
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009, and the Final Omnibus Rule in 2013. Despite the years that have passed, HIPAA compliance is still a challenge for many health care organizations, and breach incidents involving personally identifiable information (PII), and specifically protected health information (PHI), continue to be reported.

New technologies keep evolving, and the health care industry has moved away from paper processes and now relies heavily on electronic information systems to store and process data. The move to the cloud adds to the industry's challenges, as the majority of organizations have adopted cloud services for their various benefits.

Today, healthcare providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, most of them hosted in some form of cloud environment. One of the top cloud risks is misconfigured servers and storage, which can lead to data breaches. Another major risk is insecure APIs: organizations use APIs to transfer data to business partners without a secure architecture in place, without conducting proper vendor due diligence, and without evaluating the risks across the data flow lifecycle.

Organizations still face compliance challenges, and most findings relate to basic security hygiene such as risk management, policies, data minimization, and encryption. Organizations are being fined millions of dollars, and breaches affecting 500 or more individuals are published on the HHS Office for Civil Rights breach portal, commonly known as the "Wall of Shame".


HIPAA Overview

HIPAA is United States legislation that provides data privacy and security provisions to safeguard medical information. It applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions; these entities are referred to as "covered entities" and must comply with all the mandates of HIPAA, ensuring that patient information is kept confidential and secure. Business associates that create, receive, maintain or transmit PHI on behalf of a covered entity are also directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule.

HIPAA is divided into five Titles, of which Title II (Administrative Simplification) defines the requirements for the security and privacy of individually identifiable health information, known as protected health information (PHI). Title II defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and sets civil and criminal penalties for violations.

Title II is primarily implemented through the following rules:

  • The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of PHI in any form.
  • The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of administrative, physical and technical safeguards for PHI that is held or transferred in electronic form (ePHI).
  • The Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI.


HIPAA Compliance Requirements

Covered entities (health plans, health care clearinghouses, and health care providers) and their business associates (BAs, e.g., health information exchanges and organizations that perform financial, research, claims processing or other administrative functions involving PHI on a covered entity's behalf) are being asked with increasing frequency to demonstrate that they meet the security and privacy requirements of HIPAA and have taken appropriate measures to:

  • Secure their environment.
  • Be vigilant in anticipating what might occur in the evolving security landscape.
  • Implement appropriate measures to detect and react to existing and emerging threats.
  • Be resilient in their ability to recover operations when a security incident does occur.
  • Encrypt ePHI at rest and in transit in line with HHS guidance, so that lost or stolen data does not count as "unsecured PHI" under the Breach Notification Rule. Encryption is not de-identification: data is de-identified under the Privacy Rule only when the listed identifiers are removed (Safe Harbor) or an expert determines the re-identification risk is very small, whereas encrypted data is still PHI.


As required under the HIPAA rules, healthcare organizations must have a Business Associate Agreement (BAA) in place with any vendor or third party that creates, receives, maintains or transmits PHI on their behalf. It is equally important to understand the data security controls of those business associates. HIPAA provides rules and regulations for protecting the privacy of Protected Health Information (PHI) and the security of electronic records stored or transmitted by a Covered Entity or its Business Associates. PHI covers information in any form: physical copy, electronic or oral. PHI consists of individually identifiable patient information such as name, health records, demographic information, contact information, Social Security Number, etc. Any company, whether a Covered Entity (CE) or a Business Associate (BA), that deals with PHI should have all the security measures in place, physical, network and process, to ensure compliance with HIPAA requirements.



What is SecurWires Offering?

SecurWires Technologies and Services LLP is a PCI SSC Authorized Qualified Security Assessor (QSA) Company, a CIS SecureSuite Member Company and a Member of the Data Security Council of India (DSCI). SecurWires is a pure-play Cyber Security and Information Security Company dedicated to helping businesses run their Cyber Security and Information Security Programs more effectively. SecurWires is vendor neutral; we do not resell any software or hardware and will always recommend the best solution for the organization. Our professionals provide industry-leading expertise to help organizations meet their evolving Data Security and Privacy needs.


HIPAA Compliance Audit and Report

An attested report from an independent auditor is the best way to demonstrate HIPAA compliance. SecurWires follows a five-step approach to get you compliant with HIPAA:

  • Gap Assessment: Identify gaps with regard to physical, network and process controls.
  • Risk Assessment: Assess and document risk scenarios and risk scores, and prepare a risk treatment plan to reduce risks to acceptable levels.
  • Controls Implementation: SecurWires consultants will guide you in implementing the right set of controls to close the gaps.
  • HIPAA Compliance Audit: In this phase our HIPAA consultants validate that all gaps have been fixed and re-evaluate the risks to confirm that the residual risk is acceptable.
  • HIPAA Compliance Report: On successful completion of the audit we issue a comprehensive report, which you can share with your customers or business partners to demonstrate compliance with HIPAA.


Risk management is one of the critical steps in becoming compliant with HIPAA. The Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires Covered Entities and Business Associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" (ePHI) they hold, and a missing or incomplete risk analysis is one of the most common findings in OCR enforcement actions. SecurWires can help you identify risk scenarios and implement adequate security controls to mitigate the risks. Once the controls are implemented, we re-evaluate the risks to ensure the controls have been implemented correctly.



Talk to our experts to know more about our Data Security and Privacy offerings

Speak to our Security Expert





