Home Compliance StandardsHIPAA / Healthcare Industry What to Look for in HIPAA Consulting Partners
HIPAA / Healthcare Industry

What to Look for in HIPAA Consulting Partners

by RSI Security
written by RSI Security
it

When comparing HIPAA compliance service providers, there are four key factors to target:

  • Their approach to access control, which is critical for HIPAA Privacy Rule compliance
  • Their capacity for risk assessment and management for the HIPAA Security Rule
  • Their visibility and communications infrastructure for HIPAA Breach Notifications
  • Their ability to help you meet all your regulatory compliance needs efficiently

 

Factor #1: Visibility and Access Control for Privacy

The most foundational part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the Privacy Rule. It defines HIPAA’s overall scope, beginning with what needs to be protected and who needs to protect it. Namely, protected health information (PHI) includes data on or containing patients’ health conditions, treatment, and payment records. Covered entities are organizations both within and adjacent to healthcare—and their business associates.

The prescriptive portions of the Privacy Rule require organizations to make PHI available to patients upon request. All other uses and disclosures should be prevented, except for:

  • Disclosures to the individual identified in/on the PHI (or their representatives)
  • Uses in the service of healthcare treatment, payment, or operations goals
  • Uses or disclosures the subject had a chance to agree or object to
  • Uses or disclosures incidental to other authorized ones
  • Uses in the service of public interests or public benefit activities
  • Uses of limited data sets in the service of medical or other research

Further, all of these Permitted Uses and Disclosures need to be limited to the minimum extent possible. The best HIPAA compliance service providers will help you install access and visibility infrastructure to control access to PHI while also making it available to patients when needed.

 

Factor #2: Risk Assessment and Mitigation for Security

Effective HIPAA compliance support also needs to account for the requirements of the Security Rule, which extends coverage to electronic PHI (ePHI) and establishes proactive risk mitigation.

The Security Rule requires implementing proactive risk assessment to identify and manage all threats to PHI. It also requires implementing three classes of safeguards to mitigate these risks:

  • Administrative safeguards – 
      • Security Management Processes
      • Security Personnel
      • Information Access Management
      • Workforce Training and Management
      • Evaluation
  • Physical safeguards – 
      • Facility Access and Control
      • Workstation and Device Security
  • Technical safeguards – 
    • Access Controls
    • Audit Controls
    • Integrity Controls
    • Transmission Security

Unlike other regulatory frameworks, HIPAA is vague. There is little technical specification or guidance in terms of how organizations need to meet these requirements. This is by design, as the HHS wants covered entities to have flexibility in their approaches to protecting PHI. But the ambiguity can also make the work of protecting PHI hard to navigate without adequate support.

When comparing HIPAA advisors, consider your existing infrastructure and how much guidance you’ll need to craft and implement controls to address the HIPAA Security Rule requirements.

 

Request a Consultation

 

Factor #3: Communications Support for Breach Notification

The other prescriptive rule in HIPAA is the Breach Notification Rule, which requires covered entities to provide three distinct kinds of notice when a breach occurs (see below). The rule also defines a data breach as any instance in which identifiable PHI is leaked—or Privacy or Security Rule protections have been broken to such an extent that a breach could have occurred.

If a breach happens, the three kinds of notice that covered entities are responsible for are:

  • Individual Notice – Information about the breach must be provided to all individuals impacted by it within 60 days of discovery. If contact information for at least 10 people is not available, this information must be posted to the covered entity’s homepage for at least 90 days, along with a toll-free number individuals can call for further guidance.
  • Secretary Notice – All breaches must be reported to the Secretary of the HHS. If the breach impacts 500 or more individuals, it must be reported within 60 days of discovery, but breaches impacting fewer than 500 individuals may be reported to the HHS annually.
  • Media Notice – Breaches that impact 500 or more individuals within a given state or other jurisdiction also need to be reported to local media outlets servicing the location.

Organizations seeking HIPAA compliance support should not overlook this oft-forgotten part of HIPAA. It can be easy to assume that sound security will prevent all breaches from happening, but even the best-defended systems can experience attacks or leaks. You need to be ready to identify and stop a breach when it happens—and report on it according to HIPAA’s guidelines.

Seek out a partner who will help you with the required communications infrastructure.

PII

Factor #4: Coverage for All Your Other Compliance Needs

Finally, you should consider a compliance advisor who can help you meet other needs beyond HIPAA compliance comprehensively and efficiently. Many organizations subject to HIPAA are also subject to regulations in other industries or local data privacy laws, with requirements that overlap with HIPAA. Meeting all their needs while minimizing control overlap and redundancy is a challenge. But it’s one that the ideal HIPAA advisor can help solve—ideally through HITRUST.

The HITRUST CSF is a comprehensive cybersecurity framework designed to streamline your controls for HIPAA and several other regulations into one implementation. Covered regulations include PCI DSS, NIST, GDPR, and many more. A single HITRUST assessment can empower compliance across all of these regulations, maximizing cyberdefense while minimizing spend.

For this reason, you should consider a HITRUST certified CSF practitioner for HIPAA support.

 

Find the HIPAA Compliance Support You Need

If your organization is currently working within or adjacent to healthcare, or considering expanding into the field, you’ll need to dedicate resources to maintaining HIPAA compliance.

The best and most efficient way to protect PHI and prevent costly HIPAA Enforcement is to work with a quality HIPAA advisor. The ideal consulting partner will help you establish visibility and access controls, risk assessment and management infrastructure, and communication channels for HIPAA’s prescriptive rules. And they’ll streamline compliance across other regulations, too.

At RSI Security, we’re committed to helping organizations meet all their compliance needs efficiently. We know that the right way is the only way to keep sensitive data secure, and we’ll help you enjoy greater freedom and flexibility through disciplined security implementation.

To learn more about our HIPAA consulting services, contact RSI Security today!

 

Request a Free Consultation

 

Download FREE HIPAA Compliance Checklist
0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What are the top 5 Components of the...

March 29, 2023

Does HITECH Affect HIPAA?

August 22, 2019

HIPAA Guidelines For Employees

November 26, 2019

How to Meet the HIPAA Guidelines for Healthcare...

August 8, 2023

HITRUST vs. HIPAA: What’s the Difference?

July 3, 2019

The Do’s and Don’ts of Preparing for HIPAA

August 29, 2018

Achieving HIPAA Compliance

July 24, 2018

How to Conduct a HIPAA Data Breach Analysis

October 5, 2021

Top Healthcare Internal Data Security Challenges

July 28, 2021

Your Guide to HIPAA Breach Determination and Risk...

April 5, 2023

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More