HIPAA Compliance
HIPAA compliance can be challenging. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing rules define:
- how to secure and manage individuals' electronic protected health information (ePHI);
- how that information must be recorded, accessed, transmitted, and processed so that it does not fall into the wrong hands;
- the requirement that a security risk assessment be conducted and managed through an organization's formal Risk Management Program.
Whether you are a Covered Entity (CE) or a Business Associate (BA), there are policies, procedures, and processes you must have in place to meet the requirements of the HIPAA rules.
The healthcare industry continues to be plagued by intrusions and ransomware demands because ePHI is highly valuable on the black market. Understandably, healthcare organizations and their patients are increasingly anxious about the security of their data. Without a well-run risk management program and robust cybersecurity controls, healthcare organizations and the third-party providers whose services they rely on risk high monetary penalties as well as a tarnished reputation.
Why Choose Accorian?
Accorian was founded so organizations can stop compromising between technology necessities and technology budgets. Formed by technology and cybersecurity leaders, Accorian strives to be your full-service technology partner. Our hands-on approach combined with a goal-oriented, proven methodology brings both fiscal value and expertise to each of our clients.
Accorian’s Easy Answers To HIPAA Compliance
Accorian can help you achieve and maintain HIPAA compliance. If you create, receive, maintain, or transmit ePHI, the HIPAA rules apply to you. As HITRUST Assessors, we have a wealth of experience helping customers become and remain compliant with the HIPAA Privacy, Security, and Breach Notification Rules.
Whether you need a partner to help create the policies and procedures, develop awareness training, or conduct a security risk assessment, Accorian can help you today.
We are not merely compliance box checkers. Our team will work with you to develop creative solutions to accomplish compliance without disrupting your present business procedures.
Avoid Fines And Penalties
Penalties for violating HIPAA requirements are severe. A single violation can cost anything from $100 to $50,000, depending on the level of culpability (from lack of knowledge through to willful neglect), and violations of the same provision are capped at $1.5 million per calendar year. These are the statutory base amounts; HHS adjusts them upward for inflation each year.
This means that firms that continue to store or handle ePHI in a non-compliant manner risk penalties running into millions of dollars, and penalties of that size can force an organization to close its doors for good.
Assess Third-Party Business Associates
Accorian provides comprehensive managed HIPAA security audits to verify that your business associates are up to date and do not expose your firm to unnecessary risk. When a business associate has never worked toward HIPAA compliance, we work with them to develop the policies and procedures that make them compliant now and keep them compliant in the years ahead.
Almost a quarter of breaches are attributed to data held by third parties. This is a serious issue for firms that must be HIPAA compliant: a third-party breach affects not only your compliance but also patient trust in your firm and your credibility.
It is critical that you thoroughly audit any business partner who will hold your patients' data to confirm that they are HIPAA compliant and follow best practices for storing it.
Checklist To Evaluate If You Need Help With HIPAA Compliance
- Has your organization identified and documented where all protected health information (PHI) and electronic PHI (ePHI) is created, processed, stored, and transmitted?
- Has your organization conducted a Security Risk Assessment as required by the HIPAA Security Rule?
- Have you developed a Risk Management Program for your organization?
- Does your organization have current Policies and Procedures covering the HIPAA Privacy, Security, and Breach Notification Rules?
- Have all workforce members been trained on your Policies and Procedures?
- Do you have a designated HIPAA Privacy and/or Security Officer?
- Have you identified all vendors and third parties that require access to your PHI/ePHI?
- Do you have a documented process for handling incidents and breaches?
As certified HITRUST assessors, we can help you fortify your compliance with HIPAA.
Resources
HIPAA Security rule changes for 2025
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and strengthen cybersecurity protections for electronic protected health information (ePHI). The modifications are intended to counter rising cyber threats in the healthcare sector by updating the national standards that apply to covered entities and their business associates. The proposal coincides with broader efforts, including the National Cybersecurity Strategy and the HHS Healthcare Sector Cybersecurity Plan, which prioritize stronger cybersecurity enforcement, accountability, and best practices for critical infrastructure.

Key proposals to strengthen the HIPAA Security Rule include:
- Uniform requirements: eliminate the distinction between "required" and "addressable" implementation specifications, making all specifications mandatory with limited exceptions.
- Written documentation: require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Updated standards: revise definitions and specifications to reflect changes in technology and terminology.
- Compliance timelines: set specific timeframes for meeting many existing requirements.
- Asset inventory and network mapping: maintain a technology asset inventory and a network map, updated at least annually and after any significant change.
- Enhanced risk analysis: require a written risk assessment that reviews the asset inventory, identifies threats, and evaluates risk.
- Access change notifications: notify other regulated entities within 24 hours when a workforce member's access to ePHI is changed or terminated.
- Incident response and contingency planning: restore relevant systems and data within 72 hours, prioritize restoration, and test incident response plans.
- Annual compliance audits: audit Security Rule compliance at least once a year.
- Business associate verification: require business associates to verify their ePHI safeguards and provide written certification at least annually.
- Encryption: encrypt ePHI at rest and in transit, with limited exceptions.
- Technical controls: enforce consistent configurations, including anti-malware, removal of unnecessary software, and disabling of unused network ports.
- Multi-factor authentication: require MFA, with limited exceptions.
- Vulnerability management: perform vulnerability scans at least every six months and penetration testing at least annually.
- Network segmentation: require segmentation to limit the spread of an intrusion.
- Backup and recovery: maintain separate technical controls for backup and recovery systems.
- Annual security reviews: replace general security maintenance with mandatory annual reviews and tests of security measures.
- Contingency notifications: business associates and subcontractors must notify covered entities within 24 hours of activating a contingency plan.
- Group health plan safeguards: require plan sponsors to implement Security Rule safeguards, ensure their agents comply, and notify the plan within 24 hours of activating a contingency plan.

While the Department completes this rulemaking, the current Security Rule remains in effect. Get in touch with Accorian for assistance with HITRUST or HIPAA compliance at info@accorian.com. For more details, visit https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
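Several of the proposals above are cadences and thresholds (inventory refreshed at least annually, vulnerability scans at least every six months, penetration tests at least annually, 24-hour access-change notification, 72-hour restoration target) alongside yes/no controls (encryption at rest and in transit, MFA). Those are exactly the kind of requirements that can be checked continuously against an asset inventory rather than once a year at audit time. The script below is an added illustration of that, not code from Accorian or HHS: the inventory schema, the field names, the sample asset records and the access-change events are constructed assumptions, and the thresholds are taken from the proposal summary above.

```python
"""Evidence checker for the cadence and control requirements listed in the
HIPAA Security Rule NPRM summary (encryption at rest/in transit, MFA,
six-monthly vulnerability scans, annual penetration tests and inventory
refresh, 24-hour access-change notification, 72-hour restoration target).

Added illustration, not Accorian's or HHS's code. The inventory schema,
field names and sample records are constructed assumptions; the thresholds
come from the proposal summary."""
from datetime import datetime, timedelta, timezone

# Thresholds as described in the NPRM summary, measured from the date of the
# most recent evidence to the date of the check (assumed interpretation).
MAX_INVENTORY_AGE = timedelta(days=365)   # asset inventory / network map refresh
MAX_SCAN_AGE = timedelta(days=182)        # vulnerability scan at least every six months
MAX_PENTEST_AGE = timedelta(days=365)     # penetration test at least annually
MAX_ACCESS_NOTICE = timedelta(hours=24)   # notify of workforce access change
MAX_RESTORE_TARGET = timedelta(hours=72)  # restoration of relevant systems


def _parse(ts):
    """Parse an ISO-8601 timestamp into an aware UTC datetime; None stays None."""
    if ts is None:
        return None
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_asset(asset, now):
    """Return a list of (rule, detail) findings for one inventory record."""
    findings = []
    if asset.get("holds_ephi"):
        if not asset.get("encrypted_at_rest"):
            findings.append(("ENCRYPT-REST", "ePHI stored without encryption at rest"))
        if not asset.get("encrypted_in_transit"):
            findings.append(("ENCRYPT-TRANSIT", "ePHI moved without transport encryption"))
        if not asset.get("mfa_required"):
            findings.append(("MFA", "access to ePHI does not require MFA"))
    # Cadence-based requirements: (rule, evidence field, maximum age).
    for rule, field, limit in (
        ("INVENTORY-REFRESH", "inventory_verified", MAX_INVENTORY_AGE),
        ("VULN-SCAN", "last_vuln_scan", MAX_SCAN_AGE),
        ("PENTEST", "last_pentest", MAX_PENTEST_AGE),
    ):
        when = _parse(asset.get(field))
        if when is None:
            findings.append((rule, f"no {field} evidence on record"))
        elif now - when > limit:
            findings.append((rule, f"{field} is {(now - when).days} days old"))
    rto = asset.get("rto_hours")  # recovery time objective from the contingency plan
    if rto is None or timedelta(hours=rto) > MAX_RESTORE_TARGET:
        findings.append(("RESTORE-72H", f"recovery objective {rto} h exceeds 72 h or is unset"))
    return findings


def check_access_changes(events):
    """Return the users whose access change was not notified within 24 hours."""
    late = []
    for ev in events:
        changed, notified = _parse(ev["changed_at"]), _parse(ev.get("notified_at"))
        if notified is None or notified - changed > MAX_ACCESS_NOTICE:
            late.append(ev["user"])
    return late


def run_checks(inventory, access_events, now):
    """Return ({asset id: findings} for assets with findings, late access notices)."""
    report = {a["id"]: check_asset(a, now) for a in inventory}
    return {k: v for k, v in report.items() if v}, check_access_changes(access_events)


# Constructed sample data; these are not real systems or people.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "ehr-db-01", "holds_ephi": True, "encrypted_at_rest": True,
     "encrypted_in_transit": True, "mfa_required": True,
     "inventory_verified": "2024-09-15T00:00:00+00:00",
     "last_vuln_scan": "2025-01-20T00:00:00+00:00",
     "last_pentest": "2024-06-01T00:00:00+00:00", "rto_hours": 24},
    {"id": "legacy-fileshare", "holds_ephi": True, "encrypted_at_rest": False,
     "encrypted_in_transit": True, "mfa_required": False,
     "inventory_verified": "2023-11-01T00:00:00+00:00",
     "last_vuln_scan": "2024-07-01T00:00:00+00:00",
     "last_pentest": None, "rto_hours": 120},
]
ACCESS_EVENTS = [
    {"user": "jdoe", "changed_at": "2025-02-10T09:00:00+00:00",
     "notified_at": "2025-02-10T15:30:00+00:00"},
    {"user": "asmith", "changed_at": "2025-02-12T08:00:00+00:00",
     "notified_at": "2025-02-14T08:00:00+00:00"},
    {"user": "contractor7", "changed_at": "2025-02-20T08:00:00+00:00"},
]

if __name__ == "__main__":
    asset_findings, late_notices = run_checks(INVENTORY, ACCESS_EVENTS, NOW)
    for asset_id, items in asset_findings.items():
        for rule, detail in items:
            print(f"{asset_id}: {rule}: {detail}")
    print("late access notifications:", late_notices)
```

Run as-is, the compliant `ehr-db-01` record produces no findings, while `legacy-fileshare` is flagged for unencrypted storage, missing MFA, a stale inventory entry, an overdue scan, no penetration-test evidence, and a recovery objective beyond 72 hours; the two access changes notified late (or never) are listed separately. The point of the structure is that each finding carries a rule identifier that maps back to one proposal, which is what an auditor will ask for.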
HIPAA Disaster Recovery Plan: Your Guide to Patient Data Security
According to 2023 statistics, an alarming 53% of incidents targeted healthcare providers, underscoring the need to protect sensitive patient data under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA, a cornerstone of healthcare cybersecurity, mandates safeguards for Protected Health Information (PHI). Beyond data protection, it requires disaster recovery planning, compelling organizations to establish strategies that mitigate risk and preserve the availability, integrity, and confidentiality of patient data.

What is a HIPAA Disaster Recovery Plan?
A disaster is an unforeseen event beyond the organization's control that damages IT infrastructure and puts sensitive PHI at risk. A HIPAA disaster recovery plan is the IT-focused strategy for restoring operability after such an event, whether for the entire infrastructure, specific computer facilities, or individual applications, possibly at an alternate site. The plan sets out the policies and procedures to execute in a disaster and assigns responsibilities to staff so that response and recovery are swift and coordinated. More broadly, it is a comprehensive strategy for safeguarding and recovering ePHI across the full range of emergencies, from natural disasters to cyberattacks and human error.

Steps to Create a HIPAA Disaster Recovery Plan
1. Conduct a Business Impact Analysis
A Business Impact Analysis (BIA) is a thorough assessment of your healthcare organization's readiness. It examines the types and volumes of data you hold, where they are stored, and the time and resources needed to restore access to each data category, and it determines which data matter most to business operations. The BIA process includes:
- identifying the types and sizes of data within your management purview;
- recognizing where your data are stored and which systems are critical to day-to-day operations;
- estimating the maximum resources and time required to recover each data type.
2. Perform a Risk Assessment
Establish a risk assessment framework that integrates continuous monitoring and analysis. A vital element is an extensive risk register in which potential threats are prioritized by their likelihood and impact on the organization. Simulate hypothetical disaster scenarios to assess their consequences:
- Cybersecurity threats: unauthorized intrusions such as malware, ransomware, or hacking attempts that disrupt systems and compromise critical data.
- Severe environmental incidents: hurricanes, floods, tornadoes, and other adverse weather that cause extended power outages and interrupt operations.
- IT downtime: reduced or non-existent IT availability due to technical malfunctions, software faults, hardware failures, or other unforeseen circumstances.
3. Maintain Documentation
Keep meticulous documentation of your disaster recovery plan and of every incident, including incident reports, recovery logs, and post-incident evaluations. Review and update this documentation regularly as organizational processes and procedures change; it is a valuable resource when a disaster occurs.
4. Create a Response Team
Establish a dedicated disaster recovery team with clearly assigned roles and a thorough understanding of the part HIPAA compliance plays in the recovery process. Exercise the team regularly so that it can handle diverse scenarios and respond quickly to cybersecurity challenges, and maintain an up-to-date contact list and communication strategy so that action can be taken promptly when needed.
5. Develop a Data Backup Plan
In the HIPAA disaster recovery strategy, the data backup plan plays a pivotal role by requiring organizations to secure...
HIPAA UPDATES 2023
Written By Vigneswar Ravi & Vignesh M R
The Latest on HIPAA Compliance
HIPAA compliance will undergo significant changes in 2023 that you need to be aware of. Before getting into the upcoming changes to the HIPAA Privacy Rule, a little history. The United States enacted HIPAA in 1996; until then there were no uniform rules for gaining access to medical records, and local and state governments had each set their own rules and fees. HIPAA established standardized rights and responsibilities for managing and safeguarding Protected Health Information (PHI). Changes in working practices and technological advances over the last ten years, however, have exposed a number of issues with HIPAA. To address them, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has so far issued guidance clarifying misunderstandings about HIPAA requirements rather than changing the rules. The last major HIPAA update was enacted a decade ago, and changes to the HIPAA Rules are now due. The final rule was expected earlier this year but has been postponed until March 2023.

Proposed HIPAA Updates to the Privacy Rule in 2023
PART 1
- Allowing patients to examine their PHI in person and take notes or photographs.
- Reducing the maximum time for providing access to PHI from 30 days to 15 days.
- Limiting the right of individuals to direct the transfer of ePHI to a third party to ePHI maintained in an Electronic Health Record (EHR).
- Confirming that an individual may instruct a covered entity to transmit their ePHI to a personal health application on request.
- Specifying when individuals receive ePHI free of charge.
- Requiring covered entities to notify individuals of their right to receive, or to direct the transfer of, their PHI to a third party when they are given a summary of the PHI instead of a complete copy.
- Extending the authorization for the armed forces to use or disclose PHI to all uniformed services.
- Adding a definition of electronic health records.
- Modifying the language to make it easier for a covered entity to disclose PHI to prevent a threat to health or safety where the harm is "reasonably and significantly predictable."
- Creating a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Removing the requirement that covered entities obtain a written acknowledgment of receipt of the Notice of Privacy Practices.
- Requiring HIPAA-covered entities to publish on their website the estimated fee schedules they charge for PHI access and disclosures.
- Requiring HIPAA-covered entities to furnish personalized cost estimates for supplying individuals with a copy of their PHI.
- Broadening the definition of healthcare operations to include care coordination and case management.
- Requiring HIPAA-covered healthcare providers and health plans to respond to records requests from other covered entities when individuals exercise their HIPAA right of access.
- Permitting covered entities to use and disclose certain PHI where they believe in good faith that doing so is in the individual's best interest.
- Introducing an exemption from the minimum necessary standard for individual-level care coordination and case management, whether or not these activities are classified as treatment or healthcare operations.
PART 2
In November 2022, the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) that proposes changes to both Part 2 and HIPAA to better align the two regulations. Part 2 protects patient privacy and treatment records for substance use disorder (SUD), with HIPAA...
HITRUST And HIPAA Compliance Helps Organizations Create More Walls Around Their Customer Information
Cybercriminals are drawn to the data held by healthcare companies. Patient data, banking information, and other personally identifiable information (PII) gathered by healthcare organizations form rich data sets, and with such comprehensive data sets in play, cybercriminals increasingly target healthcare providers and their service providers, sometimes causing significant losses. Ransomware is a type of malware that encrypts files, preventing access to the data. Given the increasing risk, healthcare entities must implement safeguards against the harmful impact of a ransomware attack. Information security compliance frameworks such as HIPAA and HITRUST provide reliable guidance to organizations preparing proactively for ransomware attacks.

A Rise in Ransomware Attacks in Healthcare
In October 2022, CommonSpirit Health, one of the largest non-profit health systems in the United States, became the target of a ransomware attack that left some of its systems inaccessible weeks later. This attack underscores the need for healthcare organizations to exercise due care in managing critical data. In planning a ransomware attack, cybercriminals look for opportunities to exploit the workforce and unsecured data. A weak cybersecurity risk management strategy could leave:
- prescriptions unfilled;
- surgeries delayed;
- doctors unable to access records;
- patient information publicly exposed.

How HITRUST and HIPAA Relate to Each Other
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law whose Privacy and Security Rules protect sensitive patient health information from use or disclosure without the patient's consent. Healthcare providers, health plans, healthcare clearinghouses, and the organizations that use or disclose health information on their behalf (business associates) are all subject to HIPAA. The US government further strengthened HIPAA's protections with the HITECH Act, which added enforcement and breach notification requirements.
In drafting the CSF, HITRUST aligned numerous national and international regulations, standards, and frameworks, including HIPAA and the HITECH Act, to create a comprehensive and reliable set of privacy and security controls. Since its first release the CSF has been updated many times, incorporating updated sources and an ever-expanding set of global privacy and security standards. Alongside the CSF, HITRUST provides the following resources for entities looking to strengthen their cybersecurity and risk management programs:
- HITRUST CSF
- HITRUST Threat Catalogue
- MyCSF SaaS assurance and analytics platform
- Assurance assessments
- Assessment results management
- Risk management and compliance programs scaled for small businesses and startups
- Training programs in HITRUST best practices

Reinforcing Cybersecurity with HITRUST and HIPAA
The two work together most effectively by letting healthcare providers demonstrate their HIPAA adherence through HITRUST certification. Although Systems and Organization Controls 2 (SOC 2) examinations, administered by CPAs, also exist, HITRUST certification is one of the key ways to show that HIPAA-aligned controls are in place. This is only one of the ways the two work together against ransomware attacks. Because healthcare companies are looking into HITRUST and HIPAA, they are prompted to inform staff about the risk of ransomware. Aggressive ransomware attacks pressure healthcare executives to stay informed about emerging threats and to provide the training and resources that let staff recognize the signs of ransomware. Abiding by HITRUST and HIPAA also builds more walls around customer information: it not only trains employees but also restricts access to and use of that information to prevent abuse and misuse. It also improves aspects of risk management programs that might not have been identified without third-party oversight. HITRUST assessment reports not only highlight gaps in a healthcare company's strategy but can also point out inconsistencies and techniques for more effective data control and monitoring. Unprepared healthcare entities execute procedures reactively instead of proactively mitigating threats. Some companies rely solely...
Why Being HIPAA compliant is not enough
If there is one central aspect of healthcare security, it is HIPAA. The Health Insurance Portability and Accountability Act of 1996 changed how healthcare providers secure patient data and information. Everyone who works in healthcare, from the front-desk receptionist to the brain surgeon, learns what HIPAA is and how to incorporate it into their job. But is following the basic rules of HIPAA truly enough to be secure?

Why is HIPAA not enough?
First, the HIPAA Security Rule is meant to cover a wide range of medical practices, from the small single-doctor office to the huge university teaching hospital. That breadth means many of its security requirements are necessarily vague. While this lets the Security Rule apply everywhere, it also leaves gaps in how patient data are actually protected.
Second, not every implementation specification is required. HIPAA provides guidelines and a framework for security, but it is not prescriptive, so each company or clinic has to define what compliance means for it. "Addressable" specifications can be left unimplemented if the organization documents why implementing them is not reasonable and appropriate and, where appropriate, adopts an equivalent alternative measure. This latitude lets organizations skip standards they actually need, or go too far and deploy unnecessary safeguards.
Third, HIPAA has no official certification of compliance. Compliance is demonstrated through a risk assessment and control documentation. Without certification, human error can creep in and affect the security of patient data, and it is hard to know which vendors are really following HIPAA.
Finally, HIPAA was written in 1996, long before electronic health records were standard practice. Now that the healthcare industry relies on electronic records, HIPAA on its own does not address the concerns of a changing, connected world.

How can HITRUST change how you manage ePHI?
The HITRUST Common Security Framework (CSF), published by the Health Information Trust Alliance, was first released in 2009 to address the changing ways in which patient information is used and transmitted. It incorporates the HIPAA Security Rule, and it also draws on security standards including:
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT)
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- International Organization for Standardization (ISO) standards
- Federal Trade Commission (FTC) Red Flags Rule
- Centers for Medicare and Medicaid Services Acceptable Risk Safeguards (CMS ARS)
- State requirements
- Multiple other standards
HITRUST is a comprehensive set of controls that better meets the needs of today's healthcare industry. It lets each organization adopt a set of control requirements that fits its specific risks and needs, and when the organization grows beyond its current controls, HITRUST scales to cover the new risks and needs. HITRUST is also kept up to date with changing security risks and laws: as recent events have shown, new regulations can be passed and existing ones change, and HITRUST adapts to these changes quickly so that you remain compliant without interruption. HITRUST also makes it easier to prove compliance to clients and vendors. It uses a single third-party assessment to show how your organization complies across multiple standards, and you receive an actual certification showing that you are not only HIPAA compliant but also genuinely able to protect patient data from theft and misuse. HITRUST is becoming the de facto standard for security in the health space. We have extensive experience with HITRUST implementation and certification. We are ready to be your full-service security...
The Accorian Advantage
Accorian’s cybersecurity and compliance teams bring a wealth of experience to help navigate organizations through their information security journey. Our hands-on, white-glove approach combined with a goal-oriented, proven methodology brings both fiscal value and expertise to each of our clients. The facts speak for themselves.