What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act, which is a set of regulations concerning the management of medical information, including privacy and security. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by United States Congress to improve health care in country by mandating standards-based security controls.

HIPAA requires that any company handling healthcare data, from hospitals to insurance companies, pharmacies must comply with HIPAA security standards when transmitting and storing electronically protected health information (ePHI).

Major rule changes that affect healthcare businesses, known as covered entities and business associated across the health care industry:

HIPAA Privacy Rule

Are we working with an accepted framework, is it COBIT, COSO, or a mix of both?

HIPAA Security Rule

The HIPAA Security Rule sets guidelines for the integrity and security of PHI and ePHI. The Security Rule applies to both covered entities and business associates, especially when data is in transit between two contracted organizations.

Omnibus Rule

The HIPAA Omnibus Rule made it mandatory for business associates to be HIPAA compliant, whereas only covered entities needed to be prior. The HIPAA Omnibus Rule also sets standards for Business Associate Agreements (BAAs), which must be executed between organizations sharing PHI before any information is transferred, handled, or maintained.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule sets standards for the process that must be followed by entities and business associates in an event of a breach. Minor Breaches (impacting less than 500 people) must be reported to HHS within 60 days of the end of the calendar year in which it happened. Meaningful Breaches (impacting more than 500 people) must be reported to HHS within 60 days of the discovery of the breach. Depending on the scope of breach, patients, local law enforcement and news media must also be informed or contacted

Why Is HIPAA Compliance Important?

Compliance with HIPAA standards are required for all healthcare organizations and businesses due to the sensitive nature of information handled by them. Any cyber incident or attack on a health-related business can result in lost or stolen data that has broad ramifications on personal information, health, safety and financial security of individuals. Failing to conform with HIPAA standards can result in severe consequences for healthcare businesses, including:

Reputation Consequences

The second it’s exposed that an organization is a victim of cyber-attack that resulted in infiltration of its and its customer information, that company’s reputation decreases. In case of healthcare businesses, such reputational damage can negatively impact future business and lose the trust of patients and partners because of the sensitivity of the information they carry.

Legal Penalties

Since HIPAA compliance is a federal requirement for all healthcare businesses operating in and from United States, failure to comply with HIPAA requirements can result in severe fines from state and federal authorities. These fines increase if a breach occurs as a result of HIPAA non-compliance. Patients may even sue the organizations because of their negligence.

Financial losses

Amongst the reputational and legal damage done to a healthcare organization due to HIPAA non-compliance, financial damages can be steep. Often, because of damages incurred to brand reputation and expenses occurred in legal matters are enough to bankrupt entire healthcare enterprises.

How do I get HIPAA Compliant?

Since there are no precise standards or independent audit frameworks, HIPAA requirements are basically a self-certification that your organization have confidence in that are met. The best way to accomplish this is by instituting a data and cyber security approach that strives to secure your overall IT landscape, rather than focusing on HIPAA regulations alone, which just require PHI or ePHI to be secure. To address both security and compliance, a solution should include the following: A Comprehensive Risk Management Program – Risk assessment and management are at the heart of the HIPAA security rule and an annual requirement. Without properly identifying the risks associated with how your organization handles PHI, you will not be able to justify the security controls program you implement to protect it. Having a documented risk assessment and using that to develop your security controls program is the fundamental building block of a HIPAA compliance program.

Develop Security Policies

Develop and document policies and procedures corresponding to HIPAA regulatory standard. Distribute these policies and procedures to your staff to level that what is acceptable and what is not, what is required and who is responsible for what.

Robust Access Management

Who has access to what systems and information? Access Management is the first step in securing and conforming your IT Landscape for any compliance. Your IT systems must appropriately establish access privileges with respect to your defined policies.

Business Associate Management

You must document all vendors with whom you share PHI and execute Business Associate Agreements to ensure PHI is processed securely and mitigate liability. BA Agreements must be reviewed annually to account for changes to the nature of your relationships with your vendors

Comprehensive Security Controls

Your IT landscape must include additional data security controls which must include, but shouldn’t be limited to, encryption of data, the authentication of data received and the continuous monitoring of your IT systems for vulnerabilities and breaches.

How CyberGen can assist you with your HIPAA requirements?

HIPAA compliance requires a diverse set of protective measures, which in turn requires deployment of several IT and cybersecurity solutions. To understand all the regulations your organization must meet, outline each part of the HIPAA regulation and create a plan to address each requirement. We at CyberGen utilize our team’s in-depth knowledge of regulations, frameworks, and methodologies to help you comply with existing guidelines and identify where any cybersecurity gaps may exist and how effectively these can be addressed. CyberGen consultants have extensive experience in evaluating organizational processes and respective procedures to help ensure your business is compliant with adequate and effective controls in place. We deliver data security and privacy solutions to a variety of businesses in healthcare vertical. Some of our healthcare compliance consulting services include:

Readiness Reviews

CyberGen Consultants will accurately define and develop a scope to minimize delays and eradicate blind spots in your environment and processes to help you establish an efficient compliance program for PCI DSS.

Critical Asset Security Assessment

CyberGen initiate an evaluation that includes an in-depth review and analysis of policies, procedures and documentation, interviews with staff, and testing existing processes and controls. This includes vulnerability analysis and penetration testing of critical assets such as healthcare applications, database servers, and more.

Risk Assessments

CyberGen perform an accurate, thorough assessment of compliance with HIPAA/HITECH regulations by comparing potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information.

Policies and Procedures Update

We assist you in adding to or upgrading your HIPAA/HITECH policies and procedures based on findings from our readiness review or compliance assessment. Our experienced consultants can also assist in developing and implementing these policies and procedures

Perimeter Security Assessment &

The HIPAA Security Rule requires you to safeguard Electronic Personal Health Information (ePHI). This service identifies vulnerable systems and networks, along with remediation measures to protect these from malware and potential hackers

Web Application Security Assessment

The WASA includes credentialed and non-credentialed vulnerability assessment and penetration testing to validate security measures that protect web applications against hackers, malware, privilege escalation, and account hijacking.

CyberGen’s expertise in GRC space help businesses