HIPAA / HITECH Compliant
Health Insurance Portability and Accountability Act (HIPAA) was signed in 1996 with the goal to modernize the flow of healthcare information. It consists of 5 titles, and in the Cyber Security context, Title II is the most relevant.
HIPAA Title II establishes national standards for healthcare providers, healthcare insurance providers, and employers on handling the personal and health information. It addresses Security, Privacy, and Right to Access aspects of protected health information (PHI).
The HIPAA rules are being enforced by civil money penalties for HIPAA violations.
Health Information Technology for Economic and Clinical Health Act (HITECH Act) is a 2009 addition to HIPAA that incentivized adoption of Electronic Health Records (EHR). In addition it expanded the requirements to Business Associates that provide services for HIPAA Covered Entities.
HITECH also extended and updated the civil and criminal penalties for HIPAA violations.
What does being HIPAA Compliant mean?
The HIPAA Privacy & Security rules regulate the use and disclosure of Protected Health Information (PHI), paper and electronic (ePHI).
Being HIPAA compliant means demonstrably meeting the compliance guidelines in the three safeguard categories: Administrative, Physical, and Technical.
What are the HIPAA Privacy & Security Rules?
Administrative Safeguards – policies and procedures that define and show how the entity complies with the act. Third party compliance reviews, contingency plan, access controls, internal audits, and documentation are some of the domains that need to be covered.
Physical Safeguards – control of physical access to protected information. These include network access, hardware and software, building security, visitors escorts, workstation security.
Technical Safeguards – control of access to computer systems containing and transmitting PHI. These should cover encryption, intrusion protection, data integrity, authentication, configuration management, risk analysis.
Who does it apply to?
HIPAA and HITECH define two categories of entities that need to comply with the Acts:
HIPAA Covered Entities – Healthcare providers and health plans administrators that store or transmit Protected Health Information.
HIPAA Business Associate – Entities that have access to Protected Health Information to perform services for a HIPAA covered entity. These include software providers, cloud service providers, data storage facilities and others. According to HITECH every entity, individual or business, that has that has access to PHI needs to comply with the Act’s rules.
How can GoldSky Security Support your HIPAA Compliance needs?
HIPAA Security Risk Assessment – As required by HIPAA, risk analysis and risk management programs need to be in place and well documented. These documents demonstrate that the organization took all reasonable precautions to protect the data.
HIPAA Security & Privacy Compliance Assessments – Compliance and gap assessments are designed to unveil areas of high risk for data or compliance. GoldSky will assess the design, implementation, and effectiveness of required controls. If deficiencies are identified, remediation steps will be outlined.
Training, Workshops, and Advisory – Depending on your unique challenges, we will assist with HIPAA compliance needs for the organization.
Our GoldSky Security resources in Orlando, Denver, Nashville, Tampa & Phoenix can help support your HIPPA compliance requirements. Please reach out [email protected].