructions how to implement the defined policies
  • The policies and procedures generally do NOT require figuring out what each regulation means. They document explicitly how to meet a specific requirement with a crisp, clear and concrete set of instructions, intended to be fully executable (meaning prescriptive enough that a person can execute them end-to-end) using recommended templates, tools and utilities

HIPAA Training

HIPAA Training for Clinical Staff

Training for doctors, nurses, hygienists, or other members of healthcare organizations responsible to:

  • Provide care to patients, or assist in providing care
  • Create, update, or modify Protected Health Information (PHI) of their patients, or get exposed to PHI
  • Communicate with patients, other providers, and other parties about health, treatment or billing related to their patients

HIPAA Training for Front-Desk Staff

Training for members of healthcare organizations responsible to:

  • Interact with patients, prospective patients, other providers, and visitors
  • Schedule & manage appointments (including reminders, notifications etc.)
  • Review and process correspondence (envelopes, packages, e-mail, voicemail, fax etc.)
  • Register new patients
  • Access, create, update, or modify PHI of the patients
  • Communicate with clinical staff about patients’ appointments and activities
  • Manage and maintain office supplies, documentation and patient materials

HIPAA Training for HR Leaders & Practice Owners

HIPAA Training related to HR (human resources) policies and procedures, such as sanction policy, hiring/onboarding, offboarding, compliance with state and federal labor laws and regulations


HIPAA Training for Privacy & Security Official

Training on Role & Responsibilities of HIPAA Privacy and Security Official

How to ensure compliance of the covered entity with the HIPAA rules and requirements, and that the practice is audit-ready

Risk Assessment & Risk Management

How to Handle a Breach

HIPAA Documentation & Records

Staff Training & Enablement

HIPAA Support

  • Addressing real-time questions about handling specific situations or 3rd party requests
  • On-demand guidance on how to follow and execute the HIPAA Policies & Procedures
  • Guidance & recommendations for IT tools and services (e.g., HIPAA-compliant Email, HIPAA-compliant messaging, Patient & SecureUpload forms etc.)
  • Real-time support during the normal business hours via phone, text, live chat, instant messaging or email

Jump-Start To Achieve HIPAA Compliance

We provide the following services to help achieve HIPAA compliance:

  1. Create Custom Tailored HIPAA Policies & Procedures
  2. Conduct HIPAA Risk Assessment & Identify Gaps for your organization
  3. Develop Initial Risk Management Action Plan for your organization
  4. Collect, verify and validate Business Associate Agreements
  5. Document designated record sets & PHI access control matrix
  6. Conduct HIPAA Training for your staff
  7. Implement HIPAA-compliant IT environment
  8. Implement formal documents and controls to protect/safeguard PHI

Deliverables

HIPAA Compliant IT Environment

HIPAA-Compliant Websites
Public website and Intranet/Internal-use website

HIPAA-Compliant Online forms (for patients and staff)

HIPAA-Compliant IT capabilities (Email, Document Management)

Required HIPAA Audit-Ready Documentation

Customized HIPAA Policies and Procedures, Risk Analysis and Risk Management Plan, Business Associate Agreements (BAAs), Audit Logs,
HIPAA Records (e.g., NPPs, designated record sets, PHI access matrix),
Records of HIPAA-related requests and HIPAA activities (e.g., training, breach incident reports, disclosures of PHI, patient requests)

We offer a 30-Day Money Back Guarantee for our HIPAA Jump-Start Service!

Ongoing HIPAA Compliance Management

As a part of the service we will

  1. Perform ongoing audit log monitoring and system review
  2. Execute the risk management action plan
  3. Conduct periodic risk assessments
  4. Update and Maintain HIPAA Policies & Procedures on an ongoing basis
  5. Conduct periodic HIPAA Training for you and your staff
  6. Maintain the HIPAA documentation and records
  7. Maintain the HIPAA-compliant IT environment & Business Processes
  8. Ongoing Remote Support

No Long-Term Contracts! No Commitments!
Flexible Month-To-Month Plan. Cancel Any Time!

Disclaimer

Can we estimate the risk?

We’re NOT in a position to fully assess the RISK of being fined for HIPAA non-compliance.

Unlike the PCI compliance regulations, where each practice must fill out an annual self-assessment questionnaire (SAQ), submit a self-attestation and schedule quarterly scans, there is no such requirement for HIPAA.

It could be that a small practice never gets fined for HIPAA non-compliance issues.

Are you at risk?

Heuristically, a practice can be fined as a result of one of the following: (1) a breach, (2) a HIPAA complaint, or (3) a random audit by the Office for Civil Rights of the US Dept. of HHS.

But then again, it may not be possible to even estimate that risk.

Would you really need our service?

We offer an affordable, competitive service for those who are interested in achieving and maintaining HIPAA compliance (i.e., for peace of mind, for additional security, or any other reason).

Our intent is to make our service as friendly as possible, with the least overhead required from the doctor’s office.

We chose to focus on solo and small healthcare practices, given that they are somewhat under-served.

For a practice with 20-30 providers, it would probably be quite feasible to hire a full time practice manager and an IT person to oversee and manage the compliance issues.

With that in mind, our calculation is that a solo practice should be able to afford an equivalent service, paying 1/20th or 1/30th of the cost of the in-house team.
