SecureGRC SB™ HIPAA and HITECH
1. SecureGRC SB™
SecureGRC SB™ (HIPAA / HITECH)
Channel Partner step-by-step process for selling, installing, and supporting eGestalt's SecureGRC SB HIPAA / HITECH Compliance software
Low end-user subscription
At a low, annual end-user subscription list price, SecureGRC SB (HIPAA / HITECH) allows you to add on services and additional products to deliver a complete compliance and security solution to the huge, untapped small office Health Care market.
Selling to a small medical CE
ALL medical practices, called Covered Entities (CEs), must be HIPAA and HITECH compliant. It does not matter if they don't use on-line billing or an EMR (see the list of types of CEs in Attachment A). If they serve patients they must be compliant or they are breaking the law. If they have no technology whatsoever, they still need to be compliant, but the process is much simpler. The more technology they use, such as email, on-line applications, an EMR, off-site backup, etc., the greater the complexity of becoming and maintaining compliance, and this is where SecureGRC SB comes in.
Complete list of all required policies and procedures available.
SecureGRC SB is a simple web-based assessment or questionnaire tool that leads the CE to understand what they need to do to become compliant. See Example # 1.
Example # 1
The CE or BA fills out this form, and if they have evidence such as a required policy or procedure, they attach it; the system then catalogs and secures all the required supporting evidence.
As an additional value add, eGestalt provides sample copies of all required policies and procedures.
Elevator Pitch
As I am sure you are aware, HIPAA and HITECH have become front page news. Since the passing of HITECH in February 2009, both the Office for Civil Rights (OCR) and your state's Attorney General have been very aggressive in pursuing non-compliant healthcare practices, regardless of size. Compliance is also a requirement for you to get any reimbursement for implementing an EMR system. The penalties and risk have increased dramatically. Although the odds of being audited are still low, if you lose any patient data, whether through a lost laptop, employee theft, outside hacking, etc., you could risk losing your practice if you cannot prove compliance. Getting and maintaining compliance in the past has been very expensive, complicated and time consuming; however, we are now offering a simpler, inexpensive way to help you get into and maintain your compliance.
Contact Nate @ nate.miller@egestalt.com or 408-689-2586
Assessment Review
Once the CE has completed the assessment as best they can, the channel partner would normally review the answers with the CE and make suggestions on how to resolve the remaining open issues. SecureGRC SB suggests ways of solving each problem, or best practices (see Example # 2). Although this review is not required, it is an excellent opportunity to up-sell additional services.
Once this process is complete, the CE will "Submit" the completed assessment. It is then permanently stored in the system and can no longer be modified.
The Channel Partner then takes the output of SecureGRC SB and prepares a final report. The exact steps are in Attachment C. See Sample # 3 for an example of the first output report and Sample # 4 for the final deliverable. The final deliverable is called a Report on Compliance, or ROC. This is a standard Word template, and you can simply cut and paste and deliver it without modification, or use it as an outstanding opportunity to review the data and identify additional sales opportunities.
Preformatted Reports on Compliance (ROC)
Sample # 4
Additional Sales Opportunities
As part of the assessment process, SecureGRC SB will identify specific areas within IT that the CE will need to implement. The good news is that these items are required by LAW, so you have big government on your side. As a minimum:
Encryption
Unified Threat Management (UTM) firewall
Virus protection
Secure backup
Simple access control
There will also be opportunities for many other services and technologies.
Another great sales opportunity is the Business Associates, or BAs (for a list of BA types, see Attachment B). BAs that have access to patient information are required, by law, to be HIPAA and HITECH compliant. According to the HITECH law, the CE must have a signed agreement with, and proof of compliance from, each BA. SecureGRC SB specifically asks the CE for a list of their BAs, a copy of each agreement and proof of their compliance. This is a great prospect list for you to call on. You can call on behalf of the CE to acquire a copy of the BA's proof of compliance, which of course they will not have. This is an opportunity for you to sell compliance services into the BA. Once you close the BA, you can follow up with their CEs, and the cycle continues.
Sample # 3
Attachment B
Examples of Business Associates
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
A consultant that performs utilization reviews for a hospital.
A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
An independent medical transcriptionist that provides transcription services to a physician.
A pharmacy benefits manager that manages a health plan’s pharmacist network.
Remote backup facilities
Transcription services
Billing services
Remote Managed Services
IT Service provider
‘BUSINESS ASSOCIATE’ definition
The term ‘business associate’ has the meaning given such term in section 160.103 of title 45, Code of Federal
Regulations.
Section 160.103—
(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered
entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement in which the covered entity
participates, but other than in the capacity of a member of the workforce of such covered entity or
arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information,
including claims processing or administration, data analysis, processing or administration, utilization
review, quality assurance, billing, benefit management, practice management, and re-pricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial,
accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to
or for such covered entity, or to or for an organized health care arrangement in which the covered entity
participates, where the provision of the services involves the disclosure of individually identifiable health
information from such covered entity or arrangement, or from another business associate of such covered
entity or arrangement, to the person.
Attachment C
SecureGRC SB™ (HIPAA / HITECH) installation and support procedures for Channel Partners
These instructions are available in very specific detail in hard copy and in a self-paced video.
The Channel Partner will have a master SecureGRC SB account. When a CE or BA purchases SecureGRC SB, the Channel Partner will need to provision the customer's account: create a login ID and input the other customer details, then load a copy of the standard assessment into the customer's account. The system will generate an email and send the login credentials to the customer.
Once the customer has completed the assessment, the Channel Partner takes the output and cuts and pastes it into an Excel template provided by eGestalt. You use this spreadsheet to quickly identify "Out of Compliance" conditions and how to help the client remediate each problem. Once the client is finally done, you repeat the cut and paste into the same Excel template, then cut and paste from that template into the Word ROC template.
Initial provisioning takes about 7-10 minutes. Final reporting takes about 2 minutes to create. Review and recommendations are dependent on the end user.