What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 by the US government and provides the rules and regulations for protecting the privacy of Protected Health Information (PHI) and the security of electronic records stored or transmitted by a Covered Entity or its Business Associates. This covers PHI in any form - physical copy, electronic or oral. PHI consists of individually identifiable patient information such as name, health records, demographic information, contact information, Social Security Number, etc.
Any company dealing with Protected Health Information (PHI), whether as a Covered Entity (CE) or a Business Associate (BA), should have physical, network and process safeguards in place to ensure compliance with HIPAA guidelines. A Denver-based public health clinic paid $400,000 as a HIPAA breach penalty when a phishing attack led to the compromise of 3200 patients' data. This could have been avoided with a compliance program that includes cyber security awareness training for employees.
What is HITECH?
To keep security standards current in the face of evolving health technology and the increased use, storage and transmission of ePHI, the HITECH (Health Information Technology for Economic and Clinical Health) Act was enacted. It strengthens enforcement of HIPAA requirements by raising the penalties imposed on violating health organizations.
HIPAA Risk Analysis
Risk management is one of the critical steps in becoming compliant with HIPAA guidelines. HIPAA requires Covered Entities and Business Associates to “conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI)”. A risk analysis involves 8 important steps:
- Scope Identification: Determining potential risks affecting the confidentiality, availability, and integrity of all ePHI. This includes ePHI that a covered entity creates, receives, maintains, or transmits.
- Data Gathering: Finding where PHI data is being stored, received, maintained or transmitted.
- Threat Identification : Finding and documenting any possible threats to ePHI and any vulnerabilities that may lead to a data breach. Identifying and assessing gaps can help organizations effectively avoid non-compliance.
- Security Assessment: Evaluating current security posture of the organisation to deal with risks associated with ePHI. Technical measures usually include access controls, encryption methods, automatic logoff and audit controls. Non-technical measures include policies, procedures, accountability, and physical and environmental security measures.
- Determining the Likelihood of Threat Occurrence: Estimating the probability that each identified threat leads to a data breach.
- Determining the Potential Impact of Threat Occurrence: Along the same lines, estimating the potential loss incurred if a threat materializes.
- Determining the Level of Risk: Taking into consideration both impact levels as well as the likelihood of occurrence of a threat to determine the level of risk.
- Implementation of Security Measures and Documentation: Implementing and documenting the corrective actions for mitigating the risks identified.
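Steps 2 through 7 above are easier to follow with a concrete risk register, so here is a small worked example added to this page (it is not an HHS or Crossbow Labs tool). It records where ePHI lives, the threat against it, the existing controls, and ordinal likelihood and impact ratings, then derives a risk score and level and flags the scenarios that need a treatment plan. The 1-3 rating scale, the score thresholds for low/medium/high, and the four sample scenarios are constructed assumptions for illustration only; a real analysis would use the organisation's own scales and inventory.

```python
"""Illustrative ePHI risk register: likelihood x impact -> risk level.

Added example, not from HHS or Crossbow Labs. The 1-3 scales, the
matrix thresholds and the sample scenarios are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scale shared by likelihood, impact and risk level.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskScenario:
    asset: str          # step 2: where ePHI is stored, received, maintained or transmitted
    threat: str         # step 3: threat or vulnerability that could lead to a breach
    controls: tuple     # step 4: safeguards already in place
    likelihood: str     # step 5: "low" | "medium" | "high"
    impact: str         # step 6: "low" | "medium" | "high"


def risk_score(scenario: RiskScenario) -> int:
    """Step 7: combine likelihood and impact into a numeric score (1..9)."""
    return SCALE[scenario.likelihood] * SCALE[scenario.impact]


def risk_level(score: int) -> str:
    """Map a score onto the assumed 3x3 matrix: >=6 high, 3..5 medium, else low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed sample inventory of ePHI assets and threats (not real findings).
SAMPLE_SCENARIOS = (
    RiskScenario("Clinic workstations with email access",
                 "Phishing leading to credential theft and ePHI exposure",
                 ("spam filtering",), "high", "high"),
    RiskScenario("Offsite backup media",
                 "Loss or theft of unencrypted backup media",
                 ("locked transport case",), "medium", "high"),
    RiskScenario("Patient portal database",
                 "Unauthorised access through a shared administrator account",
                 ("audit logging",), "medium", "medium"),
    RiskScenario("Front-desk printer",
                 "Printed PHI left unattended in the output tray",
                 ("clean-desk policy",), "low", "low"),
)


def build_register(scenarios, acceptable_level: str = "low"):
    """Score every scenario and sort highest risk first.

    A scenario needs treatment (step 8) when its level exceeds the
    organisation's acceptable level.
    """
    rows = []
    for s in scenarios:
        score = risk_score(s)
        level = risk_level(score)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "existing_controls": list(s.controls),
            "likelihood": s.likelihood,
            "impact": s.impact,
            "score": score,
            "level": level,
            "treatment_required": SCALE[level] > SCALE[acceptable_level],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def treatment_plan(register):
    """Return only the rows that must be mitigated and documented."""
    return [r for r in register if r["treatment_required"]]


if __name__ == "__main__":
    register = build_register(SAMPLE_SCENARIOS)
    for r in register:
        flag = "TREAT" if r["treatment_required"] else "accept"
        print(f"{r['score']:>2} {r['level']:<6} {flag:<6} {r['asset']}: {r['threat']}")
```

Running it prints the register ranked from highest to lowest risk, with the phishing and unencrypted-backup scenarios at the top; passing `acceptable_level="medium"` shows how raising the risk appetite shrinks the treatment plan without changing the underlying scores.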
HIPAA – Compliance Assessment
An attested report from an independent auditor is the best way to demonstrate HIPAA compliance. We, at Crossbow Labs, follow a 5-step approach to get you compliant with HIPAA:
- Gap Assessment
Identify gaps concerning Physical, Network, and Processes safeguards
- Risk Assessment
Assess and document risk scenarios and risk scores, and prepare a risk treatment plan to reduce risks to acceptable levels
- Controls Implementation
Crossbow Labs consultants will guide you in implementing the right set of controls to fix the gaps
- HIPAA Compliance Audit
This is where our HIPAA consultants validate that all the gaps are fixed and re-evaluate the risks to confirm they are at acceptable levels
- HIPAA Compliance Report
On successful completion of the audit we will issue a comprehensive report which you can share with your customers or business partners to showcase compliance with HIPAA
Get in touch, let’s evaluate your risks.