A key requirement of the HIPAA Administrative Safeguards is a Security Management Process designed by the organization to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) they collect and maintain. The Security Management Process incorporates four interrelated elements :
ACI has developed a comprehensive risk reporting methodology for analyzing information systems and business functions, to document and categorize threats and vulnerabilities, assessing the likelihood and impact of potential risk exposures or exploits. By implementing this risk model in close partnership with key contributors from each department or business unit, the analysis produces an enterprise-wide risk-scoring matrix which clearly prioritizes risk and highlights mitigation needs. From this risk model, a remediation plan is drafted for prioritizing and communicating these needs to organizational leadership, and providing guidance in planning technology projects and capital expenditures for the coming year.
In addition to the Federal regulatory requirements for performing the risk assessment, Florida healthcare businesses operate under additional privacy regulations described by the Florida Information Protection Act, defining data breaches in a more specific way and mandating breach notifications in a shorter timeframe than HIPAA regulations require.
Following the principles and processes outlined by National Institute of Standards and Technology (NIST) publications, and adapting the data collection matrix designed by the Health Information Management Systems Society (HIMSS), the risk model developed by ACI has passed actual CMS audit. Proven to meet HIPAA and HITECH requirements, this methodology qualifies the organization for the respective Meaningful Use core measures (Medicare or Medicaid) on risk assessments. More importantly, it demonstrates your organization's due diligence on regularly examining and adjusting security measures for the personally-identifiable (PII) and protected health information (PHI) processed by the organization, serving to protect you against unsecured data breaches, and providing more complete defenses against enforcement actions if a breach does occur.