SecureGRC SB™
Low end-user subscription

At a low, annual end user subscription list price, SecureGRC SB (HIPAA / HITECH) allows the partner to add on services and additional products to deliver a complete compliance and security solution to the huge, untapped small office Health Care market.

SecureGRC SB™ (HIPAA / HITECH)
Channel Partner Step by Step process for selling, installing, and supporting eGestalt’s SecureGRC SB HIPAA/ HITECH Compliance software

Selling to a small medical CE.
ALL medical practices, called Covered Entities (CE), must be HIPAA and HITECH compliant. It does not matter if they don’t use on-line billing or EMR (see a list of types of CEs in Attachment A). If they serve patients they must be compliant or they are breaking the law. Now, if they have no technology whatsoever, then they still need to be compliant, but it is a much simpler process. More technology, such as Email, on-line applications, EMR, off-site backup, etc., increases the complexity of becoming and maintaining compliance, and this is where SecureGRC SB comes in.
SecureGRC SB is a simple WEB based assessment or questionnaire tool that leads the CE to understand what they need to do to become compliant. See example # 1.

Complete list of all required policies and procedures available.

Example # 1
The CE or BA fills out this form, and if they have evidence such as a policy or procedure that is required, then they attach it, and the system now catalogs and secures all the required supporting evidence.
As an additional value add, eGestalt provides sample copies of all required policies and procedures.

Elevator Pitch
As I am sure you are aware, HIPAA and HITECH have become front page news. Since the passing of HITECH in February 2010, both the Office of Civil Rights (OCR) and your state’s Attorney General have been very aggressive in pursuing non-compliant healthcare practices, regardless of size. It is also a requirement for you to get any reimbursement for implementing an EMR system. The penalties and risk have increased dramatically; although the odds of getting audited are still low, if you lose any patient data, such as losing a laptop, employee theft, outside hacking, etc., you could risk losing your practice if you cannot prove compliance. Getting and maintaining compliance in the past has been very expensive, complicated and time consuming; however, we are now offering a simpler, inexpensive way to help you get into and maintain your compliance.

Contact Nate @ nate.miller@egestalt.com or 408-689-2586



Assessment Review
Once the CE has completed the assessment as best they can, the channel partner would normally review the answers with the CE and make suggestions on how to resolve the remaining open issues. SecureGRC SB suggests ways of solving each problem, or best practices (see example # 2). Although this review is not required, it is an excellent opportunity to up-sell additional services.




Once this process is complete, the CE will “Submit” the completed assessment. It is now permanently stored in the system and can no longer be modified.

This is where the Channel Partner takes the output of SecureGRC and prepares a final report. The exact steps are in Attachment C.

See sample # 3 for an example of the first output report and sample # 4 for the final deliverable. The final deliverable is called a Report on Compliance or ROC. This is a standard Word template: you can simply cut and paste and deliver it without modification, or use it as an outstanding opportunity to review the data and identify additional sales opportunities.
Preformatted Reports on Compliance (ROC)


Sample # 4 (image of the final deliverable, the ROC; not reproduced here)



Additional Sales opportunities.
As part of the assessment process SecureGRC SB will identify specific areas within IT that the CE will need to implement. The good news is these items are required by the LAW, so you have big government on your side. As a minimum:

- Encryption
- Unified Threat Management Firewall
- Virus protection
- Secure Back up
- Simple Access control

There will also be opportunities for many other services and technologies.
Another great sales opportunity is the Business Associates or BAs (for a list of BA types, see Attachment B). BAs, if they have access to Patient information, are required, by law, to be HIPAA and HITECH compliant. According to HITECH law, the CE must have a signed agreement and proof of compliance from the BA. SecureGRC SB specifically asks the CE for a list of their BAs, a copy of each agreement and proof of their compliance. This is a great prospect list for you to call on. You can call on behalf of the CE to acquire a copy of the BA’s proof of compliance, which of course they will not have. This is an opportunity for you to sell compliance services into the BA. Once you close the BA, you can follow up with their CEs. And the cycle continues.



Sample # 3 (image of the first output report; not reproduced here)

Attachment A
List of Covered Entity (CE) types (image not reproduced here)


Attachment B
Examples of Business Associates
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
- Remote back up facilities
- Transcription services
- Billing services
- Remote Managed Services
- IT Service provider


‘BUSINESS ASSOCIATE’ definition
The term ‘business associate’ has the meaning given such term in section 160.103 of title 45, Code of Federal
Regulations.
Section 160.103—
(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered
   entity, a person who:
    (i) On behalf of such covered entity or of an organized health care arrangement in which the covered entity
        participates, but other than in the capacity of a member of the workforce of such covered entity or
        arrangement, performs, or assists in the performance of:
       (A) A function or activity involving the use or disclosure of individually identifiable health information,
           including claims processing or administration, data analysis, processing or administration, utilization
           review, quality assurance, billing, benefit management, practice management, and re-pricing; or
       (B) Any other function or activity regulated by this subchapter; or
    (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial,
       accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to
       or for such covered entity, or to or for an organized health care arrangement in which the covered entity
       participates, where the provision of the services involves the disclosure of individually identifiable health
       information from such covered entity or arrangement, or from another business associate of such covered
       entity or arrangement, to the person.


Attachment C
SecureGRC SB™ (HIPAA / HITECH)
Installation and support procedures for Channel Partner


These instructions are available in very specific detail in hard copy and in a self-paced video.

The Channel Partner will have a master SecureGRC SB account.

When a CE or BA purchases SecureGRC SB, the Channel Partner will need to provision this account:

1. You create a login ID and input the other details on the customer.
2. You then load a copy of the standard assessment into the customer’s account. The system will generate an email and send the login credentials to the customer.
3. Once the customer has completed the assessment, the Channel Partner will take the output and cut and paste it into an Excel template provided by eGestalt. You will use this spreadsheet to quickly identify “Out of Compliance” conditions and how to help the client remediate the problem.
4. Once the client is finally done, you will repeat the same cut and paste into the same Excel template. Then, from this template, cut and paste into the Word ROC template.

Initial provisioning takes about 7-10 minutes. Final reporting takes about 2 minutes to create. Review and recommendations are dependent on the end user.
