HIPAA Security Compliance for Counties and Behavioral Health
Did you recently receive notification from your DSRIP or BHCC that you weren’t compliant with the HIPAA Security Rule based on a risk assessment? Do you have extensive remediation to complete quickly? Or, do you need a risk assessment completed, or possibly other security-related services? Do you need help with your security policies and procedures?
You are not alone. We’ve been working with HIPAA since 2003 and have found that many CBOs, County Mental Health Clinics, and even many inpatient providers are not compliant, especially with the HIPAA Security Rule (45 CFR 160, 162, 164). Although compliance with the privacy rule received a great deal of attention, compliance with the HIPAA Security Rule seems to have been missed by most IT Departments and many providers. I’m not sure why, but communications between IT and the Covered Entities they support seem to have broken down over the HIPAA Security Rule, for which compliance has been mandatory since 2005. The result is that many organizations that think they are compliant are actually not compliant at all.
The good news is you can fix it pretty easily and we have developed great processes for compliance over the last 15 years.
HIPAA Remediation Workshop for CBOs
We work with your management, IT staff, and compliance staff through a course of five web workshops to create a complete plan that will get you where you need to be fast. The outcome is a set of security policies and procedures that are 45 CFR compliant and integrated with your organization’s unique business processes and culture. We can generally deliver a complete outcome within a few weeks for smaller organizations. We can customize this service for your organization but the basic framework looks like this:
- Five team workshops of 2 hours each in order to design, write and customize policies and procedures.
- Deliverables include:
  - Comprehensive Security Policy - customized for your organization
  - Acceptable Use Policy
  - Comprehensive Procedures Documentation that clearly defines what has to be done as well as who is responsible and accountable for all the activities, processes, and procedures.
  - A detailed compliance matrix listing all required HIPAA rules with references to your security policy as well as the relevant reference in the HITECH Act and 42 CFR if you treat substance abuse clients.
We have been doing HIPAA compliance for over 15 years and you will get the best outcome possible with this service -- quickly and for a fixed price with no surprises. Moreover, our process ensures that your staff members completely understand what they need to do and why they need to do it.
HIPAA For County Governments
We also work with county governments to bring the entire organization up to HIPAA Security Rule standards since many county departments such as Mental Health, Public Health, Social Services, correctional facilities, and probation must be compliant. If your county department is a covered entity and shares an IT infrastructure with other county departments, this is an option you should seriously consider. We’ll be glad to talk with key decision makers including your county commissioners, executives, and managers about this option.
Give us a call today at 607.731.4097 to discuss HIPAA for your behavioral health organization or county mental health clinic.
For more background, read Jeff's articles on HIPAA.
- Risk assessments for local governments and SMBs. CIO.com, May 2017.
- HIPAA as an umbrella for county/municipal cybersecurity. CIO.com, April 2017.
- County and municipal cybersecurity – Part 2. CIO.com, April 2017.
- County and municipal cybersecurity – Part 1. CIO.com, March 2017.
- May I see your comprehensive security policy, please? CIO.com, October 2016.
- The ACA and the death of medical privacy. CIO.com, August 2016.
- Why should county commissioners and executives care about HIPAA? Careers in Government, February 2018.