HIP – One

HIPAA Implementation Model One

Yearly Renewable License

Our comprehensive HIPAA solution is made possible through our partnership with ACR2 Solutions.  Experts in the field of Risk Management and IT Compliance Solutions, their tools provide state of the art automated software as a service (SaaS).

This includes leveraging vulnerability scanning technology based on the Security Content Automation Program (SCAP) developed by Homeland Security after the events of 9/11.  The SCAP scanner does as many as 600 registry and software setting checks in a few minutes and compares them to the National Institute for Standards and Technology standards (NIST).  This automation greatly improves the quality of the data used to create the Risk Assessment.

Security threats to IT systems are relentless and inevitable.  Our HIPAA automated tools enable our clients to establish their risk, remediate their threats and vulnerabilities while complying with the Health Insurance Portability and Accountability Act (HIPAA) on a real-time basis.

Our HIP ONE model provides a HIPAA Risk Assessment and HIPAA Privacy and Security policies through an automated reporting Client Portal.

Element of a Compliant Risk Assessment and Reports

  1. Scope of the Analysis
  2. Data Collection
  3. Identify Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Likelihood of Threat
  6. Determine the Potential Impact of Threat Occurence
  7. Determine the Level of Risk
  8. Finalize Documentation
  9. Periodic Review and Updates to the Risk Assessment

Learn More…

Risk Assessment Reports:

  1. Risk Assessment Baseline Report
  2. Gap Report
  3. HIPAA Security Rule Compliance Report
  4. HIPAA Privacy Rule Compliance Report
  5. NIST Security Rule Compliance Report
  6. NIST Privacy Rule Compliance

HIPAA Security and Privacy Policies and Procedures

Once the Risk Assessment is completed, the organization is required to remediate the risks and vulnerabilities identified in the Risk Analysis.

We have found that organization’s often lack HIPAA policies and procedures to enforce the HIPAA Security Rule. This is particularly true in small practices where the office manager is often the Privacy and Security Officer, and who may lack the expertise to create and enforce adequate policies.

Our HIP ONE model includes a set of HIPAA Security and Privacy policies and procedures based on guidance provided by NIST Special Publication 800-66.

Remediation of identified risks and vulnerabilities is accomplished through use of HIPAA policies and procedures.  Documentation of work is automatically logged into the Document Management folder and resides in the Client’s Portal.  

Business Associate Management

Our Privacy Safeguard policies provide templates of Business Associate Agreements that can be customized to meet our Clients’ needs

Business Associate (BA) management is an important aspect of a Covered Entities (CE) HIPAA security program. Yet many BAs are unclear about how they must comply with the HIPAA Security Rule. In addition, CEs’ find it challenging to properly manage their BA relationships as they come to terms that both parties are directly liable to comply with the HIPAA Security Rule, Breach Notification Rule, and applicable portions of the Privacy Rule.

First and foremost, it is important to identify BA relationships as stated under CFR 45, §160.103. A BA and companies that are subcontracted by a BA that create, receive, maintain, or transmit protected health information are BAs, and must comply with HIPAA Privacy and Security Rules. The work being performed, and not the contract or agreement, defines whether a BA relationship exists.

The BA contract, also known as a Business Associate Agreement, states the permitted use of protected health information and ensures a BA’s compliance with the HIPAA Rules. Pre-contract due diligence should include a security
questionnaire to the BA and include proof that the BA has completed a current and proper security risk assessment (a BA requirement as of September 23, 2013 per the HIPAA Omnibus Rule).

Optional Services

Privacy and Security Awareness Training and Testing

Our HIPAA awareness training is provided through our Client’s Portal and includes the following:

  • Course materials in an on-demand video streaming format
  • Testing that documents subject mastery
  • Course certificates, by email, to training attendees
  • Log of all tests results for all employees, temps and contractors
  • Custom training and testing options are available

Flexible security and privacy reminders tool for keeping  documentation of efforts to comply with staff training mandates

1-Year HIPAA On-line Implementation Service

We also offer a one-year (hand-holding) program where one of our consultants meets monthly with your Compliance Officer for the purpose of guiding them through HIPAA implementation. 

The meeting is a 1-hour per month session on a pre-established scheduled date to discuss and provide guidance on HIPAA policies and procedures.

Provided your Compliance Officer attends each monthly session and completes the work, within the year, most of your HIPAA policies and procedures should be implemented.

HIPAA Privacy and Security Automated Compliance Reporting Client Portal

The Risk Assessment, policies and procedures and all of the work related to HIPAA compliance are housed in our Client’s Portal. No more searching multiple files to locate HIPAA compliance related documents. Remediation of Risk Assessment documentation shows “real time” compliance, and ultimately contributes to an efficient and effect HIPAA implementation program. The portal offers the following:

  1. Saas program automates many of the processes required for real compliance all the way to “real time
    1. Utilizes state of the art Department of Defense (DOD) technology SCAP Scanners and automated syslog parsing to save time
    2. Most “tools” are just snapshots taken by consultants
  2. HIPAA Security and Privacy Compliance Automated Tools
    1. Compliant HIPAA Security Risk Assessment (meets the requirements for Meaningful Use)
    2. Security and Privacy Assessment employs NIST’s latest guidance
    3. Program is NIST based and directly traceable to Federal Standards
  3. Massively Scalable and Flexible
    1. Compliance Portal for quick management of all your risk assessment sites (Single to 1,000’s sites)
    2. Single site, Enterprise and Megaprise offerings
  4. Document Management and Logging System
    1. Program has an interface that logs all submitted activities and uploaded documents
    2. Documents your activities – proof of actions taken and by whom
    3. Tracks all training with ease
  5. Compliance Task Scheduler for managing ongoing compliance
    1. Able to send 1 email to 1 person or periodic emails to groups
    2. Annual Subscription with unlimited access for a ‘real ongoing’ Compliance program


Per HIPAA 164.308(a)(1)(ii)(A), a HIPAA Risk Assessment is the first step towards HIPAA Compliance, and is mandated for all organizations that access, store and or transmit ePHI.  The cycle of compliance requires a Risk Assessment, a determination of the risks and vulnerabilities of breach, remediation through implementation of HIPAA policies and procedures and the cycle of compliance repeated on an on-going basis.

EMR Consulting Solutions Inc., Risk Assessment tools combine the automated collection of network data with information gathered through observations, worksheets and surveys.  Our applications employ a built-in risk assessment engine that automatically generates a complete set of HIPAA gap analysis reports.

Link to Risk Analysis definition: