Key Deliverables

The deliverables comprising Intersect's HIPAA Compliance services are made up of work required to implement the HIPAA Security Rule. These standards were established by the National Institute of Standards and Technology (NIST). NIST is a division of the U.S. Department of Commerce. Upon completion of those tasks, the remaining deliverables are related to requirements associated with Intersect's strategy of completing recurring HIPAA Risk Analyses.

Deliverables are the following reports:

  • HIPAA Policy and Procedures
  • HIPAA Compliance PowerPoint
  • Evidence of HIPAA Policy Compliances
  • HIPAA Risk Analysis and Management Plan
  • Security Exception Worksheet
  • Supporting Documents
    • Response Form - HIPAA On-Site Survey
    • User Identification Worksheet
    • Network Share Identification Worksheet
    • Login History by Computer
    • Share Permission Report
    • Drive Encryption Report
    • External Vulnerability Scan by Issue
    • File Scan Report
    • Internal Vulnerability Scan by Issue

All of these forms are packaged to be used for auditing purposes, for Meaningful Use submissions, and for providing the documents that you need. The Risk Analysis, which is required to be completed annually, or whenever changes are made, contains information about the analysis as well as a list of the issues. It also gives a score. This score and the "Risk Meter" provide a measurement of the health of the network. Along with the list of issues, it contains recommendations about how to remediate them.

Scoring is required, not for its own sake, but because it is required for prioritization. You must prioritize, and scoring helps show that you have prioritized and organized the issues. Once you show that you have completed a Risk Analysis that has uncovered issues in your environment, you must show a prioritized list and how you are addressing it. This is where the Management Plan becomes relevant. The Management Plan report shows all of the issues listed by criticality, the nature of each issue, and the recommendation. An example is operating systems that are no longer supported. They violate the idea of defending against malicious software because they cannot be patched. The report also lists which computers are in those categories and which operating systems are on them. The report also shows a list of employees who have been terminated and are still in the Active Directory.

The next report is the most important. It is the Evidence of Compliance report. It reflects that once the Risk Analysis and the Management Plans are complete, it is necessary to prove that the information is substantiated. That report proceeds section by section, describing the environment and giving details about generic accounts that were discovered, such as those not associated with specific individuals, and accounts for former vendors and former employees. Additional information relates to an evaluation of "standards." An example is a Termination Standard. The Termination Standard should describe the procedure for terminating access to electronic health information. Do former employees or vendors still have enabled accounts which could potentially provide access to e-PHI? There is an evaluation of login dates. Those accounts which haven't logged in during the past 30 days are flagged so that an investigation can be performed. The evidence report continues from there.

A sample report was 84 pages in length. It details all of the different items and links them back to the CFRs, so that it is possible to demonstrate in the "Former View" what an auditor would expect, and to demonstrate how this all links together.

Finally, Risk Profiles, month over month, combine to create the managed service, not just for HIPAA compliance, but also for network security.

The intersection of health and technology

CONTACT

230 Northgate Street #145,
Lake Forest, IL 60045
(847) 457-1057
info@intersecthealth.net
