The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of regulatory standards mandated by the Department of Health and Human Services (HHS) that outline the lawful use and disclosure of protected health information (PHI). If you are a Covered Entity or a Business Associate, as defined by HIPAA, then you are required to implement the HIPAA Rules, as well as conduct self-audits, develop plans and policies, perform incident management, and manage your business associates.

With the HITECH Act in 2009 and the final Omnibus Rule in 2013, compliance with HIPAA standards is a mandate for all covered entities and their business associates. Independent verification of your information systems is what sets you apart from your competitors and provides the executive leadership and board members confidence in your security programs. The HIPAA Privacy and Security Rules apply to all healthcare providers, health plans, healthcare clearinghouses, and to any service provider that manages electronic protected health information (ePHI).

Our expert team gives your organization access to healthcare IT security experts. We apply our proven processes and a common controls framework that combines the identified HIPAA controls with NIST SP 800-66 and HITRUST to conduct a risk assessment and/or a gap analysis, delivering an executive summary and a detailed report on your current compliance status with recommendations for improvement. Assessment controls include:

  • Administrative Safeguards

  • Technical Safeguards

  • Physical Safeguards

  • Documentation Requirements

  • Breach Notification Requirements

What if my organization does not comply?

Enforcement is real! Penalties are steep! The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.

The American Recovery and Reinvestment Act of 2009 created a tiered penalty structure for HIPAA violations. But it is the OCR that determines the amount of each penalty, and that amount depends on the nature and extent of the harm that results from the breach. For example:

  • The fine for a first-time infringement by someone who did not know they violated HIPAA could be as low as $100 or as high as $50,000.
  • Fines for reasonable cause can range from $1,000 per violation to $50,000.
  • The fine for a violation due to willful neglect, where the violation is corrected within the required time period, is a minimum of $10,000 per violation with a maximum of $50,000.
  • The fine when the willful neglect violation is not corrected increases from $10,000 to $50,000 per violation.

We know, this sounds like a lot of work. It is! Give us a call and let us help.