HIPAA Compliance Services
We aim to protect YOU (the healthcare organization) so that you can focus on your patients and business.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. It introduced the Meaningful Use program, which incentivizes healthcare organizations to maintain patients' Protected Health Information in electronic format rather than in paper files.
The Health Insurance Portability and Accountability Act (HIPAA), a Federal law enacted in 1996, requires the US Department of Health and Human Services (HHS) to develop national standards to protect the privacy and security of patients' medical records and other personal health information. In 2013 it was updated by the "Final Omnibus" rule, which added Enforcement and Civil Penalties provisions.
HITECH and HIPAA are separate and unrelated laws, but they reinforce each other in certain ways. For example, HITECH requires that any physician or hospital attesting to meaningful use must also have performed a HIPAA security risk assessment as outlined in the Omnibus rule.
What can we do?
- If you are a Covered Entity or a Business Associate whose organization has access to electronic Protected Health Information (ePHI), we help you comply with HIPAA regulations by:
- Helping you create and publish a HIPAA Privacy and Security Policy Manual,
- Training your workforce to understand HIPAA and your Privacy and Security Policies,
- Conducting the annual enterprise-wide HIPAA Security Risk Assessment.
Who does HIPAA affect?
According to HIPAA, if you belong to the category of "covered entities" or "business associates" and you handle "protected health information (PHI)," you are required to be HIPAA-compliant.
1. Covered Entities:
- Health Care Providers, such as doctors, surgeons, dentists, psychologists, podiatrists, laboratory technicians, optometrists, hospitals, clinics, nursing homes, organizations in the life sciences field such as medical devices and biotechnology, pharmacies, schools when they enroll students in health plans, nonprofit organizations that provide some healthcare services, and even government agencies.
- Health Plans, such as health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and military and veterans' health programs.
- Healthcare Clearinghouses. These are organizations that collect information from a healthcare entity, process the data into an industry-standard format, and deliver it to another entity. Examples of clearinghouses include billing services and community health management information systems.
2. Business Associates:
- "Business associate" refers to any organization or individual who acts as a vendor or subcontractor with access to PHI.
- Examples of business associates include: Data transmission providers, Data processing firms, Data storage or document shredding companies, Medical equipment companies, Consultants hired for audits, Electronic health information exchanges, External auditors or accountants, Medical transcription companies, Answering services, Data conversion and data analysis service providers, Law firms, Software vendors and consultants, Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing), ISPs, ASPs, Cloud vendors, Researchers (if performing HIPAA functions for a covered entity), etc.
The HIPAA Enforcement Rule has a tiered penalty structure: penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million per provision. Business associates and subcontractors are directly liable for their violations, and covered entities can also be penalized for their own violations. Look at some of the biggest HIPAA penalties enforced by the Office for Civil Rights (OCR):
- A Judge ruled in June 2018 that MD Anderson Cancer Center has to pay $4,348,000 in civil money penalties to OCR following an investigation of the theft of 3 unencrypted devices that resulted in a breach of ePHI of over 33,500 individuals.
- Fresenius Medical Care North America (FMCNA) is paying 3.5 million dollars with a corrective action plan after 5 separate data breaches in 2012, because it failed to implement policies and procedures and to properly protect PHI.
- CardioNet was fined 2.5 million with a corrective action plan after a laptop was stolen from an employee's vehicle. Further investigation revealed insufficient risk analysis and risk management at the company; its policies and procedures were still in draft and had not been implemented.
You can read more about enforcement by OCR in our blog on enforcement actions.
How prepared is your organization? 24By7Security's IT experts, with over 25 years of experience, can help you strengthen your cybersecurity program and ensure that all aspects of your organization are secure and operating effectively, while simultaneously meeting industry requirements.
Our Services include:
- Assessing Compliance With HIPAA Standards
- Security Risk Assessment
- Medical Device Risk Assessment
- Risk management and Corrective Action Plans
- Policies and Procedures
- Incident Response
- Internal and External Penetration Testing
- Training staff on HIPAA Security Rule, Privacy Rule and the Breach Notification Rule
- Insider Threat and Advanced Persistent Threat Assessment
- PCI-DSS compliance
- Part-time CISO Services
- Part-time Privacy Officer Services
- Web Application Testing
- Social Engineering Testing
- Physical Security Testing