SecureGRC™ SB HIPAA/HITECH

SecureGRC SB is a unified security monitoring and HIPAA/HITECH compliance management software service delivered from the cloud and kept continuously up to date with the latest versions and revisions of relevant regulations and standards. Cloud delivery also means no custom hardware investments and the assurance that the compliance solution is future-proof.
The opening dashboard view presents the status of progress towards compliance at any moment. This keeps organizations fully informed as to what tasks still need to be performed towards remediation and provides support with immediate access to tools to help the progression towards compliance.
"Healthcare IT solution providers need a tool to help their medical practice clients with conforming to HIPAA and other compliance standards. eGestalt takes the mystery out of the compliance process. eGestalt allows us to automate the audit process and provide tangible evidence of what needs to be addressed and how to address it within a medical practice."
Chris Johnson, CEO, Untangled Solutions, Los Angeles, CA
A cost-effective health care solution, SecureGRC SB is a self-assessment tool that helps healthcare providers (Covered Entities) and their Business Associates (as defined in the regulations) comply with the latest HIPAA and HITECH security and compliance regulations. The technology allows organizations to gain control and improve compliance levels across 400+ regulations before they are flagged as problems by federal agencies.
The Need and the Reward for HIPAA and HITECH Compliance
HIPAA, the Health Insurance Portability & Accountability Act of 1996, was created to realize the following objectives:
- Improve portability and continuity of health insurance coverage.
- Reduce costs through improved efficiency, effectiveness and standardization.
- Enable easy interchange of electronic data.
- Ensure that personal health record privacy is well protected.
"TIR considers eGestalt's US market entry strategy fairly prescient. By teaming up with managed service providers and managed security providers, eGestalt is able to deliver an end-to-end service in the SMB segment while empowering channel partners to move up the value stack, monetizing from added value and service support. Since the SaaS-based compliance offering meshes well with managed service providers' existing portfolios, it should thus be viewed quite favorably by business customers that are looking for a flexible service model to meet heightened demand for security and compliance requirements in their operational environments. The on-demand subscription model should garner a fair amount of acceptance, especially as SaaS technology is growing in maturity and the delivery model is viewed as a viable option to keep operating costs down."
Agatha Poon, Tier1Research
HITECH (Health Information Technology for Economic and Clinical Health Act), created in 2009, made significant modifications to HIPAA. HITECH provides incentives for use of electronic health records, creates stricter notification standards, tightens enforcement, raises penalties, and changes the liability as well as responsibilities of Business Associates. HITECH also redefines a breach as the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain it.
All medical practices and their Business Associates—including doctors, dentists, chiropractors, nurses, psychologists and other professionals that handle Patient Health Information (PHI)—are required to achieve and maintain security and compliance with the regulations set forth by the HIPAA and HITECH Acts. Security and compliance proof must be made available for review by auditors, and non-compliance can result in criminal penalties, fines, and even imprisonment for individual owners, employees, and Business Associates of any Covered Entity. In addition to their own practices, Covered Entities are also responsible for their Business Associates.
To comply with HIPAA and HITECH regulations, Covered Entities and Business Associates must prove they have appropriate PHI-handling processes in use. Likewise, Covered Entities must have written agreements and proof-of-compliance documentation from all Business Associates and subcontractors with access to PHI. When conducting audits, federal officials will check to see if organizations have implemented appropriate controls and safeguards to prevent unauthorized access and disclosure of sensitive patient data.
In addition to the requirements, the federal government also offers incentives to Covered Entities. Reimbursements totaling as much as $44,000 can be awarded to those that meet the Meaningful Use criteria, which include 15 Core-set requirements.
How eGestalt SecureGRC™ SB Solves the Security and Compliance Challenge
SecureGRC SB provides detailed risk analysis with complete security and guidance on all relevant aspects of medical practices. The solution also helps track and manage Business Associate compliance documentation. Delivered via the cloud, eGestalt constantly updates SecureGRC SB with the latest compliance requirements.
The solution requires no hardware or software investments and can be implemented quickly. Users do not have to worry about technical support or backup requirements while also receiving the benefit of a future-proof compliance solution. SecureGRC SB also includes built-in HIPAA and HITECH support that can be easily extended and automatically kept up-to-date. All data is stored in a SAS 70 Type II secure data center, and no electronic patient information is removed from client sites.
SecureGRC SB also delivers the necessary risk analysis and compliance reports required for demonstrating the appropriate level of Meaningful Use so that Covered Entities can receive reimbursements from the federal government as soon as possible.
Streamlined Processes: Complying with HIPAA and HITECH can be a complex, time-consuming process. But with SecureGRC SB, users simply answer a series of questions. The unique risk calculator created by eGestalt then prioritizes the areas to focus on. It's that simple. And with a built-in best-practices library, policy templates and implementation procedures that can be easily customized, SecureGRC SB also explains how to resolve every open issue with common-sense approaches.
Deployment and Support Through Managed Compliance Partners: SecureGRC SB is delivered by eGestalt channel partners who quickly and professionally implement automated solutions and help customers learn to take rapid action to resolve any processes or systems that are out of compliance. The eGestalt channel program, called Managed Compliance Providers (MCP), offers solution providers an effective way to expand their service offerings and revenue by tapping into the lucrative IT healthcare market. eGestalt offers private branding and provides all the required training as well as marketing and sales collateral along with access to demo versions that help solution providers identify prospects and generate sales.
Looking for Federal Reimbursement for Electronic Medical Records (EMR) Implementation?
You must prove "Meaningful Use" if you want to get your federal grant or reimbursement (up to $44,000). The Meaningful Use criteria include a set of 15 "core" requirements; #15 requires a Security Risk and a Gap analysis of your practice. SecureGRC™ SB delivers this risk analysis and the reports required for demonstrating Meaningful Use.
SecureGRC SB Features/Advantages
- Offers a simple, menu-driven, framework-based assessment, supporting HIPAA/HITECH regulations and harmonizing multiple regulations, now and in the future, with automatic updates to changes in regulatory requirements.
- Complies with requirements for Covered Entities (CEs) and Business Associates (BAs).
- Cloud-based, turnkey service with no additional hardware/software investments required.
- Supports both HIPAA and HITECH regulations, including privacy and security rules.
- Provides real-time dashboards for quick views of compliance status by customers, risks, regulations, assesses, and many more—supported by extensive on-demand report-generation feature covering risk and compliance.
- Creates a finished document, Report on Compliance and Risk Reports, that can be used to show compliance to other organizations and auditors.
- Offers a built-in, configurable, policy-based risk model with real-time risk status.
- Single centralized repository for all compliance related evidence.
- Includes easy plug-in for PCI-DSS compliance if required.
- Meets and/or exceeds Stage 1 requirements for Security Risk Analysis required for Federal EMR grants.
- Tracking and managing of Business Associate compliance documentation.
- Offers an extensive library of updated, ready-to-use, free, pre-packaged, and customizable templates of policies, best procedural practices, and recommendations, supported by extensive online help and context-sensitive guides.
- Generates updates as new and revised policies, procedures, and forms are released.
- Automatic updates to changes in regulatory requirements.
- Automates email reminders on various compliance-related workflow activities.
- Creates single, centralized repository for all compliance-related documentation to meet the evidence requirements.
- Facilitates exclusive and secure instance of SecureGRC interface for each customer while tracking and managing their Business Associates' and vendors' compliance documentation.
- And ultimately creates Peace-of-Mind with continuous security and compliance.
The eGestalt SecureGRC SB Process
1. Cloud-Based Self-Assessment – When authorized users receive access to the SecureGRC SB cloud-based self-assessment survey, they simply log in and answer a small number of questions that cover topics such as privacy, security and procedures. While undertaking the survey, users can access extensive online help and best practices that make answering questions easy. As the survey is completed, the software analyzes responses and gathers strong as well as weak practice segments. Organizations then receive a complete snapshot of their compliance and risk status that can be viewed online at any time.
2. Upload Compliance Documents Into Secure Online Repository – As organizations complete the assessment, users may be asked to attach evidence in the form of policies or procedures. If an organization does not have these documents, eGestalt supplies samples at no charge. For compliance documents collected from Business Associates or other subcontractors, users will be prompted to upload them into the SecureGRC SB document repository. These will be logged into the compliance documentation as proof of vendor HIPAA and HITECH compliance.
3. Risk and Compliance Report Generates Action Roadmap – After the survey is completed, eGestalt generates an action roadmap that lists all of the "Do's" to achieve HIPAA and HITECH compliance. Urgent matters are highlighted, and a suggested course of action is explained in detail. eGestalt also schedules a live one-on-one phone call to explain any open questions and provide assistance on how to resolve issues.
4. Complete Compliance Roadmap Action Items – Organizations can attack the "To-Do" items at their own pace while remembering that completing the compliance report is required for incentive-fund distribution. If difficulties occur at any point during the process, users can contact eGestalt for assistance. This may include process/procedure modifications within the practice, personnel adjustments, training and hardware/software upgrades.
5. Achieve and Prove HIPAA/HITECH Compliance – After completing this process, the organization is now in compliance with current HIPAA and HITECH regulations. Print the HIPAA report and keep it in a prominent location. When applying for stimulus funding, this report will be required as part of the application process.
"Why risk it when for less than $2.00 per day, you can be compliant!"
For further details visit us at www.eGestalt.com



