The Health Insurance Portability and Accountability Act, or HIPAA, was signed into law in 1996 to make it easier for people to keep health insurance, protect the confidentiality and security of Protected Health Information (PHI) and electronic Protected Health Information (ePHI), and help the health care industry control administrative costs.
The law has four rules that impact any health care provider or entity that uses, stores or transfers PHI or ePHI in their business:
Companies must demonstrate that they are compliant with all of these rules by conducting risk assessments and security gap assessments, and by showing a “roadmap” to compliance that addresses the vulnerabilities those assessments identify.
This is done by conducting security risk and gap assessments that evaluate the administrative, physical and technical safeguards defined in 45 CFR §§ 164.308, 164.310 and 164.312, following the methodology outlined in NIST SP 800-30, Guide for Conducting Risk Assessments, and NIST SP 800-66, An Introductory Guide to the HIPAA Security Rule, with findings mapped to the security controls in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. These assessments can be performed by experienced HIPAA assessment companies such as MainNerve or other third parties.
Comprehensive Risk Assessments
MainNerve’s Comprehensive Risk Assessment provides a detailed report on findings and remediation recommendations, as well as a crosswalk to compliance that links each finding to specific HIPAA standards, so clients have a clear understanding of what should be addressed for HIPAA compliance. Our Comprehensive Risk Assessments follow NIST SP 800-14, 800-30, 800-66, and specifically address all items set forth in the HIPAA standards, 45 CFR Part 164, Subpart C – Security Standards for the Protection of Electronic Protected Health Information (ePHI).
On-line HIPAA Compliance Website
MainNerve highly recommends HIPAAgps as a site for smaller companies to ensure their compliance with all HIPAA security rules. The site has training videos, access to the industry’s best HIPAA Comprehensive Risk Assessment, policy and procedure templates, and encrypted storage for sensitive HIPAA documents, ensuring that compliance will be maintained in the future.
Penetration Testing and Scanning
While penetration testing is not specifically mandated under HIPAA, it is a recommended practice, and annual penetration tests and quarterly vulnerability scans are encouraged both to demonstrate “best practice” cybersecurity principles in the event of an OCR audit and to strengthen your cybersecurity posture.