HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
The use of Health information technology is widespread as more and more companies are developing solutions that leverage health related technologies. However, one of the greatest risks in these products is consumer privacy. the HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH)
HIPAA Audit Process
HIPAA Compliance does not require any certification. Covered companies have to self assess and implement practices to secure protected health information (PHI) under their control or custody. The HIPAA evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered company or by an external organization that provides evaluations or “certification” services. US HHS does not endorse or otherwise recognize any private organizations’ “certifications” regarding the Security Rule.
Riskpro's Implementation methodology for HIPAA
We create an implementation plan for a business associate located in India. Business associates have to comply with security rules and breach reporting rule. Privacy rule may be applicable depending on the BAA agreement with the client (another BA or covered entity).
Summary of implementation steps are given below.
• Execute business associate agreements with the client
• Execute valid subcontractor agreements
• Comply with privacy rules
• Perform a Security Rule risk analysis/assessment
• Implement Security Rule safeguards (administrative safeguards, physical and technical safeguards),
• Adopt written policies supporting Security Rule
• Train employees
• Have an incident reporting and response procedure for security incidents and breaches
• Maintain Required Documentation. maintain the documents required by the Security Rule for six years from the document’s last effective date
The HIPAA Security Rule applies to all health plans, healthcare clearinghouses, and to any healthcare provider who transmits protected health information (PHI) in electronic form, or electronic protected health information (ePHI). Therefore, any organization or person who works in or with the healthcare industry or who has access to protected health information is covered by HIPAA regulations. The HIPAA Certified is different from as HIPAA Compliant.
Basically HIPAA compliance is around following 4 sets of rules. These are very similar to the usual frameworks such as SOC, ISO etc.
The four main domains are
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
Contact for HIPAA related audit, certification and trainings
For more information, please send an email to firstname.lastname@example.org
Focus areas for HIPAA
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
- Access Control
- Audit Controls
- Person or Entity Authentication
- Transmission Security
- Business Associate Contracts or Other Arrangements
- Requirements for Group Health Plans