The goal of the Health Insurance Portability and Accountability Act (HIPAA) is to simplify the administrative processes of the healthcare system and to protect patients’ privacy. Any organization maintaining or transmitting electronic Protected Health Information (ePHI) must comply with HIPAA. This now includes business associates, which are contractors and subcontractors that perform services on behalf of a covered entity.
HIPAA comprises three major rules related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule. Each one is included in the overarching Omnibus Rule, which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA).
Core HIPAA / HITECH Rules
Since 2012, the Office of Civil Rights (OCR) has been conducting random audits to ensure covered entities and business associates are in compliance with these rules. Failure to comply can result in steep civil and criminal penalties, scaled to the care and diligence your organization takes to protect your customers’ ePHI.
38North’s HIPAA compliance consultants currently support multiple healthcare and research providers, and we have significant experience measuring HIPAA compliance and implementing the full set of required safeguards. We take a holistic view of your compliance challenges and integrate them into your existing information security and privacy programs, while remaining sensitive to your budgetary and resourcing constraints.
Our HIPAA services include:
HIPAA Gap Analysis: This is ideal for organizations that are new to HIPAA/HITECH regulations and don’t know how to get started. Our HIPAA gap analysis educates you on the process while examining your information security and privacy programs to see how they fare against the three HIPAA rules. We also advise you on how much it will cost to attain HIPAA/HITECH compliance, identify any risks and challenges, and focus on the most critical items to get you ready for action.
HIPAA Risk Assessment: We conduct a detailed HIPAA-focused risk assessment to gain an understanding of your business and existing security and privacy controls to see how they fare against all HIPAA/HITECH requirements. We then present you with a detailed roadmap with prioritized recommendations on remediating weaknesses with existing administrative, physical and technical safeguards.
HIPAA Remediation Support: Once you’ve obtained an unbiased view of your compliance posture, it’s time to start planning, developing and implementing remedial measures. This may be in the form of new technologies, policies, plans and/or procedures or training and awareness sessions. It also may include tailoring organizational processes to squeeze a little more out of your existing investments.