Every organization that stores, processes or transmits personal health information (PHI) must comply with the Health Insurance Portability and Accountability Act in order to ensure the safety of all protected personal data. Ensure that your organization meets HIPAA compliance and HITECH security requirements with a comprehensive audit of your organization’s security controls, or validate your internal HIPAA audit or risk assessment.

    A thorough HIPAA audit with a compliance-focused security analysis affords the least impact to the organization when validating against the nearly 60 unique security provisions within the HIPAA Security Rule (45 CFR Parts 160, 162, 164). Many organizations are concerned about how to demonstrate conformity with the least amount of impact to the organization; our audit process helps organizations meet HIPAA regulatory requirements as well as the HITECH Act’s “Meaningful Use” phase 1 and phase 2. Get your compliance validation process started with our HIPAA Security Risk Assessment: get a quote, or read below for more information.

    Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) attempts to answer the question of how to demonstrate conformity by placing requirements for assessment into the Rule: Sec. 164.308 Administrative Safeguards. A covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information held by the entity. Where is electronic protected health information stored, and how does it move through your organization? What risks and foreseeable threats exist today to your information, systems, and facilities? Where are your weaknesses, vulnerabilities, and misconfigurations? Are you HIPAA compliant? Do you conform to the HIPAA Security and Privacy Rules? What is HIPAA compliance anyway?

    Do you need a road map to HIPAA security? Do you need to know how to be HIPAA compliant?

    There are 77 audit protocol provisions of the Security Rule that covered entities must consider for implementation. These are in addition to the 88 required audit provisions of the Privacy Rule. Each of these provisions is frequently referenced as a separate rule even though there is only a single HIPAA Rule each for privacy and for security. You must have documentation indicating whether each audit provision or protocol was considered reasonable and appropriate, whether it was implemented, whether it was implemented through an alternate solution, and why.

    How much security is enough for your organization? What is reasonable and appropriate? What proof do you have to support your decisions? Is addressable really required in order to pass a HIPAA Audit? Do you need to know how to be HIPAA compliant?

    HIPAA Regulatory Security Assessments or HIPAA Audit

    A HIPAA Regulatory Security Assessment or Audit provides the unbiased analysis and documentation of your security measures and delivers the detailed information you need to design, plan, and implement improvements.

    Diagram showing HIPAA security assessment components

    • On-site Assessment — Inspects the state of your administrative, physical, and technical security policies, plans, procedures, systems, and networks.
    • Risk Assessment — Identifies assets, potential threats, and operational risks.
    • Internal & External Vulnerability Assessment — Identifies technical weaknesses and vulnerabilities.
    • Gap Analysis — Identifies which areas conform to the Security Rule provisions and which do not; used for planning any remediation efforts and as proof of due diligence.
    • Remedy Recommendation — Documents reasonable and appropriate recommendations to support your rationale in designing and implementing any Required and Addressable safeguards.

    Subject Matter Experts (SMEs) in HIPAA Compliance

    We are subject matter experts (SMEs) in HIPAA compliance, HITECH audits and security assessment. Our skilled and experienced security consultants deploy with all the tools necessary to assess your organization’s security controls within a process specifically designed for HIPAA Security and Privacy Rules compliance. The result is an in-depth documented assessment and recommendation/remediation package. Findings are reviewed in detail with your staff.

    Offset the Cost of HIPAA Compliance

    Offset the cost of compliance with outsourced efficiency. An investment is required to acquire the security expertise, planning, implementation processes and tools needed to accurately and thoroughly audit for compliance. Spohn’s HIPAA Audit offsets the total cost of periodic auditing through lower-cost, on-demand services.

    External References

    Do you conform to the HIPAA Security and Privacy Rules?

    The Texas Medical Privacy Law, the California Medical Privacy Laws and Florida’s FIPA are already in effect, with other states like New York, Colorado and Alaska looking to follow suit soon. Compliance was required within 60 days. Did you make the deadline? Could you? Are you ready to be audited today? Settlements from this year’s and last year’s HIPAA compliance audits are earmarked for the next round of enforcement efforts, meaning more audits. There are substantial penalties for non-compliance and new training requirements. Don’t be one of the unprepared funding the next round of compliance audits!

    HIPAA Audit Protocols

    The most significant pieces of health care regulatory requirements coming from the HIPAA Act, the HIPAA Security Rule and the HIPAA Privacy Rule, were announced and adopted on 13 February, 2003, by then HHS Secretary Tommy Thompson. The final standards were published in the 20 February Federal Register with an effective date of 21 April, 2005.

    The deadline for compliance with the HIPAA Security Rule and HIPAA Privacy Rule was set for 20 April, 2005. At that point it was mandated that health care providers and “covered entities” comply with the 77 provisions or audit protocols of the HIPAA Security Rule and the 88 provisions for Privacy and Breach alone.

    The “HIPAA Rule”: the following is the overall guiding standard within the Rules (Security and Privacy), mandating the levels of physical, electronic and policy security needed to ensure the confidentiality, integrity and availability of ePHI (electronic protected health information), and serving as the basis of the official audit protocols:

    • Sec. 164.306 Security standards: General rules. (a) General requirements. Covered entities must do the following:
      (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
      (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
      (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
      (4) Ensure compliance with this subpart by its workforce.

    The following five sections of security safeguards include many of the 77 audit protocols or provisions for meeting the guiding standard above:

    • Sec. 164.308 – Administrative safeguards
    • Sec. 164.310 – Physical safeguards
    • Sec. 164.312 – Technical safeguards
    • Sec. 164.314 – Organizational requirements
    • Sec. 164.316 – Policies and procedures and documentation requirements

    Section 164.316 of the Security Rule requires covered entities to conduct an accurate and thorough assessment as part of their compliance effort.

    • Sec. 164.308 Administrative Safeguards
      (a) A covered entity must:
      (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.
      (1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
      (1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

    The official HIPAA Security audit protocols, the 77 provisions, were only officially published in July of 2012, along with the 88 provisions for privacy and breach. Prior to that, there were only suggested and draft protocols.

    The HITECH Act is part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to health care information technology in general, including significant incentives designed to increase the use of Electronic Health Record (EHR) systems among health care providers and their partners. The most significant parts, from a HIPAA Rule perspective, are that it provides for enforcement and oversight of HIPAA and expanded the definition of covered entities.

    HB300 became the Texas Medical Privacy Law on September 1, 2012, significantly expanding the definition of covered entities and providing state-level enforcement and oversight of the HIPAA Rule above and beyond Federal requirements.

    External Links:

    HHS.Gov – HIPAA Audit Protocol
    HHS.Gov “Wall of Shame” Reported Breaches 

    Spohn has experienced, professional security consultants and auditors to help your organization avoid the penalties for non-compliance with the HIPAA Rule, the 77 security audit protocols and the 88 provisions for privacy and breach. Did you know “Addressable” is as much a pass/fail criterion for an audit as “Required”? We have years of experience and a proven track record of success! Contact Spohn for more information on HIPAA, HITECH or Texas Medical Privacy Law audits: call 512-685-1837.


    What is HIPAA Compliance?

    HIPAA Compliance is not HIPPA Compliance. The acronym is for the Health Insurance Portability and Accountability Act (HIPAA), but if you got it wrong don’t feel bad: many mistype it, and we have even gotten calls from those looking for a HIPPO Audit, as in hippopotamus!

    Compliance is not a certification you can hang on a wall. There is no gold- or silver-sealed document proclaiming “ABC Hospital, San Antonio, Texas has been awarded HIPAA Certification number 1234567890”; such a thing does not exist. It’s not like PCI, where you can go to a site, pay $200, click a button that will scan your external IP addresses, and receive a report and document declaring you are safe to engage in business.

    HIPAA compliance does not equal network or data security. Both network and data security, by most definitions, focus on technical countermeasures and tools; HIPAA is much more policy- and procedure-based.

    Compliance does not mean you automatically comply with Texas HB 300 (the Texas Medical Privacy Law) or the California Medical Privacy Laws, and it comes nowhere near addressing Florida’s FIPA Privacy Law. All three make the questions of who needs to be HIPAA compliant and what it takes to be HIPAA compliant more complex, and more costly should you fail to meet compliance requirements; each also expands who is a business associate or changes reporting requirements or timetables.

    HIPAA compliance generally refers to adherence to, or conformity with, the provisions of the HIPAA Security Rule: 77 sections of language that provide little clarification (Sec. 164.308 – Administrative safeguards, Sec. 164.310 – Physical safeguards, Sec. 164.312 – Technical safeguards, and so on), with ambiguous wording like “Protect against any reasonably anticipated uses or disclosures”, “Ensure compliance with this subpart by its workforce” or “Take all reasonable measures to ensure the security of data in transit”, and terms like “addressable”, which sounds optional but is mandatory.

    Compliance is tricky and very complex. That is why we employ a team of experienced auditors and security consultants to produce a HIPAA Compliance Assessment report and a detailed Opinion report mapping out your adherence to the HIPAA Security Rule, to what level, and how to achieve complete compliance (remediation), or the likelihood of compromise should you choose to accept the risk.

    Our reports will not have a gold or silver emblem of “HIPAA Compliance”, but they do contain detailed, actionable information about your compliance level and the road map to reach your compliance goals.

    External resources: