For most office-based practitioners, a HIPAA breach can be a catastrophic event that affects all aspects of the business for months. In most cases, the business does not have internal resources to dedicate full-time to handling the incident, since the compliance officer usually has another primary job that is critical to the business’s operations. Engaging CAEK to provide breach assistance can reduce the impact of a breach to healthcare businesses.

Incident Review & Breach Risk Assessment

During the incident review and breach risk assessment, our team will conduct an investigation into the incident in order to document the security measures that were in place prior to the incident and the likely vulnerabilities that led to the incident. We gather the information and documentation from office staff, IT staff, third party vendors and data forensics.

Utilizing the LayerCompliance software, our team prepares a final incident report for the covered entity and legal team that includes a root cause analysis for the event and may include recommendations for remediation with applicable references to NIST Privacy and Security Controls (SP 800-53) and Cyber Security Framework. The incident report team includes regulatory analysts and cyber security experts (CISSP, HCISSP).

Breach Notification Support

If an incident is determined to be a breach, the covered entity (provider) is required to follow the federal HIPAA Breach Notification Rule as well as any applicable state notification rules. Managing this process is critical to meeting the strict notification deadlines required by OCR and other regulatory agencies. Our breach notification support manager coordinates with the covered entity, office staff, IT staff or outside company, attorney, insurance carriers, data forensics, and notification vendors to assist the covered entity’s legal team in meeting the requirements of the Breach Notification Rule. Our expertise allows us to efficiently gather the supporting documentation and detailed information required* for patient notification, breach notification to HHS, and media notification.

*CAEK does not provide the actual breach notification services but assists in providing documentation and managing deadlines.

Compliance Documentation Review

CAEK utilizes its compliance software, LayerCompliance, to perform a HIPAA Risk Analysis, create tailored policies and procedures, and a monthly risk management plan. Our analyst team will gather the information and documentation from your staff and IT company and enter the information into the LayerCompliance tool. All documentation provided by CAEK will include a statement of review by our regulatory and security analysis team.

The service will provide the following documentation needed for responding to an OCR investigation:

• Security Incident Investigation Report
• Security Incident Response and Recovery Report
• HIPAA Privacy Assessment
• HIPAA Privacy Policies and Procedures
• HIPAA Security Risk Analysis
• HIPAA Security Policies and Procedures
• Contingency Plan
• Security Incident Response Plan
• Risk Management Plan

Regulatory Investigation and Response Support

Once a breach notification has been filed, OCR will open an investigation into the breach that occurred. CAEK has assisted all sizes of dental and medical organization successfully respond to regulatory investigations from OCR. Our team is experienced in assisting healthcare businesses of all sizes respond to regulatory investigation involving various types of incidents including data breaches, malware, ransomware, hacking, unauthorized email disclosure, malicious insider, lost and stolen devices, and natural disaster.

Pricing

Consulting services for incident response and Hipaa data breaches are not included in the LayerCompliance subscription. Services are provided on a project basis. Each incident is different and consulting services and pricing are dependent on type of incident and may include an hourly fee after initial project scoping.