Fredericksburg's Best HIPAA Compliance Company
Fredericksburg Technology helps your business maintain compliance with HIPAA laws, which can be daunting and confusing. We bring years of expertise in complying with HIPAA so you can focus more on your business and not worry so much about these issues. We’ll work together with you to ensure that you know what is required from you and how to handle/avoid any vulnerabilities. This is why we’re Fredericksburg’s Best HIPAA Compliance Company.
Fredericksburg Technology has over 10 years of experience providing IT services to small and medium-sized businesses. Our managed services and on-site engagements include NIST and HIPAA compliance in partnership with companies like Dell, HP, Cisco, Fortinet and Microsoft. We can also manage our clients’ IT infrastructure remotely and provide helpdesk services. Contact Fredericksburg’s Best HIPAA Compliance Company today for an assessment of your compliance requirements.
As Fredericksburg’s Best HIPAA Compliance Company, we can assess the application of security controls in information systems, typically for the purpose of developing and implementing procedures for correcting observed deficiencies in those controls. Configuration management responsibilities of Fredericksburg Technology include the establishment of baseline configurations for information systems. We also perform inventories for those systems, including documentation, hardware, software and firmware.
Fredericksburg Technology can establish the capability for responding to operational incidents, including documenting, tracking and reporting those incidents to the appropriate authorities. The identification and correction of system vulnerabilities can also help protect those systems from malicious code.
Fredericksburg Technology helps clients create and retain audit records for information systems, which facilitate the reporting of illegal or unauthorized activity on those systems. We can also ensure that this activity is traced back to individual users so they can be held accountable for their actions. Fredericksburg Technology can provide training on current security requirements, including the identification of system vulnerabilities and methods of mitigating their risk.
Clients must assess the security controls in their information systems periodically to determine their effectiveness. They also need to develop and implement plans to correct deficiencies in those controls. The configuration management responsibilities of clients primarily include informing Fredericksburg Technology when their baseline configurations and inventories change.
Clients should establish capabilities for handling operational incidents, including the documentation, tracking and reporting of those incidents. They also need to provide physical protection for their information systems, which generally involves limiting physical access to those systems and their operating environments to authorized individuals.
The audit and accountability responsibilities of the client primarily include periodic reviews of the audit records to ensure the activities on their information systems are lawful, authorized and appropriate. Clients must ensure they can trace those actions back to individual users and hold them accountable for their actions. Clients must also train the users of their information systems on the security risks of those systems.
FREQUENTLY ASKED QUESTIONS
The Health Insurance Portability and Accountability Act was originally signed into law to “improve the portability and accountability of health insurance coverage” for employees between jobs. The Privacy and Security Rules were signed into law shortly after to protect “any information held by a covered entity which concerns health status, the provision of healthcare, or payment that can be linked to an individual”. Other aims of HIPAA were to tackle waste, fraud, and abuse of health insurance and healthcare provision.
Due to a number of high-profile scandals, the public is becoming more and more aware of its rights to protection of privacy and data. The eventual consequences of data breaches to the public can in some cases be catastrophic. As such, support for more stringent legislation has dramatically increased, which is why we have HIPAA and others like SOX, GDPR, SHIELD and CCPA. The age of technology has made it all too easy to share and discover information, so not only can data be found, it can also be lost and circulated faster than ever before.
In short: no. HIPAA applies to healthcare organizations within the US, and the data they hold is governed by the requirements placed on the organization. Even if the people are not US citizens, if they are in a US healthcare system they are also protected. Conversely, US citizens outside the US who are part of a non-US healthcare organization are not covered by HIPAA.
Protected Health Information (or PHI) is any “individually identifiable health information” held or transmitted by a covered entity or business associate. This can be in any form: electronic, paper or even oral. It is information that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to the individual, or payments relating to the healthcare of the individual.
HIPAA lists a number of common “identifiers” to make things a bit simpler:
- Geographic info
- Telephone numbers
- Fax numbers
- Vehicle identifiers and serial numbers
- Device identifiers
- Social security numbers
- IP addresses
- Medical record numbers
- Biometric identifiers (including fingerprints/voice prints)
- Health Plan beneficiary numbers
- Full face photographs
- Account numbers
- Any other unique identifying number, characteristic or code
- Certificate/license numbers
A breach under HIPAA means the acquisition, access, use, or disclosure of PHI in a manner not complying with HIPAA, which compromises the security or privacy of the PHI. This is an extremely broad definition that might make you feel as though even smelling data could land you in trouble. Some examples of HIPAA breaches include: failing to give patients access to their PHI, unprotected storage of PHI (which can lead to laptops or USB sticks being stolen with unsecured PHI*), not logging off a computer or computer system that holds PHI, violation of the “minimum necessary requirement”, and PHI in an email sent over the internet.
*Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology.
To narrow the scope a bit, HIPAA has specified what’s NOT a breach by listing the three exceptions:
- If an unintentional breach (acquisition, access, or use only) of PHI was made in good faith and within scope of authority and does not result in further use or disclosure.
- Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, where the information received as a result of such disclosure is not further used or disclosed.
- A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
The only other exemption from a breach is if it can be demonstrated that there is a low probability that the PHI has been compromised, based on a risk assessment that considers four factors: the likelihood of re-identification and the types of identifiers involved, the unauthorized person to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
Following a breach, covered entities and business associates must provide notification of the breach to HHS (the U.S. Department of Health & Human Services), the individuals affected and, in some cases, the media. Notifications must be made without unreasonable delay and no later than 60 days following the discovery of the violation.
The penalties for a breach under HIPAA vary depending on the circumstances of the leak and the volume of violations. For unknowingly violating HIPAA the penalty is $100 per violation, but in extreme cases, where covered entities and individuals violate HIPAA under false pretenses, the fine is $100,000 (up to $1.5 MILLION for repeat violations) and up to 10 years in prison.
Fines are issued by the Office for Civil Rights (OCR).
Where is the data being stored, received, maintained or transmitted? Who has access to it? Is it controlled? These questions might seem obvious, but data is the biggest risk to your compliance. Organizations need to be very clear about where, why, and how PHI is stored, who has access, and what exactly happens to this data. It’s important to keep an audit trail of all activity around the records to be able to prove your compliance. It is also worth identifying and addressing potential threats to your PHI. Become proactive rather than reactive in addressing those vulnerabilities. Consider your network security, training members of staff, and reducing internal access points to PHI.