HIPAA Compliant Solutions

Let us ensure your ePHI is protected and you are fully HIPAA compliant while you take care of the core objective of your day to day operations.

WE ARE WATCHING SO YOU CAN FOCUS ON YOUR BUSINESS

Technical Protections

✔ Encrypted ePHI (at rest and in transit)
✔ Secure Backups & Disaster Recovery
✔ Anti-Virus/Anti-Malware

Physical Protection

✔ ePHI Access Controls (release or disclosure)
✔ Authentication procedures
✔ Isolated Web Server, Database Server, Web Application Firewall

Data Security

✔ End-to-End Encryption
✔ Network segregation
✔ Intrusion Detection/Prevention

Administrative Compliance

✔ Systematic risk management
✔ Staff security training
✔ Compliance management

Contact Us Common Violations

Important HIPAA Rules

The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

● It gives patients more control over their health information.
● It sets boundaries on the use and release of health records.
● It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
● It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
● And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI. Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. The impermissible use or disclosure of PHI is presumed to be a breach unless you demonstrate there is a low probability the PHI has been compromised based on a risk assessment of at least the following factors:

● The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
● The unauthorized person who used the PHI or to whom the disclosure was made
● Whether the PHI was actually acquired or viewed
● The extent to which the risk to the PHI has been mitigated.

Most notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

The rule effectively merges four separate rule makings, which are as follows:

● Amendments to HIPAA Privacy and Security rules requirements;
● HIPAA and HIPAA HITECH under one rule now;
● Further requirements for data breach notifications and penalty enforcements;
● Approving the regulations in regards to the HITECH Act’s breach notification rule;

The Omnibus Rule includes regulations that will
● Manage the use of patient information in marketing;
● Includes a provision that requires healthcare providers to report data breaches that are deemed not harmful;
● Makes certain that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA.
● The rule requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.

The HIPAA Omnibus Rule changed how business associates are expected to maintain PHI security.

“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”

Step by Step Compliance

Every ePHI data should be map and identified so you know where it is at all times.

Determine who has access and what are the steps to gain access to any ePHI data. Remember to implement the least privilege and need to know models.

Monitor all access to any personal health information, this includes PHI and ePHI.

Implement system with safeguards to be alerted for any data that was wrongfully access or stored in a non-compliant repository.

Implement physical & technical controls and train your staff to avoid data breach and social engineering.

Implement security measures and controls so treats can be identify and data can be protected.