Your Data, Our Priority: HIPAA HITECH Compliance Experts
As technology pushes innovation and growth in the healthcare industry, securing the handling of sensitive data by covered entities is crucial to the success of healthcare organizations. HITECH promotes the adoption of electronic health records (EHRs) to improve efficiency and lower healthcare costs, expands on required concepts for information security, and defines breach violation notification and enforcement actions.
HIPAA v HITECH
HIPAA and HITECH differ only marginally: both aim to protect ePHI and work in tandem to ensure enforced compliance. The largest difference between the two acts is that HITECH allows patients to request and obtain access reports explaining who had access to their ePHI and under what authority.
Covered Entities must adhere to both acts to remain in compliance – but HITECH strengthened HIPAA's standing by providing the authority to enforce HIPAA non-compliance.
What Elevate Can Do For Your Organization
Our IT Compliance and IT Security expertise assists you in determining whether your entity meets the HIPAA HITECH requirements, and we perform various mandatory services such as:
- Gap Analysis
- HIPAA Security, Breach, and Privacy Rule Training
- HIPAA Risk Analysis (see below)
- Penetration & Intrusion Testing
HIPAA Risk Analysis
Elevate has conducted many Risk Analyses (also known as Risk Assessments) to assess information security risks and ensure HIPAA Security Rule compliance.
We follow the guidance document published by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled "Guidance on Risk Analysis Requirements under the HIPAA Security Rule", as it describes the nine (9) essential elements that a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. The analysis must also correlate with all applicable State/Federal security rules and regulations, such as the requirements of the HIPAA Security Risk Analysis as defined in the HIPAA Security Final Rule 45 CFR 164.308(a)(1)(ii)(A).
Additionally, the HIPAA Risk Analysis is conducted in accordance with the NIST 800-30 standard recommended by the OCR and the overall guidance of NIST 800-66 Rev 1, Implementation of the HIPAA Security Rule.
The 9 elements for the risk analysis include:
- Scope of the Analysis – all ePHI that the organization creates, receives, maintains, or transmits must be included in the risk analysis
- Data Collection – methods for collecting information on assets that hold ePHI
- Identify and Document Potential Threats and Vulnerabilities – develop a critical analysis of typical vulnerabilities and the likelihood of threats
- Assess Current Security Measures
- Determine the Likelihood of Threat Occurrence
- Determine the Potential Impact of Threat Occurrence
- Establish a Threat Matrix
- Determine the Level of Risk
- Finalize Documentation and provide meaningful recommendations to appropriately mitigate the risks
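The nine elements above are, in practice, a small data model plus a scoring step. The following Python script is an added illustration written for this page, not Elevate's own tooling and not an OCR-published artifact: it models a constructed ePHI asset inventory (scope and data collection), attaches threat/vulnerability findings rated after reviewing current controls, builds the likelihood-by-impact threat matrix, derives a risk level for each finding, and emits a ranked list with recommendations for the final documentation. The 1..3 qualitative scale and the Low/Medium/High cut-offs are this example's assumptions in the spirit of a NIST SP 800-30 qualitative assessment, not values prescribed by the guidance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Qualitative 1..3 scale for likelihood and impact. The scale and the
# Low/Medium/High cut-offs in risk_level() are this example's assumption.
SCALE = (1, 2, 3)


@dataclass
class Finding:
    """One threat/vulnerability pair identified against an asset."""
    vulnerability: str
    threat: str
    likelihood: int          # rated after assessing current security measures
    impact: int              # effect on confidentiality/integrity/availability of ePHI
    recommendation: str


@dataclass
class Asset:
    """An information asset recorded during the data-collection step."""
    name: str
    holds_ephi: bool
    current_controls: List[str]
    findings: List[Finding] = field(default_factory=list)


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact; both must be on the 1..3 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score (1..9) to a level. Cut-offs are this example's assumption."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def threat_matrix() -> Dict[Tuple[int, int], str]:
    """The 3x3 likelihood-by-impact matrix used to rate every finding."""
    return {(l, i): risk_level(risk_score(l, i)) for l in SCALE for i in SCALE}


def in_scope(assets: List[Asset]) -> List[Asset]:
    """Scope: only assets that create, receive, maintain or transmit ePHI."""
    return [a for a in assets if a.holds_ephi]


def analyze(assets: List[Asset]) -> List[dict]:
    """Rate every finding on in-scope assets and return them highest risk first."""
    rows = []
    for asset in in_scope(assets):
        for f in asset.findings:
            score = risk_score(f.likelihood, f.impact)
            rows.append({
                "asset": asset.name,
                "vulnerability": f.vulnerability,
                "threat": f.threat,
                "current_controls": asset.current_controls,
                "score": score,
                "level": risk_level(score),
                "recommendation": f.recommendation,
            })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarize(rows: List[dict]) -> Dict[str, int]:
    """Count findings per risk level for the final documentation."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in rows:
        counts[r["level"]] += 1
    return counts


# Constructed inventory for illustration only (not real client data).
INVENTORY = [
    Asset("EHR database server", True, ["encrypted at rest", "nightly backups"], [
        Finding("database accounts shared among staff", "unauthorized access to records",
                3, 3, "issue individual accounts and enable access logging"),
        Finding("missing security patches", "malware compromise of the server",
                2, 3, "apply vendor patches on a monthly cycle"),
    ]),
    Asset("Front-desk workstation", True, ["screen lock", "antivirus"], [
        Finding("local copies of ePHI exports", "theft of the device",
                1, 2, "store exports only on the encrypted file share"),
    ]),
    Asset("Guest Wi-Fi", False, ["isolated VLAN"]),  # holds no ePHI: out of scope
]


if __name__ == "__main__":
    rows = analyze(INVENTORY)
    for row in rows:
        print(f"{row['level']:6} {row['score']} {row['asset']}: {row['vulnerability']}")
    print(summarize(rows))
```

The ordering matters: likelihood is rated only after current security measures are recorded, so a control that is already in place lowers the score rather than being forgotten, and the out-of-scope guest network contributes no findings. Rerunning the script after a recommendation is implemented (lowering that finding's likelihood) gives the updated register the next assessment cycle starts from.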