The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare institutions to implement appropriate safeguards to protect electronic Protected Health Information (ePHI) from “reasonably anticipated threats and hazards”. The Health Information for Economic and Clinical Health Act (HITECH) is a part of the American Recovery and Reinvestment Act of 2009 (ARRA) and contains specific incentives to help accelerate the adoption of Electronic Health Record (EHR) systems among providers. The HITECH Act also increases the scope of privacy and security protections under HIPAA, increases potential legal liability for compliance failures, and provides for more enforcement.
Who must comply with HIPAA?
Any healthcare provider, health care clearinghouse or health plan (such as an insurance company) must comply with HIPAA.
- Healthcare Provider – A provider who transmits any health information in electronic form in connection with a transaction covered by part 160.
- Healthcare Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that processes or facilitates the processing of health information, or that receives a standard transaction from another entity and processes or facilitates the processing of that health information into nonstandard format or nonstandard data content for the receiving entity.
- Health Plan – An individual or group plan that provides or pays the cost of medical care.
The following three subsections provide a high-level overview of Netragard’s HIPAA / HITECH auditing services. Our services are focused on quality, effectiveness, efficiency, and coverage.
Review Policies & Controls
Netragard performs a detailed review of all policies, procedures and controls for the purposes of ensuring that they are sufficiently robust and in compliance with HIPAA requirements. Any deficiencies that are identified are documented in a technically detailed report and accompanied by effective, efficient, and clear methods for remediation.
Internal & External Penetration Test
Netragard uses its research-driven Penetration Testing services to satisfy HIPAA’s risk assessment requirements and to identify policy and procedural gaps. Any deficiencies that are identified are documented in a technically detailed report and accompanied by effective, efficient, and clear methods for remediation.
Physical Penetration Test
Netragard uses its Physical Penetration Testing methodology to satisfy HIPAA’s physical security requirements. This methodology can be delivered with varying levels of threat and intensity depending on the client’s needs. Any deficiencies that are identified are documented in a technically detailed report and accompanied by effective, efficient, and clear methods for remediation.
Detailed Technical Report
At the conclusion of services Netragard provides a detailed technical report to its customers. The report contains three primary sections: an executive summary containing a four-quadrant chart, a technical overview section, and detailed technical findings. All findings are accompanied by methods for remediation that are as effective, efficient, and cost-effective as possible.