When you first log in, you'll see a Getting Started panel with a comprehensive checklist to help you get started with your HIPAA compliance project. The checklist includes a sample Policies & Procedures document that you can use for that requirement.
As you work down the checklist, you will set up monthly tasks to make sure you stay on track, and you'll get regular reminders to complete those tasks.
When you're ready, you can work on your first Security Risk Assessment, answer HHS-approved questions as Yes/No or flag for later, assess risk level and likelihood, and generate a baseline report. As you improve your compliance you can update the SRA before finalizing it for future audits.
There is no single certifying body for HIPAA compliance. Organizations that are subject to the rules of HIPAA (for example covered entities and their business associates) must take steps to protect the PHI (Personal Health Information) that is entrusted to them, and they must perform periodic Security Risk Assessments to determinte areas of risk, how serious that risk is, and what steps they will take to remediate those risks.
BasicHIPAA is here to help with exactly that process. Assuming you have basic policies & procedures in place, you can start your first Security Risk Analysis as soon as you create your account. You can then set up monthly compliance-related activities such as checking firewall rules, user permissions, VPN accounts, etc. and be reminded once a month to enter and upload the results.
Once you've taken these steps and are updating your portal every month, you may choose to assert that your organization is compliant, assuming the risk assessment determines that there are no outstanding areas of high (and ideally even medium) risks. Ultimately the goal is set up a framework for security such that in the event of a breach you will have a documented history of a compliance program absent which you could face higher liability for the breach.
Policies are a set of rules for your organization. For example: "A password must have at least 8 characters." "All new hires with access to PHI must have a background check".
Procedures are a sequential list of actions that must be taken under certain circumstances. For example you may have a procedure for failing over to a backup if a virus is detected on the main database. There may be a procedure for terminating an employee.
Taken together, the Policies & Procedures of your organization specify exactly what you require employees to know and do in order to secure PHI. Every HIPAA-compliant organization should have a document (or set of documents) that is reviewed periodically and made public to all employees, which spells out the rules for your organization's security program. The document should be organized by subject (eg Hiring & Termination, User Roles, Anti-Virus, Disaster Recovery, etc.) and be written with a non-technical user in mind.
To get started you can run through our Security Risk Assessment and generate a report of all questions that are marked as "No" that relate to policies or procedures. You can then run down that report and create a document that addresses each of those missing pieces, after which you'll be able to run a followup assessment and answer most of those No's as Yes's.
Assuming you have the policies & procedures document in place, start by running a Security Risk Assessment through your BasicHIPAA portal. Answer Yes or No, and flag anything you'd like to come back to. In the right-hand column you have the ability to mark each item's risk likelihood and level -- those two combined will yield a risk level for that item.
For each question marked as high risk, you can enter notes regarding remediation plans. Once complete, you can generate a report which will serve as a roadmap towards reducing your risk.
Once remediation is complete, run through the SRA once more and hopefully you will be able to complete it with few or no high or medium risk items. You may add notes regarding any remaining risk items to explain why you may not be addressing them at this time.
In parallel with this process, you should go to the Continuing Compliance section of the portal and enter tasks to be done at regular intervals (monthly, quarterly, etc.) or in response to "life cycle events" (hire, termination, role change, etc.). At the preset interval, you'll receive a reminder to update performance of those tasks and upload any documentation.
One of the first things an auditer will ask for is the latest Security Risk Analysis. Luckily BasicHIPAA stores all of your SRA's, allowing you to show not just your current state of compliance but your past trajectory, how you got where you are. Being able to show that there were problems that were fixed will help your case.
An auditor will also want to see your history of compliance, to be sure you didn't just do a check and then ignore your responsibilities for a year. You can download a report of all of tasks that were done over the last year including dates of completion and any supporting documentation, which will also be important to the auditor.
BasicHIPAA cannot certify your organization as compliant, but we can help you organize your compliance requirements in a user-friendly and auditor-friendly manner.
If a 3rd-party audit is required, we can recommend auditors we've worked with who can guide you through the process. However, any auditor will ask many of the same questions that BasicHIPAA guides you through via the SRA and continuing compliance.
Taking the results of your work in BasicHIPAA to a 3rd-party vendor will likely reduce the time, cost, and complexity of an audit. You will be able to approach the vendor with confidence and ask them to double-check your internal assertions and then provide a stamp of approval. This is a different scope of engagement than saying "we're starting from scratch, please get us compliant."
Once your audit is completed, you will still need to create a continuing compliance calendar and track your tasks throughout the yeaar, which you can choose to do in BasicHIPAA. Our Security Risk Assessments are stored each time they are run so you can compare iterations and demonstrate improvements that were made.
Consider a 3rd-party audit a supplement to your regular compliance tracking handled through BasicHIPAA. Vendors like what we produce because it makes their engagement easier and more efficient.
For companies with up to 25 employees and practices with up to 5 doctors, BasicHIPAA costs $1450/year, in which all users in the organization share access to the same data. Larger companies and practices should contact us for more information. All users can try the service out for free for the first month, with the only limitation being that you can't generate a report from a Risk Assessment.
That cost includes unlimited Risk Assessments using our interactive SRA tool, your continuing compliance calendar and monthly email reminders, and our document store to track proof of ongoing compliance.
The longer you use BasicHIPAA, the more value it provides as you can point to an auditable trail of compliance activity over a period of months and years.
For organizations that don't require a 3rd-party audit, this lets you manage and assert your own compliance for a small fraction of the cost of enlisting the help of a vendor. If and when you grow to a point where that engagement is required, we can help connect you with a trusted vendor to go through that process.
BasicHIPAA is a project of MountainPass Technology, a boutique software consulting and development company that has been helping organizations of all sizes with their technology needs since 2010. We have worked with larger companies (such as NPR and Answers.com) as well as with startups and mid-sized companies, many of them in the digital health space. We have participated in several NIH SBIR grants in conjunction with the University of Maryand and the University of South Carolina. All of our employees go through background checks and HIPAA training.
MountainPass was founded by Jack Kustanowitz, who holds an MS in Computer Science from the University of Maryland and has published papers in academic journals and is named as an author on several patents.