Our HIPAA Jumpstart™ engagement focuses on setting the tone and direction of your HIPAA Compliance Initiative so that you meet the most requirements in the shortest period of time. This service reviews your Expresso® Subscription Plan and helps guide your named Privacy Officer or Security Officer (could be the same person) so you can jump-start your HIPAA compliance initiative ("HCI"). If you don't have a named Privacy Officer or Security Officer, then we will function as your virtual Officers going forward (i.e. after completing the Jumpstart).
Most covered entities and business associates are simply overwhelmed by the amount of work required. As such, analysis paralysis sets in, with busy work replacing progress on important deliverables. Our partner, 3Lions Publishing, Inc., via the Expresso® Subscription Plan, has already done the heavy lifting. Our law firm guides you to the quickest path to launch your compliance program.
What does it cover?
- Discusses your policies, procedures, and tracking mechanisms pertinent to all of the HIPAA Rules' requirements (i.e. Security Rule, Privacy Rule, and Breach Notification Rule) as they pertain to regulatory compliance and/or industry best practices. These steps ensure that from a legal perspective the Organization could, at a minimum, survive a security audit by a regulatory agency. Moreover, these steps protect an Organization’s Operational Environment in a manner that preserves the Organization’s brand and good will.
- Ensure that the Organization has a named Security Officer and a named Privacy Officer.
- Discuss Risk Management Program.
- Discuss/perform baseline Risk Assessment using Expresso®.
- Discuss Sanction Policy.
- Discuss tracking of Security Incidents and the plan collateral related to them.
- Discuss Information System logging capabilities and responsibility.
- Discuss policies and processes for workforce clearance.
- Discuss policies and processes for workforce termination.
- Discuss policies and processes for establishing access to Information.
- Discuss policies and processes for reminding your workforce of Security issues.
- Discuss policies and processes for protecting against malicious software.
- Discuss policies and processes pursuant to data backups and disaster recovery plan.
- Discuss policies and processes pursuant to the encryption of Information.
- Discuss policies and processes pursuant to authentication.
- Discuss policies and processes pursuant to the physical security of facility, plant and equipment.
- Discuss policies and processes pursuant to the destruction of Information (i.e. disposal).
- Discuss Privacy Rule violations.
- Discuss Privacy Rule's Patient's Bill of Rights.
- Discuss Privacy Rule's Administrative Requirements.
- Discuss Breach Notification Rule's Preparedness Requirements.
- Prepare for Risk Assessment by training staff and gathering the necessary information Expresso® requires to conduct its baseline Risk Assessment (this does not presuppose that it is the Organization’s baseline Risk Assessment).
- Conduct Expresso® overview training.
- Identify applications (where available) from which the Expresso® Security Objects table will be populated. This is the table within Expresso® to which Security Controls (“Controls”) are applied. In general, the Security Objects table requires the following types of information:
  - Hardware (Servers, PCs, laptops, phones, pads, etc.).
- Create csv files (where applicable) to import into the Security Objects table.
- Assist the client in identifying Threat/Vulnerability pairs pertinent to the Organization’s Operational Environment.
- Assist the client in determining the business Impact (I) that would result from a Threat (T) exploiting a specific Vulnerability (V).
- Assist the client in calculating the Risk (R) related to a specific Threat/Vulnerability pair calculated as a function of the probability that a Threat (T) will exploit a specific Vulnerability (V) times the Impact (I) to the Organization (i.e. R = T x V x I).
- Assist the client in identifying a subset of Risks that will be attacked during this Risk Assessment (i.e. assuming resource/budget constraints do not allow for attacking ALL Risks identified).
- Assist the client in identifying Controls that reduce identified Risks to levels that are “reasonable and appropriate”.
- Assist the client in producing Risk Assessment reports that can be used to report to internal stakeholders (and external stakeholders if required). These reports will also “feed” the Remediation Plan.
- Define the Remediation Plan to actually implement the Controls that will reduce identified Risks to levels that are “reasonable and appropriate” using our Jumpstart™ Scorecards.
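The Risk Assessment steps above (score each Threat/Vulnerability pair with R = T x V x I, choose the subset of Risks to attack under a budget constraint, apply Controls, and report residual Risk for the Remediation Plan) are easier to follow with a small worked model. The Python below is an added illustration and is not part of the firm's engagement or of the Expresso® product; the 1-5 scoring scales, the sample register, the control costs, the budget units and the acceptance threshold are all constructed assumptions for this example.

```python
"""Added worked example: a minimal risk register using R = T x V x I.
All scales, sample items, controls, costs and thresholds are constructed."""
from dataclasses import dataclass, field

# Assumed 1-5 ordinal scales (an assumption of this example, not Expresso's):
#   T = likelihood that the Threat is active against the Organization
#   V = how exposed the Security Object is to that Threat (the Vulnerability)
#   I = business Impact if the Threat exploits the Vulnerability
SCALE = range(1, 6)


@dataclass
class Control:
    name: str
    cost: int          # hypothetical budget units
    v_reduction: int   # points removed from V once the Control is in place


@dataclass
class RiskItem:
    security_object: str
    threat: str
    vulnerability: str
    t: int
    v: int
    i: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for name, score in (("T", self.t), ("V", self.v), ("I", self.i)):
            if score not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {score}")

    def inherent_risk(self):
        # R = T x V x I, as stated in the Jumpstart description
        return self.t * self.v * self.i

    def residual_risk(self):
        # Controls lower exposure (V); V never drops below 1
        reduced_v = max(1, self.v - sum(c.v_reduction for c in self.controls))
        return self.t * reduced_v * self.i


def rank_risks(register):
    """Highest inherent Risk first: the subset worth attacking first."""
    return sorted(register, key=lambda r: r.inherent_risk(), reverse=True)


def select_within_budget(register, candidate_controls, budget):
    """Walk the ranked register and fund the cheapest applicable Control for
    each item until the budget is exhausted (models resource constraints)."""
    remaining = budget
    treated = []
    for item in rank_risks(register):
        options = [c for c in candidate_controls.get(item.vulnerability, [])
                   if c.cost <= remaining]
        if not options:
            continue
        chosen = min(options, key=lambda c: c.cost)
        item.controls.append(chosen)
        remaining -= chosen.cost
        treated.append(item)
    return treated, remaining


def report(register, threshold):
    """Rows for a stakeholder report; flags items still above the accepted level,
    which is what feeds the Remediation Plan."""
    return [{
        "object": item.security_object,
        "pair": f"{item.threat} / {item.vulnerability}",
        "inherent": item.inherent_risk(),
        "residual": item.residual_risk(),
        "controls": [c.name for c in item.controls],
        "accepted": item.residual_risk() <= threshold,
    } for item in rank_risks(register)]


def build_sample_register():
    # Constructed sample Security Objects and Threat/Vulnerability pairs
    return [
        RiskItem("Clinician laptop", "Theft", "Unencrypted disk", t=4, v=5, i=5),
        RiskItem("EHR server", "Ransomware", "Missing backups", t=4, v=4, i=5),
        RiskItem("Front-desk PC", "Phishing", "No security reminders", t=5, v=3, i=3),
        RiskItem("Records room", "Unauthorized access", "Unlocked door", t=2, v=3, i=4),
    ]


# Constructed candidate Controls keyed by the Vulnerability they address
CANDIDATE_CONTROLS = {
    "Unencrypted disk": [Control("Full-disk encryption", cost=3, v_reduction=4)],
    "Missing backups": [Control("Offline backups + DR test", cost=4, v_reduction=3)],
    "No security reminders": [Control("Quarterly reminders", cost=1, v_reduction=1),
                              Control("Phishing simulation", cost=2, v_reduction=2)],
    "Unlocked door": [Control("Keyed lock + access log", cost=2, v_reduction=2)],
}


def run_assessment(budget=8, threshold=25):
    """Build the register, fund Controls within budget, return (rows, budget left)."""
    register = build_sample_register()
    _, remaining = select_within_budget(register, CANDIDATE_CONTROLS, budget)
    return report(register, threshold), remaining


if __name__ == "__main__":
    rows, left = run_assessment()
    for row in rows:
        print(row)
    print("budget left:", left)
```

With the constructed budget of 8 units, the two highest-scoring pairs are funded first, the phishing item only gets the cheaper of its two Controls, and the records-room item is deferred to the Remediation Plan because the budget runs out; the report rows show which residual Risks still exceed the accepted level.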
What does it cost?
The cost of our Fixed Fee package is $3,500.00 USD, time boxed at fifteen (25) hours, plus the cost of the Subscription Plan at either the Platinum or Silver level.
What are the deliverables?
As stated above, the deliverables (in part) are: (1) the policies and procedures enumerated above fully discussed and understood within your organization; (2) a complete and actionable Risk Assessment implemented with the assistance of Expresso®; and (3) a Remediation Plan based on our Scorecards.
Why should an organization audit their Operational Environment?
Think of it as a kind of insurance policy. It is now widely understood that a significant breach of protected Information will cause large scale financial and reputational damage to your Organization (think Target). Our Cybersecurity Audit helps you reduce identified Risks to levels that are "reasonable and appropriate" for an Organization of your size and complexity.
What parts of your Organization are reviewed?
Our HIPAA Jumpstart™ reviews one Profit & Loss center within your Organization.
What is not covered?
Our HIPAA Jumpstart™ produces a Remediation Plan as one of its deliverables. However, actual remediation can be an open-ended project whose cost is NOT included in the Fixed Fee offering.