Cmac Questions
A - There are many bona fide, professional, and qualified individuals and organizations in the marketplace. It is recommended that you evaluate your needs against the services and credentials that a service provider is offering. Cmac is entering the marketplace to address a perceived gap in the healthcare information assurance arena. Our senior leaders and staff possess specialized educational and professional credentials in both healthcare and information assurance. Many organizations that offer auditing services are not healthcare or information assurance subject matter experts (SMEs); many come from organizations whose core competency is professional auditing. The Cmac methodology is geared toward offering the healthcare industry SMEs in their respective areas, not just a staff of professional auditors. Cmac also distinguishes itself from others in the marketplace by focusing on security rather than on passing a compliance audit. A compliance audit that passes with a score of 70% is compliant but still vulnerable, with 30% of its security parameters exposed.
A - Medication reconciliation is an effective process that was established by JCAHO to reduce errors and harm associated with loss of medication information when the patient transfers among community-based and hospital providers. The Joint Commission set National Patient Safety Goals (NPSG) in an effort to improve patient safety. Cmac created the Medication Reconciliation Assessment (MRA) to assist healthcare organizations in identifying areas of improvement that relate to medications and patient safety. The Cmac MRA combines pre-assessment surveys and interviews with observational analysis of medication reconciliation and sampling procedures. The protocols involved in the day-to-day operations and interactions with pharmaceutical drug representatives will also be evaluated, as will procedures that involve the acceptance, storage, tracking, and distribution of drug therapies. Cmac will conduct a sample audit in an effort to quantify wasteful practices and provide recommendations for risk management in areas that the MRA determines to be vulnerabilities. Recommendations to minimize the risk of malpractice and vicarious liability may also be provided to organizations with ordinary or inferior processes. An MRA can help you and your organization prevent medication errors that relate to: unsafe storage and practices, incomplete procedures, omissions, duplications, dosing errors, drug interactions, and expired medications. The goals of the MRA are to: identify high-risk processes within the healthcare setting, identify errors before they reach the patient, and develop systems to immediately mitigate the effects of any harm to a patient.
A - An information security assessment is an objective evaluation of an organization’s ability and effectiveness in protecting, at minimum, the confidentiality, integrity, and/or availability of data. In the healthcare industry, this data is either protected health information (PHI) or electronic protected health information (ePHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). With regard to ePHI, two additional evaluation categories are assessed: non-repudiation and authentication. The assessment impacts the day-to-day operations of a healthcare organization in both the short term and the long term. In the short term, during the assessment, the organization will be asked to assist in collecting and providing data to the assessment team, and to provide organizational support to the assessment team so that a thorough evaluation can be completed in the allotted or a reasonable timeframe. In the long term, depending on the outcome of the assessment, organizations will be expected to correct or mitigate vulnerabilities in order to meet the compliance and security standards set by legal and regulatory bodies and statutes (HIPAA, CMS, etc.). Organizations that choose not to periodically assess their information security program, or that do not correct or mitigate known and identified vulnerabilities, subject themselves to fines, penalties, and/or vicarious liability suits.
A - The short answers are: … it depends and … yes. The scope of an ISA conducted by Cmac will depend on many factors, including: the size of the entity, the location, the number of physical locations where PHI or ePHI is created, processed, or stored, and the number of computing and non-computing assets that create, process, store, or transmit PHI or ePHI, among other factors. Before a timeframe can be reasonably determined, an organization should contact Cmac to discuss its needs, scope, and the various factors enumerated above. For smaller organizations, Cmac can provide a self-assessment package which includes hard copy checklists and instructions, along with webinars that provide introductory information pertaining to: information assurance, the HIPAA Security and Privacy Rules, the respective self-assessment checklists, and other educational and awareness material to improve your organization’s information assurance program. You can obtain these packages by contacting Cmac directly. Regarding non-healthcare organizations: although Cmac does specialize in healthcare, the principles of security and information assurance espoused by Cmac subject matter experts (SMEs) can be applied to other industries and organizations. For a quote and a more detailed discussion about the products and services Cmac can offer your organization, please contact a Cmac representative.
A - Yes. Cmac products and services encompass a holistic approach to improving an organization’s information security program. One key area that organizations often overlook, or do not fully fund, is training and education programs. Cmac will provide smaller organizations the ability to conduct a self-assessment using the Cmac HIPAA self-assessment package. This program is designed for small organizations that do not have a large practice and would not benefit from an onsite assessment, or that do not have the resources or staffing to support an onsite assessment. Self-assessments are also designed for small organizations that want to assess their information security program at a slower pace rather than schedule a fixed timeframe for an onsite assessment. One feature of the self-assessment program is a webinar-type training product that accompanies the hard copy checklists and instructions. Together, this information will prove very valuable to an organization’s awareness of and training on HIPAA and information security program requirements and best practices.
A - This is a common question about a common problem. Unfortunately, many of the smaller practices like PCPs, dentists, PT clinics, chiropractors, university clinics, etc. are grossly underserved in this area…until now. Cmac proudly introduces a very affordable self-assessment package that allows a practice manager, owner, or designated representative to conduct a self-assessment audit of one’s physical and information security program. It also provides a mechanism to analyze risk factors that may not be readily apparent to the person responsible for or concerned with the safety, security, and privacy of sensitive and protected information (e.g. environmental crime prevention risks). Simply follow our one-of-a-kind self-assessment checklists and watch our DVD series to learn what you can do to improve the security of your patients’/customers’ information. For just a few hundred dollars, you’ll be able to take one step closer to securing your practice and protecting yourself from a possible data breach, which could cost thousands upon thousands of dollars to rectify. The Cmac self-assessment is comprehensive and takes a holistic approach to security; there’s simply nothing on the market like this product.
Healthcare Industry Questions
A - HIPAA stands for the Health Insurance Portability and Accountability Act. It is an Act of Congress that became effective July 1, 1997 and addresses waste, fraud, and abuse in the healthcare and health insurance industry. If you are a covered entity identified in HIPAA, then its applicability is multifaceted. From an information security perspective (protecting protected health information and electronic protected health information), the two primary areas of HIPAA applicability are its Security and Privacy Rules. HIPAA applies to organizations that fall into one or more of the following three categories: Healthcare Provider, Healthcare Clearinghouse, and Health Plan. If you are considered a covered entity, then HIPAA applies to you and you must ensure that the respective Security and Privacy Rules pertaining to PHI and ePHI are being followed.
A - The cost of a security breach, especially in the healthcare industry, can be very expensive and can result in a loss of trust by patients/customers or business associates. According to a recent 2009 study on the financial impact of data breaches on business, the average cost of a breach is equal to $202 per compromised record. For a small healthcare provider (e.g. a dentist, physical therapy practitioner, etc.) that may have only 100 - 200 clients, the cost of a data breach is somewhere between $20,000 - $40,000 for just a single incident. Medium to large size healthcare providers that see thousands of clients annually, or maintain records of tens of thousands of clients, could see costs in the $200,000 - $2,000,000 range from a single incident. These figures do not address the business impact of loss of confidence by clients or business associates.
A - The answer to this question can be found in the recent actions of CMS after the organization was publicly reprimanded by the Office of the Inspector General (OIG). OIG came down hard on CMS for not adequately safeguarding the standards for protecting the confidentiality and integrity of electronically stored health information as required by HIPAA. OIG scorned CMS and recommended that the agency “become more proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews.” Moreover, the OIG review stated the following: “CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule” and “CMS had not conducted any HIPAA Security Rule compliance review of covered entities.” CMS agreed with the OIG recommendations and began conducting such reviews while the OIG was still performing its audit and before its recommendations were even issued. If your healthcare organization is audited, then you can expect a review of your ePHI safeguard system. CMS is authorized to: interpret, implement, and enforce the HIPAA Security Rule provisions; conduct compliance reviews and investigate and resolve complaints; and impose civil monetary penalties for a covered entity’s failure to comply with the HIPAA Security Rule provisions. Basically, if you or your organization is not in compliance with HIPAA regulations, then substantial penalties to your practice could result.
A - The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) established a mandate for accredited organizations to implement Medication Reconciliation. The goal was to address the nearly 1.5 million iatrogenic adverse events that occur annually from medication-related errors. In plain English, the Joint Commission established regulations or best practice procedures that hospitals and ambulatory clinics are required to follow in order to provide medication and patient safety. These “best practices” should serve as the guidelines and/or the standard by which all healthcare organizations conduct their medication-related business. The Joint Commission requires that: patient-specific medication information be available in some fashion; medication be safely and properly stored; there be a written order for every medication; medications be appropriately labeled; the healthcare provider be able to retrieve a sampled medication should that medication become recalled, expired, or discontinued; the effects of the medication be monitored; and a complete listing of all current medications be communicated when patients are transferred to another healthcare provider. It should be clear at this point how the Joint Commission relates to you and your practice, and how neglecting to follow these standards could put you and your organization at risk for malpractice, negligence torts, and/or a vicarious liability claim. The Joint Commission created a Standards Improvement Initiative (SII) that set forth a program of National Patient Safety Goals (NPSG) that relate to both hospitals and ambulatory healthcare.
Here is a quick breakdown of what these goals are trying to achieve: improving the accuracy of patient identification; improving the effectiveness of communication among caregivers; improving the safety of using medications; completely and accurately reconciling medications across the continuum of care; and encouraging patients’ active involvement in their own care as a patient safety issue.
A - Security and Privacy Rule requirements established by HIPAA fall into one of two categories: Addressable or Required. If a HIPAA specification is “required,” then covered entities must implement the controls identified in the Security Rule. For “addressable” specifications, the organization must assess the reasonableness and appropriateness of the safeguard in its environment and then either implement the specification or document why it is not reasonable or appropriate. For addressable specifications, an entity may use industry best practices to make a risk acceptance judgment within the parameters of HIPAA to determine what is reasonable, appropriate, or applicable. Industry best practices are not requirements but, just as the name states, the best practices given one’s situation and environment. An organization may use best practices as a guide or as input to the decision-making process. In contrast, organizations that do not use industry best practices and become the victim of a data breach or other type of security incident may be held liable for negligence or face other types of torts or legal action. Cmac suggests that organizations discuss the legal implications with a licensed attorney or their organization’s general counsel staff.