HIPAA Compliance + Cybersecurity


HIPAA Compliance Overview


What is HIPAA compliance?

HIPAA is a United States federal law, enacted in 1996, whose Privacy and Security Rules protect the personal data collected in the course of providing health care to individuals. The rules set minimum requirements for the privacy and security of protected health information (PHI) that every organization handling it must meet.

HIPAA established national standards for the privacy and security of protected health information. Since enforcement began in 2003, enforcement activity has raised the privacy practices of every entity subject to the regulation, giving individuals reasonable confidence that their information is protected by the businesses and institutions with which they share their PHI. View more information about HIPAA compliance through an essential e-Book guide.

Related Reading: 

7 Things CISOs Ought to Know About HIPAA Compliance

Free eBook

Who oversees, monitors, and audits HIPAA compliance at the federal level?

The question of who is “in charge” of HIPAA is more complicated than one might think. At the highest level, HIPAA is administered by the US Department of Health and Human Services (HHS). Within HHS, the Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules, investigates complaints and breach reports, conducts audits, and imposes civil monetary penalties. Since the HITECH Act, state attorneys general may also bring civil actions on behalf of their residents for HIPAA violations.

What does HIPAA stand for?

The acronym “HIPAA” stands for the Health Insurance Portability and Accountability Act.

HIPAA Compliance vs. HIPAA Compliance Certification - What's the difference?

In short, HIPAA compliance is about meeting the rule and regulation itself, whereas HIPAA compliance certification refers to a training or assessment program offered by a private vendor. Note that HHS does not recognize or endorse any HIPAA certification: a certificate demonstrates that staff were trained or that a third party reviewed your program at a point in time, but it does not by itself establish compliance, and it is not a defense in an OCR investigation.

To ensure members of your organization are trained in HIPAA compliance, Avertium provides a HIPAA Certification Program built around a comprehensive, ongoing plan developed for your organization. As an ongoing plan, it keeps you aligned and updated with HIPAA regulations, including the latest industry trends and best practices.

Who is subject to HIPAA?

When it comes to HIPAA compliance, “who” and “when” lead to the same answer: an organization must be compliant from the moment it falls into one of the categories below. It is important to determine whether your organization is subject to HIPAA before planning how to become compliant. If unsure, reach out to Avertium for a consultation.

  • Who must be HIPAA compliant? When must you become HIPAA compliant? HIPAA applies to organizations categorized as “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA transactions) and to their “business associates”, meaning any vendor or contractor that creates, receives, maintains, or transmits PHI on a covered entity’s behalf. Subcontractors of business associates are business associates too. View more information about your rights as an individual under HIPAA.


Related Reading:

Does HIPAA Apply to Me?

Why is HIPAA Compliance important?

To understand why HIPAA compliance is important, one must understand why HIPAA regulations are in place: to protect sensitive protected health information (PHI). Demonstrably protecting every record of PHI builds trust with your clients and patients. HIPAA compliance is the discipline of making sure that covered entities and business associates handling PHI actually implement those safeguards and security measures.

Compliance is also important to avoid the civil monetary penalties that the Office for Civil Rights (OCR) imposes for violations. The practical mechanism is the risk assessment: it surfaces the security gaps that lead to breaches and enforcement actions before an attacker or an investigator does.

If you are unsure whether your organization is a covered entity or a business associate handling PHI, and is therefore subject to HIPAA, reach out to Avertium for a consultation.


Related Reading: 

First HIPAA Risk Assessment? Here’s How to Be Prepared

How much do HIPAA violations cost?

The question of “how much” depends on a number of factors, chiefly the organization’s level of culpability (from “did not know” up to willful neglect left uncorrected). Federal penalties are determined by the Office for Civil Rights (OCR) under the tiered structure introduced by the HITECH Act: from $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of the same provision. Those are the statutory base figures; they are adjusted for inflation each year, so current amounts are higher. Penalties are assessed per violation rather than per incident, and a single incident (for example, an unencrypted laptop holding many records) can involve many violations. View more information about HIPAA violation costs by taking a look at the different penalty structures.


How to Achieve + Maintain HIPAA Compliance


How can I achieve HIPAA compliance?

The first step is to complete a HIPAA risk assessment. According to the US Department of Health and Human Services (HHS), the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough risk analysis as the initial step in identifying and implementing security measures that satisfy the standards and implementation specifications of the Security Rule, and it must be repeated periodically as the environment changes. Avertium’s experts recommend that these assessments be conducted at least annually and after any significant change to systems that store or process ePHI.


Related Reading:

3 Things for HIPAA Compliance When Returning to Normal Operations

How do I ensure HIPAA compliance?

The Security Rule’s audit controls standard (45 CFR 164.312(b)) states the core requirement directly: implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. In practice that means two things: every system touching ePHI must generate access logs that identify who did what to which record and when, and someone must actually review those logs on a defined schedule and act on anomalies.
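As an added example, not code from this page or from Avertium, the following Python script shows the “record and examine” half of that audit-controls standard in practice. It parses a constructed ePHI access log (the one-event-per-line format, field names, role names and thresholds are all assumptions made for the example) and applies three review rules a compliance analyst typically runs: access to a record outside the user’s own department, access by an office-hours-only role outside business hours, and a user opening more distinct patient records in a day than a threshold allows.

```python
"""Review a constructed ePHI access log against three audit-control rules.

The log format (one event per line) is an assumption for this example:
    <ISO-8601 timestamp> <user> <role> <user dept> <patient id> <patient dept> <action>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): four users over one day.
SAMPLE_LOG = """\
2020-09-14T09:12:03 jdoe nurse cardiology P1001 cardiology view
2020-09-14T09:15:40 jdoe nurse cardiology P1002 cardiology view
2020-09-14T09:20:11 jdoe nurse cardiology P1003 cardiology update
2020-09-14T02:45:09 rsmith clerk billing P2001 oncology view
2020-09-14T10:05:00 rsmith clerk billing P2002 billing view
2020-09-14T11:30:00 mlee physician oncology P2001 oncology view
2020-09-14T11:31:00 mlee physician oncology P3001 cardiology view
2020-09-14T13:00:01 tpark nurse cardiology P1101 cardiology view
2020-09-14T13:02:11 tpark nurse cardiology P1102 cardiology view
2020-09-14T13:04:30 tpark nurse cardiology P1103 cardiology view
2020-09-14T13:06:45 tpark nurse cardiology P1104 cardiology view
2020-09-14T13:08:52 tpark nurse cardiology P1105 cardiology view
2020-09-14T13:10:09 tpark nurse cardiology P1106 cardiology view
"""


def parse_log(text):
    """Parse log lines into event dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, dept, patient, patient_dept, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "dept": dept,
            "patient": patient, "patient_dept": patient_dept, "action": action,
        })
    return events


def review(events, max_patients_per_day=5, business_hours=(7, 19),
           broad_access_roles=frozenset({"physician"}),
           office_hours_roles=frozenset({"clerk"})):
    """Return a list of findings for a human reviewer.

    Rules (thresholds and role sets are assumptions for the example):
      cross_department - a user touched a record outside their own department and
                         does not hold a role with organization-wide access
      after_hours      - an office-hours-only role accessed ePHI outside business hours
      bulk_access      - a user opened more distinct patient records in one day than
                         max_patients_per_day allows
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    start_hour, end_hour = business_hours
    for e in events:
        if e["dept"] != e["patient_dept"] and e["role"] not in broad_access_roles:
            findings.append({"rule": "cross_department", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"].isoformat()})
        if e["role"] in office_hours_roles and not (start_hour <= e["ts"].hour < end_hour):
            findings.append({"rule": "after_hours", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"].isoformat()})
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Volume rule is evaluated per (user, calendar day) once all events are counted.
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > max_patients_per_day:
            findings.append({"rule": "bulk_access", "user": user, "patient": None,
                             "ts": day.isoformat(), "count": len(patients)})
    return findings


def count_by_rule(findings):
    """Summarize findings as {rule: count}, the figure a periodic review would report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = review(events)
    print(f"{len(events)} events, {len(findings)} findings: {count_by_rule(findings)}")
    for f in findings:
        print(f"  [{f['rule']}] user={f['user']} patient={f['patient']} at {f['ts']}")
```

On the sample log the script flags the billing clerk’s 02:45 view of an oncology record under both the cross-department and after-hours rules, and the nurse who opened six charts in ten minutes under the volume rule; the physician’s cross-department view is deliberately not flagged because the role has organization-wide access. The findings are leads for a reviewer, not verdicts: the point of the audit-controls standard is that someone examines them and documents the outcome.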

A best practice for HIPAA compliance is to implement encryption on every system and network path with access to electronic protected health information (ePHI), both at rest and in transit. Under the Security Rule, encryption of ePHI is an “addressable” implementation specification: an organization must implement it where reasonable and appropriate, or document why it is not and what equivalent alternative measure it uses instead. Addressable does not mean optional, and breaches of properly encrypted data are generally not reportable under the Breach Notification Rule, which is why OCR enforcement actions so often involve unencrypted laptops and drives. Encryption is For more comprehensive measures, reach out to Avertium for a consultation.

Related Reading: 

Complying with HIPAA Encryption Standards; What You Need to Know

What does the Avertium HIPAA compliance readiness program look like?

 
  1. The program kicks off with a comprehensive risk assessment that identifies areas of risk within your organization and compares them against HIPAA requirements. 
  2. A gap analysis then examines the identified risks and is used to create an initial roadmap of recommendations for remediation. 
  3. Once the initial roadmap is clearly laid out, the next step is implementation of the recommended controls. 
  4. Finally, Avertium crafts an ongoing compliance plan with quarterly check-points and consultations to keep your organization aligned and updated with HIPAA regulations. 
It’s important to understand that, just as the cybersecurity landscape evolves every day, so should your approach to HIPAA compliance. This is a cyclical journey. When leveraging Avertium for your HIPAA compliance readiness program, you also receive Avertium’s branded trust mark, conveying to customers and partners that your organization takes HIPAA compliance seriously. View more information about Avertium’s HIPAA Certification Program through this e-brief. 


How long must HIPAA-related documents be retained?

According to HHS, covered entities and business associates must retain HIPAA-required documentation (policies and procedures, risk analyses, training records, business associate agreements, and the like) for a minimum of six years from the later of its creation date or the last date it was in effect (45 CFR 164.316(b)(2)). The six-year federal minimum applies even where state law requires a shorter period; where state law requires longer, the longer period governs. Note that this requirement covers compliance documentation, not the medical records themselves, whose retention periods are set by state law.

View more information about time limit implementation for HIPAA compliance records.

Certifications + Regulations Related to HIPAA


What is HITRUST CSF? How does it relate to HIPAA compliance?

Before answering “what” it is, keep in mind that being HIPAA compliant does not mean that you’ve achieved HITRUST CSF certification, and the reverse is not a guarantee either: the CSF incorporates the HIPAA Security Rule requirements, so a HITRUST-certified scope provides strong, independently assessed evidence for those controls, but OCR does not recognize any certification as proof of HIPAA compliance.

HITRUST Common Security Framework (HITRUST CSF) is a widely adopted set of security controls that harmonizes HIPAA, NIST, ISO, PCI and other requirements into one certifiable framework tailored to protecting sensitive data in the health care industry. View more information about HITRUST CSF Version 9.4.

Avertium is one of the few HITRUST assessor firms with Certified CSF Practitioners (CCSFP). Learn more about Avertium’s HITRUST services.

Related Reading:

What is HITRUST? Answers to Your HITRUST CSF Questions

What is the SOC 2 certification? Is it HIPAA compliant?

SOC 2 is an attestation report issued under AICPA standards for service organizations in any industry, not a health care certification, and a SOC 2 report is not a HIPAA compliance determination. It is, however, commonly cross-referenced with regulations and frameworks such as HIPAA, and an auditor can map the HIPAA Security Rule safeguards onto the criteria in scope so that one examination produces evidence for both.

The scope of the examination is your organization’s controls for managing cyber risk, evaluated against the Trust Services Criteria (TSC) you select: security (always in scope), and optionally availability, processing integrity, confidentiality, and privacy. A Type 1 report covers control design at a point in time; a Type 2 report covers operating effectiveness over a period, and is the one customers and business partners usually ask for. 


How can Zero Trust Security benefit me?

The Zero Trust Security (ZTS) model is true to its name: a security architecture that trusts no user, device, or network location by default and denies every access request until authentication and authorization have been completed for that specific request and resource. 

We want to ensure the security of Protected Health Information (PHI) against the growing range of threats in the health care industry. The Security Rule requires access control and person-or-entity authentication standards but does not name particular technologies; identity and access management measures such as multi-factor authentication (MFA) and a Zero Trust architecture are widely accepted ways to satisfy those standards and to demonstrate that a risk analysis led to effective controls. View NIST’s guidance on establishing Zero Trust (NIST SP 800-207, Zero Trust Architecture) for how it can improve your cybersecurity defenses.

Related Reading: 

Demystifying Zero Trust: What Is Zero Trust Security, and How Can It Bolster Your Environment?

HIPAA Compliance Resources

Stay ahead of potential attackers. The evolution of technology, from security frameworks to regulations, continually changes the training and implementation work that HIPAA requires. Avertium has deep expertise in HIPAA compliance, managed security services (MSS), and a team of Certified HITRUST Assessors ready to help you strengthen your security posture.

As cybersecurity threats become more sophisticated, it’s important to maintain HIPAA compliance as a means of securing Protected Health Information. By conducting risk assessments and vulnerability scans of your organization’s applications and infrastructure regularly, you can proactively identify gaps and vulnerabilities and remediate them before a breach occurs. 


Last updated: September, 2020


Glossary of Related Terms / Acronyms

PHI – Protected Health Information

ePHI – Electronic Protected Health Information

HHS – US Department of Health and Human Services

OCR – Office for Civil Rights

HITECH – Health Information Technology for Economic and Clinical Health 

HITRUST – Health Information Trust Alliance

CSF – Common Security Framework

SOC – System and Organization Controls (formerly Service Organization Control)

TSC – Trust Services Criteria

MSSP – Managed Security Service Provider

ZTS – Zero Trust Security

NIST – National Institute of Standards and Technology

Download the HIPAA Compliance Service Brief