MainNerve has assisted numerous companies in mapping out their road to HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. Its primary purposes are to make it easier for people to keep health insurance, to protect the confidentiality and security of Protected Health Information (PHI) and electronic Protected Health Information (ePHI), and to help the healthcare industry control administrative costs. Three of its rules in particular affect any healthcare provider or other entity that uses, stores or transmits PHI or ePHI in the course of its business.
The Privacy Rule: establishes national standards for the protection of PHI by defining what counts as PHI and limiting the uses and disclosures of an individual’s health information.
The Security Rule: establishes national standards to protect individuals’ electronic protected health information that is created, received, used or maintained by a covered entity.
The Enforcement Rule: sets out the compliance investigation procedures and civil money penalties for HIPAA violations. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, enacted to promote the adoption and meaningful use of health information technology, strengthened enforcement by defining four categories of violation that reflect increasing levels of culpability, with an annual cap of $1.5M for all violations of an identical provision.
Companies must be able to demonstrate compliance with all three of these rules by conducting risk assessments and security gap assessments, and by showing a “roadmap” to compliance that addresses the vulnerabilities those assessments identify.
What does this mean?
If your company is a Covered Entity (CE) or a Business Associate (BA) and creates, stores or transmits PHI or ePHI, you are required to comply with HIPAA/HITECH and are subject to audit by the HHS Office for Civil Rights (OCR), which has regulatory enforcement authority. Non-compliance with HIPAA/HITECH can lead to significant fines and to clawback of “meaningful use” incentive payments.
How do I Become Compliant?
Conduct security risk and gap assessments that evaluate the administrative, physical and technical safeguards defined in 45 CFR §§ 164.308, 164.310 and 164.312, following NIST SP 800-30, Guide for Conducting Risk Assessments, and NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, and map the findings to the security controls in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. These assessments can be performed by an experienced HIPAA assessment company such as MainNerve or another qualified third party.
Security Gap Assessments: MainNerve’s HIPAA Security Gap Analysis provides a full report on identified gaps, with remediation recommendations to help clients move forward with implementing safeguards for ePHI. The gap analysis can be done off site to save time and money. Our gap analyses follow NIST SP 800-14, 800-30 and 800-66, and specifically address every item set forth in the HIPAA standards at 45 CFR Part 164, Subpart C – Security Standards for the Protection of Electronic Protected Health Information.
Comprehensive Risk Assessments: MainNerve’s Comprehensive Risk Assessment provides a detailed report on findings and remediation recommendations, as well as a crosswalk to compliance that links each finding to the specific HIPAA standard it relates to, so clients have a clear understanding of what must be addressed for HIPAA compliance. Like the gap analysis, the Comprehensive Risk Assessment follows the same NIST publications and addresses every item in 45 CFR Part 164, Subpart C.
On-line HIPAA Compliance Website: MainNerve recommends HIPAAgps (www.hipaagps.com) as a site for smaller companies to manage their compliance with the HIPAA Security Rule. The site offers training videos, access to the industry’s best HIPAA Comprehensive Risk Assessment, and encrypted storage for sensitive HIPAA documents, helping to ensure that compliance is maintained over time.
Penetration Testing and Scanning: MainNerve is one of the leading penetration testing firms in the U.S., with hundreds of customers and highly trained, accredited and experienced penetration testers. Penetration testing is not explicitly mandated under HIPAA, although the Security Rule does require a periodic technical and nontechnical evaluation of safeguards (45 CFR § 164.308(a)(8)). Annual penetration tests and quarterly vulnerability scans are a recommended practice: they demonstrate “best practice” cybersecurity principles in the event of an OCR audit and strengthen your overall security posture.
Health and Human Services HIPAA Webpage: https://www.hhs.gov/hipaa