Outsourced HIPAA Security and Privacy Officer
Let RISC manage your HIPAA Privacy & Security Programs
The Security Rule (45 CFR 160, 162, and 164) establishes national standards for the protection of electronic protected health information (ePHI) that is created, received, transmitted, or maintained by a covered entity (CE). All Covered Entities (CEs) and Business Associates (BAs) must comply with the Privacy and Security Rules. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. These safeguards include the designation of a HIPAA Security Officer at § 164.308(a)(2), Assigned Security Responsibility.

RISC management has the capability and experience to assist clients in carrying out the duties delegated to a designated HIPAA Privacy and Security Officer. While the duties may occasionally shift and must adapt to address current issues, changes to the environment, and potential security incidents, many obligations are relatively static and must, at a minimum, be met by every organization that handles PHI and ePHI.

HIPAA Security Rule areas where RISC can assist:
- Developing appropriate policies and supporting procedures that demonstrate effective compliance with the HIPAA Security Rule;
- Developing supporting control mechanisms to ensure compliance with all approved policies and supporting procedures;
- Overseeing the security of ePHI across the entire organization;
- Monitoring systems, applications, and members of the workforce for compliance with ePHI security policies, procedures, and implemented control mechanisms;
- Identifying and evaluating threats to the confidentiality, integrity, and availability of ePHI;
- Responding to actual or suspected breaches of PHI, or real or suspected security incidents;
- Providing guidelines on best practices for adhering to HIPAA requirements, and acting as an internal consultant to the workforce;
- Training members of the workforce on HIPAA requirements;
- Performing a periodic risk analysis;
- Creating and updating a risk management plan;
- Managing, or securing the performance of, a technical assessment of the security of infrastructure, systems, and applications;
- Developing and testing a Business Continuity Plan and Disaster Recovery Plan;
- and many more, customized to your organization's needs.

HIPAA Privacy Rule areas where RISC can assist:
- Training members of the workforce;
- Determining required, authorized, and incidental disclosures of PHI;
- Defining Treatment, Payment, and Operations (TPO);
- Working with law enforcement, officers of the court, and the Department of Health and Human Services, as required, to respond to legal requests to access PHI;
- Developing authorization templates and forms;
- Developing patient representative templates and forms;
- Defining the Designated Record Set;
- Ensuring personnel and systems track all disclosures of PHI;
- Tracking requests for secure communications;
- Responding to requests to amend PHI;
- Ensuring the organization provides PHI to authorized patients, or their representatives, in a timely manner;
- Ensuring that incidents and breaches are remediated in a timely manner, and providing notification in the event that a data breach occurs;
- Ensuring protections for "whistleblowers" making notification in good faith;
- Responding to requests from the Office for Civil Rights (OCR) to access PHI or to review records in the event of a complaint or investigation; and
- All other tasks, as required or emerging, directly related to the access or disclosure of PHI.