Compliance Assessment Offerings
Whether you’re a Covered Entity or a Business Associate working to meet the requirements of HIPAA/HITECH, The Vantage Group has a program to meet your needs.
SCOPED RISK ASSESSMENT (Covered Entity or Business Associate)
Based on the HIPAA/HITECH framework and proven practices for a comprehensive information security management program, Vantage will assess a portion of your information technology environment, including people, process and technology, to provide visibility into your current control implementations and the associated level of risk of sensitive data exposure, loss or theft. The assessment uses a customizable, cloud-based toolset that requires no infrastructure adjustments and remains available for use by the company after the assessment is completed. Compliance officers and security officers, in addition to upper-level management, are provided with a snapshot in time that identifies current gaps and can be easily used to prioritize remediation activities and future compliance management initiatives. Once an assessment is complete, there is the opportunity to maintain the access and track remediation activities as well as conduct future risk assessments.
QUANTIFYING BUSINESS ASSOCIATE RISK (Covered Entity)
More than a quarter of the major security and privacy breaches since the overhaul of HIPAA in 2009 up to mid-2014 were due to potential negligence or oversight of a business associate, not the covered entity. To make matters worse, these breaches also represent more than 50% of the records compromised. Even after this date, business associates continue to be a weak link in the security chain for ePHI. Several HHS/OCR actions for non-compliance have also involved compliance action plans that highlighted the need for the covered entity to get a better handle on what their business associates were doing to safeguard PHI. In our experience, we have found that covered entities tend to fall into three thought processes as to how they should address business associate risk management. We’ve highlighted these in our “What you don’t know can HURT you!” brochure.
No matter the perspective of the covered entity, Vantage offers a phased approach that gives covered entities increased visibility into business associate risk, which is then quantified so that proactive steps can be taken to mitigate potential shortcomings. You can use this approach on your own, set up a guided relationship, or give full program management to Vantage to take advantage of the additional resource.
INFORMATION SECURITY POLICY EVALUATION OR DEVELOPMENT (Covered Entity or Business Associate)
Maybe you’re not ready for a comprehensive risk assessment and want to start with the foundational pieces that should be the core of every organization: policy and procedure. Vantage offers a reasonable and measurable approach to assess your current Information Security Policies in order to determine gaps and adjust to changing threats and/or compliance requirements, while providing visibility into the key components that make up an effective policy: focus area, development, awareness, and enforcement. Check out a sample dashboard as well as the sample evaluation framework that develops the findings reported on the dashboard.
Not happy with your policies as they stand today? Not a problem. Vantage offers a quarterly development process that can take one year or just one quarter, resulting in the appropriate policies that consider your business needs and compliance requirements by implementing a policy management program. We have found this to be much more effective and successful than providing templates that are rarely adequately modified, managed, or incorporated as “living” documents that foster a truly security-conscious culture. Contact Us to get started!
MANAGED SECURITY TESTING (Covered Entity or Business Associate)
The auditing and monitoring requirements established by HIPAA, which are also part of an effective security management program, can be resource-intensive and time-consuming. Vantage offers a manageable approach that will allow your organization to scan the network, applications, and even databases monthly, quarterly, semi-annually or just annually, depending on your risk threshold, at a fraction of the cost. Contact us for more information!