Sikich Security & Compliance Navigation

Protect your patients' data and your reputation.

Information technology is a critical component of your business operations. A breach of security could cause significant damage to your organization and your customers and patients.

Furthermore, both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economical and Clinical Health (HITECH) Act require health care organizations to comply with federal standards when handling and transmitting patient data.

An effective information security program depends on both technology and operational practices. Technologies such as servers, networking components and applications require secure implementation to reduce vulnerabilities and protect sensitive information, as well as meet HIPAA and HITECH mandates for security.

Who Needs It

There are two primary components of HIPAA to understand in regard to your information security obligations. These components are commonly referred to as the Privacy Rule and the Security Rule.

These rules apply to "covered entities" (as defined by 45 C.F.R. § 160.103), which include:

  • Health plans (e.g., health insurance companies, HMOs, employer health plans, government programs)
  • Health care clearinghouses (i.e., those organizations that process health information they receive from another organization)
  • Health care providers who transmit any health information in electronic form in connection with certain financial and administrative transactions, such as electronic billing and fund transfers (e.g., doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies)

These rules also extend to independent contractors, known as "business associates," who have access to individually identifiable health information or perform certain functions and activities.

The Privacy Rule

The Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) in both paper and electronic formats. The U.S. Department of Health & Human Services (HHS) states that the Privacy Rule requires:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

The Security Rule

The Security Rule specifies what administrative, physical and technical safeguards must be in place to assure the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI or e-PHI).

Specifically, covered entities must (as defined in 45 C.F.R. § 164.306(a)):

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

HITECH

The HITECH Act extends HIPAA's privacy and security requirements to business associates and augments notification requirements when PHI is breached or disclosed.

  • For breaches that affect 500 or more individuals, organizations must notify affected individuals, the HHS and the media.
  • For breaches that affect less than 500 individuals, organizations must notify the HHS annually.

What We Do

To demonstrate compliance with HIPAA and HITECH, Sikich works with your team to:

  • Facilitate a risk assessment identifying the impact of potential risks and implemented countermeasures,
  • Perform a specialized IT audit that benchmarks your organization against the HIPAA/HITECH requirements to identify any gaps with your current compliance,
  • Provide remediation guidance to help you meet your privacy and security obligations, and
  • Create a breach notification plan to establish proper procedures and reporting requirements in the event of a data breach.

Our assessment covers the following areas:

Administrative Safeguards

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation of Requirements
  • Business Associate Contracts and Other Arrangements

Physical Safeguards

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical Safeguards

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Person or Entity Authentication
  • Transmission Security

Policies, Procedures and Documentation Requirements

  • Written Security Policies and Procedures
  • Written Records of Required Actions, Activities or Assessments
  • Review and Updates

At the conclusion of the assessment, we will provide a final report that outlines the HIPAA/HITECH requirements and your compliance with the specific requirements applicable to your organization.

Blog Post: A Hacker's Bucket List

As technologists and security enthusiasts, part of the "fun" we have at work is tossing around attack scenarios and challenging each other with situational risk. This time it started out with:

"If I steal credit card track data, I can make HUGE purchases (and perhaps return for cash).

"If I steal PIN data, I can get cash directly.

"If I steal health-related data in bulk from a doctor's office, the most profitable thing I can do with it is..."

While my inbox had dozens of responses, some of my favorites included:

  • Sell the data to marketing or pharmaceutical companies for targeted marketing.
  • With prescription information records, find out where the patient gets their meds called in, show up at the pharmacy acting as the patient, and purchase the meds to sell on the black market (or simply sell the data there).
  • Blackmail or extort the patient if they have some medical condition or history that's potentially embarrassing or detrimental to their life (e.g., injury sustained while driving intoxicated, treatment for STD, etc.).
  • Post it to Pastebin for the lulz.
  • Create fake identities with the information to sell to illegal immigrants.

Read more »

Meet your HIPAA/HITECH security requirements.

All it takes is your name and phone number or email address to learn more about our services and expertise. If you'd like, you'll also be able to send additional details after you submit your information here.