Learn About HIPAA Compliance

The Health Insurance Portability and Accountability Act, or HIPAA, was signed into law in 1996 to make it easier for people to keep health insurance, protect the confidentiality and security of Protected Health Information (PHI) and electronic Protected Health Information (ePHI), and help the health care industry control administrative costs.

The law has four rules that affect any health care provider or other entity that uses, stores or transmits PHI or ePHI in the course of its business:

The Privacy Rule establishes national standards for safeguarding PHI by defining what it is and limiting the use and disclosure of an individual's health information.
The Security Rule establishes national standards to protect ePHI that is created, received, used or maintained, and requires that the confidentiality, integrity and availability of ePHI be preserved.
The Breach Notification Rule establishes requirements for notifying affected individuals (and HHS, and in some cases the media) when a breach of unsecured PHI has occurred.
The Enforcement Rule, strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which was enacted to promote the adoption and meaningful use of health information technology, allows the Health and Human Services Office for Civil Rights to impose civil monetary penalties on organizations that fail to safeguard PHI correctly. HITECH defined four tiers of violations reflecting increasing levels of culpability, with an annual cap of $1.5M for all violations of an identical provision.

Companies must demonstrate compliance with all of these rules by conducting risk assessments and security gap assessments (the Security Rule itself requires an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A)) and by producing a documented "roadmap" to compliance that addresses the vulnerabilities identified.

In Simple Terms: What Does This Mean?
If your company can be identified as a Covered Entity (CE) or Business Associate (BA) and creates, stores or transmits PHI or ePHI, you are required to comply with HIPAA/HITECH and are subject to audits and enforcement action by the HHS Office for Civil Rights (OCR). Non-compliance with HIPAA/HITECH can lead to significant fines and to clawback of "meaningful use" incentive payments.
How Do I Become Compliant?

By conducting security risk and gap assessments against the administrative, physical and technical safeguards defined in 45 CFR §§ 164.308, 164.310 and 164.312, following the methodology in NIST SP 800-30 (Guide for Conducting Risk Assessments) and NIST SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule), and mapping the findings to the security controls in NIST SP 800-53 (Recommended Security Controls for Federal Information Systems). These assessments can be performed by experienced HIPAA assessment companies such as MainNerve or by other third parties.

Let Us Help: Applicable Services
Comprehensive Risk Assessments

MainNerve’s Comprehensive Risk Assessment provides a detailed report on findings and remediation recommendations, as well as a crosswalk to compliance that links each finding to specific HIPAA standards, so clients have a clear understanding of what should be addressed for HIPAA compliance. Our Comprehensive Risk Assessments follow NIST SP 800-14, 800-30, 800-66, and specifically address all items set forth in the HIPAA standards, 45 CFR Part 164, Subpart C – Security Standards for the Protection of Electronic Protected Health Information (ePHI).

Penetration Testing and Scanning

While penetration testing is not specifically mandated under HIPAA, it is a recommended practice, and it supports the periodic technical evaluation the Security Rule does require (45 CFR § 164.308(a)(8)). Annual penetration tests and quarterly vulnerability scans are encouraged both to strengthen your cybersecurity posture and to demonstrate "best practice" cybersecurity principles in the event of an OCR audit.