HIPAA Security Compliance
As a Health Insurance Portability and Accountability Act (HIPAA) compliant business associate, we have extensive knowledge and experience to help you safeguard PHI while fulfilling the security rule requirements under HIPAA.
We can give you peace of mind that your patients’ data is safe and your business meets current HIPAA compliance regulations for data protection and integrity.
Coastal Networks HIPAA Compliance Services
- Security Monitoring
- Network Security Consulting
- Management Plans
- Business Associate Agreements
- External Vulnerability Scans
- User Login Auditing Reports
- Policy and Procedures
- Data/Email Encryption
- Security Awareness Training
- Hard Drive Destruction
HIPAA Security Risk Assessment
The HIPAA Security Rule requires that covered entities conduct a Risk Assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards.
Many dental offices have not completed such an assessment. While enforcement of these requirements may have been slow to take shape, the Office for Civil Rights (OCR) is now aggressively pursuing HIPAA violations, and the penalties are steep. In addition, phase two audits are now underway.
You may conduct the risk assessment yourself using the free Health and Human Services Security Risk Assessment Tool, or see how we can help.
How can we help?
Compliance with the HIPAA security rule may seem overwhelming. However, we are here to help simplify the process of acquiring and maintaining regulatory compliance.
Coastal Networks performs HIPAA Risk Assessments in accordance with the Security Rule administrative safeguards at 45 CFR §164.308(a)(1) and incorporates the provisions of the HIPAA Security Rule.
Coastal Networks' HIPAA Risk Assessment is a technical and non-technical review to identify threats and vulnerabilities relevant to your organization. Our HIPAA Risk Assessment report includes tailored recommendations to ensure the confidentiality, integrity and availability of your protected health information (PHI).
When working with Coastal Networks, you will be able to maintain regulatory compliance while strengthening overall security and lowering the risk of a PHI breach.
Coastal Networks' HIPAA Risk Assessment Process
- Step 1: Conduct Risk Analysis
A comprehensive on-site Risk Analysis will be conducted that involves identifying risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in your office. The risk analysis will be performed following industry best-practice standards as described by HHS, NIST, ISACA, HIMSS and AHIMA, covering administrative, physical and technical safeguards. The Risk Assessment will include a risk score for measurement along with executive summaries and detailed reporting.
- Step 2: Risk Management Plan
Based on the Risk Assessment, the risk management plan includes the implementation of security measures that reduce risk to reasonable and appropriate levels and protect against any reasonably anticipated threats, hazards, or disclosures of ePHI. The purpose of a Risk Management Plan is to provide structure for the evaluation, prioritization, and implementation of risk-reducing measures and controls. Risk prioritization and mitigation decisions are made by determining which controls and measures should be implemented and the order in which they should be addressed, based on their risk score.
- Step 3: Implementation
The implementation component of the risk management plan may vary based on the circumstances. Compliance with the Security Rule requires financial resources, management commitment, and workforce involvement. Cost is one of the factors we must consider when determining measures and controls to fix an issue. However, cost alone is not a valid reason for choosing not to implement security measures that are reasonable and appropriate.
- Step 4: Monitoring
The final step in the risk management process is to continue evaluating and monitoring the risk mitigation measures implemented. Risk analysis and risk management are not one-time activities; they are dynamic processes that must be periodically reviewed and updated. Our 24/7 monitoring and risk analysis will be performed on a regular basis to identify and prioritize new risks to ePHI.
HIPAA Rules and Enforcement
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology associated with the electronic transmission of health information, and to strengthen the civil and criminal enforcement of the HIPAA rules.
The complete suite of HIPAA Administrative Simplification Regulations can be found in 45 CFR Parts 160, 162, and 164.
HIPAA Security Standards
Business Associate Agreements
Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines.
Effective Feb. 18, 2010, in accordance with the HITECH Act of 2009, a business associate's disclosure, handling, and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates.
Under the HITECH Act, any HIPAA business associate that serves a health care provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services and can be held accountable for a data breach and penalized for noncompliance.
Dental Business Associate Agreement Links: