HIPAA Security Consulting


Risk Evaluation and Documented Computer Security for your Healthcare or Dental Practice

Initial Compliance Review and Implementation Service


HIPAA Security Rule Risk Analysis
  • Assess IT infrastructure security (servers, PCs, firewalls, wireless, remote access, EMR/Practice Management system, etc.).
  • Conduct external security scans of technology to determine risk level.
HIPAA Privacy Rule Assessment
  • Assess areas of “physical” risk, including security of paper-based PHI, physical location and visibility of technology and screens, proper removal/destruction of ePHI (on devices and hard drives), staff training requirements, termination procedures, business associate agreements, privacy policies for patients, etc.
  • Written report provided on all non-technology findings with recommendations for mitigating risk.
Technology Security Implementation
  • Install new equipment/software necessary to meet security standards.
  • Perform data encryption, firewall setup, network access, etc. as needed.
  • Perform complete initial system backup.
  • Initiate ongoing procedures for security updates (password changes, system upgrades, routine backups, etc.).
Documentation of Compliance
  • Once initial assessments and implementation are complete, signed certification is provided for your records and insurance requirements.
Base cost $1,500 (additional charges may be quoted for larger practices, remote locations, or hardware/software requirements).


Scheduled Compliance 90-Day "Checkup"


HIPAA Security Rule Continued Compliance
  • Assess IT infrastructure security (servers, PCs, firewalls, wireless, remote access, EMR/Practice Management system, etc.).
  • Conduct external security scans of technology to determine risk level.
HIPAA Privacy Rule Assessment
  • Assess areas of “physical” risk, including security of paper-based PHI, physical location and visibility of technology and screens, proper removal/destruction of ePHI (on devices and hard drives), staff training requirements, termination procedures, business associate agreements, privacy policies for patients, etc.
  • Updated report provided on all non-technology findings with recommendations for mitigating risk.
Technology Security Maintenance and Upgrades
  • Upgrade equipment/software as needed to continue to meet security standards.
  • Upgrade or re-perform data encryption, firewall setup, network access, etc. as needed.
  • Perform routine backup.
  • Change passwords and reset login/access controls as needed.
Documentation of Compliance
  • Updated, signed certification of continued compliance for your records and insurance requirements.
Available only after a full HIPAA Compliance Review and Implementation Service has been conducted.
Base cost $300 per "Checkup" (additional charges may be quoted for larger practices, remote locations, or hardware/software requirements).


Sole-Proprietor Practices


Initial assessment and "checkup" services listed above may be offered at reduced rates for individuals with small practices and a single computer. Please contact us to discuss your setup and to receive a quote.


We Help with HIPAA

HIPAA Security Consulting can assist your health care practice by performing a risk analysis audit, implementing necessary security measures, and providing ongoing scheduled updates to ensure that your technology is in compliance. We also provide documentation of your systems that can establish proof of compliance with HIPAA regulations.

Contact us for additional information including a risk audit specifically for your practice.


HIPAA FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers a number of topics but specifically includes requirements for protecting the privacy and security of personal health information. Since this information is increasingly electronic, the regulations are designed to be flexible to conform to changing technology. Health care providers that collect and retain patient information must be able to prove compliance.

What are the basic rules of HIPAA related to Protected Health Information (PHI)?

HIPAA has a Privacy Rule and a Security Rule. The Privacy Rule defines what data is private (for example, names, social security numbers, phone numbers, etc.). The Security Rule defines how the data is kept private, increasingly in electronic settings (for example, passwords, firewall requirements, encryption standards, etc.).

What are the Security Requirements?

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (electronic Protected Health Information).

Specifically, covered entities must:
1. Ensure the confidentiality, integrity, and availability (to authorized persons) of all e-PHI they create, receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures; and
4. Ensure compliance by their workforce.

What patient information do I need to protect?

There are 18 identifiers that must be protected:

1) Names or parts of names
2) Geographical identifiers
3) Dates directly related to an individual
4) Phone numbers
5) Fax numbers
6) Email addresses
7) Social Security numbers
8) Medical record numbers
9) Health insurance beneficiary numbers
10) Account numbers
11) Certificate or license numbers
12) Vehicle license plate numbers
13) Device identifiers and serial numbers
14) Web URLs
15) IP addresses
16) Fingerprints, retinal and voice prints
17) Full face or any comparable photographic images
18) Any other unique identifying characteristic

What is a Risk Analysis? Is it Required?

A Risk Analysis is required under the HIPAA Security Rule. After the initial analysis, ongoing risk evaluations should be carried out on a regular basis as technology and health office setups change. A Risk Analysis involves the following:

1) Evaluate the likelihood and impact of potential risks to e-PHI.
2) Determine and implement appropriate security measures to address the identified risks.
3) Document the chosen security measures and indicate the rationale for adopting those measures.
4) Maintain continuous, reasonable, and appropriate security protections.

What are the Administrative Safeguards?

1. A Security Management Process - Potential risks to e-PHI must be identified and analyzed, and you must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
2. Security Personnel - You must designate a security official who is responsible for developing and implementing your security policies and procedures.
3. Information Access Management - Use and disclosure of personal health information must be limited to the "minimum necessary" according to the HIPAA Privacy Rule. The Security Rule requires that you implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
4. Workforce Training and Management - You must provide for appropriate authorization and supervision of workforce members who work with e-PHI. You must train all workforce members regarding your security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate policies and procedures.
5. Evaluation - You must perform a periodic assessment of how well your security policies and procedures meet the requirements of the HIPAA Security Rule.

What are the Physical Safeguards?

1. Facility Access and Control - You must limit physical access to your facilities while ensuring that authorized access is allowed.
2. Workstation and Device Security - You must implement policies and procedures to specify proper use of and access to workstations and electronic media. You also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

What are the Technical Safeguards?

1. Access Control - You must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
2. Audit Controls - You must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
3. Integrity Controls - You must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
4. Transmission Security - You must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Are my business associates required to comply?

If you have authorized a third party or business associate (for example, a billing firm or an accountant) to access any e-PHI, then you are responsible for ensuring their compliance with HIPAA rules. Many healthcare practices establish an agreement or contract with business associates that documents security requirements and expectations. If you know of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, you must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.

Do I need to have documented policies and procedures?

Yes. You must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. You must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.

You must also periodically review and update your documentation in response to changes in technology or organizational changes that affect the security of electronic protected health information (e-PHI).

What are the penalties for noncompliance?

The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.

If you are found to be noncompliant, fines may be imposed. See the table on our home page for an overview of fines assessed.

© 2019 HIPAA Security Consulting
A wholly owned subsidiary of The MacSmith

The information provided using this website is only intended to be general summary information to the public. It is not intended to take the place of either the written law or regulations.