Compliance Management Services & Training
We offer affordable HIPAA Compliance Services on a flat fee basis to a variety of covered entities and business associates, specializing in servicing solo and small practices.
Pre-packaged services
À la carte services
About our OfficeFLO® Framework

Our comprehensive HIPAA Compliance-as-a-Service is built on top of our OfficeFLO® Framework.
We’ve designed and built our FRAMEWORK end-to-end, from the ground up, leveraging the best available technologies to enable our clients to operate their offices with LOW OVERHEAD (FLO) – in a highly secure, productive, flexible and effective way – while providing peace of mind about maintaining full compliance.
Our design point was to ensure that each process automatically captures and maintains the necessary information and records required for HIPAA Compliance. This minimizes involvement from the healthcare providers and staff, reducing the impact on day-to-day activities; it also makes the patient experience as friendly as possible and enhances the overall healthcare provider experience.
As an example, the framework automatically captures the records when
- the patient submits a request to obtain or share their medical records,
- the patient updates their contact information or medical history,
- the staff member completes required HIPAA training,
- any security or privacy incidents are identified and reported.

Concerned about possible breach?
A breach, or unauthorized access, use or disclosure of Protected Health Information (PHI), can happen due to the following types of incidents:
- Lost mobile device or laptop
- Systems or the network getting hacked or infected by a virus
- Malware or a ransomware attack
- PHI data not properly protected or backed up
- Improper disposal of devices or records that contain PHI
A breach does NOT necessarily imply noncompliance. However, a breach may trigger an investigation by the authorities. As of August 2016, the Office for Civil Rights of the US Dept. of Health and Human Services will reportedly investigate data breaches regardless of size.
- A practice may be fined if issues with HIPAA compliance are discovered within 6 years, even if the noncompliance is not related to the cause of the breach
- If the practice is found to be fully compliant, no fines for noncompliance are expected
For more information, please see our disclaimer.

What is required to achieve & maintain HIPAA compliance?

- A Designated Privacy & Security Official (HIPAA compliance officer for self-certification)
- HIPAA Policies & Procedures customized and optimized for your practice
- Staff trained annually on your HIPAA Policies and Procedures
- HIPAA compliance records retained for 6 years
- Compliant Notice of Privacy Practices (NPP) and copies of Patient Acknowledgements
- Compliant Business Associate Agreements (BAAs) with each of the vendors with access to PHI
- Up-to-date Risk Assessment & Risk Management Plan
- Records of audit logs and periodic system reviews
- Records of designated sets of PHI, access control matrices, sanctions, etc.
- HIPAA-Compliant IT environment
- HIPAA-compliant e-mail & messaging
- User IDs and Passwords for every healthcare professional with access to PHI
- PHI Data protected at rest and in transmission (Access Control, Anti-Virus, Anti-Malware, Firewall, Backup/Recovery, etc.). PHI retention requirements are governed by State laws.
- PHI Data accessible in a controlled way only by authorized individuals
Typical examples of HIPAA noncompliance
- Lack of proper BAAs with required vendors
- PHI included in unprotected e-mail or text messages (without explicit patient authorization)
- Unprotected PHI on a memory card or USB drive
- Lack of proper controls and safeguards to protect PHI on smartphones or computers with access to PHI
- Failure to fulfill patients’ rights guaranteed by HIPAA, e.g., failure to provide medical records within the time allowed; or failure to restrict disclosure to a health plan
- Corruption of a hard-disk, OS or software that resulted in unrecoverable loss of the PHI

HIPAA Premium Subscription Service
(Starting from $500/year per practice)
Prepackaged HIPAA Policies and Procedures
Entrepedia® - The Entrespace® Online Encyclopedia
- We’ve decided to develop a new type of repository for storing and maintaining Policies and Procedures to meet the compliance requirements
- This repository is built on top of the same platform as the popular and widely used Wikipedia, which contains an enormous amount of information on a wide variety of topics
- In our online encyclopedia, which is called Entrepedia®, it’s quick and easy to navigate, search and find the needed details. A user can quickly find a specific piece of information right when the information is needed (like when a patient calls on the phone and makes a request that the staff member is not sure how to handle)
- Entrepedia® includes content on HIPAA regulations with custom-tailored HIPAA Policies and Procedures, as well as policies and procedures for other Federal and State laws applicable to health care organizations
- Entrepedia® (entrepedia.officeflo.com) is available exclusively for premium members of the Entrespace® Network
- One of the key advantages is that Entrepedia® reduces the dependency on memorizing all the details from policies and procedures
- And like many other of our capabilities, it doesn’t require you to remember an additional password (as long as your practice uses Google’s G-Suite for e-mail services). Premium members of the Entrespace® network can log in with their primary work e-mail ID to access the content

- The Entrepedia® online encyclopedia includes decisions, definitions, guidance and recommendations that have been customized and optimized for the members of the Entrespace® Network, to help them achieve and maintain compliance
- The content is defined both on a policy level, to describe the overall intent, rationale, principles and rules, and on a procedure level, with specific step-by-step instructions on how to implement the defined policies
- The policies and procedures generally do NOT require figuring out what each regulation means. They document explicitly how to meet a specific requirement with a crisp, clear and concrete set of instructions, intended to be fully executable (meaning prescriptive enough that a person can execute them end-to-end) using recommended templates, tools and utilities
HIPAA Training

HIPAA Support

- Addressing real-time questions about handling specific situations or 3rd party requests
- On-demand guidance on how to follow and execute the HIPAA Policies & Procedures
- Guidance & recommendations for IT tools and services (e.g., HIPAA-compliant Email, HIPAA-compliant messaging, Patient & EntreUpload® forms, etc.)
- Real-time support during the normal business hours via phone, text, live chat, instant messaging or email
Jump-Start To Achieve HIPAA Compliance
We provide the following services to help achieve HIPAA compliance:
- Create Custom Tailored HIPAA Policies & Procedures
- Conduct HIPAA Risk Assessment & Identify Gaps for your organization
- Develop Initial Risk Management Action Plan for your organization
- Collect, verify and validate Business Associate Agreements
- Document designated record sets & PHI access control matrix
- Conduct HIPAA Training for your staff
- Implement HIPAA-compliant IT environment
- Implement formal documents and controls to protect/safeguard PHI

HIPAA Compliant IT Environment
HIPAA-Compliant Websites
Public website and Intranet/Internal-use website
HIPAA-Compliant Online forms (for patients and staff)
HIPAA-Compliant IT capabilities (Email, Document Management)
Required HIPAA Audit-Ready Documentation
Customized HIPAA Policies and Procedures, Risk Analysis and Risk Management Plan, Business Associate Agreements (BAAs), Audit Logs, HIPAA Records (e.g., NPPs, designated record sets, PHI access matrix), and Records of HIPAA-related requests and HIPAA activities (e.g., training, breach incident reports, disclosures of PHI, patient requests)
Ongoing HIPAA Compliance Management

As a part of the service we will
- Perform ongoing audit log monitoring and system review
- Execute the risk management action plan
- Conduct periodic risk assessments
- Update and Maintain HIPAA Policies & Procedures on an ongoing basis
- Conduct periodic HIPAA Training for you and your staff
- Maintain the HIPAA documentation and records
- Maintain the HIPAA-compliant IT environment & Business Processes
- Ongoing Remote Support
Disclaimer