The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.
Electronic protected health information (ePHI) refers to any protected health information that is covered under Health Insurance Portability and Accountability Act of 1996 and is produced, saved, transferred or received in an electronic form.
Any organization transmitting or storing electronic protected health information, known commonly as ePHI, must comply with HIPAA, Title II. This includes business associates, which are contractors and subcontractors that perform services on behalf of a health care provider. Regardless of the type of electronic device — PC, tablet PC or smartphone — used to access electronic protected health information, users must abide by HIPAA Security Rule guidelines when handling both information at rest and that which is being transferred electronically, via email or file transfer.
The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.
Health care organizations are custodians of sensitive information in the form of individuals’ Protected Health Information (PHI). The Health Information Technology for Economic and Clinical Health Act (HITECH Act or “The Act” mandates healthcare organizations and their business associates, to comply with the HIPAA Security and Privacy Rule requirements along with the new Data Breach Notification law. Compliance with the rules requires every organization, regardless of size, to exercise due diligence and implement robust information security and privacy controls whose effectiveness must be assured at all times.
Small, and many medium providers (e.g. physician practices, group practices and small to medium hospitals) cannot afford to hire full time security personnel. This could force them to consider hiring outside external HIPAA-HITECH consultants to assist them in implementing the required safeguards to protect their data.
CKSS has adopted a strategic approach to security by establishing an enterprise-wide Corporate Risk, Information Security, and Privacy Function program that can help organizations of any size respond to HIPAA regulations. We are ideally suited to help support a compliance program centered on the administrative, physical, and technical requirements of HIPAA.
Our team of specialists have extensive experience in helping healthcare and other industry organizations implement and maintain robust information security and privacy programs in addition to helping them achieve and maintain compliance with HIPAA/HITECH and other state-level and national regulations.
- HIPAA Security Risks Analysis Services
- HIPAA policies and procedures development and implementation
- Security Awareness & Training services and program development
- Business Resumption Services: We develop process guidelines and deliverables based on industry standards such as NIST SP 800-34, Contingency Planning Guide for Information Technology Systems; Conduct Business Impact Analysis (BIA); develop Continuity of Operations Plans (COOP)/Business Continuity Plan (BCP); Contingency Plans / Disaster Recovery Plans (DRP); Test your business resumption process to include test plans and lessons-learned reports. Our testing includes: table top exercises, simulated exercises and operational exercises.
- Incident Response plan and testing plans: Our security consultants’ work with you to develop an effective Incident Response Plan based on best practices. Our Security Incident Response services to include breach notification requirements.
- Implementing strong identity management technologies
- Implementing encryption and mobile security solutions
- Developing strategy and Road Maps for securing and hardening Mobile Devices, Laptops, Workstations, and Servers
- Creating Mobile Strategy and Governance