HIPAA Compliance

Assuring Protection of ePHI

Achieve Full HIPAA Compliance

BARR Advisory helps covered entities and business associates safeguard electronic protected health information (ePHI) to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). If your organization is in the healthcare space, then we can help you with ePHI scope discovery, reduction, and security. By going beyond the compliance checklist, we help secure environments, reduce risk and drive business efficiency.

An attestation can take several forms, such as an examination or a compliance attestation engagement. The resulting reports can provide a competitive differentiator for those responsible for compliance with the HIPAA/HITECH security, privacy, and breach notification rules.

Why BARR for HIPAA Compliance

  • From day one, BARR healthcare assessors provide a collaborative, hands-on approach tailored to your company’s unique needs
  • Trusted advisor to some of the fastest-growing cloud service providers (IaaS, PaaS, SaaS) in the country
  • Serving the most regulated industries, including technology, financial services, healthcare, and government
  • BARR provides an easy-to-use project management tool that integrates seamlessly into your infrastructure
  • Competitive, fixed rates to accommodate growing enterprises
  • We put you and your business first, providing unparalleled communication and accessibility at all times

HIPAA Frequently Asked Questions

HIPAA was first signed into law in the U.S. in 1996 to establish policies and procedures for maintaining the security and privacy of individually identifiable health information, also known as Protected Health Information (PHI). The law not only defines standards but also outlines offenses and creates civil and criminal penalties for violations.

In 2005, the U.S. Department of Health and Human Services (HHS) formally implemented the HIPAA Security Rule to ensure the standard included regulations for protecting patients’ electronic PHI (ePHI) and preventing it from being disclosed without the patient’s consent.

The HIPAA Security Rule establishes legal standards for the protection of electronic protected health information (ePHI). The rule mandates, or recommends as best practice, a number of controls related to risk analysis and risk management, access authorization, password management, disaster recovery, facility access, encryption, and more.

Protected Health Information (PHI) includes individually identifiable health information that could be tied back to a specific patient. For example, an individual’s name in itself is not PHI, but their name associated with their diagnosis does fall under that umbrella. When PHI data is stored electronically, it’s known as ePHI.

A HIPAA compliance consultant can help ensure your organization properly safeguards PHI and ePHI in accordance with regulatory requirements. Contact us today to learn more.

Organizations that process, store, or otherwise interact with protected health information (PHI) and ePHI must comply with HIPAA and the HIPAA Security Rule. These include “covered entities” such as:

  • Healthcare providers and other health services organizations that transmit PHI to perform transactions like claims, determine benefit eligibility, and field referral authorization requests;
  • Health plans, such as insurance providers and other organizations that help individuals and groups pay for healthcare services; and,
  • Healthcare clearinghouses, or organizations that process other entities’ healthcare transactions for tasks like claims processing, billings, and data management.

HIPAA and the HIPAA Security Rule also apply to “business associates” of these covered entities who use or disclose individually identifiable health data to perform or provide services.

If you’re not sure whether your business is required to comply with HIPAA, contact us to get in touch with a HIPAA consultant who can help.

According to HHS, the goal of the HIPAA Security Rule is to protect electronic protected health information (ePHI) through administrative, physical, and technical safeguards:

  • Administrative: This includes controls related to risk analysis and risk management, termination procedures, access authorization, password management, data backup plans, and disaster recovery plans.
  • Physical: This includes controls related to facility access, workstation use and security, and device and media controls such as data backup and storage.
  • Technical: This includes controls related to unique user identification, emergency access procedures, encryption, and decryption.

While not all of these controls are required for every organization, each is designed to ensure the confidentiality, integrity, and availability of all ePHI that an organization interacts with, and to protect against reasonably anticipated threats and unauthorized disclosures of ePHI. Our HIPAA compliance services can help ensure your controls align with HIPAA requirements.

There is no formal certification available or required to prove HIPAA compliance. However, there are other HIPAA compliance solutions for organizations that want to assure customers that they adhere to the strict security standards outlined by HIPAA. These include:

  • Report on HIPAA Compliance: BARR’s attest services team can assess your cybersecurity program against HIPAA requirements and provide a formal report on their conclusions.
  • SOC 2 + HIPAA Security Rule: Many common trust services criteria (TSC) used in SOC 2 reporting align with HIPAA Security Rule requirements. For organizations also interested in pursuing a SOC 2 report, BARR’s attest services team can assess whether controls related to access management, risk management, and asset management are designed to meet HIPAA regulations.

BARR also offers a number of HIPAA consulting services, including readiness assessments to help your organization prepare for a SOC 2 report or Report on HIPAA Compliance. Learn more about BARR’s HIPAA compliance consulting services.

The Federal Trade Commission (FTC) cautions against adding a HIPAA seal or badge to your website and social media, and warns against using terms like “HIPAA compliant” and “HIPAA secure” in marketing materials, because it can be misleading to customers. If you claim to be HIPAA compliant and your organization is later found to be out of compliance—or worse, experiences a breach—you could open the door for litigation or enforcement actions, including hefty fines, from the FTC.

While there is no formal HIPAA certification, there are ways to assure customers and stakeholders of your commitment to HIPAA compliance and data privacy. For instance, your organization can work with a third-party auditing firm like BARR to assess its compliance with HIPAA data security requirements, either as a standalone assessment or as part of a SOC 2 audit that includes a review of the organization’s compliance with the HIPAA Security Rule. Afterward, you may state publicly that your organization has undergone an audit with an independent auditor to assess its compliance with HIPAA, as part of a larger effort to demonstrate your commitment to securing patient health information.

No. The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that defines standards for protecting patients’ protected health information (PHI) and outlines penalties for noncompliance. Created by the Health Information Trust Alliance (HITRUST), the HITRUST Common Security Framework (CSF) is a voluntary, threat-adaptive, and globally recognized framework designed to help organizations demonstrate their commitment to data security. While not exclusive to healthcare organizations, HITRUST assessments help ensure compliance with HIPAA by reviewing HIPAA requirements, as well as additional security controls essential for modern risk management.

For organizations interested in pursuing HITRUST certification, there are three assessment options—the e1, i1, and r2 Assessments—that provide varying levels of assurance. BARR’s experts can help you determine which is the right fit for your organization. Contact us today for a free consultation.

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.