HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules address the administrative, physical, and technical safeguards that healthcare organizations must put in place to secure individuals' electronic protected health information (e-PHI).

  • The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

  • The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

  • The Enforcement Rule establishes provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The Health Information Technology for Economic and Clinical Health Act (the HITECH Act) of 2009 strengthens enforcement of the HIPAA rules.

  • The Breach Notification Rule establishes requirements for HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

HIPAA Main Components

The Enforcement Rule establishes:

  • Four categories of violations that reflect increasing levels of culpability;

  • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and

  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

Given the diverse nature of healthcare organizations, the HIPAA Administrative Requirements are designed to be flexible and scalable so that an organization can implement policies, procedures, and technologies appropriate to its size, organizational structure, and risks to e-PHI.

Who must comply with the HIPAA Rules?

Health care providers, health plans, health care clearinghouses, and their business associates must comply with the HIPAA Rules. The HIPAA Rules provide a floor of federal protections for PHI and do not override state laws that offer greater protections or that do not create a conflict, and vice versa.

Who enforces the HIPAA Rules?

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has responsibility for enforcing HIPAA with compliance activities and civil money penalties.

Contact us to get started!

Secliance cybersecurity and controls specialists can help you objectively navigate and implement HIPAA compliance requirements. Our HIPAA Compliance services include:

  1. Develop a HIPAA awareness program

  2. Document current processes, including HIPAA-related policies, procedures, reports, and activities

  3. Perform a Security Risk Analysis to assess the potential threats and vulnerabilities to the confidentiality, integrity, and availability of e-PHI

  4. Develop action plans to mitigate the identified risks, incorporating all 5 components (i.e., administrative safeguards, physical safeguards, technical safeguards, organizational standards, and policies and procedures)

  5. Establish a continuous monitoring program

  6. Continuously audit and update security practices, as applicable

Do you have questions about HIPAA Compliance? Contact Stella Bridges directly at stella.bridges@secliance.com.