HITECH Data Security Consulting

Our HITECH data security consulting is designed to mitigate the many compliance risks associated with the ARRA legislation that was signed into law in February 2009. Many organizations are unaware of the stiff penalties that non-compliance will bring. As a result, Manage-Trak has developed a process for reviewing an organization’s current infrastructure and providing a report with detailed information on the areas where attention is necessary.

Manage-Trak understands the frustration surrounding HITECH compliance. We built our business to mitigate the large risk that many organizations simply cannot address on their own. As we meet with clients and perform workshops and seminars across the country, it is apparent that covered entities and business associates alike have nowhere to turn for solid answers on these new HIPAA laws. Manage-Trak has built proven methodologies around data security for HITECH compliance. Our process goes through each state of data as defined by the National Institute of Standards and Technology (NIST) and addresses the following areas:

  • Technology: we will review each system your organization has in place today and determine how it fits into the overall model for compliance. Our engagement allows us to quickly determine the gaps in your current technology and data security that would lead to large fines in the event of a breach.
  • Processes: this is the core of HITECH compliance. Our consultants will interview the appropriate staff to determine not only which processes you have in place today but also which ones still need to be implemented. Oftentimes this is the biggest area of noncompliance. Even with the best technology in place, it is paramount to have the right processes to ensure your organization is “audit ready”.
  • Education: once the proper systems and processes have been implemented, all staff should be educated on how HITECH will affect their everyday interaction with protected health information (PHI). Manage-Trak has developed a deep curriculum to assist in this process. Data shows that many breaches occur not because the right systems were missing, but because the people using them had little understanding of HITECH.
  • Policies: HITECH changed the landscape of the policies that need to be in place to achieve compliance. Our approach is to review all of your current procedures and determine what needs to be modified. This includes employee contracts, confidentiality clauses and user policies that relate to data security.

Once our initial engagement is complete, your organization will have a complete blueprint of what needs to happen in order to achieve compliance. Our goal is to get your organization “audit ready” in the event the Office for Civil Rights wants to review your policies around data security. Once we have covered the basic areas, we then look toward the “Safe Harbor Rule”. Under these guidelines, your organization would not have to report breaches if and when they occur. While the path to Safe Harbor can be a confusing one, our knowledge of HITECH and data security will remove many of the roadblocks you may be facing today.

Examples of services performed in a HITECH Data Security Assessment:

  • Understand the topology of the IT infrastructure
    • Email Systems
    • Firewalls
    • Existing encryption technology
    • Other technology used in protection of PHI
  • Flowchart current processes as they relate to email, faxes or other mechanisms used to relay PHI to the appropriate stakeholders
  • Determine which processes are documented and which are not
  • Interview existing staff to determine their level of understanding of HITECH compliance
  • Perform intrusion tests to determine whether anyone in the organization will release PHI in an insecure manner (written authorization from a decision maker is required before this can be done)
  • Produce a report of findings that includes an outline of the work required to bring the organization up to HITECH standards
  • The report will outline all areas of the HITECH Act where technology is a factor