HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and has become the accepted regulatory standard for the security and privacy of patient data in the United States. In recent years the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has significantly expanded its HIPAA audit program, with an increased focus on risk assessments.

All organizations that create, receive, maintain or transmit electronic protected health information, known commonly as ePHI, must comply with HIPAA. This includes business associates: contractors and subcontractors that handle ePHI while performing services on behalf of a covered entity (a health care provider, health plan or health care clearinghouse). Protected health information is individually identifiable demographic and other information relating to the past, present or future physical or mental health or condition of an individual; ePHI is that information in electronic form.

HIPAA has three components related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule. All three are encompassed by the overarching Omnibus Rule, which took effect in 2013 and for the first time made business associates directly liable for compliance. The Omnibus Rule implements requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 as part of the economic stimulus bill.

While the move from paper to electronic records within medical and health care organizations vastly improves the patient experience, it also increases the risk to security and privacy. Breaches, whether caused by theft, unauthorized access, human error or external attacks, are rising year over year within the medical and health care industries, according to the Identity Theft Resource Center, which tracks reports of data-loss incidents.

Security Rule: This rule dictates the administrative, physical and technical safeguards necessary to secure electronic protected health information (ePHI), whether it is created, received, maintained or transmitted. Covered entities and business associates must conduct periodic risk assessments and protect against reasonably anticipated threats and unauthorized access or disclosure.

Privacy Rule: This rule establishes safeguards for protected health information in any format: oral, written or electronic. Broadly, it limits the uses and disclosures of patient information that may be made without the patient's authorization and spells out the rights patients have over their data.

Breach Notification Rule: This rule requires HIPAA-covered entities and their business associates, in the event of a breach of unsecured PHI, to notify affected individuals, the Secretary of HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

Consequences

The Office for Civil Rights (OCR), within HHS, has received more than 85,000 HIPAA-related complaints since 2003. More than 30,000 of those have warranted an investigation, and some 66 percent of the investigations resulted in corrective action being required. That number is expected to rise: a newly released electronic complaint portal is expected to nearly double the number of legitimate complaints, from around 10,000 per year to about 18,000. In 2012 OCR launched its Audit Pilot Program, with the initial round consisting of 115 audits of health care providers, health plans and health care clearinghouses, collectively meant to represent a broad sampling of the industry. Going forward, every covered entity or business associate is eligible for an audit. OCR investigations may result in penalties, which vary greatly and are determined by the date of the violation, whether the covered entity knew, or should have known, about the violation, and whether the violation was due to willful neglect.

OCR may reduce a penalty if the failure to comply was due to reasonable cause, or if the penalty would be excessive given the nature and extent of the non-compliance. A penalty will not be imposed if:

The failure to comply was not due to willful neglect and was corrected within 30 days of the date the entity knew, or should have known, of the violation.
The violation has already been punished by a criminal penalty imposed by the U.S. Department of Justice.

NetSentries provides a comprehensive portfolio that can help organizations of any size meet HIPAA requirements. We are ideally suited to support a compliance program centered on the administrative, physical and technical safeguards of HIPAA.

Plan and Prepare

Conducting a HIPAA risk assessment is the first step toward identifying and implementing the safeguards required for compliance. NetSentries helps you find the gaps between your current security posture and HIPAA requirements. The assessments are customizable and scaled separately for covered entities and business associates; they include identification of key assets and IT systems, assessment of existing controls and frameworks, and a review of third-party providers and incident response programs.

Address Gaps and Vulnerabilities

HIPAA requires covered entities and their business associates to deploy technical controls that protect sensitive ePHI at rest and in transit and that produce the evidence auditors expect. Some of the ways we can help you include:

Urgent Care Solutions Bundle

A comprehensive solution addressing both HIPAA/HITECH and PCI DSS compliance, tailored specifically for urgent care facilities and operators.

Data Loss Prevention

Allows you to discover and classify sensitive data and prevent it from leaving the network.

Secure Web Gateway

Enables safe and productive access to web applications and social media while enforcing policy, minimizing data loss and reducing malware risk.

File Integrity Monitoring

Addresses the HIPAA Security Rule integrity standard, which requires that ePHI not be improperly altered or destroyed, by detecting unauthorized changes to files and configurations.
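The core of file integrity monitoring is a cryptographic baseline of the files in scope and a later comparison against it. The following Python script is an added illustration of that mechanism, not NetSentries code or part of any product; the directory layout, file names and record contents are constructed for the example, and the function names are the author's own.

```python
"""Minimal file integrity monitor: hash a tree once, then report what changed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # following links would let an attacker redirect what gets hashed
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two scans as added, deleted or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a small record store, then tampering between two scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient_0001.json").write_text('{"mrn": "0001", "dx": "J45.20"}')
        (root / "records" / "patient_0002.json").write_text('{"mrn": "0002", "dx": "E11.9"}')
        (root / "audit.log").write_text("2024-01-01 access mrn=0001 user=nurse01\n")

        baseline = build_baseline(root)

        # Improper alteration, destruction and an unexpected new file, all of which
        # the integrity standard is meant to surface.
        (root / "records" / "patient_0001.json").write_text('{"mrn": "0001", "dx": "Z00.00"}')
        (root / "records" / "patient_0002.json").unlink()
        (root / "records" / "patient_9999.json").write_text('{"mrn": "9999"}')

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: an attacker who can rewrite the monitored files can usually rewrite a baseline kept beside them, so in practice it is stored off the monitored host or authenticated with a key the host does not hold, and the comparison report is shipped to the SIEM rather than left on the box.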

Network Access Control

Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

Web Application Firewall

Protects web applications against external attackers who exploit vulnerabilities such as SQL injection to steal patient information.
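To make concrete what a web application firewall is filtering for, here is an added example (not NetSentries code or a real application) of the SQL injection class named above. It uses an in-memory SQLite table of constructed, fictitious patient records and contrasts a patient lookup that builds its query from user input with the parameterized form that closes the hole at the source; the function and table names are the author's own.

```python
"""SQL injection against a patient lookup: string-built query beside its parameterized form."""
import sqlite3

# Constructed sample data for the example; not real records.
PATIENTS = [
    ("MRN-0001", "A. Patel", "J45.20"),
    ("MRN-0002", "B. Okafor", "E11.9"),
    ("MRN-0003", "C. Lindqvist", "I10"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> list:
    # Deliberately vulnerable: attacker-controlled text becomes part of the SQL statement.
    query = f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, mrn: str) -> list:
    # Parameterized: the value travels separately from the statement, so it is only ever data.
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def demo() -> dict:
    """Row counts returned for a legitimate MRN and for a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # the vulnerable query becomes: WHERE mrn = '' OR '1'='1'
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "MRN-0002")),
        "legit_safe": len(lookup_safe(conn, "MRN-0002")),
        "attack_vulnerable": len(lookup_vulnerable(conn, payload)),
        "attack_safe": len(lookup_safe(conn, payload)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

The tautology payload makes the string-built query return every patient, while the parameterized query returns none because no MRN literally equals the payload. A WAF blocking that pattern is a compensating control that buys time; the fix that survives an audit is parameterized queries throughout the application.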

Managed Detection & Response

Our ElastikTA Managed Detection & Response platform provides real-time detection of suspicious activity, correlates it with other contextual data and delivers actionable response guidance.

From monitoring access to sensitive data to enforcing your acceptable usage policy, MDR helps you comply with stringent regulatory requirements, no matter your industry.

Our 24×7 Security Operations Centre is staffed by top-notch security analysts equipped with advanced forensic tools and tradecraft to combat today's sophisticated attacks, which means you get enterprise-grade security no matter the size of your business.

SIEM

Helps you gain broad visibility into threats to your network and improve your compliance process through centralized logging, monitoring and analysis of security events.