We have experienced consultants who have spent time in the trenches and offer a broad array of consulting services to meet all aspects of HIPAA compliance.


HIPAA compliance is ever evolving and may seem complicated. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is broken into three primary rules: Privacy (45 CFR 164.500), Security (45 CFR 164.302) and Breach Notification (45 CFR 164.400).

The Privacy Rule established protection for protected health information whether in paper or electronic format. The rule defines patient rights that provide some control over their own health information and establishes standards regarding access, use and disclosure.

The Security Rule established requirements for electronic protected health information. In general, the rule outlines administrative, technical and physical safeguards that must be addressed by covered entities and business associates.

Last, but certainly not least, the Breach Notification Rule established detailed standards requiring covered entities to report breaches to impacted patients.

In 2009, the HITECH Act was signed and required Business Associates to implement the Security Rule safeguards. Additionally, it required covered entities and business associates to notify individuals of a breach. Then, in 2013, the Omnibus Rule modified the standard for a reportable breach to make breaches presumptively reportable. The rule also extended requirements to Business Associates, requiring them to have a privacy and security program in place, and assigned direct liability for criminal and civil penalties for uses or disclosures that violate the Privacy Rule.

No wonder HIPAA seems complicated… it is!

We have experienced consultants who have spent time in the trenches and offer a broad array of consulting services for healthcare organizations and business associates to meet all aspects of HIPAA compliance.

Here are some of the key components of our HIPAA Compliance Services:

  • Security Risk Analysis (SRA), an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (45 C.F.R. § 164.308(a)(1)).
  • Proven Office for Civil Rights investigation and corrective action support services. Whether you are in the middle of an investigation or have agreed to a corrective action plan, we can provide you with support.
  • 405(d) Audit Services that identify and document your implemented security best practices.
  • Vendor Risk Management framework and program development.
  • Information Asset Criticality/Business Impact Analysis.  
  • Virtual Privacy Officer (VPO) and Virtual Chief Information Security Officer (vCISO) services.
  • HIPAA Privacy, Security and Breach Notification Policy and Procedure Development.  
  • Privacy Assessment consistent with the Office for Civil Rights desk audit protocol. We will evaluate the current state of your existing program to determine compliance and identify any gaps.
  • Security Assessment consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  • Phishing simulation.
  • Privacy Officer and/or Security Officer training program designed to establish foundational knowledge for new leaders.
  • Evaluate entire IT infrastructure security (servers, computers, laptops, firewalls, remote access, EHR/Practice Management systems, wireless access, etc.).
  • Vulnerability Scanning provides network visibility and helps to identify risks and vulnerabilities that may be exploited by threat actors.
  • Evaluate your business associate agreement template and process. We will also help to create a list of all business associates for tracking.
  • Cyber Liability Insurance guidance.

Positive outcomes are possible for you and your patients.

We approach every engagement with a results-driven mindset, leveraging our deep industry expertise and data-driven insights to develop strategies that drive meaningful, measurable improvements in performance.