HIPAA Compliance

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goals of the law are to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs.

The use of health information technology is widespread, as more and more companies develop solutions that rely on health-related technologies. However, one of the greatest risks in these products is consumer privacy. The HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Audit Process

HIPAA compliance does not require any certification. Covered entities and their business associates have to self-assess and implement practices to secure the protected health information (PHI) under their control or custody. The HIPAA evaluation standard, 45 CFR § 164.308(a)(8), requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which the entity's security policies and procedures meet the requirements of the Security Rule. The evaluation can be performed internally or by an external organization that provides evaluation or "certification" services. US HHS does not endorse or otherwise recognize any private organization's "certification" regarding the Security Rule; such a certificate does not by itself demonstrate compliance.

Riskpro's Implementation methodology for HIPAA

We create an implementation plan for a business associate located in India. Business associates have to comply directly with the Security Rule and the Breach Notification Rule. The Privacy Rule may apply in part, depending on the business associate agreement (BAA) with the client (a covered entity or another business associate).

A summary of the implementation steps is given below.
• Execute a business associate agreement with the client
• Execute valid subcontractor agreements with any subcontractor that handles PHI
• Comply with the Privacy Rule provisions that apply under the BAA
• Perform a Security Rule risk analysis/assessment
• Implement Security Rule safeguards (administrative, physical and technical safeguards)
• Adopt written policies and procedures supporting the Security Rule
• Train the workforce
• Have an incident reporting and response procedure for security incidents and breaches
• Maintain required documentation: keep the documents required by the Security Rule for six years from the date of their creation or the date they were last in effect, whichever is later

HIPAA Certifications

The HIPAA Security Rule applies to all health plans, healthcare clearinghouses, and any healthcare provider who transmits protected health information (PHI) in electronic form (electronic protected health information, or ePHI), and, since the HITECH Act, directly to their business associates. Therefore, any organization or person that creates, receives, maintains or transmits PHI for or on behalf of such an entity is covered by HIPAA regulations. Being "HIPAA certified" is not the same as being HIPAA compliant: no certification is recognized by HHS, and only actual compliance with the rules matters in an audit or investigation.

HIPAA Domains

HIPAA compliance is built around the following four sets of rules. In structure they resemble familiar frameworks such as SOC 2 and ISO 27001, in that each pairs a set of required controls with documentation and evaluation duties.

The four main domains are:
HIPAA Privacy Rule
HIPAA Security Rule
HIPAA Enforcement Rule
HIPAA Breach Notification Rule

Contact for HIPAA related audit, certification and trainings

For more information, please send an email to info@riskpro.in

Focus areas for HIPAA

Administrative Safeguards

Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Business Associate Contracts and Other Arrangements

Physical Safeguards

Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls

Technical Safeguards

Access Control
Audit Controls
Person or Entity Authentication
Transmission Security

Organizational Requirements

Business Associate Contracts or Other Arrangements
Requirements for Group Health Plans



More Info: 
Manoj Jain: 9833767114, manoj.jain@riskpro.in
