
The goal of the Health Insurance Portability and Accountability Act (HIPAA) is to simplify the administrative processes of the healthcare system and to protect patients’ privacy. Any organization maintaining or transmitting electronic Protected Health Information (ePHI) must comply with HIPAA. This now includes business associates, which are contractors and subcontractors that perform services on behalf of a covered entity.

HIPAA is comprised of three major rules related to data protection: the security rule, the privacy rule and the breach notification rule. Each one is included in the overarching Omnibus Rule, which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA).


Security Rule: This rule dictates the administrative, physical and technical controls necessary to secure ePHI, whether it is created, maintained, stored or in transit. Covered entities and business associates must conduct risk assessments and protect against unauthorized access.

Privacy Rule: This rule institutes safeguards for the control of personal health information, no matter its format — oral, written or electronic. It sets limits for the disclosure of patient information without their consent and spells out the rights patients have over their data.

Breach Notification Rule: In the event of a data breach involving ePHI, this rule requires HIPAA-covered entities and their business associates to notify affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS), and in some cases, prominent media outlets — unless they can prove there is a low risk of compromise based on a risk assessment.

Since 2012, the Office of Civil Rights (OCR) has been conducting random audits to ensure covered entities and business associates are in compliance with these rules. Failure to comply can result in steep civil and criminal penalties that are based on the care and diligence your organization takes to protect your customers’ ePHI.

38North’s HIPAA compliance consultants currently support multiple healthcare and research providers, and we have significant experience measuring HIPAA compliance and implementing an arsenal of required safeguards. We take a holistic view of your compliance challenges and integrate them into your existing information security and privacy programs, while remaining sensitive to your budgetary and resourcing constraints.

Our HIPAA services include:

HIPAA Gap Analysis: This is perfect for organizations that are new to HIPAA/HITECH regulations and don’t know how to get started. Our HIPAA gap analysis educates you on the process while taking a look at your information security and privacy programs to see how they fare against the three HIPAA rules. We also advise you on how much it will cost to attain HIPAA/HITECH compliance, identify any risks and/or challenges and focus on the most critical items to get you ready for action.

HIPAA Risk Assessment: We conduct a detailed HIPAA-focused risk assessment to gain an understanding of your business and existing security and privacy controls to see how they fare against all HIPAA/HITECH requirements. We then present you with a detailed roadmap with prioritized recommendations on remediating weaknesses with existing administrative, physical and technical safeguards.

HIPAA Remediation Support: Once you’ve obtained an unbiased view of your compliance posture, it’s time to start planning, developing and implementing remedial measures. This may be in the form of new technologies, policies, plans and/or procedures or training and awareness sessions. It also may include tailoring organizational processes to squeeze a little more out of your existing investments.

Contact us for more information on achieving and maintaining HIPAA/HITECH compliance.

What is ePHI? ePHI is defined as “identifiable demographic and other information relating to the past, present or future physical or mental health or condition of an individual.”